CN110545274A - A method, device and system for a UMA service based on person-ID matching - Google Patents

A method, device and system for a UMA service based on person-ID matching (人证合一: confirming that the live person and the identity document belong to the same individual)

Info

Publication number
CN110545274A
Authority
CN
China
Prior art keywords
resource
user
server
authorization
photo
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910811610.2A
Other languages
Chinese (zh)
Inventor
徐睿
杨华飞
郑立
刘坤
马锋
陈梦娴
蔡怡挺
朱犇
王佑
曹国强
游佳
张子谦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Zhejiang Electric Power Co Ltd
NARI Group Corp
NARI Information and Communication Technology Co
Wenzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid Corp of China SGCC
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
NARI Group Corp
NARI Information and Communication Technology Co
Wenzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid Corp of China SGCC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Zhejiang Electric Power Co Ltd, NARI Group Corp, NARI Information and Communication Technology Co, Wenzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd, State Grid Corp of China SGCC
Priority to CN201910811610.2A
Publication of CN110545274A
Legal status: Pending (current)


Abstract

Translated from Chinese

The invention discloses a method, device and system for a UMA service based on person-ID matching (人证合一: confirming that the live person and the identity document belong to the same individual). When a resource applicant accesses a resource, the authorization server uses the portrait photo uploaded by the applicant to judge, by person-ID matching, whether the applicant is the registered user in person. If so, it then obtains the access proofs provided by the applicant according to the resource's authorization policy and judges whether they meet the requirements; if they do, the applicant is authorized. If the applicant is not the registered user in person, or the access proofs do not meet the requirements, the applicant is not authorized. The authorization server uses its private key to issue an access token containing the authorization result to the applicant's client. The access token is presented to the resource server, which verifies its signature with the public key; if the signature verifies and the token shows the applicant is authorized, the resource is sent to the applicant. The invention ensures that the user is a legitimate user and is certainly the registered user in person; the token is hard to forge or tamper with, which effectively guarantees the security of authorization.

Description

Translated from Chinese

A method, device and system for a UMA service based on person-ID matching

Technical field

The present invention relates to the technical field of Internet and mobile communication, in particular to a method, device and system for a UMA service based on person-ID matching.

Background

OAuth is a security protocol used to protect a large and growing number of web APIs worldwide. OAuth is a delegation protocol that provides a scheme for cross-system authorization, replacing the password-sharing anti-pattern with a delegation protocol that is both more usable and more secure. It is used to connect different websites, and also supports connections between native and mobile applications and cloud services. It is the security layer in standard protocols across many fields, covering a broad range of applications from healthcare to identity management and from energy to social networking. OAuth has become the dominant security mechanism on today's web. OAuth is not an authentication framework, but authentication can be added to it to make OAuth more secure.

UMA (User-Managed Access) is a protocol built on OAuth 2.0 that lets resource owners use an authorization server to exercise richer control over access to their resources. The client accessing a resource may be controlled by the resource owner or by another user. The main capability the UMA protocol adds on top of OAuth 2.0 is user-to-user authorization.

Face recognition is a biometric technology that identifies a person from facial feature information. Its main work is to preprocess a face image, extract feature values, and then confirm identity by comparing feature values. The technology is mature and widely used.

OCR (Optical Character Recognition) of identity documents: OCR is the process of determining shapes by detecting dark and light patterns and then translating those shapes into computer text with character-recognition methods. The technology can be used to extract the name, ID number, portrait image and other information from an identity document.

Patent application no. 201510493553.X discloses a biometric-based OAuth service comprising the steps: the user registers on the OAuth system service platform; the system service platform opens the OAuth service externally; the user accesses a third-party application and chooses to authorize through the OAuth system service platform; the OAuth system service platform determines the target smart terminal that will grant authorization; the OAuth system service platform routes the user's authorization request to the target smart terminal; on the smart terminal the user chooses whether to agree to the authorization, and if so biometric information is collected on the smart terminal, while choosing to refuse or doing nothing counts as refusal; based on the collection and recognition results, the system judges whether the biometric information belongs to the registered user; after the system service platform obtains the user's recognition result or the refusal, it reports the authorization result to the platform corresponding to the third-party application.

The authorization workflow in the above patent has the following disadvantages:

(1) Unable to authorize other users

Authorization can only be granted to third-party applications through the system service platform, and the owner of the resource can only be the user himself. When the resource to be accessed needs authorization from another user, this scheme cannot meet the requirement.

(2) High demands on the security protection capability of the smart terminal

Because biometric capture and comparison both take place on the smart terminal, the terminal has security requirements for the storage and transmission of biometric data. Android smart terminals currently hold the larger market share, and most of them have weak security protection and are easily rooted or loaded with malicious applications.

(3) Unable to confirm the user's legal identity

It can only guarantee that the registering user and the using user are the same person, not that this user is a legitimate (legally identified) user. In many scenarios, such as hotels, schools, banks and companies, it is necessary to determine whether a user is a legitimate user.

Summary of the invention

To remedy the deficiencies of the prior art, the present invention provides a method, device and system for a UMA service based on person-ID matching. It solves the problems that the existing biometric-based OAuth service method cannot verify the registrant's real identity, cannot authorize other users, and places high demands on the security protection capability of the smart terminal, and it has a wider scope of application.

To achieve the above objective, the present invention adopts the following technical scheme: a method for a UMA service based on person-ID matching, characterized by comprising the steps:

the authorization server providing the UMA service accepts the registration of a resource server and assigns the resource server a resource server ID number and a corresponding public key;

the authorization server accepts the resource server's registration of its resources and assigns each resource a unique resource identifier; the resource owner configures an authorization policy for the resource through the authorization server;

when a resource applicant accesses a resource, the authorization server uses the portrait photo uploaded by the applicant and the pre-stored user registration information to judge, by person-ID matching, whether the applicant is the registered user in person; if so, it obtains the access proofs provided by the applicant according to the resource's authorization policy and judges whether they meet the requirements; if they do, the applicant is authorized; if the applicant is not the registered user in person or the access proofs do not meet the requirements, the applicant is not authorized; the authorization server uses its private key to issue an access token containing the authorization result to the applicant's client; the access token is presented to the resource server, which verifies its signature with the public key; if the signature verifies, the token shows the applicant is authorized, and the resource access count is correct, the resource is sent to the applicant.

The aforementioned method for a UMA service based on person-ID matching is characterized in that the user registration information comprises conventional registration information and a registered identity-document photo; the conventional registration information comprises user name, password, gender, place of origin and contact details; the registered identity-document photo is a photo of the identity document captured with a camera, which is checked for authenticity and validity; if the identity document is authentic and valid, the authorization server stores the conventional user information and the identity-document photo encrypted, and associates the conventional user information with the identity-document photo.

The aforementioned method for a UMA service based on person-ID matching is characterized in that checking whether the identity-document photo is authentic and valid comprises the specific steps:

1) the authorization server providing the UMA service receives the identity-document photo taken by the user with a camera;

2) the authorization server parses the identity-document photo, sends the name, ID number and portrait data to the Ministry of Public Security database to query the authenticity of the ID card, and the Ministry of Public Security database returns the verification result;

3) if the ID card verification succeeds, the authorization server keeps the identity-document photo in its database; if the verification fails, the user is told that ID verification failed and the identity-document photo is deleted.

The aforementioned method for a UMA service based on person-ID matching is characterized in that judging by person-ID matching whether the applicant is the registered user in person specifically comprises:

1) the authorization server receives the user's portrait photo;

2) the feature values of the user's portrait are extracted, the feature values of the portrait on the identity document stored in the database are retrieved, and the similarity of the two feature values is compared; when the similarity reaches a set threshold, the person and the document are considered to be the same individual.

The aforementioned method for a UMA service based on person-ID matching is characterized in that the access token comprises user information and signature information; the user information comprises the user ID, the requested resource identifier, the resource operation permissions, the resource access count, and whether the user has been authorized; the signature information is data produced by encrypting the user information.

An authorization server for a UMA service based on person-ID matching, characterized by comprising:

a resource server registration module, for accepting the registration of a resource server and assigning the resource server a resource server ID number and a corresponding public key;

a resource registration module, for accepting the resource server's registration of its resources and assigning each resource a unique resource identifier, the resource owner configuring an authorization policy for the resource through the authorization server;

a person-ID matching and resource acquisition module, for judging, when a resource applicant accesses a resource, by person-ID matching of the portrait photo uploaded by the applicant against the pre-stored user registration information, whether the applicant is the registered user in person; if so, obtaining the access proofs provided by the applicant according to the resource's authorization policy and judging whether they meet the requirements; if they do, the applicant is authorized; if the applicant is not the registered user in person or the access proofs do not meet the requirements, the applicant is not authorized; the authorization server uses its private key to issue an access token containing the authorization result to the applicant's client; the access token is presented to the resource server, which verifies its signature with the public key; if the signature verifies, the token shows the applicant is authorized, and the resource access count is correct, the resource is sent to the applicant.

The aforementioned authorization server for a UMA service based on person-ID matching is characterized in that judging by person-ID matching whether the applicant is the registered user in person specifically comprises:

1) the authorization server receives the user's portrait photo;

2) the feature values of the user's portrait are extracted, the feature values of the portrait on the identity document stored in the database are retrieved, and the similarity of the two feature values is compared; when the similarity reaches a set threshold, the person and the document are considered to be the same individual.

A system for a UMA service based on person-ID matching, characterized by comprising a resource server, the aforementioned authorization server, and a terminal device;

the resource server is used to store resources uploaded by resource owners;

the authorization server is used to provide services meeting the requirements of the UMA protocol: user registration, user verification, registration of resource servers and their resources, and generation of access tokens;

the terminal device is used to capture identity-document photos and face portraits and to receive push notifications from the UMA service.

The aforementioned system for a UMA service based on person-ID matching is characterized in that the resources comprise visible resources such as documents, or authorization credentials.

The aforementioned system for a UMA service based on person-ID matching is characterized in that the terminal and the authorization server communicate securely over HTTPS.

Beneficial effects achieved by the invention: the invention verifies the registrant's real identity using the identity document, then uses face recognition and OCR technology to confirm that the person and the document belong to the same individual, and uses COTS devices to capture the identity-document photo and the face portrait, improving the security and convenience of the authorization service without adding hardware cost. The invention places very low demands on the COTS device: the only requirement is a front-facing camera, which is now standard on smart terminals, so the range of usable authorization devices is wide. Besides users authorizing third-party applications, the invention also covers users authorizing other users, so the usage scenarios are broader.

Through person-ID matching, the user is ensured to be a legitimate user and certainly the registered user in person. The authorization credential is an access token carrying signature information, generated by the authorization server after person-ID matching is confirmed; this access token does not contain the user's identity information. The resource server verifies the signature information with the public key obtained when it registered with the authorization server, which guarantees the legitimacy of the access token and further proves that the user has been authorized. A token carrying signature information is hard to forge or tamper with, which effectively guarantees the security of authorization.

Description of drawings

Fig. 1 is a flow chart of a method for a UMA service based on person-ID matching in an embodiment of the present invention;

Fig. 2 is a user registration flow chart in an embodiment of the present invention;

Fig. 3 is a flow chart of identity-document photo verification in an embodiment of the present invention;

Fig. 4 is a flow chart of person-ID matching in an embodiment of the present invention.

Detailed description

The present invention is further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical scheme of the invention more clearly and do not limit its scope of protection.

Embodiment 1:

A system for a UMA service based on person-ID matching, comprising a resource server, an authorization server and a terminal device;

the resource server is used to store resources uploaded by resource owners; the resources include visible resources such as documents, or authorization credentials;

the authorization server provides services meeting the requirements of the UMA protocol, for user registration, user verification, registration of resource servers and their resources, and generation of access tokens.

The terminal device is a COTS device (Commercial Off-The-Shelf: a purchasable software or hardware product with interfaces defined by open standards, which saves cost and time; a mobile phone or tablet is a COTS device). An app runs on the terminal device to capture identity-document photos and face portraits and to receive push notifications from the UMA service (when a user's access to a resource requires the resource owner's confirmation, a push notification is sent to the app to remind the owner to confirm). The terminal and the authorization server communicate securely over HTTPS.

The parties served by the UMA service are the resource server, the resource owner, the client and the resource applicant. The applicant and the owner may be the same person; if they are different people, this amounts to one user authorizing another. The resource owner allows other users and third-party clients to access resources by setting authorization policies. Applicants and clients can obtain the relevant resources by presenting applicant information or client information to the authorization server, as long as that information satisfies the owner's authorization policy.

Embodiment 2:

A method for a UMA service based on person-ID matching, comprising the following steps:

Step 1: conventional information registration and identity-document photo registration are performed on the authorization server providing the UMA service, and the authorization server stores the user registration information encrypted;

Conventional information registration covers user name/password, gender, place of origin, contact details and so on, and automatically generates a unique user ID (identification number) for the user. The user name and password can serve as the login credential for the UMA service, or as user authentication information where only a low security level is required;

Identity-document photo registration captures a photo of the identity document with the COTS device's camera and checks that the photo is authentic and valid, mainly checking that the name and number on the ID card are consistent and that the ID card portrait is genuine. If the ID card is confirmed authentic and valid, the authorization server stores the conventional user information and the identity-document photo encrypted and associates them; if the identity-document photo is invalid, the user is told that ID verification failed and may choose to retake the photo.

Checking whether the identity-document photo is authentic and valid comprises the specific steps:

1) the authorization server providing the UMA service receives the identity-document photo taken by the user with the camera; the user must judge whether the photo is clear and retake it if it is not;

2) the authorization server (which must be authorized by the Ministry of Public Security) parses the identity-document photo, sends the name, ID number and portrait data to the Ministry of Public Security database to query the authenticity of the ID card, and the Ministry of Public Security database returns the verification result;

3) if the ID card verification succeeds, the authorization server keeps the identity-document photo in its database; if the verification fails, the user is told that ID verification failed, the identity-document photo is deleted, and the user may choose to retake it.

Step 2: the authorization server accepts the registration of the resource server and assigns the resource server a resource server ID number and a corresponding public key (this public key is used to verify the signature of access tokens).

Step 3: the authorization server accepts the resource server's registration of its resources and assigns each resource a unique resource identifier; the resource owner configures an authorization policy for the resource through the authorization server;

Different resources can be configured with different authorization policies. Resource applicants and their clients (browsers or native applications) must provide access proofs that satisfy the policy. For example, if the policy requires a bound terminal, the terminal's MAC address serves as one of the access proofs. If no authorization policy is configured for a resource, the resource is treated as inaccessible.

The authorization policy includes but is not limited to the following:

1) whether, after person-ID matching, the resource owner must confirm again, and how (account password, face recognition, etc.);

2) whether an authorized terminal is bound, i.e. whether the terminal capturing the face photo must be a specific terminal or may be any terminal;

3) the date range within which the resource may be accessed;

4) restriction of access to specific users;

5) a limit on the number of times the resource may be accessed.
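As an added illustration (not code from the patent or its assignees), the following Go program evaluates the five policy items above against the access proofs an applicant presents, including the rule from Step 3 that a resource with no configured policy is inaccessible. The `Policy`, `AccessProof` and `Evaluate` names, the placeholder MAC address and the sample dates are all constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Policy holds the five policy items the patent lists; a zero value means "not restricted".
type Policy struct {
	RequireOwnerConfirm bool      // item 1: owner must confirm again after person-ID matching
	BoundTerminal       string    // item 2: terminal that must capture the face photo ("" = any terminal)
	NotBefore, NotAfter time.Time // item 3: accessible date range (zero time = open-ended)
	AllowedUsers        []string  // item 4: nil = any registered user; empty non-nil slice = nobody
	MaxAccesses         uint64    // item 5: 0 = unlimited
}

// AccessProof is what the applicant's client presents to the authorization server.
type AccessProof struct {
	UserID         string
	TerminalID     string // e.g. the MAC address the patent names as one possible proof
	OwnerConfirmed bool   // set once the owner answered the push notification
}

// Evaluate applies the policy to a proof at time `now`, given how many authorized
// accesses have already been recorded. A nil policy denies, as Step 3 requires.
func Evaluate(p *Policy, proof AccessProof, now time.Time, accessesSoFar uint64) (bool, string) {
	if p == nil {
		return false, "no authorization policy configured: resource is inaccessible"
	}
	if p.RequireOwnerConfirm && !proof.OwnerConfirmed {
		return false, "resource owner has not confirmed this access"
	}
	if p.BoundTerminal != "" && proof.TerminalID != p.BoundTerminal {
		return false, "face photo was not captured on the bound terminal"
	}
	if !p.NotBefore.IsZero() && now.Before(p.NotBefore) {
		return false, "resource is not yet accessible"
	}
	if !p.NotAfter.IsZero() && now.After(p.NotAfter) {
		return false, "resource access window has closed"
	}
	if p.AllowedUsers != nil && !contains(p.AllowedUsers, proof.UserID) {
		return false, "user is not in the allowed list"
	}
	if p.MaxAccesses > 0 && accessesSoFar >= p.MaxAccesses {
		return false, "access count limit reached"
	}
	return true, "all policy requirements satisfied"
}

func contains(list []string, s string) bool {
	for _, item := range list {
		if item == s {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policy and proof; the MAC address is a placeholder, not a real device.
	start := time.Date(2024, time.March, 1, 0, 0, 0, 0, time.UTC)
	policy := &Policy{
		RequireOwnerConfirm: true,
		BoundTerminal:       "00:11:22:33:44:55",
		NotBefore:           start,
		NotAfter:            start.Add(48 * time.Hour),
		AllowedUsers:        []string{"user-7"},
		MaxAccesses:         3,
	}
	proof := AccessProof{UserID: "user-7", TerminalID: "00:11:22:33:44:55", OwnerConfirmed: true}
	fmt.Println(Evaluate(policy, proof, start.Add(time.Hour), 0))    // true, all requirements satisfied
	fmt.Println(Evaluate(policy, proof, start.Add(72*time.Hour), 0)) // false, window closed
	fmt.Println(Evaluate(nil, proof, start.Add(time.Hour), 0))       // false, no policy
}
```

Every check is evaluated on the authorization server, so the terminal never holds the policy. Note that a MAC address, as used in the patent's example, is a value the client reports rather than one the server can verify; a deployment that needs a strong terminal binding would pair it with a device-held key.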

Step 4: when the resource applicant needs to access a resource, the authorization server uses the portrait photo uploaded by the applicant to judge, by person-ID matching, whether the applicant is the registered user in person; if so, it obtains the access proofs provided by the applicant according to the resource's authorization policy and judges whether they meet the requirements; if they do, the applicant is authorized; if the applicant is not the registered user in person or the access proofs do not meet the requirements, the applicant is not authorized. The authorization server uses its private key to issue an access token containing the authorization result to the applicant's client. The access token is presented to the resource server, which verifies the token's signature with the public key. If the signature is valid, the resource server checks whether the user has been authorized and whether the resource access count is correct; if the user is authorized and the access count is correct, it retrieves the resource corresponding to the accessible resource identifier and returns it to the applicant.

Examples of access proofs: if the resource owner must confirm again, the authorization server reminds the owner to confirm the authorization through an application push notification (received by the terminal app); if a bound terminal must be provided, the MAC address of the terminal used to capture the face portrait must be supplied;

The access token comprises user information and signature information. The user information comprises the user ID, the requested resource identifier, the resource operation permissions, the resource access count (the resource server and the authorization server each keep a record of the access count, and each authorized resource access increments the record by 1; this field exists to prevent replay attacks), whether the user has been authorized, and so on. The signature information is data produced by hashing the user information and then encrypting the hash;

The resource applicant uses a client (a browser or a native application) to log in to the resource server with account and password, and attempts to access a selected resource on the resource server without yet having authorization. From this initial request the authorization server learns which resource the client is trying to access, and hence the corresponding resource owner and which access proofs the authorization server needs (according to the configured policy). If the user agrees to authorization, the user takes a portrait photo with a camera-equipped COTS device and uploads it to the authorization server; if not, the user chooses cancel or does nothing;

The person-ID verification service in the authorization server uses face recognition and document OCR technology to extract and compare the feature values of the portrait photo and of the portrait on the ID card; this is called person-ID matching for short. As shown in Fig. 4, person-ID matching comprises the steps:

1) the authorization server receives the user's portrait photo; the user must judge whether the identity-document photo is clear and retake it if it is not;

2) the feature values of the user's portrait are extracted, the feature values of the portrait on the identity document stored in the database are retrieved, and the similarity of the two feature values is compared; when the similarity reaches a set threshold, the person and the document are considered to be the same individual.

授权服务器使用私钥签发访问令牌并且颁发访问令牌给用户客户端,而资源服务器可以通过在向授权服务器注册时获得的公钥验证签名信息保证访问令牌的合法性。The authorization server uses the private key to issue the access token and issues the access token to the user client, and the resource server can verify the signature information through the public key obtained when registering with the authorization server to ensure the legitimacy of the access token.

Embodiment 3:

As shown in Figure 1, a method for a UMA service based on person-ID verification comprises the following steps:

Step 1. The user registers on the authorization server that provides the UMA service; as shown in Figure 2, registration comprises:

Conventional information registration, which mainly covers username/password, gender, place of origin, contact details and so on, while a unique ID number is generated automatically for the user. The username and password can serve as the login credential for the UMA service and also as user authentication where the security requirement is low; as shown in Figure 2,

ID document photo registration: the ID document photo is captured with the camera of a COTS device and checked for authenticity and validity, which mainly means checking that the name and number on the ID card are consistent and that the ID card portrait is genuine. If the ID card is confirmed to be authentic and valid, the authorization server stores the user information and the ID document photo in encrypted form and associates the registered user information with the ID document photo. If the ID document photo is invalid, the server reports that ID verification failed, and the user may choose to retake the ID document photo.

As shown in Figure 3, verifying whether the ID document photo is authentic and valid comprises the following steps:

1) The user requests the registration service as required by the authorization server providing the UMA service, and the authorization server waits to receive the user's ID document photo;

2) The user photographs the ID document with the camera;

3) The user checks whether the ID document photo is clear and retakes it if it is not;

4) Once the user confirms the photo is clear, the photo is submitted to the authorization server;

6) The authorization server (which holds authorization from the Ministry of Public Security) parses the ID document photo and sends the name, ID number and portrait data to the Ministry of Public Security to check the authenticity of the ID card; the Ministry of Public Security returns the verification result;

7) If ID verification succeeds, the authorization server keeps the ID document photo in its database; if it fails, the user is told that ID verification failed, the ID document photo is deleted, and the user may choose to retake it.

Step 2. The resource server registers with the authorization server that provides the UMA service and obtains the resource server ID number assigned by the authorization server together with the corresponding public key (this public key is used to verify the signature on access tokens).

Step 3. The resource server registers its resources with the authorization server and obtains resource identifiers; the resource owner configures authorization policies through the authorization server;

The authorization server assigns a unique identifier to each resource and returns that identifier to the resource server together with a URL. The resource server directs the resource owner to this URL, where the owner can interactively manage the authorization policies associated with the resource set;

Different resources require different authorization policies. Applicants and their clients (browser or native application) must supply access proofs that satisfy the policy's requirements. If no authorization policy is configured for a resource, that resource is treated as inaccessible. For example, if the policy requires person-ID verification, the applicant must take a face photo, and that face photo data is a claim. If the policy requires a bound terminal, the MAC address of the terminal must match the MAC address of the bound terminal.

Some possible authorization policy options are listed below:

1) Whether the resource owner must confirm again, and the confirmation method (account password, face recognition, etc.);

2) Whether an authorized terminal is bound, i.e. whether the terminal that takes the face photo must be a bound terminal or any terminal is acceptable;

3) The date range in which the resource may be accessed;

4) Restriction of access to specific users;

5) A limit on the number of times the resource may be accessed;

Step 4. The resource applicant accesses the resource through the client. The authorization server obtains the face photo the user took with the terminal and performs person-ID comparison; if it is the user, the server further obtains the user's access proof according to the resource authorization policy, and if the proof meets the requirements, the result is authorized. The authorization server signs an access token containing the authorization result with its private key and issues it to the client; the client sends the access token to the resource server, which verifies the signature with the public key. If the signature is valid, the resource server checks whether the user is authorized and whether the access count is correct; if both hold, it retrieves the resource corresponding to the accessible resource identifier and returns it to the applicant.

The resource applicant uses a client (a browser or a native application) to log in to the resource server with an account and password and attempts to access a selected resource on the resource server without authorization. From this initial request the resource server learns which resource the client is trying to access, and thus the corresponding resource owner and which access proofs the authorization server requires (according to the configured policy). If the user agrees to authorize, they take a face photo with a camera-equipped COTS device and upload it to the authorization server; if not, they choose cancel or take no action.

The person-ID verification service in the authorization server uses face recognition and ID-document OCR to extract and compare feature values from the face photo and the portrait on the ID card; this is referred to as person-ID comparison, as shown in Figure 4. Person-ID comparison comprises the following steps:

1) The user requests the face recognition service as required by the UMA service's authorization server, and the authorization server waits to receive the user's face photo;

2) The desktop browser or mobile app requests camera permission, and the user must tap Agree;

3) The user takes a face photo with the camera;

4) The user checks whether the ID document photo is clear and retakes it if it is not;

5) Once the user confirms the photo is clear, the photo is submitted to the authorization server;

6) The person-ID verification service in the authorization server extracts the feature values of the user's face photo, retrieves the feature values of the portrait on the ID document stored in the database, and compares the similarity of the two feature vectors; when the similarity reaches a set threshold, the person and the document are considered to belong to the same individual.

Based on the person-ID comparison result, the authorization server determines whether the applicant is the registered user. If so, it checks whether the configured policy also requires the resource owner to confirm the authorization; if confirmation is required, the system reminds the resource owner through an application message push (received by the terminal app), and the confirmation method follows the configured policy;

The resource server verifies the access token with the public key obtained in step 2 and checks whether the token signature is correct. If the signature is valid, it checks whether the user is authorized; if so, it retrieves the accessible resource identifier and the corresponding resource and returns the resource to the client.

Embodiment 4:

An apparatus for a UMA service based on person-ID verification comprises:

a user registration module, for performing conventional information registration and ID document photo registration on the authorization server that provides the UMA service, the authorization server storing the user registration information in encrypted form;

a resource server registration module, for the authorization server to accept the registration of a resource server and assign it a resource server ID number and the corresponding public key;

a resource registration module, for the authorization server to accept the resource server's registration of its resources and assign each resource a unique resource identifier, the resource owner configuring the authorization policy for the resource through the authorization server;

a person-ID verification and resource acquisition module, for use when a resource applicant accesses a resource: the authorization server determines, through person-ID comparison of the face photo uploaded by the applicant, whether the applicant is the registered user; if so, it obtains the access proof supplied by the applicant according to the resource authorization policy and checks whether the proof meets the requirements; if it does, the result is authorized, and if the applicant is not the registered user or the proof does not meet the requirements, the result is not authorized. The authorization server signs an access token containing the authorization result with its private key and issues it to the applicant's client; the access token is presented to the resource server for signature verification with the public key, and if the signature verifies and the result is authorized, the resource is sent to the applicant.

Determining whether the applicant is the registered user through person-ID comparison specifically comprises:

1) The authorization server receives the user's face photo;

2) Extract the feature values of the user's face photo, retrieve the feature values of the portrait on the ID document stored in the database, and compare the similarity of the two feature vectors; when the similarity reaches a set threshold, the person and the document are considered to belong to the same individual.

Throughout the process, neither the resource owner's nor the applicant's personal information is disclosed to the resource server or the client, and the two parties do not disclose sensitive personal information to each other. The applicant need only provide the minimum proof information that satisfies the authorization policy set by the resource owner.

The authorization server handles user identity registration and verification as well as resource server registration. The applicant does not need to present an ID document to a third party as in everyday life; the applicant only takes a face photo and sends it to the authorization server, which attests to the identity. This avoids the identity fraud and misuse that arise when personal information is leaked to third parties.

Building on the UMA framework and person-ID verification ensures the security of authorization while improving its convenience, and the diversity of authorization devices suits a wider range of scenarios.

Authorization security is ensured by real-person verification, but real-person verification is not limited to face recognition. As biometric features such as fingerprints are integrated into ID cards, any biometric information that can prove the person and the ID document belong to the same individual falls within the scope of real-person verification.

After ID verification succeeds, either the ID document photo itself or only the portrait feature values may be retained, because some scenarios, such as banking, may still require manual comparison of the ID document portrait with the live person;

The user may choose whether or not to bind a terminal, depending on the security level the scenario requires; when the security level is high, binding a terminal is recommended.

The access token comprises user information and signature information. The user information comprises the user ID, the requested resource identifier, the resource operation permission, the resource access count and whether authorization has been granted; the signature information is the data produced by computing a hash of the user information and then encrypting it. The resource server can verify the signature information with the public key obtained when it registered with the authorization server to ensure the legitimacy of the access token. The invention is not limited to this method of generating and verifying tokens; any method that secures token transmission and allows the token to be verified falls within the scope of access token generation and verification referred to herein.
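The token issuance and verification described in step 4 and in the access token paragraphs above (user information hashed and signed with the authorization server's private key, verified by the resource server with the public key, with the shared access counter used against replay), as an added example in Go that is not part of the patent. The Policy and AccessProof fields, the Ed25519 signature, the canonical-JSON digest and the `user|resource` counter key are this example's own choices; the person-ID comparison result is taken as an input rather than computed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// UserInfo is the signed part of the token: user ID, requested resource identifier,
// operation permission, access count (both servers record it; it defeats replay), result.
type UserInfo struct {
	UserID      string
	ResourceID  string
	Permission  string
	AccessCount int
	Authorized  bool
}
type AccessToken struct { // user information plus the signature over its hash
	Info      UserInfo
	Signature []byte
}

// Policy models the step 3 options checked here (field names are this example's own).
type Policy struct {
	RequireFaceMatch bool   // a passed person-ID comparison is required
	BoundTerminalMAC string // empty: any terminal may capture the photo
	MaxAccesses      int    // 0: no limit on the number of accesses
}
type AccessProof struct { // what the applicant's client submits to satisfy the policy
	FaceMatched bool   // outcome of the face vs. ID-photo comparison (an input here)
	TerminalMAC string // MAC of the terminal that captured the photo
}

// AuthServer issues tokens; Pub is what a resource server receives at step 2.
type AuthServer struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	policies map[string]Policy // resource identifier -> owner's policy
	counts   map[string]int    // "user|resource" -> authorized access count
}

func NewAuthServer() *AuthServer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AuthServer{priv: priv, Pub: pub, policies: map[string]Policy{}, counts: map[string]int{}}
}
func (a *AuthServer) RegisterResource(rid string, p Policy) { a.policies[rid] = p }

// digest hashes the canonical JSON of the user information; the signature covers it.
func digest(u UserInfo) []byte {
	b, _ := json.Marshal(u) // fixed struct field order keeps the encoding deterministic
	h := sha256.Sum256(b)
	return h[:]
}

// Authorize checks the proof against the policy and always issues a signed token
// carrying the result (step 4); only a grant advances the access counter.
func (a *AuthServer) Authorize(uid, rid, perm string, proof AccessProof) (AccessToken, error) {
	p, ok := a.policies[rid]
	if !ok { // no policy configured: the resource is treated as inaccessible
		return AccessToken{}, errors.New("no authorization policy for resource")
	}
	key := uid + "|" + rid
	granted := (!p.RequireFaceMatch || proof.FaceMatched) &&
		(p.BoundTerminalMAC == "" || proof.TerminalMAC == p.BoundTerminalMAC) &&
		(p.MaxAccesses == 0 || a.counts[key] < p.MaxAccesses)
	if granted {
		a.counts[key]++
	}
	info := UserInfo{uid, rid, perm, a.counts[key], granted}
	return AccessToken{Info: info, Signature: ed25519.Sign(a.priv, digest(info))}, nil
}

// ResourceServer verifies tokens with the public key and keeps its own access counter.
type ResourceServer struct {
	authPub ed25519.PublicKey
	counts  map[string]int
}
func NewResourceServer(authPub ed25519.PublicKey) *ResourceServer {
	return &ResourceServer{authPub: authPub, counts: map[string]int{}}
}

// Fetch checks signature, authorization result and access count in that order and,
// on success, returns the identifier of the resource to serve.
func (r *ResourceServer) Fetch(t AccessToken) (string, error) {
	if !ed25519.Verify(r.authPub, digest(t.Info), t.Signature) {
		return "", errors.New("access token signature invalid")
	}
	if !t.Info.Authorized {
		return "", errors.New("access token not authorized")
	}
	key := t.Info.UserID + "|" + t.Info.ResourceID
	// A fresh token carries exactly our count + 1; a replayed one carries a stale count.
	if t.Info.AccessCount != r.counts[key]+1 {
		return "", errors.New("access count mismatch: possible replay")
	}
	r.counts[key]++
	return t.Info.ResourceID, nil
}
```

Presenting the same token twice fails the count check even though its signature is still valid, which is the replay defence the access count field provides.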

The authorization referred to in this invention is not limited to a user authorizing other users or a user authorizing third-party applications; every authorization that cannot be accomplished by directly handing over login credentials falls within the scope of authorization referred to herein.

The way the system reminds the resource owner to confirm an authorization is not limited to application message push; any method that notifies the resource owner in a timely manner falls within the scope of the system reminder referred to herein.

The invention has the following beneficial effects:

(1) Safer and more convenient

The spread of mobile terminals such as smartphones and tablets, with a camera as standard equipment, provides a broad base of terminal devices for face recognition services, and nearly everyone now carries at least one mobile terminal. Although many terminal devices have security problems, the invention does not need to store biometric information on the terminal and places no high security requirement on it, so authorization security and convenience can be improved without adding hardware cost.

(2) Strong applicability

Person-ID verification is more secure than a single account password or biometric alone. It applies not only to scenarios where the user's identity must be verified, but also to ordinary authorized logins, giving it broader applicability.

(3) Strong extensibility

The resource owner can authorize not only other users but also third-party applications (when the applicant is a third-party application), which makes the system more extensible.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) having computer-usable program code embodied therein.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, so that a series of operational steps are performed on the computer or other programmable apparatus to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

The above is only a preferred embodiment of the invention. It should be noted that those of ordinary skill in the art can make further improvements and variations without departing from the technical principles of the invention, and such improvements and variations should also be regarded as falling within the scope of protection of the invention.

Claims (10)

Translated fromChinese
1.一种基于人证合一的UMA服务的方法,其特征在于:包括步骤:1. A method based on the UMA service of the unity of witnesses and certificates, characterized in that: comprising the steps:提供UMA服务的授权服务器接受资源服务器的注册,为资源服务器分配资源服务器ID号以及对应的公钥;The authorization server providing the UMA service accepts the registration of the resource server, and assigns the resource server ID number and corresponding public key to the resource server;授权服务器接受资源服务器为其资源的注册,为资源分配唯一的资源标识符,所述资源被资源拥有者通过授权服务器配置授权策略;The authorization server accepts the resource server's registration of its resource, assigns a unique resource identifier to the resource, and the resource owner configures the authorization policy through the authorization server;当资源申请者访问资源时,授权服务器根据资源申请者上传的头像照片和预先存储的用户注册信息,通过人证合一比对判断是否为注册用户本人,如果是,再根据资源授权策略获得申请者提供的访问证明,判断访问证明是否符合要求,如果符合要求,则表示已授权,如果不是注册用户本人或者访问证明不符合要求则未授权;授权服务器使用私钥签发包括授权结果的访问令牌给资源申请者的客户端;所述访问令牌用于提供给资源服务器通过公钥验签,如通过验签且已经授权,并且资源访问次数正确,则资源被发送给资源申请者。When a resource applicant accesses a resource, the authorization server judges whether the resource applicant is the registered user himself or not by comparing the avatar photo uploaded by the resource applicant and the pre-stored user registration information, and if so, obtains the application according to the resource authorization strategy The access certificate provided by the user, to determine whether the access certificate meets the requirements, if it meets the requirements, it means authorized, if it is not the registered user himself or the access certificate does not meet the requirements, it is not authorized; the authorization server uses the private key to issue the access token including the authorization result To the client of the resource applicant; the access token is used to provide the resource server with a public key for signature verification. 
If the signature is verified and authorized, and the resource access times are correct, the resource will be sent to the resource applicant.2.根据权利要求1所述的一种基于人证合一的UMA服务的方法,其特征是:所述用户注册信息包括传统注册信息和注册身份证件照;所述传统注册信息包括用户名、密码、性别,籍贯、联系方式;所述注册身份证件照为通过摄像头采集的身份证件照,核验身份证件照是否真实有效,如果身份证是真实有效的,则授权服务器加密保存传统用户信息、身份证件照,关联传统用户信息和身份证件照。2. The method for a UMA service based on the integration of personal identification and identification according to claim 1, characterized in that: said user registration information includes traditional registration information and registered ID photos; said traditional registration information includes user name, Password, gender, place of origin, and contact information; the registered ID photo is an ID photo collected by a camera. Verify whether the ID photo is authentic and valid. If the ID card is true and valid, the server is authorized to encrypt and store traditional user information and identity ID photo, associating traditional user information with ID photo.3.根据权利要求2所述的一种基于人证合一的UMA服务的方法,其特征是:所述核验身份证件照是否真实有效,具体步骤包括:3. A method of UMA service based on the integration of witnesses and certificates according to claim 2, characterized in that: the verification of whether the identity certificate is authentic or not, the specific steps include:提供UMA服务的授权服务器接收用户使用摄像头拍摄的身份证件照;The authorization server that provides UMA service receives the photo of the user's ID card taken by the camera;授权服务器解析身份证件照,将姓名、身份证号码、头像数据发送给公安部数据库,查询身份证真伪,公安部数据库返回验证结果;The authorization server parses the photo of the ID card, sends the name, ID number, and avatar data to the database of the Ministry of Public Security, checks the authenticity of the ID card, and the database of the Ministry of Public Security returns the verification result;如果身份证验证成功则授权服务器将身份证件照保留到数据库中,如果身份证验证失败,则提示用户身份证验证失败并且删除身份证件照。If the ID verification is successful, the authorization server will save the ID photo in the database. 
If the ID verification fails, the user will be prompted that the ID verification failed and the ID photo will be deleted.4.根据权利要求1所述的一种基于人证合一的UMA服务的方法,其特征是:所述通过人证合一比对判断是否为注册用户本人,具体为:4. A method of UMA service based on the combination of witness and certificate according to claim 1, characterized in that: the comparison of the verification of the witness and certificate to determine whether it is the registered user himself, specifically:1)授权服务器接收用户头像照片;1) The authorization server receives the user's avatar photo;2)提取用户头像特征值,获取数据库存放的身份证件上的头像特征值,对比两个特征值相似度,当相似度到达一定阈值即认为人和证为同一人。2) Extract the feature value of the user's avatar, obtain the feature value of the profile picture on the ID card stored in the database, and compare the similarity of the two feature values. When the similarity reaches a certain threshold, the person and the certificate are considered to be the same person.5.根据权利要求1所述的一种基于人证合一的UMA服务的方法,其特征是:所述访问令牌包括用户信息和签名信息,用户信息包括用户ID、请求的资源标识符、资源操作权限、资源访问次数、以及用户是否已经授权,签名信息为对用户信息进行加密产生的数据。5. The method of UMA service based on the combination of human and certificate according to claim 1, characterized in that: said access token includes user information and signature information, and user information includes user ID, requested resource identifier, Resource operation permissions, resource access times, and whether the user has been authorized, and the signature information is the data generated by encrypting user information.6.一种基于人证合一的UMA服务的授权服务器,其特征在于:包括:6. 
An authorization server for a UMA service based on person-and-ID-document verification (人证合一), characterized in that it comprises:

a resource server registration module, used to accept the registration of a resource server and to assign the resource server an ID number and a corresponding public key;

a resource registration module, used to accept the registration of resources by the resource server and to assign each resource a unique resource identifier, the resource owner configuring an authorization policy for the resource through the authorization server;

a person-and-ID-document verification and resource acquisition module, used, when a resource applicant accesses a resource, to judge by person-and-ID comparison whether the applicant is the registered user in person, based on the portrait photo uploaded by the applicant and the pre-stored user registration information; if so, to obtain the access proof supplied by the applicant according to the resource authorization policy and to judge whether the access proof meets the requirements; if it does, the access is authorized; if the applicant is not the registered user in person, or the access proof does not meet the requirements, the access is not authorized; the authorization server signs an access token containing the authorization result with its private key and issues it to the resource applicant's client; the access token is presented to the resource server, which verifies the signature with the public key, and if the signature verifies, the access is authorized, and the resource access count is correct, the resource is sent to the resource applicant.

7. The authorization server for a UMA service based on person-and-ID-document verification according to claim 6, characterized in that judging by person-and-ID comparison whether the applicant is the registered user in person specifically comprises:
1) the authorization server receives the user's portrait photo;
2) the feature values of the user's portrait are extracted, the feature values of the portrait on the identity document stored in the database are obtained, and the similarity of the two feature values is compared; when the similarity reaches a set threshold, the person and the document are considered to belong to the same person.

8. A system for a UMA service based on person-and-ID-document verification, characterized in that it comprises a resource server, the authorization server according to claim 6 or 7, and a terminal device;
the resource server is used to store resources uploaded by resource owners;
the authorization server is used to provide services meeting the requirements of the UMA protocol: user registration, user verification, registration of resource servers and their resources, and generation of access tokens;
the terminal device is used to capture identity-document photos and face portraits and to receive UMA service push messages.

9. The system for a UMA service based on person-and-ID-document verification according to claim 8, characterized in that the resources include visible resources such as documents, or authorization credentials.

10. The system for a UMA service based on person-and-ID-document verification according to claim 8, characterized in that the terminal and the authorization server communicate securely over HTTPS.
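The token flow the claims describe (the authorization server signs a token carrying the authorization result with its private key; the resource server verifies the signature with the public key and then checks the authorization result and the access count before releasing the resource), together with the similarity-threshold check of claim 7, shown as an added Go example that is not part of the patent or of any implementation by the applicants. It assumes Ed25519 signatures, a JSON token payload with field names chosen here (resource_id, authorized, max_uses), cosine similarity over constructed three-element feature vectors standing in for a face-recognition model, and constructed user, resource and policy data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"math"
)

// TokenPayload is what the authorization server signs (field names are this example's choice).
type TokenPayload struct {
	ResourceID string `json:"resource_id"`
	Authorized bool   `json:"authorized"` // the authorization result the claims refer to
	MaxUses    int    `json:"max_uses"`   // access count the resource server enforces
}

type AuthorizationServer struct {
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey    // handed to resource servers when they register
	Features  map[string][]float64 // user -> feature vector of the ID-document photo
	Policies  map[string]string    // resource ID -> access proof required by its policy
	Threshold float64              // similarity at which person and document are taken to match
}

func NewAuthorizationServer(threshold float64, features map[string][]float64,
	policies map[string]string) (*AuthorizationServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthorizationServer{priv: priv, Pub: pub, Features: features, Policies: policies, Threshold: threshold}, nil
}

// cosineSimilarity stands in for the feature comparison of claim 7; a real deployment
// compares embeddings produced by a face-recognition model.
func cosineSimilarity(a, b []float64) float64 {
	if len(a) != len(b) {
		return 0
	}
	var dot, na, nb float64
	for i := range a {
		dot, na, nb = dot+a[i]*b[i], na+a[i]*a[i], nb+b[i]*b[i]
	}
	if na == 0 || nb == 0 {
		return 0
	}
	return dot / (math.Sqrt(na) * math.Sqrt(nb))
}

// IssueToken runs the person/ID comparison, then the policy check, and signs the outcome
// either way: a token with authorized=false is a valid signed statement that gets refused.
func (as *AuthorizationServer) IssueToken(user string, uploaded []float64,
	resourceID, proof string, maxUses int) (payload, sig []byte, err error) {
	stored, okUser := as.Features[user]
	required, okRes := as.Policies[resourceID]
	if !okUser || !okRes {
		return nil, nil, errors.New("unknown user or unregistered resource")
	}
	samePerson := cosineSimilarity(uploaded, stored) >= as.Threshold
	payload, err = json.Marshal(TokenPayload{ResourceID: resourceID,
		Authorized: samePerson && proof == required, MaxUses: maxUses})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(as.priv, payload), nil
}

type ResourceServer struct {
	ASPub     ed25519.PublicKey // the authorization server's public key is all it needs
	Resources map[string]string
	uses      map[string]int // token signature -> number of times already redeemed
}

// Fetch checks the signature, the authorization result and the access count, in that
// order, and releases the resource only when every check passes.
func (rs *ResourceServer) Fetch(payload, sig []byte) (string, error) {
	if !ed25519.Verify(rs.ASPub, payload, sig) {
		return "", errors.New("signature verification failed")
	}
	var p TokenPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return "", err
	}
	if !p.Authorized {
		return "", errors.New("token carries an unauthorized result")
	}
	if rs.uses == nil {
		rs.uses = map[string]int{}
	}
	key := string(sig) // each issued token is counted on its own
	content, ok := rs.Resources[p.ResourceID]
	if !ok || rs.uses[key] >= p.MaxUses {
		return "", errors.New("unknown resource or access count exhausted")
	}
	rs.uses[key]++
	return content, nil
}
```

Two design points follow the claims directly: the authorization server signs the token even when the result is negative, so the resource server's decision always rests on a statement it can verify rather than on the absence of a token, and the access count is tracked per token signature, so a token presented again after its max_uses is refused even though its signature still verifies.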
CN201910811610.2A | 2019-08-30 | 2019-08-30 | A method, device and system for UMA service based on the integration of witnesses and witnesses | Pending | CN110545274A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910811610.2A (CN110545274A, en) | 2019-08-30 | 2019-08-30 | A method, device and system for UMA service based on the integration of witnesses and witnesses

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201910811610.2A (CN110545274A, en) | 2019-08-30 | 2019-08-30 | A method, device and system for UMA service based on the integration of witnesses and witnesses

Publications (1)

Publication Number | Publication Date
CN110545274A (en) | 2019-12-06

Family

ID=68710990

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201910811610.2A (Pending; CN110545274A, en) | A method, device and system for UMA service based on the integration of witnesses and witnesses | 2019-08-30 | 2019-08-30

Country Status (1)

Country | Link
CN (1) | CN110545274A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105453524A (en)* | 2013-05-13 | 2016-03-30 | 霍约什实验室Ip有限公司 | System and method for authorizing access to access-controlled environments
CN104506562A (en)* | 2015-01-13 | 2015-04-08 | 东北大学 | Two-dimension code and face recognition fused conference identity authentication device and method
US10021095B1 (en)* | 2015-05-29 | 2018-07-10 | Amdocs Development Limited | System, method, and computer program for two layer user authentication associated with connected home devices
CN105577665A (en)* | 2015-12-24 | 2016-05-11 | 西安电子科技大学 | Identity and access control management system and method in cloud environment
US10164975B1 (en)* | 2016-03-30 | 2018-12-25 | Snap Inc. | Authentication via camera
CN106603513A (en)* | 2016-11-30 | 2017-04-26 | 中国人民解放军理工大学 | Host identifier-based resource access control method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
沈桐 et al.: "User authentication and authorization system architecture based on OAuth2.0, OpenID Connect and UMA", 《软件》 (Software)*

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111538973A (en)* | 2020-03-26 | 2020-08-14 | 成都云巢智联科技有限公司 | Personal authorization access control system based on state cryptographic algorithm
CN111726348A (en)* | 2020-06-16 | 2020-09-29 | 中国建设银行股份有限公司 | Service processing method, device and system
CN112464194A (en)* | 2020-11-25 | 2021-03-09 | 数字广东网络建设有限公司 | Resource acquisition method and device, computer equipment and storage medium
CN113917961A (en)* | 2021-09-22 | 2022-01-11 | 广西壮族自治区海洋环境监测中心站 | Intelligent laboratory management system and method
CN113821783A (en)* | 2021-09-29 | 2021-12-21 | 北京云歌科技有限责任公司 | Multifunctional security authorization API Key implementation system and method
CN113821783B (en)* | 2021-09-29 | 2022-04-08 | 北京云歌科技有限责任公司 | Multifunctional security authorization API Key implementation system and method
CN115242488A (en)* | 2022-07-20 | 2022-10-25 | 广东瑞普科技股份有限公司 | A domestic network security operation and maintenance system and method
CN117544378A (en)* | 2023-11-21 | 2024-02-09 | 广州方舟信息科技有限公司 | Authorization management method, device, equipment and storage medium

Similar Documents

Publication | Title
CN110545274A (en) | A method, device and system for UMA service based on the integration of witnesses and witnesses
CN107294900B (en) | Identity registration method and device based on biological characteristics
CN111931144B (en) | Unified safe login authentication method and device for operating system and service application
US9673981B1 (en) | Verification of authenticity and responsiveness of biometric evidence and/or other evidence
US8955082B2 (en) | Authenticating using cloud authentication
CN107231331B (en) | Implementation method and device for obtaining and issuing electronic certificates
US20180316507A1 (en) | Methods and systems of revoking an attestation transaction using a centralized or distributed ledger
US20140013108A1 (en) | On-Demand Identity Attribute Verification and Certification For Services
CN108134791A (en) | A kind of data center's total management system login validation method
CN110661800A (en) | Multi-factor identity authentication method supporting guarantee level
JP2014527374A (en) | Identification device and method
CN110535882A (en) | Identity authentication service method and system based on heterogeneous terminal
LU93150B1 (en) | Method for providing secure digital signatures
CN110659467A (en) | A remote user identity authentication method, device, system, terminal and server
CN114531277B (en) | User identity authentication method based on blockchain technology
EP3937037B1 (en) | A system and method for digital identity authentication based on biometric data
CN116112242B (en) | Unified safety authentication method and system for power regulation and control system
US20240305630A1 (en) | Access control to a wireless communication network by authentication based on a biometric print of a user
WO2018109014A1 (en) | Authentication systems and methods
WO2023027756A1 (en) | Secure ledger registration
PRIYA et al. | TRUSTED HYBRID MULTIFACTOR AUTHENTICATION FOR CLOUD USERS.
Nandhashree et al. | Survey on Multi-Factor Authentication in Cloud Computing
HK40047460A (en) | Implementation method and device for acquiring and issuing electronic certificate
CN117014146A (en) | Unified identity authentication method based on double factors
HK1246035A1 (en) | Identity registration method and device based on biological features

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2019-12-06

