CN110659467A - A remote user identity authentication method, device, system, terminal and server - Google Patents

Abstract

Translated fromChinese

本发明公开了一种远程用户身份认证方法、装置、系统、终端及服务器，该方法应用于终端设备，包括：在服务器登陆时，获取按照预设存储方式存储的用户凭证；根据用户凭证，生成登陆请求；将登陆请求发送到服务器，以使服务器根据登陆请求，得到用户凭证和预先存储的第一加密信息，并根据用户凭证、第一加密信息和用户信息，生成认证结果信息；根据服务器返回的认证结果信息，确定登陆情况，并在登陆成功后进行访问操作；可见，本发明通过用户凭证的设置，采用基于共享随机凭证的认证方式完成用户身份认证，从而使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性。

The invention discloses a remote user identity authentication method, device, system, terminal and server. The method is applied to terminal equipment and includes: acquiring user credentials stored in a preset storage mode when logging in to the server; generating user credentials according to the user credentials Login request; send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and generates authentication result information according to the user credential, the first encrypted information and the user information; returns according to the server It can be seen that the present invention uses the authentication method based on shared random credentials to complete the user identity authentication through the setting of user credentials, so that the server does not need to store the user's credentials. The private information reduces the leakage of the user's private information and improves the security of the remote identity authentication system.

Description

Translated fromChinese

一种远程用户身份认证方法、装置、系统、终端及服务器A remote user identity authentication method, device, system, terminal and server

技术领域technical field

本发明涉及计算机技术领域，特别涉及一种远程用户身份认证方法、装置、系统、终端及服务器。The present invention relates to the field of computer technology, and in particular, to a remote user identity authentication method, device, system, terminal and server.

背景技术Background technique

目前，用户的终端设备与服务提供商的服务器之间的交互需要进行远程用户身份认证。传统的远程身份认证系统如图1所示，往往通过共享口令、图案、指纹、社保等用户个人的隐私信息以验证用户身份及其有效性，要求客户提供各类的隐私信息并由服务器存储，即使在服务器中采取加密、保护等措施，也会存在内部泄露和外部攻击等各种形式的大规模数据泄露风险。国内外用户账号、口令等用于远程身份认证的隐私信息泄露事件频发，包括著名的Facebook、Sony等用户账号信息泄露事件，证明目前基于共享隐私信息的远程用户身份认证已不再安全可靠。Currently, the interaction between the user's terminal device and the service provider's server requires remote user identity authentication. The traditional remote identity authentication system, as shown in Figure 1, often verifies user identity and its validity by sharing personal privacy information such as passwords, patterns, fingerprints, social security, etc. Even if encryption, protection and other measures are taken in the server, there will be risks of large-scale data leakage in various forms such as internal leakage and external attacks. There have been frequent incidents of leakage of private information used for remote identity authentication, such as user accounts and passwords at home and abroad, including the famous Facebook, Sony and other user account information leakage incidents, which proves that the current remote user identity authentication based on shared private information is no longer safe and reliable.

因此，如何能够减少用户的隐私信息泄露的情况，提高远程身份认证系统的安全性，增强用户的隐私信息的保护，是现今急需解决的问题。Therefore, how to reduce the leakage of the user's private information, improve the security of the remote identity authentication system, and enhance the protection of the user's private information is an urgent problem to be solved today.

发明内容SUMMARY OF THE INVENTION

本发明的目的是提供一种远程用户身份认证方法、装置、系统、终端及服务器，以实现基于共享随机凭证的远程用户身份认证，减少用户的隐私信息泄露的情况，提高远程身份认证系统的安全性。The purpose of the present invention is to provide a remote user identity authentication method, device, system, terminal and server, so as to realize remote user identity authentication based on shared random credentials, reduce the leakage of users' private information, and improve the security of the remote identity authentication system sex.

为解决上述技术问题，本发明提供一种远程用户身份认证方法，应用于终端设备，包括：In order to solve the above technical problems, the present invention provides a remote user identity authentication method, which is applied to terminal equipment, including:

在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，所述用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数，所述用户信息不包括隐私信息；When logging in to the server, obtain a user credential stored in a preset storage manner; wherein, the user credential is the result of user information and first encrypted information after being encrypted by a first preset, and the first encrypted information includes a first random number, the user information does not include private information;

根据所述用户凭证，生成登陆请求；其中，所述登陆请求包括所述用户信息、加密凭证和第二加密信息，所述加密凭证为所述用户凭证和所述第二加密信息经过第二预设加密后的结果，所述第二加密信息包括第二随机数；According to the user credential, a login request is generated; wherein, the login request includes the user information, the encrypted credential and the second encrypted information, and the encrypted credential is that the user credential and the second encrypted information have undergone a second pre-preparation. Assuming the encrypted result, the second encrypted information includes a second random number;

将所述登陆请求发送到所述服务器，以使所述服务器根据所述登陆请求，得到所述用户凭证和预先存储的所述第一加密信息，并根据所述用户凭证、所述第一加密信息和所述用户信息，生成认证结果信息；Send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and obtains the user credential and the first encrypted information according to the user credential and the first encrypted information. information and the user information to generate authentication result information;

根据所述服务器返回的所述认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。According to the authentication result information returned by the server, the login situation is determined, and the access operation is performed after the login is successful.

可选的，所述预设存储方式为加密存储时，所述获取按照预设存储方式存储的用户凭证，包括：Optionally, when the preset storage mode is encrypted storage, the obtaining the user credentials stored in the preset storage mode includes:

接收采集到的目标隐私信息；Receive the collected target privacy information;

利用所述目标隐私信息，对认证信息进行解密，得到所述用户凭证；其中，所述认证信息为所述终端设备中存储的所述用户凭证经过第三预设加密后的结果。Using the target privacy information, the authentication information is decrypted to obtain the user credential; wherein the authentication information is the result of the third preset encryption of the user credential stored in the terminal device.

可选的，该方法还包括：Optionally, the method further includes:

在所述服务器注册时，向所述服务器发送注册请求，以使所述服务器根据所述注册请求，生成注册结果信息；When the server registers, sending a registration request to the server, so that the server generates registration result information according to the registration request;

接收所述服务器返回的所述注册结果信息，并在注册成功时，按照所述预设存储方式存储所述注册结果信息中的所述用户凭证。The registration result information returned by the server is received, and when the registration is successful, the user credentials in the registration result information are stored according to the preset storage method.

本发明还提供了一种远程用户身份认证装置，应用于终端设备，包括：The present invention also provides a remote user identity authentication device, which is applied to terminal equipment, including:

获取模块，用于在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，所述用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数，所述用户信息不包括隐私信息；The obtaining module is used to obtain the user credential stored in the preset storage mode when logging in to the server; wherein, the user credential is the result of the user information and the first encrypted information after being encrypted by a first preset, and the first encrypted The information includes a first random number, and the user information does not include private information;

生成模块，用于根据所述用户凭证，生成登陆请求；其中，所述登陆请求包括所述用户信息、加密凭证和第二加密信息，所述加密凭证为所述用户凭证和所述第二加密信息经过第二预设加密后的结果，所述第二加密信息包括第二随机数；A generating module, configured to generate a login request according to the user credential; wherein, the login request includes the user information, an encrypted credential and a second encrypted information, and the encrypted credential is the user credential and the second encrypted information The result after the information is encrypted by a second preset, the second encrypted information includes a second random number;

发送模块，用于将所述登陆请求发送到所述服务器，以使所述服务器根据所述登陆请求，得到所述用户凭证和预先存储的所述第一加密信息，并根据所述用户凭证、所述第一加密信息和所述用户信息，生成认证结果信息；A sending module, configured to send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and according to the user credential, The first encrypted information and the user information generate authentication result information;

确定模块，用于根据所述服务器返回的所述认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。The determining module is used for determining the login situation according to the authentication result information returned by the server, and performing an access operation after the login is successful.

本发明还提供了一种终端设备，包括：The present invention also provides a terminal device, comprising:

存储器，用于存储计算机程序；memory for storing computer programs;

处理器，用于执行所述计算机程序时实现如上述任一项所述的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method according to any one of the above when executing the computer program.

本发明还提供了一种远程用户身份认证方法，应用于服务器，包括：The present invention also provides a remote user identity authentication method, applied to the server, including:

接收终端设备发送的登陆请求；其中，所述登陆请求包括用户信息、加密凭证和第二加密信息，所述第二加密信息包括第二随机数；receiving a login request sent by the terminal device; wherein, the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number;

根据所述第二加密信息，对所述加密凭证进行解密，得到用户凭证；其中，所述用户凭证为所述用户信息和所述用户信息对应的第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数；Decrypt the encrypted credential according to the second encrypted information to obtain a user credential; wherein the user credential is the first encrypted information corresponding to the user information and the user information after the first preset encryption. As a result, the first encrypted information includes a first random number;

根据所述用户信息，获取所述用户信息对应的预先存储的校验信息；其中，所述校验信息包括所述第一加密信息；Acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes the first encrypted information;

根据所述用户信息和所述校验信息，确定认证结果，并生成对应的认证结果信息；Determine an authentication result according to the user information and the verification information, and generate corresponding authentication result information;

将所述认证结果信息发送到所述终端设备。Send the authentication result information to the terminal device.

可选的，所述第一预设加密为单向加密时，所述根据所述用户信息和所述校验信息，确定认证结果，包括：Optionally, when the first preset encryption is one-way encryption, the determining the authentication result according to the user information and the verification information includes:

利用所述用户信息和所述第一加密信息进行所述第一预设加密，获取标准用户凭证；Using the user information and the first encrypted information to perform the first preset encryption to obtain a standard user credential;

判断所述用户凭证与所述标准用户凭证是否相同；Determine whether the user credential is the same as the standard user credential;

若是，则确定所述认证结果为认证成功；If yes, then determine that the authentication result is authentication success;

若否，则确定所述认证结果为认证失败。If not, it is determined that the authentication result is authentication failure.

本发明还提供了一种远程用户身份认证装置，应用于服务器，包括：The present invention also provides a remote user identity authentication device, which is applied to the server and includes:

接收模块，用于接收终端设备发送的登陆请求；其中，所述登陆请求包括用户信息、加密凭证和第二加密信息，所述第二加密信息包括第二随机数；a receiving module, configured to receive a login request sent by the terminal device; wherein, the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number;

解密模块，用于根据所述第二加密信息，对所述加密凭证进行解密，得到用户凭证；其中，所述用户凭证为所述用户信息和所述用户信息对应的第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数；a decryption module, configured to decrypt the encrypted credential according to the second encrypted information to obtain a user credential; wherein the user credential is the user information and the first encrypted information corresponding to the user information through the first encrypted Presetting the encrypted result, the first encrypted information includes a first random number;

校验获取模块，用于根据所述用户信息，获取所述用户信息对应的预先存储的校验信息；其中，所述校验信息包括所述第一加密信息；a verification acquisition module, configured to acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes the first encrypted information;

校验模块，用于根据所述用户信息和所述校验信息，确定认证结果，并生成对应的认证结果信息；a verification module, configured to determine an authentication result according to the user information and the verification information, and generate corresponding authentication result information;

结果发送模块，用于将所述认证结果信息发送到所述终端设备。A result sending module, configured to send the authentication result information to the terminal device.

本发明还提供了一种服务器，包括：The present invention also provides a server, including:

存储器，用于存储计算机程序；memory for storing computer programs;

处理器，用于执行所述计算机程序时实现如上述任一项所述的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method according to any one of the above when executing the computer program.

此外，本发明还提供了一种远程用户身份认证系统，包括：In addition, the present invention also provides a remote user identity authentication system, including:

上述终端设备和上述服务器。The above terminal device and the above server.

本发明所提供的一种远程用户身份认证方法，通过用户凭证的设置，可以采用基于共享随机凭证的认证方式完成用户身份认证，使得用户身份验证可以不需要用户的隐私信息，从而可以使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性，增强了对用户的隐私信息的保护。此外，本发明还提供了一种远程用户身份认证装置、系统、终端及服务器。In the remote user identity authentication method provided by the present invention, through the setting of user credentials, the authentication method based on shared random credentials can be used to complete the user identity authentication, so that the user authentication does not require the user's private information, so that the server can There is no need to store the user's private information, which reduces the leakage of the user's private information, improves the security of the remote identity authentication system, and enhances the protection of the user's private information. In addition, the present invention also provides a remote user identity authentication device, system, terminal and server.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本发明的实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据提供的附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to the provided drawings without creative work.

图1为现有技术中基于共享隐私的远程用户身份认证系统的结构示意图；1 is a schematic structural diagram of a remote user identity authentication system based on shared privacy in the prior art;

图2为本发明实施例所提供的一种远程用户身份认证方法的流程图；2 is a flowchart of a remote user identity authentication method provided by an embodiment of the present invention;

图3为本发明实施例所提供的一种远程用户身份认证系统的认证过程示意图；3 is a schematic diagram of an authentication process of a remote user identity authentication system according to an embodiment of the present invention;

图4为本发明实施例所提供的另一种远程用户身份认证方法的流程图；4 is a flowchart of another remote user identity authentication method provided by an embodiment of the present invention;

图5为本发明实施例所提供的一种远程用户身份认证系统的注册过程示意图；5 is a schematic diagram of a registration process of a remote user identity authentication system provided by an embodiment of the present invention;

图6为本发明实施例所提供的一种远程用户身份认证装置的结构框图；6 is a structural block diagram of a remote user identity authentication device provided by an embodiment of the present invention;

图7为本发明实施例所提供的另一种远程用户身份认证方法的流程图；7 is a flowchart of another remote user identity authentication method provided by an embodiment of the present invention;

图8为本发明实施例所提供的另一种远程用户身份认证装置的结构框图。FIG. 8 is a structural block diagram of another remote user identity authentication apparatus provided by an embodiment of the present invention.

具体实施方式Detailed ways

为使本发明实施例的目的、技术方案和优点更加清楚，下面将结合本发明实施例中的附图，对本发明实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例是本发明一部分实施例，而不是全部的实施例。基于本发明中的实施例，本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本发明保护的范围。In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments These are some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

请参考图2，图2为本发明实施例所提供的一种远程用户身份认证方法的流程图。该方法应用与终端设备，可以包括：Please refer to FIG. 2. FIG. 2 is a flowchart of a remote user identity authentication method provided by an embodiment of the present invention. The method is applied to terminal equipment, which may include:

步骤101：在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，第一加密信息包括第一随机数，用户信息不包括隐私信息。Step 101: When logging in to the server, obtain a user credential stored in a preset storage mode; wherein, the user credential is the result of user information and first encrypted information after being encrypted by a first preset, and the first encrypted information includes a first random number , user information does not include private information.

具体的，本实施例中执行远程用户身份认证方法的终端设备可以为用户所使用的具有计算、存储和通信功能的设备。本实施例中并不限定终端设备的具体类型，如终端设备可以包括智能手机、平板电脑、笔记本电脑、工作站、数字助理和可穿戴式智能设备等。Specifically, the terminal device that executes the remote user identity authentication method in this embodiment may be a device used by the user with functions of computing, storage, and communication. The specific type of the terminal device is not limited in this embodiment, for example, the terminal device may include a smart phone, a tablet computer, a notebook computer, a workstation, a digital assistant, a wearable smart device, and the like.

可以理解的是，本步骤中的用户凭证可以为终端设备登录到服务器时，所需使用的认证凭证(AC，authentication credit)，即服务器可以利用用户凭证完成用户身份认证。本实施例中的用户凭证为用户信息和第一加密信息经过第一预设加密后的结果；上述用户信息为用户身份对应的信息，如用户名；上述第一加密信息为第一预设加密过程中所需使用的加密信息，如随机数和系统主密钥等。上述的隐私信息可以为用户不希望被自己以外其他人所使用的个人信息，本实施例并不限定隐私信息的具体类型，如隐私信息可以包括记忆(例如口令、图案、爱好和知识等)、生物特征(例如指纹、面部、虹膜、视网膜、声音和掌型等)、个人信息(例如手机号码、家庭住址、工作单位和社保记录等)和人脉关系(例如工作关系、社交关系和家庭关系等)等。It can be understood that the user credential in this step may be an authentication credential (AC, authentication credit) required when the terminal device logs in to the server, that is, the server can use the user credential to complete user identity authentication. The user credential in this embodiment is the result of the user information and the first encrypted information after being encrypted by the first preset; the above-mentioned user information is the information corresponding to the user identity, such as the user name; the above-mentioned first encrypted information is the first preset encryption Encrypted information used in the process, such as random numbers and system master keys. The above-mentioned privacy information can be personal information that the user does not want to be used by others other than himself. This embodiment does not limit the specific type of privacy information. Biometrics (such as fingerprints, face, iris, retina, voice and palm shape, etc.), personal information (such as mobile phone number, home address, work unit and social security records, etc.) and personal relationships (such as work relationship, social relationship and family relationship, etc.) )Wait.

对应的，上述的第一预设加密可以为利用第一加密信息对用户信息进行加密的加密方法。本实施例并不限定第一预设加密的具体类型，第一预设加密可以为加密后能够被恢复的加密方法，如利用对称加密函数进行的对称加密、利用非对称加密函数进行的非对称加密和利用签名函数进行的数字签名加密等；为了避免因用户个人的用户凭证泄露，造成服务器中的密钥(如第一加密信息中的系统主密钥)被破解情况发生，第一预设加密也可以为加密后不能被恢复的加密方法，如利用单向函数进行的单向加密。Correspondingly, the above-mentioned first preset encryption may be an encryption method for encrypting user information by using the first encryption information. This embodiment does not limit the specific type of the first preset encryption. The first preset encryption may be an encryption method that can be recovered after encryption, such as symmetric encryption using a symmetric encryption function, asymmetric encryption using an asymmetric encryption function Encryption and digital signature encryption using signature functions, etc.; in order to avoid the occurrence of cracking of the key in the server (such as the system master key in the first encrypted information) due to the leakage of the user's personal user credentials, the first preset The encryption can also be an encryption method that cannot be recovered after encryption, such as one-way encryption using a one-way function.

具体的，上述对称加密包含但不限于以下具有相同加密和解密密钥的方法：国际对称加密标准(AES、DES等)及其变形方法、国内对称加密标准(SM系列)及其变形方法等。本实施例中简单利用异或操作代替加密以简化说明，即操作因子相同时，异或操作可以被视为对称加密。上述非对称加密包含但不限于以下具有不相同加密和解密密钥的方法：国际非对称加密标准(RSA等)及其变形方法、国内非对称加密标准(SM系列)及其变形方法等。上述数字签名加密包含但不限于以下具有数字签名和验证功能的方法：国际签名算法标准(DSA等)及其变形方法、国内签名标准以及变形方法等。上述单向加密包含但不限于以下具有单向可计算、逆向不可恢复特点的方法：国际哈希函数标准(SHA系列、MD系列等)及其变形方法、国内哈希函数标准(SM系列)及其变形方法等。Specifically, the above-mentioned symmetric encryption includes but is not limited to the following methods with the same encryption and decryption keys: international symmetric encryption standards (AES, DES, etc.) and their variants, domestic symmetric encryption standards (SM series) and their variants, etc. In this embodiment, the XOR operation is simply used instead of encryption to simplify the description, that is, when the operation factors are the same, the XOR operation can be regarded as symmetric encryption. The above-mentioned asymmetric encryption includes but is not limited to the following methods with different encryption and decryption keys: the international asymmetric encryption standard (RSA, etc.) and its variants, the domestic asymmetric encryption standards (SM series) and its variants, etc. The above-mentioned digital signature encryption includes, but is not limited to, the following methods with digital signature and verification functions: International Signature Algorithm Standard (DSA, etc.) and its variant method, domestic signature standard and variant method, etc. The above-mentioned one-way encryption includes but is not limited to the following methods with the characteristics of one-way computability and reverse irreversibility: international hash function standards (SHA series, MD series, etc.) and their deformation methods, domestic hash function standards (SM series) and its deformation method, etc.

需要说明的是，对于本步骤中用户凭证的具体内容，可以由设计人员根据实用场景和用户需求自行设置，如终端设备在服务器中注册成功后，服务器返回用户凭证时，服务器可以利用系统主密钥生成用户凭证，例如：AC＝hash(S||ID||r)，其中，AC可以为用户凭证，hash可以为哈希函数，S可以为系统主密钥，||可以为字符连接，r可以为随机数(即第一随机数)，ID可以为用户名。It should be noted that the specific content of the user credentials in this step can be set by the designer according to practical scenarios and user needs. For example, after the terminal device is successfully registered in the server, when the server returns the user credentials, the server can use the system master password. key to generate user credentials, for example: AC=hash(S||ID||r), where AC can be a user credential, hash can be a hash function, S can be a system master key, || can be a character connection, r can be a random number (ie, the first random number), and the ID can be a user name.

对应的，服务器中需要设定系统安全参数、配置访问控制列表并制定访问控制策略，包括：系统主密钥(S)的安全长度、安全等级和安全存储等各方面要求；生成的用户凭证(AC)必须包含随机因子(随机数)，二者也必须满足安全长度、安全等级和安全存储等各方面要求。Correspondingly, the server needs to set system security parameters, configure access control lists and formulate access control policies, including: the security length, security level and security storage requirements of the system master key (S); the generated user credentials ( AC) must contain a random factor (random number), and both must also meet the requirements of security length, security level and security storage.

具体的，对于本步骤中终端设备需要在服务器登陆时，获取按照预设存储方式存储的用户凭证的具体方式，即预设存储方式的具体设置，可以由设计人员或用户自行设置，如预设存储方式为直接存储时，终端设备可以直接获取存储的用户凭证，例如用户在终端设备认证其为合法持有者之后，可以打开服务器对应的客户端，使客户端直接获取存储的用户凭证，或使客户端在对采集的当前用户的隐私信息(如口令或指纹)与本地存储的标准隐私信息对比认证成功后，获取存储的用户凭证；预设存储方式为加密存储时，终端设备可以先对存储的用户凭证经过加密后的结果进行解密，获取用户凭证，即终端设备可以不直接存储用户凭证，而是存储用户凭证经过加密后的结果。Specifically, in this step, when the terminal device needs to log in to the server, the specific method of acquiring the user credentials stored in the preset storage mode, that is, the specific settings of the preset storage mode, can be set by the designer or the user, such as preset storage mode. When the storage method is direct storage, the terminal device can directly obtain the stored user credentials. For example, after the terminal device authenticates the user as the legal holder, the user can open the client corresponding to the server, so that the client can directly obtain the stored user credentials, or Enable the client to obtain the stored user credentials after successfully comparing and authenticating the collected private information (such as password or fingerprint) of the current user with the standard private information stored locally; when the default storage method is encrypted storage, the terminal device can The encrypted result of the stored user credential is decrypted to obtain the user credential, that is, the terminal device may not directly store the user credential, but store the encrypted result of the user credential.

对应的，预设存储方式为加密存储时，用户的终端设备收到服务器返回的认证凭证后，利用自己的隐私信息(如口令和指纹等信息)加密用户凭证生成认证信息(AI，authentication information)并存储，加密过程可以需要对隐私信息进行处理，如哈希处理以获取与用户凭证等长度的信息并进行异或加密。例如F₁(PW)+F₂(FP)+AC＝AI并且AC＝AI-F₁(PW)-F₂(FP)，其中，F₁和F₂都可以为相关处理函数，如F₁可以为哈希函数、F₂可以为指纹提取函数，PW可以为口令信息，FP可以为指纹信息，AC可以为用户凭证，AI可以为认证信息，上述公式中的加减法也可以由异或操作或对称加密函数取代，只要保证终端设备可以利用正确的口令信息(PW)和指纹信息(FP)将认证信息恢复为正确的用户凭证(AC)，本实施例对此不做任何限制。Correspondingly, when the default storage method is encrypted storage, after the user's terminal device receives the authentication credential returned by the server, it uses its own private information (such as password and fingerprint information) to encrypt the user credential to generate authentication information (AI, authentication information). And storage, the encryption process may need to process private information, such as hashing to obtain information of the same length as the user's credentials and perform XOR encryption. For example, F₁ (PW)+F₂ (FP)+AC=AI and AC=AI-F₁ (PW)-F₂ (FP), where both F₁ and F₂ can be related processing functions, such as F₁ Can be a hash function, F₂ can be a fingerprint extraction function, PW can be password information, FP can be fingerprint information, AC can be user credentials, AI can be authentication information, the addition and subtraction in the above formula can also be XORed Operation or symmetric encryption function is replaced, as long as it is guaranteed that the terminal device can use the correct password information (PW) and fingerprint information (FP) to restore the authentication information to the correct user credential (AC), this embodiment does not impose any restrictions on this.

也就是说，本步骤可以包括接收采集到的目标隐私信息；利用目标隐私信息，对认证信息进行解密，得到用户凭证的步骤；其中，认证信息为终端设备中存储的用户凭证经过第三预设加密后的结果，第三预设加密可以为加密后能够被恢复的加密方法，如对称加密。上述目标隐私信息可以为对认证信息进行解密所需的隐私信息，如上述口令信息(PW)和指纹信息(FP)。That is to say, this step may include the steps of receiving the collected target privacy information; using the target privacy information to decrypt the authentication information to obtain the user credential; wherein the authentication information is the user credential stored in the terminal device through a third preset As a result of encryption, the third preset encryption may be an encryption method that can be recovered after encryption, such as symmetric encryption. The above-mentioned target privacy information may be the privacy information required for decrypting the authentication information, such as the above-mentioned password information (PW) and fingerprint information (FP).

具体的，本实施例中用户凭证进行第三预设加密所使用的隐私信息需要安全相关要求，如口令信息需满足口令安全相关要求(长度、大小写等)，生物特征的提取方法(指纹、面部等)必须满足安全相关要求；加密后的用户凭证(认证信息)的存储以及访问控制方法必须满足相关要求。Specifically, in this embodiment, the privacy information used for the third preset encryption of the user credentials requires security-related requirements. For example, the password information must meet the password security-related requirements (length, case, etc.), and the extraction method of biometric features (fingerprint, face, etc.) must meet security-related requirements; storage of encrypted user credentials (authentication information) and access control methods must meet relevant requirements.

进一步的，终端设备利用采集到的当前用户的目标隐私信息，进行认证信息的解密得到用户凭证后，可以判断该用户凭证是否为正确的用户凭证(标准用户凭证)，即注册成功后服务器返回的用户凭证，如终端设备在注册成功后接收服务器返回的用户凭证(标准用户凭证)之后，不仅可以通过第三预设加密对标准用户凭证进行加密存储，还可以通过第四预设加密对标准用户凭证进行加密存储，从而在利用目标隐私信息对通过第三预设加密后存储的标准用户凭证(认证信息)解密得到用户凭证后，同样通过第四预设加密对该用户凭证进行加密，利用比较加密后的该用户凭证与通过第四预设加密的标准用户凭证，确定解密得到该用户凭证是否为标准用户凭证。Further, after the terminal device uses the collected target privacy information of the current user to decrypt the authentication information to obtain the user credential, it can determine whether the user credential is the correct user credential (standard user credential), that is, the server returns the credential after successful registration. User credentials, for example, after the terminal device receives the user credentials (standard user credentials) returned by the server after successful registration, it can not only encrypt and store the standard user credentials through the third preset encryption, but also encrypt and store the standard user credentials through the fourth preset encryption. The credentials are encrypted and stored, so that after using the target privacy information to decrypt the standard user credentials (authentication information) stored through the third preset encryption to obtain the user credentials, the user credentials are also encrypted through the fourth preset encryption, and the comparison The encrypted user credential and the standard user credential encrypted by the fourth preset determine whether the decrypted user credential is a standard user credential.

对应的，第四预设加密可以为加密后不能被恢复的加密方法，如利用单向函数(例如哈希函数)进行的单向加密。也就是说，若利用目标隐私信息，对认证信息进行解密，得到用户凭证与标准用户凭证相同，则该用户凭证通过第四预设加密的结果与标准用户凭证通过第四预设加密的结果相对应(如相同)，从而可以利用两个通过第四预设加密的结果的比较，确定采集的目标隐私信息是否正确，避免由于采集的目标隐私信息不正确，所造成的登陆失败。Correspondingly, the fourth preset encryption may be an encryption method that cannot be recovered after encryption, such as one-way encryption using a one-way function (eg, a hash function). That is to say, if the target privacy information is used to decrypt the authentication information, and the obtained user credential is the same as the standard user credential, the result of the fourth preset encryption of the user credential is the same as the result of the standard user credential encrypted by the fourth preset encryption. Corresponding (if the same), thus it can be determined whether the collected target privacy information is correct by using the comparison of the two results encrypted by the fourth preset, so as to avoid the login failure caused by the incorrect collected target privacy information.

步骤102：根据用户凭证，生成登陆请求；其中，登陆请求包括用户信息、加密凭证和第二加密信息，加密凭证为用户凭证和第二加密信息经过第二预设加密后的结果，第二加密信息包括第二随机数。Step 102: Generate a login request according to the user credential; wherein, the login request includes the user information, the encrypted credential and the second encrypted information, and the encrypted credential is the result of the user credential and the second encrypted information after the second preset encryption, and the second encrypted The information includes a second random number.

可以理解的是，本步骤的目的可以为终端设备利用加密凭证的生成，通过随机化用户凭证方式产生登录请求并发送给服务器。具体的，本步骤中加密凭证生成时所使用的加密方法，即第二预设加密，可以为加密后能够被恢复的加密方法，如数字签名加密、对称加密和非对称加密等，以使服务器可以根据登录请求中的第二加密信息对加密凭证进行解密恢复，得到用户凭证。It can be understood that the purpose of this step may be for the terminal device to generate a login request by randomizing the user credential by generating an encrypted credential and send it to the server. Specifically, the encryption method used when the encryption certificate is generated in this step, that is, the second preset encryption, can be an encryption method that can be recovered after encryption, such as digital signature encryption, symmetric encryption, and asymmetric encryption, so that the server can The encrypted credential can be decrypted and recovered according to the second encrypted information in the login request to obtain the user credential.

具体的，对于登陆请求的具体内容，可以由设计人员自行设置，如登陆请求(LR)可以为LR＝F_key(AC||random||timestamp)||ID||random||timestamp，其中，F可以为对称加密或非对称加密，key可以为密钥，random可以为随机数(即第二加密信息中的第二随机数)，timestamp可以为第二加密信息中的时间戳，ID可以为用户信息，如用户名，F_key(AC||random||timestamp)可以为加密凭证；也就是说，第二预设加密为对称加密或非对称加密时，若服务器中存储有解密加密凭证所需的密钥，登陆请求中可以不包括该密钥；反之登陆请求中可以包括解密加密凭证所需的密钥。Specifically, the specific content of the login request can be set by the designer. For example, the login request (LR) can be LR=F_key (AC||random||timestamp)||ID||random||timestamp, where, F can be symmetric encryption or asymmetric encryption, key can be a key, random can be a random number (that is, the second random number in the second encrypted message), timestamp can be a timestamp in the second encrypted message, and ID can be User information, such as user name, F_key (AC||random||timestamp) can be an encryption certificate; that is to say, when the second default encryption is symmetric encryption or asymmetric encryption, if the decryption encryption certificate is stored in the server. The key required for the login request may not be included in the login request; otherwise, the login request may include the key required to decrypt the encrypted certificate.

如图3所示，用户在终端设备认证其合法持有者之后，可以打开服务器对应的客户端，输入口令信息(PW)和指纹信息(FP)等隐私信息，将用户凭证AC＝AI-F1(PW)-F2(FP)恢复，并输入用户名(ID)通过随机化AC的方式产生登录请求(LR)。As shown in Figure 3, after the terminal device authenticates its legal holder, the user can open the client corresponding to the server, enter the password information (PW) and fingerprint information (FP) and other privacy information, and set the user credential AC=AI-F1 (PW)-F2 (FP) resume, and enter the user name (ID) to generate a login request (LR) by randomizing the AC.

步骤103：将登陆请求发送到服务器，以使服务器根据登陆请求，得到用户凭证和预先存储的第一加密信息，并根据用户凭证、第一加密信息和用户信息，生成认证结果信息。Step 103: Send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and generates authentication result information according to the user credential, the first encrypted information and the user information.

可以理解的是，本步骤的目的可以为终端设备通过将登陆请求发送到服务器，使服务器可以利用登陆请求进行用户身份认证，得到认证结果信息。It can be understood that the purpose of this step may be for the terminal device to send the login request to the server, so that the server can use the login request to perform user identity authentication and obtain authentication result information.

具体的，如图3所示，服务器可以先根据登陆请求中的第二加密信息对登陆请求中的加密凭证进行解密，从而恢复得到对应的用户凭证，在利用该用户凭证与登陆请求中的用户信息和存储的用户信息对应的第一加密信息的对比，确定该用户凭证是否有效，从而得到对应的应答(认证结果信息)。Specifically, as shown in FIG. 3, the server can first decrypt the encrypted credential in the login request according to the second encrypted information in the login request, so as to recover the corresponding user credential. The information is compared with the first encrypted information corresponding to the stored user information to determine whether the user credential is valid, so as to obtain a corresponding response (authentication result information).

对应的，对于上述利用该用户凭证与登陆请求中的用户信息和存储的用户信息对应的第一加密信息的对比，确定该用户凭证是否有效的具体方式，可以由设计人员自行设置，如第一预设加密为加密后能够被恢复的加密方法时，服务器可以对该用户凭证进行解密，通过解密结果与存储的用户信息对应的第一加密信息的对比，确定该用户凭证是否有效；第一预设加密为加密后不能被恢复的加密方法时，服务器可以利用登陆请求中的用户信息和存储的用户信息对应的第一加密信息经过第一预设加密生成新的用户凭证(标准用户凭证)，通过新的用户凭证与该用户凭证的对比，确定该用户凭证是否有效，如服务器收到登录请求(LR)后，可以利用存储的列表查找用户名(ID)并利用系统主密钥(S)、ID和第一随机数(r)加密恢复的用户凭证AC＝hash(S||ID||r)并认证用户登录请求LR的合法性。即服务器中可以不直接存储用户凭证，而是存储生成用户凭证所需的第一加密信息，避免因存储的用户凭证泄露，造成用户损失的情况。Correspondingly, for the above-mentioned comparison of the user credential with the user information in the login request and the first encrypted information corresponding to the stored user information, the specific method for determining whether the user credential is valid can be set by the designer, such as the first encryption method. When the preset encryption is an encryption method that can be recovered after encryption, the server may decrypt the user credential, and determine whether the user credential is valid by comparing the decryption result with the first encrypted information corresponding to the stored user information; When setting encryption as an encryption method that cannot be recovered after encryption, the server can utilize the user information in the login request and the first encrypted information corresponding to the stored user information to generate a new user credential (standard user credential) through the first preset encryption, Determine whether the user credential is valid by comparing the new user credential with the user credential. For example, after the server receives the login request (LR), it can use the stored list to find the user name (ID) and use the system master key (S) , ID and first random number (r) encrypt the recovered user credential AC=hash(S||ID||r) and authenticate the legitimacy of the user login request LR. That is, the server may not directly store the user credential, but store the first encrypted information required for generating the user credential, so as to avoid the loss of the user due to the leakage of the stored user credential.

步骤104：根据服务器返回的认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。Step 104: Determine the login situation according to the authentication result information returned by the server, and perform an access operation after the login is successful.

可以理解的是，本步骤的目的可以为终端设备根据服务器返回的认证结果信息，确定登陆情况，即是否登陆成功，从而在登录成功后进行后续的访问操作；对应的，登录失败后，通过如显示屏的提示部件，提示用户需要重新登录服务器。It can be understood that the purpose of this step can be for the terminal device to determine the login status according to the authentication result information returned by the server, that is, whether the login is successful, so as to perform subsequent access operations after the login is successful; The prompt part of the display screen prompts the user to log in to the server again.

具体的，对于本步骤中终端设备在登陆成功后进行访问操作的具体方式，可以采用与现有技术中终端设备登录服务器后的访问操作相同或相似的方式实现，本实施例对此不做任何限制。Specifically, the specific manner in which the terminal device performs the access operation after the login is successful in this step can be implemented in the same or similar manner as the access operation after the terminal device logs in to the server in the prior art, and this embodiment does not do anything to this. limit.

进一步的，如图3所示，服务器认证成功后返回的认证结果信息中可以包含相互认证的消息，终端设备通过用户凭证认证服务器随机化后的消息正确性。如有安全通信要求，双方还可以生成临时的会话密钥。相互认证和会话密钥的生成方式可以自由设定，包含但不限于认证的Diffier-Hellman密钥协商方法等，其最终目的是完成用户的终端设备对于服务器的认证以防止伪装服务器攻击并完成临时会话密钥的生成以保障后续通信的安全。Further, as shown in FIG. 3 , the authentication result information returned by the server after successful authentication may include a message of mutual authentication, and the terminal device authenticates the correctness of the message after randomization by the server through the user credential. Both parties can also generate temporary session keys if required for secure communication. Mutual authentication and session key generation methods can be freely set, including but not limited to the authenticated Diffier-Hellman key agreement method, etc. The ultimate purpose is to complete the authentication of the user's terminal device to the server to prevent masquerading server attacks and complete temporary Session key generation to secure subsequent communications.

本实施例中，本发明实施例通过用户凭证的设置，可以采用基于共享随机凭证的认证方式完成用户身份认证，使得用户身份验证可以不需要用户的隐私信息，从而可以使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性，增强了对用户的隐私信息的保护。In this embodiment, through the setting of user credentials, the embodiment of the present invention can use an authentication method based on shared random credentials to complete user identity authentication, so that user identity authentication does not require the user's private information, so that the server does not need to store the user's private information. It reduces the leakage of users' private information, improves the security of the remote identity authentication system, and enhances the protection of users' private information.

基于上述实施例，本实施例所提供的远程用户身份认证方法，还可以包括终端设备在服务器中注册的过程。终端设备在服务器中注册的过程可以如图4所示，应用于终端设备，可以包括：Based on the foregoing embodiment, the remote user identity authentication method provided in this embodiment may further include a process of registering the terminal device in the server. The process of registering the terminal device in the server may be as shown in FIG. 4, applied to the terminal device, and may include:

步骤201：在服务器注册时，向服务器发送注册请求，以使服务器根据注册请求，生成注册结果信息。Step 201: When the server is registered, a registration request is sent to the server, so that the server generates registration result information according to the registration request.

具体的，本步骤中的注册请求可以为用户使用终端设备在服务器注册所需的请求。对于注册请求的具体内容，可以由设计人员自行设置，如服务器需要确保注册用户的身份合法时，注册请求可以包括能够证明用户身份的隐私信息，如身份证号和姓名等，从而使服务器可以自身或通过第三方认证机构确定注册用户的身份合法性，对应的，服务器在确认注册用户的身份合法后，不必存储注册请求中的隐私信息；注册请求也可以包括第三方认证机构提供的合法性证明信息，如终端设备可以直接将能够证明用户身份的隐私信息发送到第三方认证机构，并根据第三方认证机构返回的合法性证明信息生成注册请求，使隐私信息不需要传输到服务器。Specifically, the registration request in this step may be a request required by the user to register with the server using the terminal device. The specific content of the registration request can be set by the designer. For example, when the server needs to ensure that the identity of the registered user is legal, the registration request can include private information that can prove the user's identity, such as ID number and name, so that the server can itself Or determine the legitimacy of the registered user's identity through a third-party certification body. Correspondingly, after confirming that the registered user's identity is legal, the server does not need to store the private information in the registration request; the registration request can also include the legality certificate provided by the third-party certification body. Information, such as the terminal device can directly send the private information that can prove the user's identity to the third-party certification body, and generate a registration request according to the legality certification information returned by the third-party certification body, so that the private information does not need to be transmitted to the server.

对应的，如图5所示，终端设备向服务器发送的注册请求中包含系统要求选择的隐私信息时，可以终端设备通过安全信道将注册请求发送到服务器，服务器在确认用户请求以及身份的合法性之后；若不合法，可以生成注册不成功的注册结果信息；若合法，可以生成包含用户凭证的注册结果信息，提示终端设备注册成功。如利用系统主密钥(S)、随机数(r)和用户名(ID)，通过AC＝hash(S||ID||r)，生成用户凭证。对应的，注册请求中可以包括用户名(ID)；也可以不包括用户名(ID)，若注册请求中不包括用户名(ID)，则服务器向终端设备返回的注册结果信息中不仅包括用户凭证，还包括服务器生成的用户名(ID)。Correspondingly, as shown in Figure 5, when the registration request sent by the terminal device to the server contains the privacy information required by the system, the terminal device can send the registration request to the server through a secure channel, and the server confirms the validity of the user request and identity. After that; if it is illegal, the registration result information that the registration is unsuccessful can be generated; if it is legal, the registration result information including the user credentials can be generated, indicating that the terminal device is successfully registered. For example, using the system master key (S), random number (r) and user name (ID), through AC=hash(S||ID||r), the user credential is generated. Correspondingly, the user name (ID) may be included in the registration request; it may not include the user name (ID), if the user name (ID) is not included in the registration request, the registration result information returned by the server to the terminal device not only includes the user name (ID). Credentials, including the server-generated username (ID).

步骤202：接收服务器返回的注册结果信息，并在注册成功时，按照预设存储方式存储注册结果信息中的用户凭证。Step 202: Receive the registration result information returned by the server, and when the registration is successful, store the user credentials in the registration result information according to a preset storage method.

具体的，如图5所示，终端设备可以为利用用户的隐私信息对注册结果信息中的用户凭证进行加密存储，以避免用户自身的用户凭证的泄露。Specifically, as shown in FIG. 5 , the terminal device may encrypt and store the user credentials in the registration result information by using the user's private information, so as to avoid leakage of the user's own user credentials.

基于上述实施例，本实施例所提供的远程用户身份认证方法，还可以包括终端设备在服务器中注销的过程，例如用户可以使用终端设备向服务器发送注销请求，在服务器确认用户的合法身份后，可以删除访问列表中对应的用户信息(如用户名)和第一加密信息(如第一随机数)，使用户无法利用用户名和之前的用户凭证登录服务器。Based on the above embodiment, the remote user identity authentication method provided in this embodiment may further include a process of logging out the terminal device in the server. For example, the user may use the terminal device to send a logout request to the server. The corresponding user information (eg, user name) and first encrypted information (eg, first random number) in the access list can be deleted, so that the user cannot log in to the server by using the user name and previous user credentials.

基于上述实施例，本实施例所提供的远程用户身份认证方法，还可以包括终端设备在服务器中再注册的过程，如用户仅需使用终端设备在再一次执行一次在服务器中注册的过程，即可实现在服务器中的再注册，再注册过程由于第一随机数的存在以及如单向加密中利用的单向函数的防碰撞性质，用户凭证重复的可能性几乎可以忽略不计，不存在相同用户凭证的可能。Based on the above embodiments, the remote user identity authentication method provided in this embodiment may further include a process of re-registering the terminal device in the server. For example, the user only needs to use the terminal device to perform the process of registering in the server again, that is, Re-registration in the server can be realized. Due to the existence of the first random number and the anti-collision property of the one-way function used in one-way encryption, the possibility of user credential duplication is almost negligible, and there is no identical user Credentials possible.

请参考图6，图6为本发明实施例所提供的一种远程用户身份认证装置的结构框图。该装置应用于终端设备，可以包括：Please refer to FIG. 6 , which is a structural block diagram of a remote user identity authentication apparatus according to an embodiment of the present invention. The device is applied to terminal equipment and may include:

获取模块11，用于在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，第一加密信息包括第一随机数，用户信息不包括隐私信息；The obtainingmodule 11 is used to obtain user credentials stored in a preset storage mode when logging in to the server; wherein, the user credentials are the result of the user information and the first encrypted information being encrypted by the first preset, and the first encrypted information includes the first encrypted information. A random number, user information does not include private information;

生成模块12，用于根据用户凭证，生成登陆请求；其中，登陆请求包括用户信息、加密凭证和第二加密信息，加密凭证为用户凭证和第二加密信息经过第二预设加密后的结果，第二加密信息包括第二随机数；The generatingmodule 12 is configured to generate a login request according to the user credentials; wherein, the login request includes user information, encryption credentials and second encryption information, and the encryption credentials are the result of the user credentials and the second encryption information being encrypted by a second preset, The second encrypted information includes a second random number;

发送模块13，用于将登陆请求发送到服务器，以使服务器根据登陆请求，得到用户凭证和预先存储的第一加密信息，并根据用户凭证、第一加密信息和用户信息，生成认证结果信息；The sendingmodule 13 is used to send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and generates authentication result information according to the user credential, the first encrypted information and the user information;

确定模块14，用于根据服务器返回的认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。The determiningmodule 14 is used for determining the login situation according to the authentication result information returned by the server, and performing an access operation after the login is successful.

本实施例中，本发明实施例通过用户凭证的设置，可以采用基于共享随机凭证的认证方式完成用户身份认证，使得用户身份验证可以不需要用户的隐私信息，从而可以使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性，增强了对用户的隐私信息的保护。In this embodiment, through the setting of user credentials, the embodiment of the present invention can use an authentication method based on shared random credentials to complete user identity authentication, so that user identity authentication does not require the user's private information, so that the server does not need to store the user's private information. It reduces the leakage of users' private information, improves the security of the remote identity authentication system, and enhances the protection of users' private information.

本发明实施例还提供了一种终端设备，包括：The embodiment of the present invention also provides a terminal device, including:

存储器，用于存储计算机程序；memory for storing computer programs;

处理器，用于执行计算机程序时实现如上述任一实施例所提供的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method provided by any of the foregoing embodiments when executing the computer program.

请参考图7，图7为本发明实施例所提供的另一种远程用户身份认证方法的流程图。该方法应用于服务器，可以包括：Please refer to FIG. 7 , which is a flowchart of another remote user identity authentication method provided by an embodiment of the present invention. The method is applied to the server and can include:

步骤301：接收终端设备发送的登陆请求；其中，登陆请求包括用户信息、加密凭证和第二加密信息，第二加密信息包括第二随机数。Step 301: Receive a login request sent by a terminal device; wherein the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number.

步骤302：根据第二加密信息，对加密凭证进行解密，得到用户凭证；其中，用户凭证为用户信息和用户信息对应的第一加密信息经过第一预设加密后的结果，第一加密信息包括第一随机数。Step 302: Decrypt the encrypted credential according to the second encrypted information to obtain a user credential; wherein the user credential is the result of the user information and the first encrypted information corresponding to the user information after being encrypted by a first preset, and the first encrypted information includes first random number.

步骤303：根据用户信息，获取用户信息对应的预先存储的校验信息；其中，校验信息包括第一加密信息。Step 303: Acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes first encrypted information.

步骤304：根据用户信息和校验信息，确定认证结果，并生成对应的认证结果信息。Step 304: Determine the authentication result according to the user information and the verification information, and generate corresponding authentication result information.

可选的，第一预设加密为加密后不能被恢复的加密方法(如单向加密)时，本步骤可以包括：利用用户信息和第一加密信息进行第一预设加密，获取标准用户凭证；判断用户凭证与标准用户凭证是否相同；若是，则确定认证结果为认证成功；若否，则确定认证结果为认证失败。即服务器中可以不直接存储用户凭证(标准用户凭证)，而是存储生成用户凭证所需的第一加密信息，避免因存储的用户凭证泄露，造成用户损失的情况。Optionally, when the first preset encryption is an encryption method that cannot be recovered after encryption (such as one-way encryption), this step may include: using the user information and the first encryption information to perform the first preset encryption, and obtaining standard user credentials. ; Determine whether the user credential is the same as the standard user credential; if so, determine that the authentication result is authentication success; if not, determine that the authentication result is authentication failure. That is, the server may not directly store the user credential (standard user credential), but store the first encrypted information required to generate the user credential, so as to avoid the user's loss due to leakage of the stored user credential.

步骤305：将认证结果信息发送到终端设备。Step 305: Send the authentication result information to the terminal device.

本实施例中，本发明实施例通过用户凭证的设置，可以采用基于共享随机凭证的认证方式完成用户身份认证，使得用户身份验证可以不需要用户的隐私信息，从而可以使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性，增强了对用户的隐私信息的保护。In this embodiment, through the setting of user credentials, the embodiment of the present invention can use an authentication method based on shared random credentials to complete user identity authentication, so that user identity authentication does not require the user's private information, so that the server does not need to store the user's private information. It reduces the leakage of users' private information, improves the security of the remote identity authentication system, and enhances the protection of users' private information.

请参考图8，图8为本发明实施例所提供的另一种远程用户身份认证装置的结构框图。该装置应用于服务器，可以包括：Please refer to FIG. 8 , which is a structural block diagram of another remote user identity authentication apparatus provided by an embodiment of the present invention. The device is applied to a server and may include:

接收模块21，用于接收终端设备发送的登陆请求；其中，登陆请求包括用户信息、加密凭证和第二加密信息，第二加密信息包括第二随机数；The receivingmodule 21 is configured to receive a login request sent by the terminal device; wherein, the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number;

解密模块22，用于根据第二加密信息，对加密凭证进行解密，得到用户凭证；其中，用户凭证为用户信息和用户信息对应的第一加密信息经过第一预设加密后的结果，第一加密信息包括第一随机数；Thedecryption module 22 is configured to decrypt the encrypted credential according to the second encrypted information to obtain the user credential; wherein the user credential is the result of the user information and the first encrypted information corresponding to the user information after being encrypted by the first preset, the first The encrypted information includes a first random number;

校验获取模块23，用于根据用户信息，获取用户信息对应的预先存储的校验信息；其中，校验信息包括第一加密信息；Theverification acquisition module 23 is configured to acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes the first encrypted information;

校验模块24，用于根据用户信息和校验信息，确定认证结果，并生成对应的认证结果信息；Theverification module 24 is used to determine the authentication result according to the user information and the verification information, and generate corresponding authentication result information;

结果发送模块25，用于将认证结果信息发送到终端设备。Theresult sending module 25 is used for sending the authentication result information to the terminal device.

本实施例中，本发明实施例通过用户凭证的设置，可以采用基于共享随机凭证的认证方式完成用户身份认证，使得用户身份验证可以不需要用户的隐私信息，从而可以使服务器中不需要存储用户的隐私信息，减少了用户的隐私信息泄露的情况，提高了远程身份认证系统的安全性，增强了对用户的隐私信息的保护。In this embodiment, through the setting of user credentials, the embodiment of the present invention can use an authentication method based on shared random credentials to complete user identity authentication, so that user identity authentication does not require the user's private information, so that the server does not need to store the user's private information. It reduces the leakage of users' private information, improves the security of the remote identity authentication system, and enhances the protection of users' private information.

本发明实施例还提供了一种服务器，包括：The embodiment of the present invention also provides a server, including:

存储器，用于存储计算机程序；memory for storing computer programs;

处理器，用于执行计算机程序时实现如上述实施例所提供的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method provided by the above embodiments when executing the computer program.

此外，本发明还提供了一种远程用户身份认证系统，包括：In addition, the present invention also provides a remote user identity authentication system, including:

上述实施例所提供的终端设备和上述实施例所提供的服务器。The terminal device provided by the foregoing embodiment and the server provided by the foregoing embodiment.

说明书中各个实施例采用递进的方式描述，每个实施例重点说明的都是与其他实施例的不同之处，各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置、系统、终端及服务器而言，由于其与实施例公开的方法相对应，所以描述的比较简单，相关之处参见方法部分说明即可。The various embodiments in the specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments can be referred to each other. As for the apparatus, system, terminal and server disclosed in the embodiments, since they correspond to the methods disclosed in the embodiments, the description is relatively simple, and for related parts, please refer to the description of the method section.

以上对本发明所提供的一种远程用户身份认证方法、装置、系统、终端及服务器进行了详细介绍。本文中应用了具体个例对本发明的原理及实施方式进行了阐述，以上实施例的说明只是用于帮助理解本发明的方法及其核心思想。应当指出，对于本技术领域的普通技术人员来说，在不脱离本发明原理的前提下，还可以对本发明进行若干改进和修饰，这些改进和修饰也落入本发明权利要求的保护范围内。A method, device, system, terminal and server for remote user identity authentication provided by the present invention are described above in detail. The principles and implementations of the present invention are described herein by using specific examples, and the descriptions of the above embodiments are only used to help understand the method and the core idea of the present invention. It should be pointed out that for those skilled in the art, without departing from the principle of the present invention, several improvements and modifications can also be made to the present invention, and these improvements and modifications also fall within the protection scope of the claims of the present invention.

Claims (10)

Translated fromChinese

1.一种远程用户身份认证方法，其特征在于，应用于终端设备，包括：1. a remote user identity authentication method, is characterized in that, is applied to terminal equipment, comprises:在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，所述用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数，所述用户信息不包括隐私信息；When logging in to the server, obtain a user credential stored in a preset storage manner; wherein, the user credential is the result of user information and first encrypted information after being encrypted by a first preset, and the first encrypted information includes a first random number, the user information does not include private information;根据所述用户凭证，生成登陆请求；其中，所述登陆请求包括所述用户信息、加密凭证和第二加密信息，所述加密凭证为所述用户凭证和所述第二加密信息经过第二预设加密后的结果，所述第二加密信息包括第二随机数；According to the user credential, a login request is generated; wherein, the login request includes the user information, the encrypted credential and the second encrypted information, and the encrypted credential is that the user credential and the second encrypted information have undergone a second pre-preparation. Assuming the encrypted result, the second encrypted information includes a second random number;将所述登陆请求发送到所述服务器，以使所述服务器根据所述登陆请求，得到所述用户凭证和预先存储的所述第一加密信息，并根据所述用户凭证、所述第一加密信息和所述用户信息，生成认证结果信息；Send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and obtains the user credential and the first encrypted information according to the user credential and the first encrypted information. information and the user information to generate authentication result information;根据所述服务器返回的所述认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。According to the authentication result information returned by the server, the login situation is determined, and the access operation is performed after the login is successful.2.根据权利要求1所述的远程用户身份认证方法，其特征在于，所述预设存储方式为加密存储时，所述获取按照预设存储方式存储的用户凭证，包括：2. The remote user identity authentication method according to claim 1, wherein when the preset storage mode is encrypted storage, the obtaining of the user credentials stored in the preset storage mode comprises:接收采集到的目标隐私信息；Receive the collected target privacy information;利用所述目标隐私信息，对认证信息进行解密，得到所述用户凭证；其中，所述认证信息为所述终端设备中存储的所述用户凭证经过第三预设加密后的结果。Using the target privacy information, the authentication information is decrypted to obtain the user credential; wherein the authentication information is the result of the third preset encryption of the user credential stored in the terminal device.3.根据权利要求1或2所述的远程用户身份认证方法，其特征在于，还包括：3. remote user identity authentication method according to claim 1 and 2, is characterized in that, also comprises:在所述服务器注册时，向所述服务器发送注册请求，以使所述服务器根据所述注册请求，生成注册结果信息；When the server registers, sending a registration request to the server, so that the server generates registration result information according to the registration request;接收所述服务器返回的所述注册结果信息，并在注册成功时，按照所述预设存储方式存储所述注册结果信息中的所述用户凭证。The registration result information returned by the server is received, and when the registration is successful, the user credentials in the registration result information are stored according to the preset storage method.4.一种远程用户身份认证装置，其特征在于，应用于终端设备，包括：4. A remote user identity authentication device, characterized in that, applied to terminal equipment, comprising:获取模块，用于在服务器登陆时，获取按照预设存储方式存储的用户凭证；其中，所述用户凭证为用户信息和第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数，所述用户信息不包括隐私信息；The obtaining module is used to obtain the user credential stored in the preset storage mode when logging in to the server; wherein, the user credential is the result of the user information and the first encrypted information after being encrypted by a first preset, and the first encrypted The information includes a first random number, and the user information does not include private information;生成模块，用于根据所述用户凭证，生成登陆请求；其中，所述登陆请求包括所述用户信息、加密凭证和第二加密信息，所述加密凭证为所述用户凭证和所述第二加密信息经过第二预设加密后的结果，所述第二加密信息包括第二随机数；A generating module, configured to generate a login request according to the user credential; wherein, the login request includes the user information, an encrypted credential and a second encrypted information, and the encrypted credential is the user credential and the second encrypted information The result after the information is encrypted by a second preset, the second encrypted information includes a second random number;发送模块，用于将所述登陆请求发送到所述服务器，以使所述服务器根据所述登陆请求，得到所述用户凭证和预先存储的所述第一加密信息，并根据所述用户凭证、所述第一加密信息和所述用户信息，生成认证结果信息；A sending module, configured to send the login request to the server, so that the server obtains the user credential and the pre-stored first encrypted information according to the login request, and according to the user credential, The first encrypted information and the user information generate authentication result information;确定模块，用于根据所述服务器返回的所述认证结果信息，确定登陆情况，并在登陆成功后进行访问操作。The determining module is used for determining the login situation according to the authentication result information returned by the server, and performing an access operation after the login is successful.5.一种终端设备，其特征在于，包括：5. A terminal device, comprising:存储器，用于存储计算机程序；memory for storing computer programs;处理器，用于执行所述计算机程序时实现如权利要求1至4任一项所述的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method according to any one of claims 1 to 4 when executing the computer program.6.一种远程用户身份认证方法，其特征在于，应用于服务器，包括：6. A remote user identity authentication method, characterized in that, applied to a server, comprising:接收终端设备发送的登陆请求；其中，所述登陆请求包括用户信息、加密凭证和第二加密信息，所述第二加密信息包括第二随机数；receiving a login request sent by the terminal device; wherein, the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number;根据所述第二加密信息，对所述加密凭证进行解密，得到用户凭证；其中，所述用户凭证为所述用户信息和所述用户信息对应的第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数；Decrypt the encrypted credential according to the second encrypted information to obtain a user credential; wherein the user credential is the first encrypted information corresponding to the user information and the user information after the first preset encryption. As a result, the first encrypted information includes a first random number;根据所述用户信息，获取所述用户信息对应的预先存储的校验信息；其中，所述校验信息包括所述第一加密信息；Acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes the first encrypted information;根据所述用户信息和所述校验信息，确定认证结果，并生成对应的认证结果信息；Determine an authentication result according to the user information and the verification information, and generate corresponding authentication result information;将所述认证结果信息发送到所述终端设备。Send the authentication result information to the terminal device.7.根据权利要求6所述的远程用户身份认证方法，其特征在于，所述第一预设加密为单向加密时，所述根据所述用户信息和所述校验信息，确定认证结果，包括：7. The remote user identity authentication method according to claim 6, wherein when the first preset encryption is one-way encryption, the authentication result is determined according to the user information and the verification information, include:利用所述用户信息和所述第一加密信息进行所述第一预设加密，获取标准用户凭证；Using the user information and the first encrypted information to perform the first preset encryption to obtain a standard user credential;判断所述用户凭证与所述标准用户凭证是否相同；Determine whether the user credential is the same as the standard user credential;若是，则确定所述认证结果为认证成功；If yes, then determine that the authentication result is authentication success;若否，则确定所述认证结果为认证失败。If not, it is determined that the authentication result is authentication failure.8.一种远程用户身份认证装置，其特征在于，应用于服务器，包括：8. A remote user identity authentication device, characterized in that, applied to a server, comprising:接收模块，用于接收终端设备发送的登陆请求；其中，所述登陆请求包括用户信息、加密凭证和第二加密信息，所述第二加密信息包括第二随机数；a receiving module, configured to receive a login request sent by the terminal device; wherein, the login request includes user information, encrypted credentials and second encrypted information, and the second encrypted information includes a second random number;解密模块，用于根据所述第二加密信息，对所述加密凭证进行解密，得到用户凭证；其中，所述用户凭证为所述用户信息和所述用户信息对应的第一加密信息经过第一预设加密后的结果，所述第一加密信息包括第一随机数；a decryption module, configured to decrypt the encrypted credential according to the second encrypted information to obtain a user credential; wherein the user credential is the user information and the first encrypted information corresponding to the user information through the first encrypted Presetting the encrypted result, the first encrypted information includes a first random number;校验获取模块，用于根据所述用户信息，获取所述用户信息对应的预先存储的校验信息；其中，所述校验信息包括所述第一加密信息；a verification acquisition module, configured to acquire pre-stored verification information corresponding to the user information according to the user information; wherein the verification information includes the first encrypted information;校验模块，用于根据所述用户信息和所述校验信息，确定认证结果，并生成对应的认证结果信息；a verification module, configured to determine an authentication result according to the user information and the verification information, and generate corresponding authentication result information;结果发送模块，用于将所述认证结果信息发送到所述终端设备。A result sending module, configured to send the authentication result information to the terminal device.9.一种服务器，其特征在于，包括：9. A server, characterized in that, comprising:存储器，用于存储计算机程序；memory for storing computer programs;处理器，用于执行所述计算机程序时实现如权利要求6或7所述的远程用户身份认证方法的步骤。The processor is configured to implement the steps of the remote user identity authentication method according to claim 6 or 7 when executing the computer program.10.一种远程用户身份认证系统，其特征在于，包括：10. A remote user identity authentication system, comprising:如权利要求5所述的终端设备和如权利要求9所述的服务器。The terminal device as claimed in claim 5 and the server as claimed in claim 9 .

Images