CN114978537A - Identity recognition method, device, equipment and computer readable storage medium - Google Patents

Abstract

Translated fromChinese

本申请实施例公开了一种身份识别方法、装置、设备和计算机可读存储介质，获取球面构造参数；依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息。利用盲因子对初始凭证信息进行转换，以得到身份凭证信息。将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。通过盲因子对初始凭证信息进行转换，保证了认证的安全性。基于球面点坐标的分布规律设置球面点坐标判别条件，对于需要建立定向通信的设备，通过球面取点得到身份凭证信息，利用球面点坐标判别条件可以直接对身份凭证信息进行验证，无需再按照公钥密码体制进行大量的数据运算进行认证，有效的降低了身份认证的时延。

The embodiments of the present application disclose an identity recognition method, apparatus, device and computer-readable storage medium for acquiring spherical structure parameters; and generating initial credential information for identity verification according to the current time and the spherical structure parameters. The initial credential information is transformed using a blind factor to obtain identity credential information. The identity credential information is transmitted to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions. The initial credential information is converted through a blind factor to ensure the security of authentication. Based on the distribution law of spherical point coordinates, the spherical point coordinate discrimination conditions are set. For devices that need to establish directional communication, the identity credential information can be obtained by taking the spherical point. The key cryptosystem performs a large number of data operations for authentication, which effectively reduces the delay of identity authentication.

Description

Translated fromChinese

一种身份识别方法、装置、设备和计算机可读存储介质An identification method, apparatus, device and computer-readable storage medium

技术领域technical field

本申请涉及通信技术领域，特别是涉及一种身份识别方法、装置、设备和计算机可读存储介质。The present application relates to the field of communication technologies, and in particular, to an identification method, apparatus, device, and computer-readable storage medium.

背景技术Background technique

复杂电磁环境下，为排除其它信号干扰，准确建立两节点如节点A和节点B之间的定向通信链路，需要对节点A和节点B进行动态身份认证。在定向通信设备位置转移时，为确保信号跟踪过程中重新搜索到的信号为己方信号，定向通信设备信号对准后需要进行身份识别。In a complex electromagnetic environment, in order to eliminate other signal interference and accurately establish a directional communication link between two nodes, such as node A and node B, it is necessary to perform dynamic identity authentication on node A and node B. When the location of the directional communication device is transferred, in order to ensure that the re-searched signal during the signal tracking process is the own signal, the directional communication device needs to be identified after the signal is aligned.

目前为防止身份识别信息泄露导致重放攻击，要求身份识别凭证采取“一次一密”的动态更新方式，即每次进行身份识别所使用的密钥不同。所有身份凭证一经验证，即使暴露给第三方，也无法再次重新使用。在密钥动态变化的情况下，实现定向通信信号的多次跟踪识别，弥补定向通信点对点盲目对准的安全缺陷。传统方式中采用公钥密码体制生成密钥，公钥密码认证体制需要大量的数据运算，导致身份认证花费较长的时间，从而造成认证时延。At present, in order to prevent replay attacks caused by the leakage of identity information, it is required to adopt a dynamic update method of "one-time-one-password" for identity certificates, that is, the keys used for identity recognition are different each time. Once all credentials are verified, they cannot be reused again, even if exposed to a third party. When the key changes dynamically, multiple tracking and identification of the directional communication signal is realized, which makes up for the security defect of the point-to-point blind alignment of the directional communication. In the traditional way, the public key cryptosystem is used to generate the key, and the public key cryptography authentication system requires a large amount of data operations, which leads to a long time for identity authentication, resulting in authentication delay.

可见，如何在保证认证安全性的同时，降低身份认证的时延，是本领域技术人员需要解决的问题。It can be seen that how to reduce the delay of identity authentication while ensuring authentication security is a problem to be solved by those skilled in the art.

发明内容SUMMARY OF THE INVENTION

本申请实施例的目的是提供一种身份识别方法、装置、设备和计算机可读存储介质，可以在保证认证安全性的同时，降低身份认证的时延。The purpose of the embodiments of the present application is to provide an identity identification method, apparatus, device, and computer-readable storage medium, which can reduce the delay of identity authentication while ensuring authentication security.

为解决上述技术问题，本申请实施例提供一种身份识别方法，包括：In order to solve the above-mentioned technical problem, the embodiment of the present application provides an identification method, including:

获取球面构造参数；Get spherical construction parameters;

依据当前时间以及所述球面构造参数，生成用于身份验证的初始凭证信息；generating initial credential information for identity verification according to the current time and the spherical surface construction parameters;

利用盲因子对所述初始凭证信息进行转换，以得到身份凭证信息；Convert the initial credential information with a blind factor to obtain identity credential information;

将所述身份凭证信息传输至对端设备，以便于所述对端设备根据设定的球面点坐标判别条件对所述身份凭证信息进行验证。The identity credential information is transmitted to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination condition.

可选地，所述球面构造参数包括奇素数、多维球面初始参数、基于所述奇素数生成的随机数和盲因子；Optionally, the spherical construction parameters include an odd prime number, a multi-dimensional spherical initial parameter, a random number generated based on the odd prime number, and a blind factor;

所述依据当前时间以及所述球面构造参数，生成用于身份验证的初始凭证信息包括：The generating initial credential information for identity verification according to the current time and the spherical structure parameters includes:

利用所述奇素数、所述多维球面初始参数、所述随机数，重构球面；Using the odd prime number, the initial parameter of the multi-dimensional spherical surface, and the random number to reconstruct the spherical surface;

按照设定的球面选点方法，依据当前时间从所述球面上选取球面点；其中，所述球面点有其对应的球面坐标信息；According to the set spherical point selection method, the spherical point is selected from the spherical surface according to the current time; wherein, the spherical point has its corresponding spherical coordinate information;

将所述球面点的球面坐标信息作为用于身份验证的初始凭证信息。The spherical coordinate information of the spherical point is used as the initial credential information for authentication.

可选地，还包括：Optionally, also include:

接收所述对端设备发送的对端身份凭证信息；receiving the peer identity credential information sent by the peer device;

根据设定的球面点坐标判别条件对所述对端身份凭证信息进行验证。The peer identity credential information is verified according to the set spherical point coordinate discrimination conditions.

可选地，所述球面点坐标判别条件为基于所述球面的已知点坐标信息构建的判别式；Optionally, the spherical point coordinate discrimination condition is a discriminant constructed based on the known point coordinate information of the spherical surface;

所述根据设定的球面点坐标判别条件对所述对端身份凭证信息进行验证包括：The verification of the peer identity credential information according to the set spherical point coordinate discrimination conditions includes:

将所述对端身份凭证信息带入所述判别式，得到判别结果；Bringing the peer identity credential information into the discriminant to obtain a discriminant result;

在所述判别结果符合设定的输出结果的情况下，判定所述对端身份凭证信息合法；In the case that the determination result conforms to the set output result, determine that the peer-end identity credential information is legal;

在所述判别结果不符合设定的输出结果的情况下，判定所述对端身份凭证信息不合法。In the case that the determination result does not conform to the set output result, it is determined that the peer identification credential information is invalid.

可选地，在所述将所述对端身份凭证信息带入所述判别式，得到判别结果之后还包括：Optionally, after bringing the peer-end identity credential information into the discriminant to obtain the discriminant result, the method further includes:

向所述对端设备反馈与所述判别结果对应的响应信息。Feedback response information corresponding to the determination result to the peer device.

可选地，在所述将所述身份凭证信息传输至对端设备之后还包括：Optionally, after the transmitting the identity credential information to the peer device, the method further includes:

在接收到所述对端设备反馈的表征身份凭证信息合法的响应信息，并且判定所述对端身份凭证信息合法的情况下，建立与所述对端设备的通信连接。After receiving the response information indicating the validity of the identity credential information fed back by the peer device, and determining that the peer identity credential information is valid, a communication connection with the peer device is established.

可选地，在所述判别结果不符合设定的输出结果的情况下，判定所述对端身份凭证信息不合法之后还包括：Optionally, in the case that the judgment result does not conform to the set output result, after judging that the peer identification credential information is invalid, the method further includes:

在所述对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将所述对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；In the case that the peer-end identity credential information corresponds to multiple peer-end devices, the peer-end identity credential information is divided into first peer-end identity credential information and second peer-end identity credential information according to the set dichotomy ;

将所述第一对端身份凭证信息和所述第二对端身份凭证信息分别带入所述判别式，得到第一判别结果和第二判别结果；Bringing the first peer identity credential information and the second peer identity credential information into the discriminant, respectively, to obtain a first discrimination result and a second discrimination result;

依据所述第一判别结果和所述第二判别结果，从所述对端身份凭证信息中筛选出待评估对端身份凭证信息；According to the first discrimination result and the second discrimination result, filter out the peer identity credential information to be evaluated from the peer identity credential information;

将所述待评估对端身份凭证信息作为新的对端身份凭证信息，返回所述在所述对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将所述对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息，直至所述待评估对端身份凭证信息对应一个对端设备，则确定所述待评估对端身份凭证信息为不合法信息。Taking the peer identity credential information to be evaluated as new peer identity credential information, and returning the described peer identity credential information corresponding to multiple peer devices, according to the set dichotomy, the The peer-end identity credential information is divided into first peer-end identity credential information and second peer-end identity credential information, until the peer-end identity credential information to be evaluated corresponds to a peer-end device, then the peer-end identity credential information to be evaluated is determined. for illegal information.

本申请实施例还提供了一种身份识别装置，包括获取单元、生成单元、转换单元和传输单元；The embodiment of the present application also provides an identification device, including an acquisition unit, a generation unit, a conversion unit and a transmission unit;

所述获取单元，用于获取球面构造参数；The obtaining unit is used to obtain spherical structure parameters;

所述生成单元，用于依据当前时间以及所述球面构造参数，生成用于身份验证的初始凭证信息；The generating unit is configured to generate initial credential information for identity verification according to the current time and the spherical structure parameter;

所述转换单元，用于利用盲因子对所述初始凭证信息进行转换，以得到身份凭证信息；The conversion unit is used to convert the initial credential information by using a blind factor to obtain identity credential information;

所述传输单元，用于将所述身份凭证信息传输至对端设备，以便于所述对端设备根据设定的球面点坐标判别条件对所述身份凭证信息进行验证。The transmission unit is configured to transmit the identity credential information to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination condition.

可选地，所述球面构造参数包括奇素数、多维球面初始参数、基于所述奇素数生成的随机数和盲因子；Optionally, the spherical construction parameters include an odd prime number, a multi-dimensional spherical initial parameter, a random number generated based on the odd prime number, and a blind factor;

所述生成单元包括重构子单元、选取子单元和作为子单元；The generation unit includes a reconstruction subunit, a selection subunit, and a subunit;

所述重构子单元，用于利用所述奇素数、所述多维球面初始参数、所述随机数，重构球面；The reconstruction subunit is used to reconstruct the spherical surface by using the odd prime number, the initial parameter of the multi-dimensional spherical surface, and the random number;

所述选取子单元，用于按照设定的球面选点装置，依据当前时间从所述球面上选取球面点；其中，所述球面点有其对应的球面坐标信息；The selection subunit is used to select spherical points from the spherical surface according to the set spherical point selection device according to the current time; wherein, the spherical point has its corresponding spherical coordinate information;

所述作为子单元，用于将所述球面点的球面坐标信息作为用于身份验证的初始凭证信息。The acting subunit is used to use the spherical coordinate information of the spherical point as initial credential information for identity verification.

可选地，还包括接收单元和验证单元；Optionally, it also includes a receiving unit and a verification unit;

所述接收单元，用于接收所述对端设备发送的对端身份凭证信息；the receiving unit, configured to receive the peer identity credential information sent by the peer device;

所述验证单元，用于根据设定的球面点坐标判别条件对所述对端身份凭证信息进行验证。The verification unit is configured to verify the peer identification credential information according to the set spherical point coordinate discrimination condition.

可选地，所述球面点坐标判别条件为基于所述球面的已知点坐标信息构建的判别式；Optionally, the spherical point coordinate discrimination condition is a discriminant constructed based on the known point coordinate information of the spherical surface;

所述验证单元包括带入子单元、第一判定子单元和第二判定子单元；The verification unit includes a bring-in subunit, a first determination subunit and a second determination subunit;

所述带入子单元，用于将所述对端身份凭证信息带入所述判别式，得到判别结果；The bringing-in subunit is used to bring the peer-end identity credential information into the discriminant to obtain a discriminant result;

所述第一判定子单元，用于在所述判别结果符合设定的输出结果的情况下，判定所述对端身份凭证信息合法；The first determination subunit is configured to determine that the peer identification credential information is legal when the determination result conforms to the set output result;

所述第二判定子单元，用于在所述判别结果不符合设定的输出结果的情况下，判定所述对端身份凭证信息不合法。The second determination subunit is configured to determine that the peer identification credential information is invalid when the determination result does not conform to the set output result.

可选地，还包括反馈单元；Optionally, it also includes a feedback unit;

所述反馈单元，用于向所述对端设备反馈与所述判别结果对应的响应信息。The feedback unit is configured to feed back the response information corresponding to the determination result to the peer device.

可选地，还包括建立单元；Optionally, it also includes an establishment unit;

所述建立单元，用于在接收到所述对端设备反馈的表征身份凭证信息合法的响应信息，并且判定所述对端身份凭证信息合法的情况下，建立与所述对端设备的通信连接。The establishment unit is configured to establish a communication connection with the opposite end device after receiving the response information representing the legality of the identity credential information fed back by the opposite end device, and determining that the opposite end identity credential information is legal .

可选地，还包括划分单元、带入单元、筛选单元、作为单元和确定单元；Optionally, it also includes a dividing unit, a bringing-in unit, a screening unit, a serving unit and a determining unit;

所述划分单元，用于在所述对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将所述对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；The dividing unit is configured to divide the peer identity credential information into first peer identity credential information and Second peer identity credential information;

所述带入单元，用于将所述第一对端身份凭证信息和所述第二对端身份凭证信息分别带入所述判别式，得到第一判别结果和第二判别结果；The bringing-in unit is used to respectively bring the first peer identification credential information and the second peer identification credential information into the discriminant to obtain a first discrimination result and a second discrimination result;

所述筛选单元，用于依据所述第一判别结果和所述第二判别结果，从所述对端身份凭证信息中筛选出待评估对端身份凭证信息；the screening unit, configured to filter out the peer identity credential information to be evaluated from the peer identity credential information according to the first discrimination result and the second discrimination result;

所述作为单元，用于将所述待评估对端身份凭证信息作为新的对端身份凭证信息，返回所述在所述对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将所述对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；The acting unit is used to use the peer-end identity credential information to be evaluated as new peer-end identity credential information, and return the peer-end identity credential information according to the setting in the case that the peer-end identity credential information corresponds to multiple peer devices. The dichotomy method, the peer identity credential information is divided into first peer identity credential information and second peer identity credential information;

所述确定单元，用于直至所述待评估对端身份凭证信息对应一个对端设备，则确定所述待评估对端身份凭证信息为不合法信息。The determining unit is configured to determine that the peer identity credential information to be evaluated is illegal information until the peer identity credential information to be evaluated corresponds to a peer device.

本申请实施例还提供了一种电子设备，包括：The embodiment of the present application also provides an electronic device, including:

存储器，用于存储计算机程序；memory for storing computer programs;

处理器，用于执行所述计算机程序以实现如上述身份识别方法的步骤。The processor is configured to execute the computer program to implement the steps of the above-mentioned identification method.

本申请实施例还提供了一种计算机可读存储介质，所述计算机可读存储介质上存储有计算机程序，所述计算机程序被处理器执行时实现如上述身份识别方法的步骤。Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the above-mentioned identification method are implemented.

由上述技术方案可以看出，获取球面构造参数；依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息。球面构造参数构造的球面可以实现无限取点，保证了身份凭证信息可以实现一次一密的动态变化。盲因子的使用可以有效的避免球面上点的暴露，同时盲因子不会对身份凭证信息的验证造成干扰，因此可以利用盲因子对初始凭证信息进行转换，以得到身份凭证信息。将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。在该技术方案中，通过盲因子对初始凭证信息进行转换，保证了认证的安全性。基于球面点坐标的分布规律设置球面点坐标判别条件，对于需要建立定向通信的设备，通过球面取点得到身份凭证信息，利用球面点坐标判别条件可以直接对身份凭证信息进行验证，无需再按照公钥密码体制进行大量的数据运算进行认证，有效的降低了身份认证的时延。It can be seen from the above technical solutions that the spherical structure parameters are obtained; the initial credential information for identity verification is generated according to the current time and the spherical structure parameters. The spherical surface constructed by the spherical structure parameters can realize unlimited point selection, which ensures that the identity credential information can realize the dynamic change of one-time pad. The use of the blind factor can effectively avoid the exposure of points on the sphere, and the blind factor will not interfere with the verification of the identity credential information. Therefore, the blind factor can be used to convert the initial credential information to obtain the identity credential information. The identity credential information is transmitted to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions. In this technical solution, the initial credential information is converted through a blind factor, which ensures the security of authentication. Based on the distribution law of spherical point coordinates, the spherical point coordinate discrimination conditions are set. For devices that need to establish directional communication, the identity credential information can be obtained by taking the spherical point. The key cryptosystem performs a large number of data operations for authentication, which effectively reduces the delay of identity authentication.

附图说明Description of drawings

为了更清楚地说明本申请实施例，下面将对实施例中所需要使用的附图做简单的介绍，显而易见地，下面描述中的附图仅仅是本申请的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to describe the embodiments of the present application more clearly, the following will briefly introduce the drawings that are used in the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application, which are not relevant to ordinary skills in the art. As far as personnel are concerned, other drawings can also be obtained from these drawings on the premise of no creative work.

图1为本申请实施例提供的一种身份识别方法的流程图；1 is a flowchart of an identity recognition method provided by an embodiment of the present application;

图2为本申请实施例提供的一种身份识别装置的结构示意图；FIG. 2 is a schematic structural diagram of an identification device provided by an embodiment of the present application;

图3为本申请实施例提供的一种电子设备的结构图。FIG. 3 is a structural diagram of an electronic device provided by an embodiment of the present application.

具体实施方式Detailed ways

下面将结合本申请实施例中的附图，对本申请实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本申请一部分实施例，而不是全部实施例。基于本申请中的实施例，本领域普通技术人员在没有做出创造性劳动前提下，所获得的所有其他实施例，都属于本申请保护范围。The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the present application without creative work fall within the protection scope of the present application.

本申请的说明书和权利要求书及上述附图中的术语“包括”和“具有”以及他们任何变形，意图在于覆盖不排他的包含。例如包含了一系列步骤或单元的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元，而是可包括没有列出的步骤或单元。The terms "comprising" and "having" and any variations thereof in the specification and claims of this application and the above-mentioned drawings are intended to cover non-exclusive inclusions. For example, a process, method, system, product or device comprising a series of steps or elements is not limited to the listed steps or elements, but may include unlisted steps or elements.

为了使本技术领域的人员更好地理解本申请方案，下面结合附图和具体实施方式对本申请作进一步的详细说明。In order to make those skilled in the art better understand the solution of the present application, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments.

接下来，详细介绍本申请实施例所提供的一种身份识别方法。图1为本申请实施例提供的一种身份识别方法的流程图，该方法包括：Next, an identity recognition method provided by an embodiment of the present application is described in detail. FIG. 1 is a flowchart of an identity recognition method provided by an embodiment of the present application, and the method includes:

S101：获取球面构造参数。S101: Acquire spherical surface construction parameters.

本申请实施例采用基于有限域上多维球面理论建立身份密钥管理体制，以有限域上多维球面上的点作为认证双方的身份凭证，通过验证身份凭证是否在球面上判断身份的合法与否。The embodiments of the present application establish an identity key management system based on the multi-dimensional sphere theory on a finite field, use points on the multi-dimensional sphere on the finite field as the identity credentials of both parties to authenticate, and determine whether the identity is legal or not by verifying whether the identity credentials are on the sphere.

只要认证双方具有共同的多维球面初始参数，便能够保证身份识别方案的可行性。并且多维球面上点数量的无限性，保证了身份凭据能够“一次一密”动态变化，以免身份凭据暴露引起“重放”攻击。The feasibility of the identification scheme can be guaranteed as long as both parties have the common multi-dimensional spherical initial parameters. And the infinite number of points on the multi-dimensional sphere ensures that the identity credentials can be dynamically changed with "one-time pad", so as to avoid the exposure of identity credentials and cause "replay" attacks.

球面取点的前提是构造出球面。球面构造参数是重构球面所需的基础参数。球面构造参数可以包括奇素数、多维球面初始参数、基于奇素数生成的随机数和盲因子。The premise of taking points on a sphere is to construct a sphere. The spherical construction parameters are the basic parameters required to reconstruct the spherical surface. The spherical construction parameters can include odd prime numbers, multi-dimensional spherical initial parameters, random numbers generated based on odd prime numbers, and blind factors.

举例说明，在实际应用中，可以选择奇素数p＝3(mod)4，多维球面初始参数S＝{s₁,s₂…s_t-1}，基于奇素数生成随机数c∈_R(0,p)。盲因子可以通过随机选择r∈_R(0,p)作为盲因子，且(r,p)＝1。For example, in practical applications, an odd prime number p=3(mod)4 can be selected, the initial parameters of the multi-dimensional spherical surface S={s₁ , s₂ …s_t-1 }, and a random number c ∈_R (0 ,p). The blinding factor can be chosen by randomly selecting r∈_R (0,p) as the blinding factor, and (r,p)=1.

可信中心维护有球面构造参数，可信中心可以将球面构造参数下发至需要进行身份认证的节点。假设，节点A和节点B之间需要建立通信，节点A和节点B可以向可信中心提交自己的身份信息，可信中心验证通过后，可以将球面构造参数分别下发给节点A和节点B。The trusted center maintains the spherical structure parameters, and the trusted center can send the spherical structure parameters to the nodes that need to be authenticated. It is assumed that communication needs to be established between node A and node B. Node A and node B can submit their own identity information to the trusted center. After the trusted center passes the verification, the spherical construction parameters can be distributed to node A and node B respectively. .

S102：依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息。S102: Generate initial credential information for identity verification according to the current time and spherical surface construction parameters.

在本申请实施例中，通过基于球面构造参数可以重构出球面，按照球面取点的方式可以得到身份凭证信息。为了更好的区分不同时间点所选取的球面点，可以将当前时间作为生成身份凭证信息的一个依据。In the embodiment of the present application, the spherical surface can be reconstructed based on the spherical surface construction parameters, and the identity credential information can be obtained by taking points on the spherical surface. In order to better distinguish the spherical points selected at different time points, the current time can be used as a basis for generating the identity credential information.

在具体实现中，可以利用奇素数、多维球面初始参数、随机数，重构球面；按照设定的球面选点方法，依据当前时间从球面上选取球面点；其中，球面点有其对应的球面坐标信息。在选取球面点之后，可以将球面点的球面坐标信息作为用于身份验证的初始凭证信息。In the specific implementation, odd prime numbers, multi-dimensional spherical initial parameters, and random numbers can be used to reconstruct the spherical surface; according to the set spherical surface point selection method, spherical surface points are selected from the spherical surface according to the current time; wherein, spherical surface points have their corresponding spherical surfaces Coordinate information. After the spherical point is selected, the spherical coordinate information of the spherical point can be used as the initial credential information for authentication.

在本申请实施例中，相互通信的各节点均会获取到球面构造参数，各节点的工作流程类似，后续均以一个节点为例展开说明。In the embodiment of the present application, each node that communicates with each other will acquire spherical surface construction parameters, and the work flow of each node is similar, and the subsequent description will take one node as an example.

节点可以利用球面构造参数中的(p,S,c,t)，在有限域F_p上构造t-1维空间的球面，球面方程如下：The node can use (p, S, c, t) in the spherical surface construction parameters to construct a spherical surface in the t-1 dimension space on the finite field F_p . The spherical surface equation is as follows:

其中，

x_j表示球面上点，a_j表示球心坐标，R表示球面半径。in,

x_j represents the point on the sphere, a_j represents the coordinates of the center of the sphere, and R represents the radius of the sphere.

在实际应用中，可以按照如下球面取点的流程选取球面点：In practical applications, spherical points can be selected according to the following spherical point selection process:

(1)在(0，p)上选取x_i1，x_i2，……x_i1(t-3)；(1) Select x_i1 , x_i2 , ...... x_{i1(t-3) on (0, p)} ;

其中，在(0，p)上选取的坐标点是与当前时间相关联的坐标点。Among them, the coordinate point selected on (0, p) is the coordinate point associated with the current time.

(2)计算d_i1＝x_i1-a₁(mod p)，d_i2＝x_i2-a₂(mod p)，……d_i(t-3)＝x_i(t-3)-a_(t-3)(modp)；(2) Calculate d_i1 =x_i1 -a₁ (mod p), d_i2 =x_i2 -a₂ (mod p), ... d_i(t-3) =x_i(t-3) -a_{( t-3)} (modp);

(3)

(3)

(4)随机选取d_i(t-2)∈(0,p)，计算

(4) Randomly select d_i(t-2) ∈(0,p), calculate

(5)计算

(5) Calculation

(6)计算

(6) Calculation

(7)如果

则返回(4)；(7) If

then return (4);

(8)x_i(t-2)＝d_i(t-2)+a_t-2(mod p),x_i(t-1)＝d_i(t-1)+a_t-1(mod p)；(8) x_i(t-2) =d_i(t-2) +a_t-2 (mod p),x_i(t-1) =d_i(t-1) +a_t-1 (mod p);

(9)输出球面点A_i＝(x_i1,x_i2,…,x_i(t-1))。(9) Output spherical point A_i =(x_i1 ,x_i2 ,...,_xi(t-1) ).

S103：利用盲因子对初始凭证信息进行转换，以得到身份凭证信息。S103: Convert the initial credential information using a blind factor to obtain identity credential information.

在本申请实施例中，为了有效的避免球面点的暴露，同时保证验证时，盲因子不会干扰行列式的计算值。可以按照如下公式，对初始凭证信息A_i进行转换，得到身份凭证信息IDA_i，In the embodiment of the present application, in order to effectively avoid exposure of spherical points, and at the same time to ensure that the blind factor will not interfere with the calculated value of the determinant during verification. The initial credential information A_i can be converted according to the following formula to obtain the identity credential information IDA_i ,

其中，r表示盲因子；i＝1,2…n，且t<n；n表示A的身份凭据个数，即A共生成了n个不一样的身份凭据，IDA₁，IDA₂，…，IDA_n作为身份凭证池供节点A进行随机使用。Among them, r represents the blind factor; i=1,2...n, and t<n; n represents the number of identity credentials of A, that is, A has generated n different identity credentials, IDA₁ , IDA₂ , ..., IDA_{n is} used as an identity credential pool for random use by node A.

多维球面上点的盲因子遮蔽，保证了认证凭据与点坐标之间的复杂关联关系，抵抗身份凭据泄露造成的“串谋”攻击。有限域阶数的合理选取，保证了身份凭证具有广阔的选取空间，降低了穷举搜索的执行效率。基于多维球面理论构建的身份识别，其验证时间少于公钥密码体制下构建的认证体制，有利于提高身份识别效率。The blind factor masking of the points on the multi-dimensional sphere ensures the complex relationship between the authentication credentials and the coordinates of the points, and resists the "collusion" attack caused by the leakage of the identity credentials. The reasonable selection of the order of the finite field ensures that the identity certificate has a broad selection space and reduces the execution efficiency of the exhaustive search. The identity recognition constructed based on the multi-dimensional spherical theory has less verification time than the authentication system constructed under the public key cryptosystem, which is beneficial to improve the efficiency of identity recognition.

S104：将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。S104: Transmit the identity credential information to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination condition.

以节点A和节点B之间定向通信为例，节点A和节点B可以生成各自的身份凭证信息，将身份凭证信息传输至对端设备，从而便于对端设备实现对节点的身份验证。Taking the directional communication between node A and node B as an example, node A and node B can generate their own identity credential information and transmit the identity credential information to the peer device, thereby facilitating the peer device to authenticate the node.

对于节点A而言，节点B为对端设备；对于节点B而言，节点A为对端设备。For node A, node B is the peer device; for node B, node A is the peer device.

节点将自身的身份凭证信息传输至对端设备，对端设备可以根据设定的球面点坐标判别条件对身份凭证信息进行验证。在身份凭证信息通过验证之后，对端设备可以向节点发送对端设备的对端身份凭证信息，节点接收到对端设备发送的对端身份凭证信息之后，可以根据设定的球面点坐标判别条件对对端身份凭证信息进行验证。The node transmits its own identity credential information to the peer device, and the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions. After the identity credential information is verified, the peer device can send the peer device's peer identity credential information to the node. After the node receives the peer identity credential information sent by the peer device, it can discriminate the conditions according to the set spherical point coordinates. Validate the peer-end identity credential information.

在本申请实施例中，球面点坐标判别条件可以为基于球面的已知点坐标信息构建的判别式。In this embodiment of the present application, the spherical point coordinate discrimination condition may be a discriminant constructed based on the known point coordinate information of the spherical surface.

对身份凭证信息的验证可以包括将对端身份凭证信息带入判别式，得到判别结果；在判别结果符合设定的输出结果的情况下，判定对端身份凭证信息合法；在判别结果不符合设定的输出结果的情况下，判定对端身份凭证信息不合法。The verification of the identity credential information may include bringing the peer-end identity credential information into the discriminant to obtain the discrimination result; if the discrimination result conforms to the set output result, determine that the peer-end identity credential information is legal; if the discrimination result does not conform to the set In the case of a predetermined output result, it is determined that the peer-end identity credential information is invalid.

在得到判别结果之后，节点可以向对端设备反馈与判别结果对应的响应信息。在具体实现中，在判别结果符合设定的输出结果的情况下，可以向对端设备反馈验证通过的响应信息；在判别结果不符合设定的输出结果的情况下，可以向对端设备反馈验证未通过的响应信息。After obtaining the discrimination result, the node may feed back response information corresponding to the discrimination result to the peer device. In the specific implementation, in the case that the judgment result conforms to the set output result, the response information that passes the verification can be fed back to the peer device; in the case that the discrimination result does not conform to the set output result, it can be fed back to the peer device Validation failed response information.

在接收到对端设备反馈的表征身份凭证信息合法的响应信息，并且判定对端身份凭证信息合法的情况下，说明节点和对端设备身份验证通过，此时可以建立与对端设备的通信连接。In the case of receiving the response information representing the validity of the identity credential information fed back by the peer device, and determining that the peer identity credential information is legal, it means that the identity verification between the node and the peer device has passed, and a communication connection with the peer device can be established at this time. .

以判别式为行列式为例，假设需要对一个节点的身份凭证信息进行验证，可以将该节点的身份凭证信息带入行列式的最后一行。若行列式的结果为零，说明认证通过；若行列式的结果不为零，说明认证未通过。Taking the discriminant as a determinant as an example, assuming that the identity credential information of a node needs to be verified, the identity credential information of the node can be brought into the last row of the determinant. If the result of the determinant is zero, the authentication is passed; if the result of the determinant is not zero, the authentication is not passed.

以节点A和节点B之间定向通信为例，节点A与节点B之间采取“三次握手”的方式进行验证。假设由节点A发起呼叫，节点A从身份凭证池中取出一个身份凭证信息IDA_i发送出去。节点B听到节点A的呼叫后，接收并验证IDA_i，假设节点A向节点B出示的身份凭证信息为IDA₁＝(x′₁₁,x′₁₂,…,x′_1(t-1))(mod p)，节点B使用自己的身份凭证信息IDB_i＝(y′_i1,y′_i2,…,y′_i(t-1))，i＝1,2…n，构造判别行列式D_判断，Taking the directional communication between node A and node B as an example, the "three-way handshake" method is used for verification between node A and node B. Assuming that the call is initiated by node A, node A takes out an identity credential information IDA_i from the identity credential pool and sends it out. After hearing the call from node A, node B receives and verifies IDA_i , assuming that the identity credential information presented by node A to node B is IDA₁ =(x'₁₁ ,x'₁₂ ,...,x'_1(t-1) )(mod p), Node B uses its own identity credential information IDB_i =(y′_i1 ,y′_i2 ,…,y′_i(t-1) ), i=1,2…n to construct the discriminant determinant D_judges ,

判别式为t+1行和t+1列的行列式。The discriminant is the determinant of row t+1 and column t+1.

其中，行列式的第1行至第t行为已知量，可以基于球面上的t个已知的球面点设置。行列式的最后一行为未知量，将所需验证的身份凭证信息带入行列式的最后一行。Among them, the 1st row to the tth row of the determinant are known quantities, which can be set based on t known spherical points on the spherical surface. The last row of the determinant is an unknown quantity, and the identity credential information that needs to be verified is brought into the last row of the determinant.

将(x′₁₁,x′₁₂,…,x′_1(t-1))代入判别行列式中变量(z₁,z₂,…,z_t-1)中计算，判断是否为零。如果D_判断≠0，认证失败，节点B直接中断与节点A的链接，返回静默状态直至下一次呼叫。如果D_判断＝0，说明认证成功。Substitute (x′₁₁ ,x′₁₂ ,…,x′_1(t-1) ) into the variable (z₁ ,z₂ ,…,z_t-1 ) in the discriminant determinant for calculation, and judge whether it is zero. If D_judges ≠ 0, the authentication fails, node B directly interrupts the link with node A, and returns to the silent state until the next call. If D_judgment = 0, it indicates that the authentication is successful.

认证成功时，节点B可以发送自己的身份凭证信息给节点A，完成应答；节点A接收到节点B的应答，采用如下行列式验证节点B的身份凭证信息，When the authentication is successful, node B can send its own identity credential information to node A to complete the response; node A receives the response of node B and uses the following determinant to verify the identity credential information of node B:

如果D_判断≠0，认证失败，节点A直接中断与节点B的链接，重新开始下一次呼叫。如果D_判断＝0，说明认证成功，节点A向节点B发送确认信息，完成身份识别，双方之间可以建立通信连接，进行安全通信，直到信号发生中断后，再进行重新身份识别。下次的身份识别从身份凭证池中重新选取身份凭证信息，上一次运用过的身份凭证信息作废。If D_judges ≠ 0, authentication fails, node A directly interrupts the link with node B, and restarts the next call. If D_judgment = 0, it means that the authentication is successful, node A sends confirmation information to node B to complete the identification, and the two parties can establish a communication connection for secure communication, and then re-identify until the signal is interrupted. In the next identification, the identity credential information is re-selected from the identity credential pool, and the identity credential information used last time is invalid.

由上述技术方案可以看出，获取球面构造参数；依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息。球面构造参数构造的球面可以实现无限取点，保证了身份凭证信息可以实现一次一密的动态变化。盲因子的使用可以有效的避免球面上点的暴露，同时盲因子不会对身份凭证信息的验证造成干扰，因此可以利用盲因子对初始凭证信息进行转换，以得到身份凭证信息。将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。在该技术方案中，通过盲因子对初始凭证信息进行转换，保证了认证的安全性。基于球面点坐标的分布规律设置球面点坐标判别条件，对于需要建立定向通信的设备，通过球面取点得到身份凭证信息，利用球面点坐标判别条件可以直接对身份凭证信息进行验证，无需再按照公钥密码体制进行大量的数据运算进行认证，有效的降低了身份认证的时延。It can be seen from the above technical solutions that the spherical structure parameters are obtained; the initial credential information for identity verification is generated according to the current time and the spherical structure parameters. The spherical surface constructed by the spherical structure parameters can realize unlimited point selection, which ensures that the identity credential information can realize the dynamic change of one-time pad. The use of the blind factor can effectively avoid the exposure of points on the sphere, and the blind factor will not interfere with the verification of the identity credential information. Therefore, the blind factor can be used to convert the initial credential information to obtain the identity credential information. The identity credential information is transmitted to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions. In this technical solution, the initial credential information is converted through a blind factor, which ensures the security of authentication. Based on the distribution law of spherical point coordinates, the spherical point coordinate discrimination conditions are set. For devices that need to establish directional communication, the identity credential information can be obtained by taking the spherical point. The key cryptosystem performs a large number of data operations for authentication, which effectively reduces the delay of identity authentication.

本申请实施例提供的身份识别方法不仅适用于点对点的逐一验证场景，还适用于点对多点的批量验证。The identity identification method provided by the embodiment of the present application is not only applicable to point-to-point verification scenarios one by one, but also to point-to-multipoint batch verification.

(1)点对点逐一验证：当节点A向B出示的身份凭证为IDA₁＝(x′₁₁,x′₁₂,…,x′_1(t-1))(mod p)，B使用自己的身份凭证IDB_i＝(y′_i1,y′_i2,…,y′_i(t-1))，i＝1,2…t，构造判别行列式，如公式(1)，(1) Point-to-point verification: When the identity certificate presented by node A to B is IDA₁ =(x′₁₁ ,x′₁₂ ,...,x′_1(t-1) )(mod p), B uses its own identity Credentials IDB_i =(y′_i1 ,y′_i2 ,…,y′_i(t-1) ), i=1,2…t, construct the discriminant determinant, such as formula (1),

节点B收到IDA₁＝(x′₁₁,x′₁₂,…,x′_1(t-1))(mod p)后，首先通过盲因子r还原(x₁₁,x₁₂,…,x_1(t-1))，检查x₁₁，x₁₂，……x_1(t-3)是否符合时间戳要求，并将(x′₁₁,x′₁₂,…,x′_1(t-1))代入判别行列式(1)的变量(z₁,z₂,…,z_t-1)中计算，计算结果是否为零，从而判断IDA₁的身份合法与否。After receiving IDA₁ =(x'₁₁ ,x'₁₂ ,...,x'_1(t-1) )(mod p), Node B first restores (x₁₁ ,x₁₂ ,...,x₁ through the blind factor r)_(t-1) ), check whether x₁₁ , x₁₂ ,...x_1(t-3) meet the timestamp requirements, and convert (x'₁₁ ,x'₁₂ ,...,x'_1(t-1) ) into the variables (z₁ , z₂ , ..., z_t-1 ) of the discriminant determinant (1) to calculate whether the calculation result is zero, so as to judge whether the identity of IDA₁ is legal or not.

(2)点对多点批量验证：在多个节点构成的中心网络中，多个节点A_k(k＝1，2…N)，可能同时向中心节点提交身份凭据IDA_k＝(x′_k1,x′_k2,…,x′_k(t-1))(mod p)，(k＝1，2…N)。为了提高验证效率，中心节点可以采用批量验证的方法，一次性验证多个节点提交的身份凭据。(2) Point-to-multipoint batch verification: In the central network composed of multiple nodes, multiple nodes A_k (k=1, 2...N) may submit identity credentials to the central node at the same time IDA_k = (x′_k1 ,x'_k2 ,...,x'_k(t-1) )(mod p), (k=1, 2...N). In order to improve the verification efficiency, the central node can use the batch verification method to verify the identity credentials submitted by multiple nodes at one time.

中心节点在检查完多个节点的身份凭据的时间戳后，将IDA_k(k＝1，2…N)聚合成一个整体After checking the timestamps of the identity credentials of multiple nodes, the central node aggregates IDA_k (k=1, 2...N) into a whole

代入判别式(1)最下面的1行中，根据计算结果是否为零，从而判断IDA_k(k＝1，2…N)的身份合法与否。如果行列式计算结果不等于零，则证明N个节点至少存在一个非法者；如果行列式计算结果不等于零，证明不存在非法者。这主要是由于行列式的性质Substitute into the bottom row of discriminant (1), and judge whether the identity of IDA_k (k=1, 2...N) is legal or not according to whether the calculation result is zero. If the calculation result of the determinant is not equal to zero, it is proved that there is at least one illegal person in N nodes; if the calculation result of the determinant is not equal to zero, it is proved that there is no illegal person. This is mainly due to the nature of the determinant

决定的。decided.

对于多个节点中存在非法者的情况，可以采用二分法的方式，确定出具体是哪些或哪个节点属于非法者。In the case where there are illegal persons in multiple nodes, the method of dichotomy can be used to determine which or which node belongs to the illegal persons.

在具体实现中，可以在判别结果不符合设定的输出结果的情况下，判定对端身份凭证信息不合法之后，在对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；将第一对端身份凭证信息和第二对端身份凭证信息分别带入判别式，得到第一判别结果和第二判别结果；依据第一判别结果和第二判别结果，从对端身份凭证信息中筛选出待评估对端身份凭证信息；将待评估对端身份凭证信息作为新的对端身份凭证信息，返回在对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息，直至待评估对端身份凭证信息对应一个对端设备，则确定待评估对端身份凭证信息为不合法信息。In a specific implementation, if the judgment result does not conform to the set output result, after it is judged that the peer identity credential information is invalid, in the case that the peer identity credential information corresponds to multiple peer devices, according to the set Dichotomy method, the peer-end identity credential information is divided into the first peer-end identity credential information and the second peer-end identity credential information; the first peer-end identity credential information and the second peer-end identity credential information are respectively brought into the discriminant to obtain The first discrimination result and the second discrimination result; according to the first discrimination result and the second discrimination result, screen out the peer identity credential information to be evaluated from the peer identity credential information; take the peer identity credential information to be evaluated as the new peer identity credential information. The terminal identity credential information is returned. In the case that the peer identity credential information corresponds to multiple peer devices, according to the set dichotomy, the peer identity credential information is divided into the first peer identity credential information and the second peer identity. credential information, until the peer identity credential information to be evaluated corresponds to a peer device, then it is determined that the peer identity credential information to be evaluated is illegal information.

举例说明，当批量验证N个节点发现存在非法者时，可以将待识别的N个节点折半分为前、后两个部分。当前半部分批量验证的结果合法时，则表明后半部分存在非法者；若此时后半部分包含节点的数量为1，则这个节点为非法者，去掉非法节点，对剩余的节点进行批量验证，如果剩余的节点均合法，则表明非法者已经全部被识别；若后半部分节点的数量多于1，则继续进行折半拆分。当前半部分批量验证的结果非法时，同样根据节点数量的多少进行处理。For example, when a batch of N nodes is verified and it is found that there is an illegal person, the N nodes to be identified can be divided into two parts, the front part and the back part. When the result of batch verification in the first half is legal, it means that there are illegals in the second half; if the number of nodes in the second half is 1, then this node is illegal, remove the illegal nodes, and perform batch verification on the remaining nodes , if the remaining nodes are legal, it means that all illegals have been identified; if the number of nodes in the second half is more than 1, the split will continue. When the result of batch verification in the first half is illegal, it is also processed according to the number of nodes.

在本申请实施例中，可以对多个节点进行批量验证。在多个节点中存在非法节点时，可以通过二分法的方式，确定出具体是哪个或哪些节点为非法节点。相比于对所有节点一一进行验证的方式，二分法的验证方式执行效率更高，可以更为快速的确定出非法节点。In this embodiment of the present application, batch verification can be performed on multiple nodes. When there are illegal nodes in a plurality of nodes, it can be determined which specific node or nodes are illegal nodes by means of dichotomy. Compared with the method of verifying all nodes one by one, the verification method of the dichotomous method has higher execution efficiency and can identify illegal nodes more quickly.

图2为本申请实施例提供的一种身份识别装置的结构示意图，包括获取单元21、生成单元22、转换单元23和传输单元24；2 is a schematic structural diagram of an identification device provided by an embodiment of the present application, including anacquisition unit 21, a generation unit 22, aconversion unit 23, and atransmission unit 24;

获取单元21，用于获取球面构造参数；anacquisition unit 21 for acquiring spherical surface construction parameters;

生成单元22，用于依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息；The generating unit 22 is used for generating initial credential information for identity verification according to the current time and the spherical structure parameters;

转换单元23，用于利用盲因子对初始凭证信息进行转换，以得到身份凭证信息；Theconversion unit 23 is used to convert the initial credential information by using the blind factor to obtain the identity credential information;

传输单元24，用于将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。Thetransmission unit 24 is configured to transmit the identity credential information to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions.

可选地，球面构造参数包括奇素数、多维球面初始参数、基于奇素数生成的随机数和盲因子；Optionally, the spherical surface construction parameters include an odd prime number, a multi-dimensional spherical initial parameter, a random number generated based on the odd prime number, and a blind factor;

生成单元包括重构子单元、选取子单元和作为子单元；The generating unit includes reconstructing subunits, selecting subunits, and serving as subunits;

重构子单元，用于利用奇素数、多维球面初始参数、随机数，重构球面；The reconstruction subunit is used to reconstruct the spherical surface by using odd prime numbers, multi-dimensional spherical initial parameters, and random numbers;

选取子单元，用于按照设定的球面选点装置，依据当前时间从球面上选取球面点；其中，球面点有其对应的球面坐标信息；The selection subunit is used to select spherical points from the spherical surface according to the set spherical point selection device according to the current time; wherein, the spherical point has its corresponding spherical coordinate information;

作为子单元，用于将球面点的球面坐标信息作为用于身份验证的初始凭证信息。As a subunit, it is used to use the spherical coordinate information of the spherical point as the initial credential information for authentication.

可选地，还包括接收单元和验证单元；Optionally, it also includes a receiving unit and a verification unit;

接收单元，用于接收对端设备发送的对端身份凭证信息；a receiving unit, configured to receive the peer identity credential information sent by the peer device;

验证单元，用于根据设定的球面点坐标判别条件对对端身份凭证信息进行验证。The verification unit is used for verifying the identity credential information of the peer according to the set discriminating conditions of spherical point coordinates.

可选地，球面点坐标判别条件为基于球面的已知点坐标信息构建的判别式；Optionally, the spherical point coordinate discrimination condition is a discriminant constructed based on the known point coordinate information of the spherical surface;

验证单元包括带入子单元、第一判定子单元和第二判定子单元；The verification unit includes a bring-in subunit, a first determination subunit and a second determination subunit;

带入子单元，用于将对端身份凭证信息带入判别式，得到判别结果；Bring into the subunit, which is used to bring the peer-end identity credential information into the discriminant to obtain the discriminant result;

第一判定子单元，用于在判别结果符合设定的输出结果的情况下，判定对端身份凭证信息合法；a first determination subunit, configured to determine that the peer-end identity credential information is legal when the determination result conforms to the set output result;

第二判定子单元，用于在判别结果不符合设定的输出结果的情况下，判定对端身份凭证信息不合法。The second judging subunit is used for judging that the peer-end identity credential information is invalid when the judging result does not conform to the set output result.

可选地，还包括反馈单元；Optionally, a feedback unit is also included;

反馈单元，用于向对端设备反馈与判别结果对应的响应信息。The feedback unit is used to feed back the response information corresponding to the judgment result to the peer device.

可选地，还包括建立单元；Optionally, it also includes an establishment unit;

建立单元，用于在接收到对端设备反馈的表征身份凭证信息合法的响应信息，并且判定对端身份凭证信息合法的情况下，建立与对端设备的通信连接。The establishing unit is configured to establish a communication connection with the opposite end device when receiving the response information representing the legality of the identity credential information fed back by the opposite end device and determining that the opposite end identity credential information is legal.

可选地，还包括划分单元、带入单元、筛选单元、作为单元和确定单元；Optionally, it also includes a dividing unit, a bringing-in unit, a screening unit, a serving unit and a determining unit;

划分单元，用于在对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；A dividing unit, configured to divide the peer identity credential information into the first peer identity credential information and the second peer identity credential according to the set dichotomy when the peer identity credential information corresponds to multiple peer devices information;

带入单元，用于将第一对端身份凭证信息和第二对端身份凭证信息分别带入判别式，得到第一判别结果和第二判别结果；a bringing-in unit, which is used to bring the first opposite-end identity credential information and the second opposite-end identity credential information into the discriminant respectively to obtain the first discrimination result and the second discrimination result;

筛选单元，用于依据第一判别结果和第二判别结果，从对端身份凭证信息中筛选出待评估对端身份凭证信息；a screening unit, configured to screen out the peer identity credential information to be evaluated from the peer identity credential information according to the first discrimination result and the second discrimination result;

作为单元，用于将待评估对端身份凭证信息作为新的对端身份凭证信息，返回在对端身份凭证信息对应多个对端设备的情况下，按照设定的二分法，将对端身份凭证信息划分为第一对端身份凭证信息和第二对端身份凭证信息；As a unit, it is used to use the peer identity credential information to be evaluated as the new peer identity credential information, and return the peer identity credential information according to the set dichotomy when the peer identity credential information corresponds to multiple peer devices. The credential information is divided into first peer identity credential information and second peer identity credential information;

确定单元，用于直至待评估对端身份凭证信息对应一个对端设备，则确定待评估对端身份凭证信息为不合法信息。The determining unit is configured to determine that the peer identity credential information to be evaluated is illegal information until the peer identity credential information to be evaluated corresponds to a peer device.

图2所对应实施例中特征的说明可以参见图1所对应实施例的相关说明，这里不再一一赘述。For the description of the features in the embodiment corresponding to FIG. 2 , reference may be made to the relevant description of the embodiment corresponding to FIG. 1 , which will not be repeated here.

由上述技术方案可以看出，获取球面构造参数；依据当前时间以及球面构造参数，生成用于身份验证的初始凭证信息。球面构造参数构造的球面可以实现无限取点，保证了身份凭证信息可以实现一次一密的动态变化。盲因子的使用可以有效的避免球面上点的暴露，同时盲因子不会对身份凭证信息的验证造成干扰，因此可以利用盲因子对初始凭证信息进行转换，以得到身份凭证信息。将身份凭证信息传输至对端设备，以便于对端设备根据设定的球面点坐标判别条件对身份凭证信息进行验证。在该技术方案中，通过盲因子对初始凭证信息进行转换，保证了认证的安全性。基于球面点坐标的分布规律设置球面点坐标判别条件，对于需要建立定向通信的设备，通过球面取点得到身份凭证信息，利用球面点坐标判别条件可以直接对身份凭证信息进行验证，无需再按照公钥密码体制进行大量的数据运算进行认证，有效的降低了身份认证的时延。It can be seen from the above technical solutions that the spherical structure parameters are obtained; the initial credential information for identity verification is generated according to the current time and the spherical structure parameters. The spherical surface constructed by the spherical structure parameters can realize unlimited point selection, which ensures that the identity credential information can realize the dynamic change of one-time pad. The use of the blind factor can effectively avoid the exposure of points on the sphere, and the blind factor will not interfere with the verification of the identity credential information. Therefore, the blind factor can be used to convert the initial credential information to obtain the identity credential information. The identity credential information is transmitted to the peer device, so that the peer device can verify the identity credential information according to the set spherical point coordinate discrimination conditions. In this technical solution, the initial credential information is converted through a blind factor, which ensures the security of authentication. Based on the distribution law of spherical point coordinates, the spherical point coordinate discrimination conditions are set. For devices that need to establish directional communication, the identity credential information can be obtained by taking the spherical point. The key cryptosystem performs a large number of data operations for authentication, which effectively reduces the delay of identity authentication.

图3为本申请实施例提供的一种电子设备的结构图，如图3所示，电子设备包括：存储器20，用于存储计算机程序；FIG. 3 is a structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 3 , the electronic device includes: a memory 20 for storing a computer program;

处理器21，用于执行计算机程序时实现如上述实施例身份识别方法的步骤。Theprocessor 21 is configured to implement the steps of the identity recognition method in the above embodiment when executing the computer program.

本实施例提供的电子设备可以包括但不限于智能手机、平板电脑、笔记本电脑或台式电脑等。The electronic device provided in this embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, or a desktop computer.

其中，处理器21可以包括一个或多个处理核心，比如4核心处理器、8核心处理器等。处理器21可以采用DSP(Digital Signal Processing，数字信号处理)、FPGA(Field-Programmable Gate Array，现场可编程门阵列)、PLA(Programmable Logic Array，可编程逻辑阵列)中的至少一种硬件形式来实现。处理器21也可以包括主处理器和协处理器，主处理器是用于对在唤醒状态下的数据进行处理的处理器，也称CPU(Central ProcessingUnit，中央处理器)；协处理器是用于对在待机状态下的数据进行处理的低功耗处理器。在一些实施例中，处理器21可以在集成有GPU(Graphics Processing Unit，图像处理器)，GPU用于负责显示屏所需要显示的内容的渲染和绘制。一些实施例中，处理器21还可以包括AI(Artificial Intelligence，人工智能)处理器，该AI处理器用于处理有关机器学习的计算操作。Theprocessor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. Theprocessor 21 may use at least one hardware form among DSP (Digital Signal Processing, digital signal processing), FPGA (Field-Programmable Gate Array, field programmable gate array), PLA (Programmable Logic Array, programmable logic array) accomplish. Theprocessor 21 may also include a main processor and a coprocessor. The main processor is a processor used to process data in the wake-up state, also called a CPU (Central Processing Unit, central processing unit); A low-power processor for processing data in a standby state. In some embodiments, theprocessor 21 may be integrated with a GPU (Graphics Processing Unit, image processor), and the GPU is used for rendering and drawing the content that needs to be displayed on the display screen. In some embodiments, theprocessor 21 may further include an AI (Artificial Intelligence, artificial intelligence) processor, where the AI processor is used to process computing operations related to machine learning.

存储器20可以包括一个或多个计算机可读存储介质，该计算机可读存储介质可以是非暂态的。存储器20还可包括高速随机存取存储器，以及非易失性存储器，比如一个或多个磁盘存储设备、闪存存储设备。本实施例中，存储器20至少用于存储以下计算机程序201，其中，该计算机程序被处理器21加载并执行之后，能够实现前述任一实施例公开的身份识别方法的相关步骤。另外，存储器20所存储的资源还可以包括操作系统202和数据203等，存储方式可以是短暂存储或者永久存储。其中，操作系统202可以包括Windows、Unix、Linux等。数据203可以包括但不限于球面构造参数、初始凭证信息、身份凭证信息、球面点坐标判别条件等。Memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash storage devices. In this embodiment, the memory 20 is at least used to store the following computer program 201 , where, after the computer program is loaded and executed by theprocessor 21 , the relevant steps of the identification method disclosed in any of the foregoing embodiments can be implemented. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, etc., and the storage mode may be short-term storage or permanent storage. The operating system 202 may include Windows, Unix, Linux, and the like. The data 203 may include, but is not limited to, spherical surface construction parameters, initial credential information, identity credential information, spherical point coordinate discrimination conditions, and the like.

在一些实施例中，电子设备还可包括有显示屏22、输入输出接口23、通信接口24、电源25以及通信总线26。In some embodiments, the electronic device may further include a display screen 22 , an input/output interface 23 , acommunication interface 24 , a power supply 25 and a communication bus 26 .

本领域技术人员可以理解，图3中示出的结构并不构成对电子设备的限定，可以包括比图示更多或更少的组件。Those skilled in the art can understand that the structure shown in FIG. 3 does not constitute a limitation on the electronic device, and may include more or less components than those shown in the drawings.

可以理解的是，如果上述实施例中的身份识别方法以软件功能单元的形式实现并作为独立的产品销售或使用时，可以存储在一个计算机可读取存储介质中。基于这样的理解，本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来，该计算机软件产品存储在一个存储介质中，执行本申请各个实施例方法的全部或部分步骤。而前述的存储介质包括：U盘、移动硬盘、只读存储器(Read-Only Memory，ROM)、随机存取存储器(Random Access Memory，RAM)、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、磁碟或者光盘等各种可以存储程序代码的介质。It can be understood that, if the identification method in the above embodiment is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, and the computer software products are stored in a storage medium , to execute all or part of the steps of the methods in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), electrically erasable programmable ROM, registers, hard disks, programmable Various media that can store program codes, such as removable disks, CD-ROMs, magnetic disks, or optical disks.

基于此，本发明实施例还提供了一种计算机可读存储介质，计算机可读存储介质上存储有计算机程序，计算机程序被处理器执行时实现如上述身份识别方法的步骤。Based on this, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the above-mentioned identification method are implemented.

本发明实施例所述计算机可读存储介质的各功能模块的功能可根据上述方法实施例中的方法具体实现，其具体实现过程可以参照上述方法实施例的相关描述，此处不再赘述。The functions of each functional module of the computer-readable storage medium according to the embodiments of the present invention may be specifically implemented according to the methods in the foregoing method embodiments, and the specific implementation process may refer to the relevant descriptions of the foregoing method embodiments, which will not be repeated here.

以上对本申请实施例所提供的一种身份识别方法、装置、设备和计算机可读存储介质进行了详细介绍。说明书中各个实施例采用递进的方式描述，每个实施例重点说明的都是与其他实施例的不同之处，各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置而言，由于其与实施例公开的方法相对应，所以描述的比较简单，相关之处参见方法部分说明即可。The identity identification method, apparatus, device, and computer-readable storage medium provided by the embodiments of the present application have been described in detail above. The various embodiments in the specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments can be referred to each other. As for the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant part can be referred to the description of the method.

专业人员还可以进一步意识到，结合本文中所公开的实施例描述的各示例的单元及算法步骤，能够以电子硬件、计算机软件或者二者的结合来实现，为了清楚地说明硬件和软件的可互换性，在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行，取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能，但是这种实现不应认为超出本申请的范围。Professionals may further realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two, in order to clearly illustrate the possibilities of hardware and software. Interchangeability, the above description has generally described the components and steps of each example in terms of functionality. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.

以上对本申请所提供的一种身份识别方法、装置、设备和计算机可读存储介质进行了详细介绍。本文中应用了具体个例对本发明的原理及实施方式进行了阐述，以上实施例的说明只是用于帮助理解本发明的方法及其核心思想。应当指出，对于本技术领域的普通技术人员来说，在不脱离本发明原理的前提下，还可以对本申请进行若干改进和修饰，这些改进和修饰也落入本申请权利要求的保护范围内。The identification method, apparatus, device and computer-readable storage medium provided by the present application have been described in detail above. The principles and implementations of the present invention are described herein by using specific examples, and the descriptions of the above embodiments are only used to help understand the method and the core idea of the present invention. It should be pointed out that for those skilled in the art, without departing from the principle of the present invention, several improvements and modifications can also be made to the present application, and these improvements and modifications also fall within the protection scope of the claims of the present application.

Claims (10)

1. An identity recognition method, comprising:

obtaining spherical construction parameters;

generating initial certificate information for identity authentication according to the current time and the spherical surface construction parameters;

converting the initial certificate information by using a blind factor to obtain identity certificate information;

and transmitting the identity certificate information to opposite-end equipment so that the opposite-end equipment can verify the identity certificate information according to a set spherical point coordinate judgment condition.

2. The identity recognition method of claim 1, wherein the spherical construction parameters comprise odd prime numbers, multi-dimensional spherical initial parameters, random numbers generated based on the odd prime numbers, and blind factors;

the generating of the initial credential information for authentication according to the current time and the spherical configuration parameter includes:

reconstructing a spherical surface by using the odd prime number, the multi-dimensional spherical surface initial parameter and the random number;

selecting a spherical point from the spherical surface according to a set spherical point selection method and the current time; wherein, the spherical point has the corresponding spherical coordinate information;

and taking the spherical coordinate information of the spherical point as initial certificate information for identity authentication.

3. The method of claim 1, further comprising:

receiving opposite terminal identity certificate information sent by the opposite terminal equipment;

and verifying the identity certificate information of the opposite terminal according to the set spherical point coordinate judgment condition.

4. The identity recognition method according to claim 3, wherein the spherical point coordinate discrimination condition is a discrimination formula constructed based on known point coordinate information of the spherical surface;

the verifying the opposite-end identity certificate information according to the set spherical point coordinate distinguishing condition comprises the following steps:

substituting the opposite terminal identity certificate information into the discriminant to obtain a discriminant result;

judging that the opposite terminal identity certificate information is legal under the condition that the judgment result accords with a set output result;

and under the condition that the judgment result does not accord with the set output result, judging that the opposite-end identity certificate information is illegal.

5. The identity recognition method of claim 4, wherein after the substituting the opposite-end identity credential information into the discriminant to obtain a result of the discrimination, the method further comprises:

and feeding back response information corresponding to the judgment result to the opposite terminal equipment.

6. The identity recognition method of claim 4, further comprising, after the transmitting the identity credential information to a peer device:

and establishing communication connection with the opposite terminal equipment under the conditions that response information which is fed back by the opposite terminal equipment and represents that identity certificate information is legal is received and the opposite terminal identity certificate information is judged to be legal.

7. The method of claim 4, wherein, when the determination result does not meet the set output result, determining that the opposite-end identity credential information is not legal further comprises:

under the condition that the opposite-end identity certificate information corresponds to a plurality of opposite-end devices, dividing the opposite-end identity certificate information into first opposite-end identity certificate information and second opposite-end identity certificate information according to a set dichotomy;

respectively bringing the first pair of end identity certificate information and the second pair of end identity certificate information into the discriminant to obtain a first discrimination result and a second discrimination result;

screening the opposite terminal identity voucher information to be evaluated from the opposite terminal identity voucher information according to the first judgment result and the second judgment result;

and taking the to-be-evaluated opposite-end identity credential information as new opposite-end identity credential information, returning to the step of dividing the opposite-end identity credential information into first opposite-end identity credential information and second opposite-end identity credential information according to a set dichotomy under the condition that the opposite-end identity credential information corresponds to a plurality of opposite-end devices, and determining that the to-be-evaluated opposite-end identity credential information is illegal information until the to-be-evaluated opposite-end identity credential information corresponds to one opposite-end device.

8. An identity recognition device is characterized by comprising an acquisition unit, a generation unit, a conversion unit and a transmission unit;

the acquisition unit is used for acquiring spherical construction parameters;

the generating unit is used for generating initial certificate information for identity authentication according to the current time and the spherical surface construction parameters;

the conversion unit is used for converting the initial certificate information by using a blind factor to obtain identity certificate information;

and the transmission unit is used for transmitting the identity certificate information to opposite-end equipment so that the opposite-end equipment can verify the identity certificate information according to a set spherical point coordinate judgment condition.

9. An electronic device, comprising:

a memory for storing a computer program;

a processor for executing the computer program for carrying out the steps of the identification method according to any of claims 1 to 7.

10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the identification method according to any one of claims 1 to 7.

Images