Background
Identity authentication is the technology for determining the true identity of a user. It is an important component of an information security system and plays a very important role in computer networks, electronic commerce, financial transactions and similar fields. In conventional business, the identity of a user is typically confirmed by an identity document (e.g., an identity card, a household register, a passport, etc.), and a paper or electronic image of the identity document is saved as a business authorization credential.
With the arrival of the digital age, account number plus password and digital certificate plus private key have become the two mainstream digital identity authentication technologies. However, although conventional identity authentication is convenient to use, its security and management still need to be improved, enriched and perfected. Its shortcomings lie mainly in the following two aspects:
(1) Single-factor authentication relies on one factor only; once the password is lost, the user account is leaked;
(2) Identity authentication under a PKI system involves cumbersome certificate management, which increases operating cost.
Disclosure of Invention
In view of the technical problems in the prior art, the invention aims to provide a unified identity authentication method based on two factors. Using the characteristics of blockchain technology, such as public verifiability, tamper resistance and reliable auditability, it provides a two-factor unified authentication system with trusted registration, autonomous authorization and reliable audit, so as to facilitate access to, use of and management of various application systems. The system and method perform identity authentication based on two factors chosen from password, key, or biometrics, and ensure account security even if the user's password is lost or leaked, thereby meeting the unified identity authentication requirements of system security and reliability.
To achieve this aim, the invention provides a two-factor unified authentication method, which specifically comprises the following 3 steps:
Step 1. Registration phase (Register): from the password pwd set by the user and the collected user biometric information $P_i$, the registration server calculates the user's private key sk and the public key $pk = g^{sk}$; it then obtains the registration timestamp $ts_r$ of the current time and calculates the registration signature $\sigma_r = \mathrm{sign}_{sk}(M_r, ts_r)$. The above processing is done on the registration server. After the processing is completed, the registration server sends the registration application information $M_r$, the registration timestamp $ts_r$, the public key pk and the registration signature $\sigma_r$ to the verification server. The verification server automatically verifies the registration timestamp $ts_r$; if it passes, it runs the verification algorithm $\mathrm{verf}_{pk}(M_r, ts_r, \sigma_r)$ and checks whether the result is 1. If the result is 1, it uploads pk to the blockchain using the Sub function of the smart contract, generates the corresponding user id, and returns the user id to the user to indicate that registration is complete.
Step 2. Authorization phase (Authorization): when a user requests to be authorized for a target application in the system server, the user must enter the password pwd and the biometric information $P_i$, and at the same time generates the request authority information $M_a$, where $M_a$ is the application and rights information for which the user requests authorization. The user then obtains the authorization timestamp $ts_a$ of the current time, calculates the private key sk, and uses sk to calculate the request authority signature $\sigma_a = \mathrm{sign}_{sk}(M_a, ts_a, id)$. The above processing is all completed on the user side. After the processing is completed, the user sends the request authority information $M_a$, the authorization timestamp $ts_a$ and the request authority signature $\sigma_a$ to the system server. Subsequent processing is completed on the system server. The system server automatically verifies the authorization timestamp $ts_a$; if it passes, it runs the Check(id) algorithm in the smart contract to verify whether the user id exists; if it exists, it verifies $\sigma_a$ using the user's public key pk; if the signature is valid, the corresponding pk information is added to the system authorization list (List) of the blockchain, indicating that the user has been granted the requested rights to the target application in the system server.
Step 3. Login phase (Login): when a user logs in to a target application in the system, the user must enter the password pwd and the biometric information $P_i$, and at the same time generates the request login information $M_l$, where $M_l$ is the information of the application the user requests to log in to. The user then obtains the login timestamp $ts_l$ of the current time, calculates the private key sk, and uses sk to calculate the request login signature $\sigma_l = \mathrm{sign}_{sk}(M_l, ts_l, id)$. The above processing is all completed on the user side. After the processing is completed, the user sends the request login information $M_l$, the login timestamp $ts_l$ and the request login signature $\sigma_l$ to the system server. The system server calls the Check(id, System) algorithm in the smart contract, where System is the identifier of the target application in the system server. If the result is 1, the user has been authorized by the system, and the system further calls the $\mathrm{verf}_{pk}(M_l, ts_l, \sigma_l)$ algorithm; if that result is 1, the user is allowed to log in to the target application in the system, otherwise login is refused.
The invention has the following advantages:
Most identity authentication systems currently on the market use single password authentication based on the MD5 hash algorithm, which has weak security strength, so this authentication mode is poorly secured. Although some two-factor authentication systems exist on the market, they require a server to store user passwords, keys and biometric information; once the server is compromised, the user's private information is leaked, so they struggle to meet requirements such as security, reliability and efficiency.
The invention designs a unified identity authentication protocol based on two factors, building the authentication method on two factors chosen from password, key, or biometrics, so that account security is ensured even if the user's password is lost or leaked. In addition, the method does not need to store the user's password, key or biometric information on the server; only public information is stored on the blockchain, which effectively reduces the risk of user information leaking through a server compromise. The invention can also be combined with existing digital signature algorithms on the market, such as ECDSA, Schnorr, SM and others, and therefore has strong system compatibility.
Detailed Description
The invention will now be described in further detail with reference to the accompanying drawings, which are given by way of illustration only and are not intended to limit the scope of the invention.
The implementation flow of the present invention is shown in Fig. 1 and involves a client, a verification end, a registration server, a system server, and a blockchain. The specific user registration, rights authorization and user login processes are as follows:
1) User registration: the user to be registered sets a password and provides biometric information; a hash value of the password and the biometric is calculated, and the corresponding public/private key pair is generated from that hash value. The user uses the private key to calculate a registration signature covering a timestamp and the registration information, and sends the registration information, the registration timestamp, the public key and the registration signature together to the verification server. After the verification server verifies them as valid, it calls the identity registration function in the smart contract, uploads the user's public key to the blockchain, and generates an id corresponding to the user's public key, indicating that the user has registered successfully.
2) Rights authorization: if a registered user requests to be authorized for a target application in the system server, the user must enter the password and biometric information; the hash value of the password and the biometric is calculated, and the corresponding public/private key pair is generated from that hash value. The user uses the private key to calculate a request authorization signature covering a timestamp, the user id and the request authorization information, and sends the request authorization information, the authorization timestamp, the public key, the user id and the request authorization signature together to the system server. After the system server calls the verification algorithm in the smart contract and verifies that the user id is registered and the signature is valid, the corresponding public key information is added to the system authorization list of the blockchain, indicating that the user has been granted the requested rights to the target application in the system server.
3) User login: when a user logs in to a target application in a system server, the user must enter the password and biometric information; the hash value of the password and the biometric is calculated, and the corresponding public/private key pair is generated from that hash value. The user uses the private key to calculate a login signature covering the login timestamp, the user id and the login information, and sends the login information, the timestamp, the public key, the user id and the login signature together to the system server, which calls the verification algorithm in the smart contract. If the user id is verified as authorized and the signature is valid, the user is allowed to log in to the target application in the system; otherwise login is refused.
Example 1
1. Symbols and definitions
g: a generator of the multiplicative group.
A hash function.
ts: a time stamp.
pk: the public key of the user.
sk: the private key of the user.
pwd: a password set by the user.
$P_i$: biometric information of the user.
M: a request message of the user.
$\sigma$: the signer's signature on a message.
$\mathrm{sign}_{sk}(\cdot)$: the signing algorithm; the signer calls it to sign a message.
$\mathrm{verf}_{pk}(\cdot)$: the signature verification algorithm; a verifier calls it to verify a signature.
Sub: the submission algorithm of the smart contract, used for uploading pk to the blockchain.
Check(·): the verification algorithm of the smart contract, used for verifying the validity of the user's rights.
2. The two-factor unified identity authentication scheme comprises three parts: a registration phase (Register), an authorization phase (Authorization) and a login phase (Login). The steps are as follows:
Step 1. Registration phase (Register): from the password pwd set by the user and the collected user biometric information $P_i$, the registration server calculates the user's private key sk and the public key $pk = g^{sk}$; it then obtains the registration timestamp $ts_r$ of the current time and calculates the registration signature $\sigma_r = \mathrm{sign}_{sk}(M_r, ts_r)$. The above processing is done on the registration server. After the processing is completed, the registration server sends the registration application information $M_r$, the registration timestamp $ts_r$, the public key pk and the registration signature $\sigma_r$ to the verification server. The verification server automatically verifies the registration timestamp $ts_r$; if it passes, it runs the verification algorithm $\mathrm{verf}_{pk}(M_r, ts_r, \sigma_r)$ and checks whether the result is 1. If the result is 1, it uploads pk to the blockchain using the Sub function of the smart contract, generates the corresponding user id, and returns the user id to the user to indicate that registration is complete.
Step 2. Authorization phase (Authorization): when a user requests to be authorized for a target application in the system server, the user must enter the password pwd and the biometric information $P_i$, and at the same time generates the request authority information $M_a$, where $M_a$ is the application and rights information for which the user requests authorization. The user then obtains the authorization timestamp $ts_a$ of the current time, calculates the private key sk, and uses sk to calculate the request authority signature $\sigma_a = \mathrm{sign}_{sk}(M_a, ts_a, id)$. The above processing is all completed on the user side. After the processing is completed, the user sends the request authority information $M_a$, the authorization timestamp $ts_a$ and the request authority signature $\sigma_a$ to the system server. Subsequent processing is completed on the system server. The system server automatically verifies the authorization timestamp $ts_a$; if it passes, it runs the Check(id) algorithm in the smart contract to verify whether the user id exists; if it exists, it verifies $\sigma_a$ using the user's public key pk; if the signature is valid, the corresponding pk information is added to the system authorization list (List) of the blockchain, indicating that the user has been granted the requested rights to the target application in the system server.
Step 3. Login phase (Login): when a user logs in to a target application in the system, the user must enter the password pwd and the biometric information $P_i$, and at the same time generates the request login information $M_l$, where $M_l$ is the information of the application the user requests to log in to. The user then obtains the login timestamp $ts_l$ of the current time, calculates the private key sk, and uses sk to calculate the request login signature $\sigma_l = \mathrm{sign}_{sk}(M_l, ts_l, id)$. The above processing is all completed on the user side. After the processing is completed, the user sends the request login information $M_l$, the login timestamp $ts_l$ and the request login signature $\sigma_l$ to the system server. The system server calls the Check(id, System) algorithm in the smart contract, where System is the identifier of the target application in the system server. If the result is 1, the user has been authorized by the system, and the system further calls the $\mathrm{verf}_{pk}(M_l, ts_l, \sigma_l)$ algorithm; if that result is 1, the user is allowed to log in to the target application in the system, otherwise login is refused.
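The three phases above, as an added Python sketch that is not code from the patent: keys are derived from pwd and $P_i$, requests are signed with Schnorr (one of the schemes the text names as compatible), and the server keeps only public keys. Assumptions: sk is taken as SHA-256 of (pwd, $P_i$), the biometric is an exact byte-stable template, the group is a demo-sized prime field, the 60-second freshness window (applied at login as well) is invented here, and `Ledger` is a hypothetical in-memory stand-in for the smart contract.

```python
import hashlib, secrets
# Demo-sized group (assumption): prime field 2^255-19 with g=2, far too small for real use.
P, G = 2**255 - 19, 2
WINDOW = 60  # assumed timestamp freshness window in seconds

def H(*parts):
    h = hashlib.sha256()
    for x in parts:
        b = str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)  # length prefix keeps field boundaries unambiguous
    return int.from_bytes(h.digest(), "big")

def derive_keys(pwd, bio):
    sk = H("sk", pwd, bio) % (P - 1)   # assumed form of the hash-derived private key
    return sk, pow(G, sk, P)            # pk = g^sk

def sign(sk, *msg):                     # Schnorr signature (R, s) over the message fields
    k = secrets.randbelow(P - 2) + 1
    R = pow(G, k, P)
    return R, (k + H(R, *msg) * sk) % (P - 1)

def verf(pk, sig, *msg):                # accepts iff g^s == R * pk^e (mod P)
    R, s = sig
    return pow(G, s, P) == R * pow(pk, H(R, *msg), P) % P

def fresh(ts, now):
    return abs(now - ts) <= WINDOW

class Ledger:  # hypothetical stand-in for the contract: stores public keys only
    def __init__(self):
        self.users, self.auth = {}, {}
    def sub(self, pk):                  # Sub: upload pk, return the new user id
        uid = len(self.users) + 1
        self.users[uid] = pk
        return uid
    def check(self, uid, system=None):  # Check(id) or Check(id, System)
        if system is None:
            return uid in self.users
        return self.users.get(uid) in self.auth.get(system, set())

def register(ledger, pk, M, ts, sig, now):
    return ledger.sub(pk) if fresh(ts, now) and verf(pk, sig, M, ts) else None

def authorize(ledger, system, uid, M, ts, sig, now):
    if not (fresh(ts, now) and ledger.check(uid) and verf(ledger.users[uid], sig, M, ts, uid)):
        return False
    ledger.auth.setdefault(system, set()).add(ledger.users[uid])
    return True

def login(ledger, system, uid, M, ts, sig, now):
    return fresh(ts, now) and ledger.check(uid, system) and verf(ledger.users[uid], sig, M, ts, uid)
```

Because sk is recomputed from both inputs on every request, a signature made with the right password but a different biometric template fails verification, and a stale timestamp is rejected before the signature is checked.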
Although specific embodiments of the invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various alternatives, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention is not intended to be limited to the particular embodiment disclosed as the best mode contemplated for carrying it out; its scope is that indicated by the appended claims.