
CN-122027236-A - Identity authentication method, device, equipment, storage medium and program product


Abstract

Embodiments of this application provide an identity authentication method, device, equipment, storage medium and program product in the field of information security. After registration, the client responds to an identity authentication request triggered by the user by first verifying the user against a biometric template held in the trusted execution environment (TEE) of the terminal the client is currently running on. If that primary verification passes, the client generates, inside the TEE, an authentication assertion from the private key of an encryption key pair and the TEE's environment attestation, and submits an identity authentication request carrying the terminal identifier and the assertion to the server. The server receives the request and authenticates the user from the information it carries. Because the whole client-side authentication process runs inside the TEE, unauthorized software cannot read the biometric template or the private key, which the application presents as improving the accuracy and reliability of identity authentication and protecting the privacy of user data.

Inventors

  • Liang Yanv
  • CHEN JIAN
  • LIU LILI
  • CHEN YANNI

Assignees

  • 中国工商银行股份有限公司 (Industrial and Commercial Bank of China Limited)

Dates

Publication Date
2026-05-12
Application Date
2026-01-20

Claims (13)

  1. An identity authentication method, applied to a client, the method comprising: in response to an initial registration request triggered by a user, generating, in a trusted execution environment of the current target terminal, an encryption key pair and an environment attestation of the trusted execution environment, and storing a biometric template of the user; sending a registration request to a server, the registration request carrying the public key of the encryption key pair, the environment attestation and a target terminal identifier, so that the server stores authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; after registration is completed, in response to an initial identity authentication request triggered by the user, performing primary identity verification of the user in the trusted execution environment of the terminal where the user is currently located, based on the biometric template; if the primary identity verification passes, generating an authentication assertion in the trusted execution environment using the private key of the encryption key pair and the environment attestation; and submitting an identity authentication request to the server, the identity authentication request carrying the current terminal identifier and the authentication assertion, so that the server authenticates the user based on the carried current terminal identifier, the authentication assertion and the authentication reference information.
  2. The method of claim 1, wherein storing the biometric template of the user comprises: capturing the user's biometric in the trusted execution environment and storing the captured biometric as the biometric template; and performing primary identity verification of the user in the trusted execution environment based on the biometric template comprises: capturing the user's biometric in the trusted execution environment and comparing the captured biometric with the biometric template.
  3. The method of claim 2, further comprising: if the primary identity verification fails, outputting a prompt indicating that identity authentication failed.
  4. The method of any one of claims 1 to 3, wherein generating the authentication assertion using the private key of the encryption key pair and the environment attestation comprises: generating an identity authentication data packet based on the environment attestation; signing the identity authentication data packet with the private key to obtain a digital signature; and assembling the identity authentication data packet and the digital signature into the authentication assertion.
  5. The method of claim 4, wherein generating the identity authentication data packet based on the environment attestation comprises: sending a random-number request to the server; receiving the random number returned by the server; and assembling the identity authentication data packet from the random number, a counter value, a timestamp and the environment attestation, so that the server authenticates the user based on the carried terminal identifier, the authentication assertion, the authentication reference information and the counter value from the previous identity authentication request.
  6. An identity authentication method, applied to a server, the method comprising: receiving a registration request from a client, the registration request carrying the public key of an encryption key pair generated by the client in a trusted execution environment of the current target terminal, an environment attestation of the trusted execution environment and a target terminal identifier; storing authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; after registration is completed, receiving an identity authentication request of the user, the identity authentication request carrying the identifier of the terminal where the user is currently located and an authentication assertion generated in the trusted execution environment using the private key of the encryption key pair and the environment attestation; and authenticating the user based on the carried terminal identifier, the authentication assertion and the authentication reference information.
  7. The method of claim 6, wherein the authentication assertion comprises an identity authentication data packet constructed from the environment attestation and a digital signature obtained by signing the identity authentication data packet with the private key, and authenticating the user based on the carried current terminal identifier, the authentication assertion and the authentication reference information comprises: looking up the public key mapped to the carried current terminal identifier; verifying the digital signature with that public key; if the signature verifies, verifying the environment attestation in the identity authentication data packet against the environment attestation stored at registration; and determining the identity authentication result of the user from the result of the attestation verification.
  8. The method of claim 7, wherein the identity authentication data packet further comprises a counter value, a timestamp and a random number obtained from the server, and determining the identity authentication result of the user from the result of the attestation verification comprises: checking the identity authentication request for replay by comparing the counter value with the counter value of the previous identity authentication request; checking that the request is not forged by comparing the timestamp with the server's time; checking the request for cross-session attack based on the random number; if every check passes, determining that the user's identity authentication has passed, updating the counter value stored on the server, and sending the client a prompt that identity authentication passed; and if any check fails, determining that the user's identity authentication has failed and sending the client a prompt that identity authentication failed.
  9. An identity authentication device, applied to a client, comprising: a generation module for responding to an initial registration request triggered by a user by generating an encryption key pair in the trusted execution environment of the current target terminal and storing a biometric template of the user; a sending module for sending a registration request to a server, the registration request carrying the public key of the encryption key pair, the environment attestation and a target terminal identifier, so that the server stores authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; a verification module for responding, after registration is completed, to an initial identity authentication request triggered by the user by performing primary identity verification of the user in the trusted execution environment of the terminal where the user is currently located, based on the biometric template; the generation module further being for generating, if the primary identity verification passes, an authentication assertion in the trusted execution environment using the private key of the encryption key pair and the environment attestation; and the sending module further being for submitting an identity authentication request to the server, the identity authentication request carrying the current terminal identifier and the authentication assertion, so that the server authenticates the user based on the carried current terminal identifier, the authentication assertion and the authentication reference information.
  10. An identity authentication device, applied to a server, comprising: a receiving module for receiving a registration request from a client, the registration request carrying the public key of an encryption key pair generated by the client in a trusted execution environment of the current target terminal, an environment attestation of the trusted execution environment and a target terminal identifier; a storage module for storing authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; the receiving module further being for receiving, after registration is completed, an identity authentication request of the user, the identity authentication request carrying the identifier of the terminal where the user is currently located and the authentication assertion; and an authentication module for authenticating the user based on the carried terminal identifier, the authentication assertion and the authentication reference information.
  11. An electronic device comprising a processor and a memory communicatively coupled to the processor, the memory storing computer-executable instructions, and the processor executing the computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 5 or 6 to 8.
  12. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of any one of claims 1 to 5 or 6 to 8.
  13. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5 or 6 to 8.
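The two sides of the protocol in claims 1 to 8, written out as an added Python sketch; this is illustrative code, not the patent's own implementation. It assumes the `cryptography` package for Ed25519 signatures, models the TEE, the client terminal and the server as in-process objects, and uses constructed stand-ins for the environment attestation and the biometric sample (a hash comparison stands in for a real fuzzy biometric matcher). The 60-second timestamp tolerance is an assumption, since the claims do not state one.

```python
"""Register-then-authenticate flow from the claims above (added illustration,
not the patent's code). Assumes the `cryptography` package; the TEE, terminal
and server are plain objects; attestation and biometric samples are constructed."""
import hashlib
import hmac
import json
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

MAX_SKEW_SECONDS = 60  # assumed tolerance for the timestamp check of claim 8


class TEE:
    """Stand-in for the terminal's trusted execution environment (claims 1-5).
    The private key and biometric template exist only inside this object."""

    def __init__(self, attestation: bytes):
        self._key = Ed25519PrivateKey.generate()   # claim 1: key pair generated in the TEE
        self.attestation = attestation             # constructed stand-in for the attestation
        self._template = None
        self.counter = 0                           # claim 5: per-key monotonic counter

    def public_key_bytes(self) -> bytes:
        return self._key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def enroll(self, biometric_sample: bytes) -> None:
        # claim 2: the sample captured inside the TEE becomes the template
        self._template = hashlib.sha256(biometric_sample).digest()

    def build_assertion(self, biometric_sample: bytes, nonce: bytes):
        # claims 1-3: primary verification inside the TEE; nothing is signed on failure
        candidate = hashlib.sha256(biometric_sample).digest()
        if self._template is None or not hmac.compare_digest(candidate, self._template):
            return None
        self.counter += 1
        packet = {  # claim 5: attestation, server nonce, counter, timestamp
            "attestation": self.attestation.hex(),
            "nonce": nonce.hex(),
            "counter": self.counter,
            "timestamp": int(time.time()),
        }
        body = json.dumps(packet, sort_keys=True).encode()
        # claim 4: the assertion is the packet plus a signature over it
        return {"packet": body.hex(), "signature": self._key.sign(body).hex()}


class Server:
    """Claims 6-8: reference info keyed by terminal id, assertion verification."""

    def __init__(self):
        self.reference = {}  # terminal_id -> {"pk", "attestation", "counter"}
        self.nonces = {}     # terminal_id -> nonce issued for the pending session

    def register(self, terminal_id: str, public_key: bytes, attestation: bytes) -> None:
        self.reference[terminal_id] = {"pk": public_key, "attestation": attestation, "counter": 0}

    def issue_nonce(self, terminal_id: str) -> bytes:
        nonce = os.urandom(16)
        self.nonces[terminal_id] = nonce
        return nonce

    def authenticate(self, terminal_id: str, assertion: dict, now=None):
        """Returns (passed, reason); checks run in the order of claims 7 and 8."""
        now = time.time() if now is None else now
        entry = self.reference.get(terminal_id)
        if entry is None:
            return False, "unknown terminal"
        body = bytes.fromhex(assertion["packet"])
        try:  # claim 7: signature first, with the key bound to this terminal id
            Ed25519PublicKey.from_public_bytes(entry["pk"]).verify(
                bytes.fromhex(assertion["signature"]), body)
        except InvalidSignature:
            return False, "bad signature"
        packet = json.loads(body)
        if not hmac.compare_digest(bytes.fromhex(packet["attestation"]), entry["attestation"]):
            return False, "attestation mismatch"  # claim 7: environment changed since enrolment
        if packet["counter"] <= entry["counter"]:
            return False, "replay"                # claim 8: counter must move forward
        if abs(now - packet["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"       # claim 8: freshness against server time
        expected = self.nonces.pop(terminal_id, None)
        if expected is None or not hmac.compare_digest(bytes.fromhex(packet["nonce"]), expected):
            return False, "nonce mismatch"        # claim 8: cross-session reuse
        entry["counter"] = packet["counter"]      # claim 8: persist the accepted counter
        return True, "ok"


def demo():
    """One registration, one successful login, then the same assertion replayed."""
    tee, server = TEE(attestation=b"constructed-attestation-blob"), Server()
    tee.enroll(b"constructed-fingerprint-sample")
    server.register("term-001", tee.public_key_bytes(), tee.attestation)
    nonce = server.issue_nonce("term-001")
    assertion = tee.build_assertion(b"constructed-fingerprint-sample", nonce)
    first = server.authenticate("term-001", assertion)
    replay = server.authenticate("term-001", assertion)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any field of the packet is trusted, and the nonce is consumed only after the counter and timestamp checks so that a request rejected for staleness does not burn the session's nonce. A copied private key alone does not pass, because the stored attestation must also match, and a captured assertion cannot be resubmitted, because its counter no longer exceeds the stored one.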

Description

Identity authentication method, device, equipment, storage medium and program product

Technical Field

The present application relates to the field of information security, and in particular to an identity authentication method, apparatus, device, storage medium and program product.

Background

With the wide adoption of the mobile internet and cloud computing, client identity authentication is a core link in guaranteeing user account security and service compliance. In the conventional approach, the user enters an identity credential (such as a password or fingerprint) and the client transmits it over an encrypted channel to a remote server for verification. Alternatively, the user's identity is verified locally on the device, for example by a secure element or by software that produces a signed assertion, and the signature is sent to the server for verification. In these existing schemes the user's biometrics (such as fingerprints and faces) must either be stored locally on the device or transmitted to the cloud, which exposes them to theft by malicious software or to man-in-the-middle attack; device binding is weak, so an attacker who copies credentials (such as passwords or biometric templates) can mount authentication attacks from another device; and schemes that rely on centralized server-side verification struggle to meet user-experience requirements under high concurrency because of network latency and real-time constraints.

Disclosure of Invention

The application provides an identity authentication method, device, equipment, storage medium and program product to address the problem that, in existing authentication schemes, a biometric template or a private key can be stolen by malicious software and sensitive data thereby leaked.

In a first aspect, the present application provides an identity authentication method, applied to a client, comprising: in response to an initial registration request triggered by a user, generating, in a trusted execution environment of the current target terminal, an encryption key pair and an environment attestation of the trusted execution environment, and storing a biometric template of the user; sending a registration request to a server, the registration request carrying the public key of the encryption key pair, the environment attestation and a target terminal identifier, so that the server stores authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; after registration is completed, in response to an initial identity authentication request triggered by the user, performing primary identity verification of the user in the trusted execution environment of the terminal where the user is currently located, based on the biometric template; if the primary identity verification passes, generating an authentication assertion in the trusted execution environment using the private key of the encryption key pair and the environment attestation; and submitting an identity authentication request to the server, the identity authentication request carrying the current terminal identifier and the authentication assertion, so that the server authenticates the user based on the carried current terminal identifier, the authentication assertion and the authentication reference information.

In a second aspect, the present application provides an identity authentication method, applied to a server, comprising: receiving a registration request from a client, the registration request carrying the public key of an encryption key pair generated by the client in a trusted execution environment of the current target terminal, an environment attestation of the trusted execution environment and a target terminal identifier; storing authentication reference information comprising a mapping between the public key and the target terminal identifier, together with the environment attestation; after registration is completed, receiving an identity authentication request of the user, the identity authentication request carrying the identifier of the terminal where the user is currently located and an authentication assertion generated in the trusted execution environment using the private key of the encryption key pair and the environment attestation; and authenticating the user based on the carried terminal identifier, the authentication assertion and the authentication reference information.

In a third aspect, the present application provides