
CN114629713B - Identity verification method, device and system - Google Patents


Info

Publication number: CN114629713B
Application number: CN202210300792.9A
Authority: CN (China)
Prior art keywords: login, user, password, ciphertext, server
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114629713A
Inventor: 赵浩然
Current assignee: Alibaba Cloud Computing Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Alibaba Cloud Computing Ltd

Events
    • Application filed by Alibaba Cloud Computing Ltd
    • Priority to CN202210300792.9A
    • Publication of CN114629713A
    • Application granted
    • Publication of CN114629713B
    • Legal status: Active (current)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
                            • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using a predetermined code, e.g. password, passphrase or PIN
                            • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
                        • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an identity verification method and system. The method comprises the following steps: storing a first login information ciphertext generated from user privacy data in a blockchain, where the server does not store the user privacy data; in the home domain of the user's blockchain node, generating a second login information ciphertext from the login information plaintext, checking whether the second login information ciphertext matches the first login information ciphertext and, if it does, generating a one-time login password and storing it in the blockchain; transmitting the login user information and the one-time login password to the server across the public network; and authenticating the login user in the server's local domain from the login user information and one-time login password received by the server together with the first login information ciphertext and one-time login password stored in the blockchain node of the server's local domain. With this processing, the login information plaintext never enters the public network and the server side no longer sees the user's private data, so the security of user privacy data is effectively improved.

Description

Identity verification method, device and system
Technical Field
The present application relates to the field of information security technologies, and in particular, to an identity verification method, device and system, a user registration method, device and electronic equipment.
Background
In the internet age, leakage of a user's password can have a tremendous impact on the user. To protect user password information, such as account passwords and the user's private AK/SK credentials on a cloud computing platform, the password storage system must prevent the user password data from being leaked.
At present, the typical password storage system is server-side, and it is implemented mainly in one of three ways: 1) storing the password plaintext: the user password is stored in the back-end server cluster; 2) storing an irreversible cryptographic hash: a hash of the user password computed with MD5 or SHA-256 is stored; 3) storing reversible ciphertext: the user password is encrypted with a specific key and the ciphertext is stored in a database. Taking a login password as an example, the server computes and stores a hash of the account password when the user registers, and uses it for identity verification when the user logs in later. For service platforms that need the user's AK/SK to call other cloud products on the cloud computing platform, the server side generally stores the SK in the platform database as ciphertext; when the user accesses a cloud product, the platform decrypts the ciphertext in the database to obtain the real SK, compares it with the SK sent in the request body to verify the user's identity, and then calls the designated cloud product with the AK/SK.
However, in the course of making the present invention, the inventors found that all of the above solutions share the following problems: 1) the user password enters the public network, so there is a risk of leakage in transit; 2) the server side can see the user's private data, so there is a risk of leakage inside the server side. For example, once the first scheme stores the password in plaintext in a database, it can easily and inadvertently expose user passwords to application developers or database administrators (DBAs); in the second scheme the password is often stored in an application configuration file or database, where it is also easily obtained by others and used to crack the user's password; the third scheme avoids that risk, but the domain names of some products may lack TLS encryption, so the key in the request body may be stolen while the user registration message is transmitted over the public network.
In summary, existing server-side password storage systems carry a risk of user password leakage, and improving the security of user password storage is an urgent problem for those skilled in the art.
Disclosure of Invention
The application provides an identity authentication method to solve the problem of low password storage security in the prior art. The application further provides an identity verification device and system, a user registration method and device and electronic equipment.
The application provides an identity verification method, which comprises the following steps:
storing a first login information ciphertext of a network service registered user in a blockchain, where the first login information ciphertext is obtained by encrypting registration privacy information related to identity verification, and storing registered user information that does not include user privacy data at the server;
acquiring a login user name and a login password;
generating a second login information ciphertext from the login user name and the login password;
in the client local network, authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network;
if authentication is judged to pass in the client local network, allocating a one-time login password to the login user and storing it in the blockchain; sending a user login request to the server through the public network, where the user login request comprises login user information and the one-time login password;
in the server-side local network, verifying the identity of the login user according to the login user information and one-time login password received by the server side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network.
Optionally, the login information ciphertext is obtained by encrypting the combined character string of the user name and the password;
the login user information comprises the second login information ciphertext;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises:
judging whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, judging that identity verification has passed;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the server local network comprises:
acquiring, as the target login password, the one-time login password stored by the second blockchain node that corresponds to the login information ciphertext received by the server;
judging whether the target login password is the same as the one-time login password received by the server side; if so, the server judges that identity authentication has passed.
Optionally, the method further comprises:
the first blockchain node also stores a secret key for decrypting the registered password ciphertext into plaintext;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises:
judging whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, decrypting the registered password ciphertext corresponding to the second login information ciphertext into the registered password plaintext with the secret key;
if the registered password plaintext is the same as the login password plaintext, judging that authentication has passed.
Optionally, the login information ciphertext is obtained by encrypting either the combined character string of the user name and the password or the password alone;
the user name corresponding to the first login information ciphertext is also stored in the blockchain;
the login user information comprises the login user name;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises:
judging whether the first login information ciphertext corresponding to the login user name, as stored by the first blockchain node, matches the second login information ciphertext; if so, judging that identity verification has passed;
authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the server local network comprises:
acquiring, as the target login password, the one-time login password stored by the second blockchain node that corresponds to the login user name received by the server;
judging whether the target login password is the same as the one-time login password received by the server side; if so, the server judges that identity authentication has passed.
Optionally, the first login information ciphertext includes: encrypting a user name to obtain a first user name ciphertext, and encrypting a password to obtain a first password ciphertext;
the generating the second login information ciphertext according to the login user name and the login password comprises the following steps:
Encrypting the login user name to obtain a second user name ciphertext, and encrypting the login password to obtain a second password ciphertext;
the login user information comprises a second user name ciphertext and a second password ciphertext;
authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises:
Judging whether a corresponding relation set between a first user name ciphertext and a first password ciphertext stored by a first blockchain node comprises a corresponding relation between a second user name ciphertext and a second password ciphertext or not; if the judgment result is yes, judging that the identity verification is passed;
the step of performing identity authentication on the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server, includes:
acquiring a one-time login password corresponding to a user name ciphertext and a password ciphertext received by a server and stored by a second blockchain node as a target login password;
judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
Optionally, the server comprises a cloud platform server, and the password comprises a key SK used by a user to encrypt the authentication string and used by a cloud vendor to verify the authentication string.
The method further comprises the steps of:
If the cloud platform server side judges that the identity verification is passed, the cloud platform server side sends a user login request to the cloud product server side, wherein the user login request comprises login user information and a one-time login password;
And in the cloud product server local network, carrying out identity authentication on the login user according to the login user information and the one-time login password received by the cloud product server and the one-time login password corresponding to the login user stored by a third blockchain node of the cloud product server local network.
Optionally, the method further comprises:
setting a validity duration and a generation time for the one-time login password;
authenticating the login user according to the login user information and one-time login password received by the server side and the one-time login password corresponding to the login user stored in the second blockchain node comprises:
acquiring, as the target login password, the one-time login password stored by the second blockchain node that corresponds to the login user information received by the server;
judging whether the target login password is still valid according to its generation time and validity duration;
if the target login password is valid, judging whether it is the same as the one-time login password received by the server side; if so, the server judges that identity authentication has passed.
The application also provides a user registration method, which is used for the client and comprises the following steps:
Acquiring user registration information of network service, wherein the user registration information comprises a registration user name and a registration password;
Transmitting the registered user name and the registered password to a first blockchain node of the client local network to generate a first login information ciphertext according to the registered user name and the registered password through the first blockchain node; and storing the first login information ciphertext into the blockchain, and storing the registered user information except the registered password into the network server.
The application also provides a user registration method for the first blockchain node of the client local network, comprising the following steps:
Receiving a user name and a password of a network service registration user sent by a client;
generating a first login information ciphertext according to the user name and the password;
And storing the first login information ciphertext into the blockchain, and storing the registered user information except the registered password into the network server.
The application also provides an identity verification method for the client, which comprises the following steps:
acquiring a login user name and a login password;
transmitting the login user name and the login password to the first blockchain node of the client local network, so that the first blockchain node generates a second login information ciphertext from the login user name and the login password, authenticates the login user according to the second login information ciphertext and the set of first login information ciphertexts stored in the first blockchain node, and, if it judges that authentication has passed, allocates a one-time login password to the login user and stores it in the blockchain; sending a user login request to the server through the public network, where the user login request comprises login user information and the one-time login password; and, in the second blockchain node of the server local network, authenticating the login user according to the login user information and one-time login password received by the server and the one-time login password corresponding to the login user stored in the second blockchain node.
The application also provides an identity verification method, which is used for the server and comprises the following steps:
Receiving a user login request, wherein the user login request comprises login user information and a one-time login password;
And sending the login user information and the one-time login password received by the server to a second blockchain node of the local network of the server so as to carry out identity authentication on the login user through the second blockchain node according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server.
The application also provides an identity verification method for a second blockchain node of the server local network, the method comprising the following steps:
Receiving login user information and a one-time login password sent by a server;
And authenticating the login user according to the login user information and the one-time login password received by the server side and the one-time login password corresponding to the login user stored by the second blockchain node.
The present application also provides a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the various methods described above.
The application also provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the various methods described above.
Compared with the prior art, the application has the following advantages:
According to the identity verification method provided by the embodiment of the application, the first login information ciphertext of the network service registered user is stored in the blockchain, and registered user information that does not include user privacy data is stored at the server; after a user submits a login request, the login user name and login password are obtained and a second login information ciphertext is generated; in the client local network, the login user is authenticated according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network; if authentication is judged to pass in the client local network, a one-time login password is allocated to the login user and stored in the blockchain; a user login request comprising login user information and the one-time login password is sent to the server through the public network; and in the server-side local network, the identity of the login user is verified according to the login user information and one-time login password received by the server side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network. With this processing, the plaintext of the user login information is transmitted only within the local domain of the login client and never enters the public network, and the server side no longer sees the user privacy data; the user privacy data is therefore protected from leakage while in transit over the public network, and the risk of internal leakage at the server side is also eliminated, so the security of the user privacy data is effectively improved.
Drawings
Fig. 1 is a schematic flow chart of an embodiment of the authentication method according to the present application;
Fig. 2 is a schematic diagram of a scenario of an embodiment of the authentication method according to the present application;
Fig. 3 is an interaction diagram of an embodiment of the authentication method provided by the present application;
Fig. 4 is a schematic diagram of another scenario of an embodiment of the authentication method provided by the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. The present application may be embodied in many other forms than those herein described, and those skilled in the art will readily appreciate that the present application may be similarly embodied without departing from the spirit or essential characteristics thereof, and therefore the present application is not limited to the specific embodiments disclosed below.
The application provides an identity verification method, an identity verification device, an identity verification system, a user registration method, a user registration device and electronic equipment. The various schemes are described in detail one by one in the examples below.
First embodiment
Fig. 1 is a flow chart of an authentication method according to the present application. In this embodiment, the method may include the steps of:
Step S101: a set of first login information ciphertexts of network service registered users is stored in a blockchain, and registered user information that does not include user privacy data is stored at the server side.
The network service may be a WEB application service (such as an online shopping service, a mailbox service, etc.), an API interface service, a cloud platform service, etc. The server provides network services for registered users, such as the server provides shopping websites, online shopping services for buyer users, and the like.
The first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification. The registered privacy information includes at least a user password and may further include a user name. The first login information ciphertext may be a ciphertext generated based on the privacy data input during user registration or may be a ciphertext generated based on a user modifying a password.
According to the method provided by the embodiment of the application, the first login information ciphertext of the network service registered user is stored in the blockchain, and the blockchain can store the first login information ciphertext of a plurality of registered users of at least one network service. The server side does not store user privacy data and only stores other information which does not relate to user privacy. Therefore, the server side does not sense the user privacy data any more, and the risk of leakage inside the server side is eliminated.
The blockchain is a decentralized distributed database, and the first login information ciphertexts of network service registered users stored in it gain the properties of tamper-resistance, a complete and traceable history, openness and transparency, and collective maintenance. A blockchain does not rely on a central server; it consists of a large number of "nodes". As shown in Fig. 2, an authentication system using the method of this embodiment includes clients (ClientA, ClientB, and so on), a server (Server), and a number of blockchain nodes (Blockchain Node, BC Node). Each blockchain node sits in a different private network, which may be a local area network, referred to here as a private network or intranet. Every blockchain node stores the first login information ciphertexts of the network service's registered users, and the nodes synchronize those ciphertexts through the blockchain. The client and the server communicate over the public network (Internet), for example to send user login requests and to exchange network service data.
A server with a blockchain client installed is a blockchain node. A blockchain node needs the following capabilities: 1) computing capability, for encrypting or hashing user privacy data and for taking part in the blockchain consensus; 2) storage space, for keeping the ciphertexts of the user privacy data of many registered users of the network service, the full ledger data, and the traceable history; 3) public network connectivity, for linking to every blockchain node of the whole network and keeping the data consistent through the consensus mechanism.
The login information ciphertext may be a reversible ciphertext, such as one produced by a shift or transposition cipher. It may also be an irreversible ciphertext, in which case the blockchain itself carries no risk of leaking the user privacy data. For example, an irreversible login information ciphertext may be generated by a message digest algorithm: a message digest needs no secret key, so there is no key management or distribution problem; the digest cannot be decrypted; and the same plaintext always yields the same digest under the same algorithm.
Because a reversible ciphertext may be cracked, and reversible ciphertexts of varying length take more storage space and are slower to look up, this embodiment uses an irreversible login information ciphertext. In this embodiment the login information ciphertext is a hash value of the login information, and the hash algorithm may be SHA (Secure Hash Algorithm), MD5 (Message-Digest Algorithm), or the like.
The login information ciphertext may be obtained by encrypting a combined character string formed from the user name and the password, for example by encrypting the concatenation of the user name and the password. The login information ciphertext may also comprise a user name ciphertext and a password ciphertext obtained by encrypting the user name and the password respectively. The login information ciphertext may also be a password ciphertext obtained by encrypting only the password.
In implementation, different private networks may adopt the same encryption algorithm to generate the login information ciphertext, so that a user can log in to the server through any private network. Different private networks may also adopt different encryption algorithms to generate the login information ciphertext, so that a user can only log in to the server through the private network used at registration. For example, private network 1 calculates the hash value of the combined character string of the user name and the password; private network 2 calculates the ciphertext with a shift encryption algorithm; private network 3 calculates the ciphertext with a shift encryption algorithm and also calculates the hash value of the user name.
In one example, the first login information ciphertext is a hash value generated by the blockchain node of the local network where the registration client is located from the combined string of the user name and the password; the hash value can be written into the blockchain ledger of that node and synchronized to all blockchain nodes of the whole network through the blockchain's distributed consensus mechanism. A blockchain node may store the first login information ciphertext of all users of at least one network service, as shown in table 1 below.
Table 1, user privacy data stored by a blockchain node
As can be seen from table 1, a blockchain node using this processing mode records neither the user name nor the password, but only the irreversible ciphertext (hash value) of the concatenation of the user name and the password. Only the user knows the plaintext of the user name and the password, and even if the database is stolen, the plaintext of the user name and the password cannot be derived from the ciphertext, so the user privacy data is stored more safely. This processing mode reduces both the risk of user password leakage and the risk of user name leakage.
In another example, the first login information ciphertext is likewise a hash value generated from the combined string of the user name and the password. In addition, the blockchain node of the local network where the registration client is located also stores a registration password ciphertext corresponding to the first login information ciphertext, and stores the private key used to decrypt that registration password ciphertext into plaintext. The hash value and the corresponding registration password ciphertext are written into the blockchain ledger of that node and synchronized to all blockchain nodes of the whole network through the blockchain's distributed consensus mechanism, but the private key is not stored in the other blockchain nodes, as shown in table 2 below.
Table 2, first login information ciphertext and corresponding login password ciphertext
As can be seen from table 2, a blockchain node using this processing mode records neither the user name nor the password, but only the hash value of the concatenation of the user name and the password and the reversible ciphertext of the password. Only the user knows the plaintext of the user name and the password, and even if the database is stolen, the plaintext of the user name and the password cannot be derived from the ciphertext, so the user privacy data is stored more safely. Likewise, this processing mode reduces both the risk of user password leakage and the risk of user name leakage.
In yet another example, the first login information ciphertext is likewise a hash value generated from the combined string of the user name and the password; the hash value and the corresponding user name are written into the blockchain ledger of that node, and the first login information ciphertext is synchronized to all blockchain nodes of the whole network through the blockchain's distributed consensus mechanism, as shown in table 3 below.
Table 3, first login information ciphertext and corresponding user name
As can be seen from table 3, a blockchain node using this processing mode does not record the password itself but the hash value of the concatenation of the user name and the password, while the user name is recorded in plaintext. Only the user knows the plaintext of the password, and even if the database is stolen, the plaintext of the password cannot be derived from the ciphertext, so the user privacy data is stored more safely.
In yet another example, the first login information ciphertext is the hash value of the password; the hash value and the corresponding user name are written into the blockchain ledger of that node and synchronized to all blockchain nodes of the whole network through the blockchain's distributed consensus mechanism, as shown in table 4 below.
Table 4, first login information ciphertext and corresponding user name
As can be seen from table 4, a blockchain node using this processing mode does not record the password itself, only the hash value of the password, while the user name is recorded in plaintext. Only the user knows the plaintext of the password, and even if the database is stolen, the plaintext of the password cannot be derived from the ciphertext, so the user privacy data is stored more safely.
In yet another example, the first login information ciphertext includes the hash value of the password (the first password ciphertext obtained by encrypting the password) and the hash value of the user name (the first user name ciphertext obtained by encrypting the user name); both are written into the blockchain ledger of that node and synchronized to all blockchain nodes of the whole network through the blockchain's distributed consensus mechanism, as shown in table 5 below.
Table 5, user name ciphertext and password ciphertext
As can be seen from table 5, a blockchain node using this processing mode records neither the user name nor the password, only the hash value of the user name and the hash value of the password. Only the user knows the plaintext of the password, and even if the database is stolen, the plaintext of the user name and the password cannot be derived from the ciphertext, so the user privacy data is stored more safely.
In this embodiment, each network server stores registered user information; the registered user information table includes only basic information of the registered user and does not include user privacy data, or at least does not include the user password, as shown in tables 6-1 and 6-2 below.
User name    Mailbox    Region
A001
A002
Table 6-1, registered user information Table of shopping platform A
Table 6-2, registered user information Table of shopping platform B
As shown in fig. 3, in the user registration stage of this embodiment, the client obtains the plaintext of the registration user name (username) and the registration password (password) and sends them to the blockchain node of its local network. The blockchain node of the client's local network forms the concatenation of the registration user name and the registration password and generates its hash value (hash = SHA(username & password)), encrypts the registration password plaintext with the user key to obtain the registration password ciphertext (code = ENCODE(password)), generates a one-time password (number), transmits the hash value (the first login information ciphertext) and the registration password ciphertext to the other blockchain nodes, and returns the hash value and the one-time password to the client. The client sends a user registration request to the server, the request including the hash value and the one-time password. The server sends the hash value and the one-time password to the blockchain node of its local network and queries whether the hash value received by the server is among the hash values stored by the blockchain node of the server's local domain, so as to prove that the registered user exists. If the registered user exists, the authenticity of the user registration request is verified according to the one-time password; if the one-time password is consistent, the blockchain node of the server's local network returns the verification result (success or failure) to the server, and the server can then store the basic information of the registered user as shown in tables 6-1 and 6-2.
With this processing mode, the life cycle of the user password exists only in the local network where the registration client is located; the password is neither transmitted to the server through the public network nor submitted to the blockchain. The server no longer handles the user key and only needs to verify whether the registration request comes from the real user (provided that a BC Node is deployed in the network where the user is located), and the risk of the user key being eavesdropped and leaked while propagating through the public network is eliminated. Furthermore, the hash value and the password ciphertext of the user privacy data are stored through the blockchain, so the user password is tamper-proof and the record is traceable.
Step S103: and obtaining the login user name and the login password.
In this embodiment, the user inputs the login user name and the login password on the login client, and after the login client obtains the login user name and the login password, the login user name and the login password may be sent to the blockchain node of the local network of the login client.
The login client includes, but is not limited to, a mobile communication device, namely a mobile phone or smartphone, and also includes terminal equipment such as a personal computer, a PAD or an iPad. The login client can be located in the same private network as the registration client or in a different private network, and a blockchain node is deployed in each private network.
Step S105: and generating a second login information ciphertext according to the login user name and the login password.
In this embodiment, the blockchain node of the local network of the login client generates the second login information ciphertext according to the login user name and the login password in the same manner as the first login information ciphertext is generated. For example, the second login information ciphertext is a ciphertext obtained by encrypting a combined character string of the user name and the password, or the second login information ciphertext includes a user name ciphertext and a password ciphertext obtained by encrypting the user name and the password, respectively, or the second login information ciphertext includes only a password ciphertext obtained by encrypting the password.
Step S107: in the client local network, authenticating the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network.
According to the method provided by the embodiment of the application, on the basis of storing the user privacy data ciphertext through the blockchain (replacing the existing practice of the server maintaining the user privacy data in plaintext), verification in the user's blockchain home domain replaces verification by the server across the public network, so that the user privacy data never enters the public network. Specifically, the user's blockchain home domain can determine whether the second login information ciphertext generated at login is consistent with the first login information ciphertext generated at registration; if they are consistent, the user's blockchain home domain judges that identity verification has passed, and if not, identity verification has not passed in the user's blockchain home domain.
In one example, the login information ciphertext is a ciphertext obtained by encrypting the combined string of the user name and the password, as shown in table 1 above. In this case, step S107 may be implemented as follows: judge whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, judge that identity verification has passed; if not, identity verification has not passed. With this processing mode the blockchain does not store the user name in plaintext, which effectively eliminates the risk of user name leakage.
However, in implementing the present invention, the inventor found that generating the login information ciphertext with a hash function raises the problem of hash collisions: if two input strings have the same hash function value, the two strings are said to collide. In practical applications the same hash value may be obtained from the same user name but different passwords, for example the hash values obtained from user name A + password 1 (the correct password) and user name A + password 2 (a wrong password) may be the same. In this case, if a wrong password is entered at login but, due to a hash collision, the hash value obtained from that wrong password is the same as the first login information ciphertext, then using only the equality of the login information ciphertexts as the basis for authentication may produce an incorrect authentication result.
To solve the above problem, in one example the login information ciphertext is a hash value generated from the combined string of the user name and the password, and a registration password ciphertext corresponding to the first login information ciphertext is also stored in the blockchain, as shown in table 2 above. The first blockchain node also stores the key for decrypting the registration password ciphertext into plaintext; the blockchain nodes in other networks do not have the encryption key of the user's home-domain blockchain node, so they cannot decrypt the user password from the broadcast hash value and registration password ciphertext, and therefore the registration client and the login client are required to be in the same network. In this case, step S107 may be implemented as follows: judge whether the set of first login information ciphertexts stored by the first blockchain node includes the second login information ciphertext; if so, decrypt the registration password ciphertext corresponding to the second login information ciphertext into the registration password plaintext with the key; if the registration password plaintext is the same as the login password plaintext, judge that authentication has passed; if the set of first login information ciphertexts does not include the second login information ciphertext, or the registration password plaintext differs from the login password plaintext, judge that authentication has failed.
With this processing mode of double verification by login information ciphertext and password ciphertext, the user name plaintext is not stored in the blockchain, which effectively eliminates the risk of user name leakage; and when the login password is wrong but, due to a hash collision, its hash value is the same as the first login information ciphertext, further verification against the password plaintext reveals the wrong login password, so the accuracy of identity verification is effectively improved.
In implementing the present invention, the inventor also found that the hash values of the foregoing combined strings for different user names may be the same, or the hash values of the passwords of different user names may be the same; for example, the hash values obtained from user name A + password 1 and user name B + password 2 may be the same. Therefore, when the first login information ciphertexts of different users are the same due to a hash collision, using only the equality of the login information ciphertexts as the basis for identity verification also leads to an incorrect identity verification result.
To solve the above problem, in one example the login information ciphertext is a ciphertext obtained by encrypting the combined string of the user name and the password, or by encrypting the password, and the user name corresponding to the first login information ciphertext is also stored in the blockchain, as shown in table 4 above. In this case, step S107 may be implemented as follows: judge whether the first login information ciphertext corresponding to the login user name, as stored by the first blockchain node, is consistent with the second login information ciphertext; if so, judge that identity verification has passed. With this processing mode the login user name and the second login information ciphertext are used together as the query condition, and the matching record is searched for in the login information ciphertext table stored in the blockchain node, so that even if the login information ciphertexts of different user names collide, the login user is identified correctly and an accurate identity verification result is obtained. Moreover, because this processing mode involves no private key, the registration client and the login client can be in different networks.
In another example, the login information ciphertext includes a user name ciphertext obtained by encrypting the user name and a password ciphertext obtained by encrypting the password, as shown in table 5 above. In this case the first login information ciphertext includes a first user name ciphertext obtained by encrypting the registration user name and a first password ciphertext obtained by encrypting the registration password, and the second login information ciphertext includes a second user name ciphertext obtained by encrypting the login user name and a second password ciphertext obtained by encrypting the login password. Accordingly, step S107 may be implemented as follows: judge whether the set of correspondences between first user name ciphertexts and first password ciphertexts stored by the first blockchain node includes the correspondence between the second user name ciphertext and the second password ciphertext; if so, judge that identity verification has passed. With this processing mode, identity verification passes only when the user name ciphertext and the password ciphertext match at the same time. Because the probability that the two separately computed ciphertexts both collide at once is extremely low, the login user can be determined more accurately. This processing mode solves both the problem that a wrong login password may pass authentication due to a hash collision and the problem that a wrong login user name may pass authentication due to a hash collision. In addition, the blockchain does not store the user name in plaintext, which effectively eliminates the risk of user name leakage. Further, in this processing mode the registration client and the login client may be in different networks.
In specific implementation, the client may send the login user name and the login password to the first blockchain node of the local network and execute steps S105 and S107 through the first blockchain node; or the client may first obtain the first login information ciphertext from the first blockchain node of the local network, execute steps S105 and S107 itself, and return the judgment result to the first blockchain node. The local authentication result obtained by executing steps S105 and S107 through the first blockchain node has higher reliability.
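The four step S107 layouts above (tables 1, 2, 4 and 5) and the two hash-collision cases, as an added demonstration that is not the patent's own code. The digest is truncated to 2 bytes purely so that collisions can be brute-forced in the demo, and the reversible password cipher and the user key are stand-ins, since the page does not specify them.

```python
import hashlib
from typing import Dict, Set, Tuple

# 2-byte digest: makes the collisions discussed in the text cheap to find for the demo only.
# With full SHA-256 the checking logic is identical; the collisions are just infeasible to find.
TOY_DIGEST_BYTES = 2


def toy_hash(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()[:TOY_DIGEST_BYTES]


def login_hash(username: str, password: str) -> bytes:
    """Login information ciphertext of the combined string: hash(username & password)."""
    return toy_hash(f"{username}&{password}")


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the page's unspecified reversible cipher; applying it twice decrypts."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


class HomeDomainNode:
    """First blockchain node of the registering client's network; holds the user key (table 2)."""

    def __init__(self, user_key: bytes):
        self.user_key = user_key
        self.table1: Set[bytes] = set()                 # hash(username&password)
        self.table2: Dict[bytes, bytes] = {}            # hash -> encrypted registration password
        self.table4: Dict[str, bytes] = {}              # username -> hash(username&password)
        self.table5: Set[Tuple[bytes, bytes]] = set()   # (hash(username), hash(password))

    def register(self, username: str, password: str) -> None:
        h = login_hash(username, password)
        self.table1.add(h)
        self.table2[h] = xor_stream(self.user_key, password.encode())
        self.table4[username] = h
        self.table5.add((toy_hash(username), toy_hash(password)))

    def verify_table1(self, username: str, password: str) -> bool:
        # set membership of the second login information ciphertext only
        return login_hash(username, password) in self.table1

    def verify_table2(self, username: str, password: str) -> bool:
        # membership, then decrypt the stored registration password and compare plaintexts
        h = login_hash(username, password)
        if h not in self.table2:
            return False
        return xor_stream(self.user_key, self.table2[h]) == password.encode()

    def verify_table4(self, username: str, password: str) -> bool:
        # user name and ciphertext queried together
        return self.table4.get(username) == login_hash(username, password)

    def verify_table5(self, username: str, password: str) -> bool:
        # user name ciphertext and password ciphertext must both match at once
        return (toy_hash(username), toy_hash(password)) in self.table5


def find_same_user_collision(username: str, password: str) -> str:
    """A wrong password for the same user whose combined-string hash equals the registered one."""
    target = login_hash(username, password)
    i = 0
    while True:
        cand = f"wrong-{i}"
        # second condition keeps the constructed case to a combined-string collision only
        if login_hash(username, cand) == target and toy_hash(cand) != toy_hash(password):
            return cand
        i += 1


def find_cross_user_collision(username: str, password: str, other_user: str) -> str:
    """A password for a different, never-registered user that collides with the registered hash."""
    target = login_hash(username, password)
    i = 0
    while True:
        cand = f"guess-{i}"
        if login_hash(other_user, cand) == target:
            return cand
        i += 1


def demo() -> Dict[str, bool]:
    node = HomeDomainNode(user_key=b"constructed-home-domain-key")
    node.register("alice", "correct horse")  # constructed sample user
    wrong_pw = find_same_user_collision("alice", "correct horse")
    bob_pw = find_cross_user_collision("alice", "correct horse", "bob")
    return {
        "t1_correct": node.verify_table1("alice", "correct horse"),
        "t1_same_user_collision": node.verify_table1("alice", wrong_pw),  # false accept
        "t2_same_user_collision": node.verify_table2("alice", wrong_pw),  # plaintext compare catches it
        "t5_same_user_collision": node.verify_table5("alice", wrong_pw),  # password hash differs
        "t1_cross_user_collision": node.verify_table1("bob", bob_pw),     # false accept
        "t4_cross_user_collision": node.verify_table4("bob", bob_pw),     # bob has no record
        "t4_correct": node.verify_table4("alice", "correct horse"),
    }
```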
Step S109: if the authentication is judged to pass in the client local network, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; and sending a user login request to the server through the public network, wherein the user login request comprises login user information and a one-time login password.
The method provided by the embodiment of the application can send the user login request to the server across the public network after the user blockchain domain performs authentication on the user based on the login information ciphertext and judges that the user passes the authentication. The server adopts a token authentication mechanism, and needs to identify whether the received request is a login request of a real user passing through the block chain authentication, and the server can judge that the authentication is passed only when determining that the received user login request is a request of the real user. Therefore, the user login request sent by the user blockchain home domain to the server side includes a one-time login password set for the login user which has passed the authentication of the user blockchain home domain, and the one-time login password corresponds to the login user information and is stored in the blockchain.
The one-time login password, also called one-time password or token (temporary), is used for distinguishing whether the user login request is a login request of a real user passing through the user blockchain local domain verification or an illegal request initiated by an illegal user not passing through the user blockchain local domain verification. In the implementation, a random number generation mode can be adopted to obtain a one-time login password, and the password is only effective for the login user passing the identity authentication of the user blockchain domain.
Taking the foregoing table 2 as an example, in one example, the one-time-login password and its status data may also be included in the user data stored in the blockchain node, as shown in table 7-1 below.
Table 7-1, user privacy data stored by a blockchain node
As can be seen from table 7-1, in this embodiment, after the first blockchain node of the user's blockchain home domain sets a one-time login password for the login user who has passed this authentication, it may also set the state of the one-time login password: before the server has verified it, the state of the one-time login password is valid, and after the server has verified it, the state is invalid.
In another example, the method may further comprise the following step: setting the validity period and the generation time of the one-time login password, the validity period being 10 seconds, so that if the server has not verified the one-time login password within 10 seconds, the one-time login password becomes invalid. With this processing mode, even if a malicious user steals the one-time login password stored in the blockchain, the malicious user cannot pass the identity authentication of the server with it, because its validity period is limited. Taking the foregoing table 2 as an example, the user data stored in the blockchain node may further include the one-time login password and its generation time, as shown in table 7-2 below.
Table 7-2, user privacy data stored by a blockchain node
The login user information is information that can identify the login user, and specifically may be the login user name, the second login information ciphertext, or the user name ciphertext. If the second login information ciphertext or the user name ciphertext is used, the login user name does not enter the public network, which avoids leaking the user name during transmission over the public network and effectively eliminates the risk of user name leakage.
In the implementation, the first blockchain node of the client local network can send the user login request to the server; or the first blockchain node firstly sends the one-time login password to the client, and the client sends the user login request to the server.
Step S111: in the server-side local network, the identity of the login user is verified according to the login user information and the one-time login password received by the server-side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network.
In the method provided by the embodiment of the application, a token authentication mode is adopted in the local network of the server side, the one-time login password of the login user received by the server side is compared with the one-time login password corresponding to the user stored in the second blockchain node of the local network of the server side, and only if the two passwords are consistent, the request received by the server side is a login request of a real user, and the authentication is judged to be passed. If the passwords are not consistent, an illegal request from a malicious user is indicated, and the identity verification cannot be passed.
Specifically, when a user login request passing through authentication of a user blockchain home domain is transmitted in a public network, even if a malicious user intercepts the request, the password carried by the request is a one-time password, so that even if the malicious user initiates the request to a server according to login user information and the one-time login password included in the request, the user cannot pass through authentication at the server, and replay attack can be effectively prevented.
In addition, owing to the characteristics of the blockchain, a malicious user cannot tamper with the first login information ciphertext stored in the blockchain, so even if the malicious user tampers with the login user information carried in a user login request, the malicious user cannot pass identity verification at the server.
In one example, in the local network of the server, whether the login user exists may be queried, according to the login user information received by the server, in the user data stored by the blockchain node of the server's local domain; if the login user exists, the authenticity of the user login request is verified according to the one-time login password, and if the one-time login password is consistent, authentication passes and the client can use the service provided by the server.
In implementation, the server may send the received login user information and one-time login password to the second blockchain node of its local network and execute step S111 through the second blockchain node; or the server may obtain the one-time login password corresponding to the login user from the second blockchain node of its local network and then execute step S111 itself.
In one example, the login user information includes a second login information ciphertext, and step S111 may be implemented as follows: acquiring a one-time login password corresponding to the login information ciphertext received by the server and stored by the second blockchain node as a target login password; judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
In specific implementation, in the local network of the server, it may first be queried whether the set of first login information ciphertexts stored by the blockchain node of the server's local domain includes the login information ciphertext received by the server, so as to prove that the login user exists; if the login user exists, the authenticity of the user login request is verified according to the one-time login password, and if the one-time login password is consistent, identity verification passes.
In this embodiment, the first blockchain node further stores the key for decrypting the registration password ciphertext into plaintext. In the login phase, the following login process, corresponding to the user registration process of fig. 3 described above, may be adopted. The client obtains the plaintext of the login user name and the login password and sends them to the blockchain node of its local network. The blockchain node of the client's local network forms the concatenation of the login user name and the login password, generates its hash value (the second login information ciphertext), decrypts the registration password ciphertext corresponding to that hash value with the locally stored user key to obtain the registration password plaintext, generates a one-time login password if the registration password plaintext is consistent with the login password plaintext, transmits the one-time login password to the other blockchain nodes, and returns the hash value and the one-time login password to the client. The client sends a user login request to the server, the request including the hash value and the one-time login password. The server sends the hash value and the one-time login password to the blockchain node of its local network, which performs identity verification and returns the result to the server. With this processing mode, the user login request transmitted to the server includes only the hash value and the one-time login password, so the user privacy data is guaranteed not to enter the public network and to be transmitted only within the intranet, and is not leaked in transit.
In another example, the login user information includes a login user name, and step S111 may be implemented as follows: acquiring a one-time login password corresponding to a login user name received by a server and stored by a second blockchain node as a target login password; judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
In yet another example, the login user information includes a second user name ciphertext and a second password ciphertext; step S111 may be implemented as follows: acquiring a one-time login password corresponding to a user name ciphertext and a password ciphertext received by a server and stored by a second blockchain node as a target login password; judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
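The two-stage flow of steps S107, S109 and S111 (local verification, one-time login password with state and 10-second validity written to the ledger, server-domain check that consumes the password), as an added simulation that is not the patent's code. The shared dictionary stands in for the synchronized ledger, the table-4 layout is assumed for the first login information ciphertext, and `now` is passed explicitly so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 10  # validity period of the one-time login password given in the text


def login_hash(username: str, password: str) -> str:
    """Login information ciphertext: SHA-256 of the combined string "username&password"."""
    return hashlib.sha256(f"{username}&{password}".encode()).hexdigest()


@dataclass
class TokenRecord:
    otp: str
    generated_at: float
    valid: bool = True     # table 7-1 state: valid until the server has verified it


class SharedLedger:
    """Stand-in for the blockchain ledger replicated to every node by consensus."""

    def __init__(self) -> None:
        self.first_ciphertexts: Dict[str, str] = {}   # username -> hash (table 4 layout)
        self.tokens: Dict[str, TokenRecord] = {}      # login hash -> one-time password + state


class ClientDomainNode:
    """First blockchain node in the client's private network (steps S105, S107, S109)."""

    def __init__(self, ledger: SharedLedger) -> None:
        self.ledger = ledger

    def register(self, username: str, password: str) -> None:
        self.ledger.first_ciphertexts[username] = login_hash(username, password)

    def login(self, username: str, password: str, now: float) -> Optional[Tuple[str, str]]:
        second = login_hash(username, password)
        if self.ledger.first_ciphertexts.get(username) != second:
            return None   # local verification failed; nothing is sent across the public network
        otp = secrets.token_hex(16)                          # random one-time login password
        self.ledger.tokens[second] = TokenRecord(otp, now)   # written to the ledger, synced to all nodes
        return second, otp   # the user login request: ciphertext + token, no plaintext


class ServerDomainNode:
    """Second blockchain node in the server's private network (step S111)."""

    def __init__(self, ledger: SharedLedger) -> None:
        self.ledger = ledger

    def verify(self, login_info: str, otp: str, now: float) -> bool:
        rec = self.ledger.tokens.get(login_info)
        if rec is None or not rec.valid:
            return False   # unknown or tampered login info, or a replayed token
        if now - rec.generated_at > OTP_TTL_SECONDS:
            rec.valid = False
            return False   # expired before the server verified it
        if not hmac.compare_digest(rec.otp, otp):
            return False   # token does not match the ledger copy
        rec.valid = False  # one-time: consumed on the first successful check
        return True


def demo() -> Dict[str, bool]:
    ledger = SharedLedger()
    first, second = ClientDomainNode(ledger), ServerDomainNode(ledger)
    first.register("alice", "correct horse")   # constructed sample user
    results = {"wrong_password": first.login("alice", "battery staple", 1000.0) is None}
    h, otp = first.login("alice", "correct horse", 1000.0)
    results["first_use"] = second.verify(h, otp, 1001.0)
    results["replay"] = second.verify(h, otp, 1002.0)
    h2, otp2 = first.login("alice", "correct horse", 2000.0)
    results["expired"] = second.verify(h2, otp2, 2011.0)
    h3, otp3 = first.login("alice", "correct horse", 3000.0)
    results["tampered_info"] = second.verify("ff" * 32, otp3, 3001.0)
    results["wrong_otp"] = second.verify(h3, "00" * 16, 3001.0)
    results["valid_after_wrong_otp"] = second.verify(h3, otp3, 3002.0)
    return results
```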
In one example, the service end is a cloud platform service end, as shown in fig. 4, where the cloud platform service end is a platform for providing user management services for multiple cloud product services, and different cloud product services are deployed on different service ends. The method comprises the steps that registered user information of various cloud product services is stored in a cloud platform service end, when a user uses the cloud product services, a login request is sent to the cloud platform service end, the cloud platform service end performs user authentication, after the user passes the authentication, the cloud platform service end recursively calls the cloud product services to be used by the user, and the user login request is sent to the cloud product service end. In this case, the password of the registered user includes a key SK used by the user to encrypt the authentication string and used by the cloud product vendor to verify the authentication string; the method may further comprise the steps of: if the cloud platform server side judges that the identity verification is passed, the cloud platform server side sends a user login request to the cloud product server side, wherein the user login request comprises login user information and a one-time login password; and in the cloud product server local network, carrying out identity authentication on the login user according to the login user information and the one-time login password received by the cloud product server and the one-time login password corresponding to the login user stored by a third blockchain node of the cloud product server local network.
In this implementation, after verifying that the login user is a legitimate user, the cloud platform server can generate a new one-time login password and synchronize it to all nodes of the blockchain; this new one-time login password is carried in the user login request that the cloud platform server sends to the cloud product server, and the one-time login password generated by the blockchain node of the client's local network becomes invalid.
For example, on a platform that requires the user's AK/SK to be stored in Alibaba Cloud and then calls other cloud product services, the platform side can, by adopting the method provided by the embodiments of the application, call the cloud products without the user SK being perceived at all, realize recursive access to other cloud products, avoid unnecessary propagation of the user SK, and protect private data in a true sense.
As can be seen from the above embodiments, in the authentication method provided by the embodiments of the present application, first login information ciphertext of a network service registered user is stored in a blockchain, and registered user information that does not include user privacy data is stored in a server; after a user submits a login request, a login user name and a login password are obtained, and a second login information ciphertext is generated; in the client local network, according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network, carrying out identity authentication on a login user; if the authentication is judged to pass in the client local network, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password; in the server-side local network, the identity of the login user is verified according to the login user information and the one-time login password received by the server-side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network. By adopting the processing mode, the plaintext of the user login information is only transmitted in the local domain of the login client side and does not enter the public network, and the server side does not sense the user privacy data any more, so that the user privacy data are prevented from being leaked in the transmission process of the public network, and the internal leakage risk of the server side is also eliminated; therefore, the security of the user privacy data can be effectively improved.
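As an added illustration of the flow just summarized (example code written for this page, not the patent's own implementation), the following Python simulates the two local-network nodes sharing an in-memory ledger in place of the blockchain: the client-side node hashes the combined user name and password (the claim 2 variant), checks the hash against the stored set and issues a one-time login password with a generation time and validity duration (claim 7), the public-side server only ever handles the hash and the one-time password, and the server-side node compares them; it also covers the cloud platform case, where the platform node re-issues the password for the product server so the client-generated one becomes invalid. The SHA-256 hash, the NUL separator, the 60-second validity and consuming the password on successful verification are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


# Constructed stand-in for the blockchain: one shared ledger object that every
# node reads and writes, so "store in the blockchain" is a write to this object.
@dataclass
class Ledger:
    # first login information ciphertexts (hash of user name + password)
    login_ciphertexts: set = field(default_factory=set)
    # ciphertext -> (one-time login password, generation time, valid duration)
    one_time_passwords: dict = field(default_factory=dict)


def login_info_ciphertext(username: str, password: str) -> str:
    """Combined character string of user name and password, hashed with SHA-256.
    The NUL separator is an assumption of this example (it keeps "ab"+"c" and
    "a"+"bc" distinct); the patent only says the strings are combined."""
    combined = f"{username}\x00{password}".encode("utf-8")
    return hashlib.sha256(combined).hexdigest()


class ClientLanNode:
    """First blockchain node: inside the client's local network, sees plaintext."""

    def __init__(self, ledger: Ledger, otp_valid_seconds: float = 60.0):
        self.ledger = ledger
        self.otp_valid_seconds = otp_valid_seconds  # claim 7: effective duration

    def register(self, username: str, password: str) -> str:
        ciphertext = login_info_ciphertext(username, password)
        self.ledger.login_ciphertexts.add(ciphertext)
        return ciphertext  # only this value leaves the client local network

    def authenticate(self, username: str, password: str, now: Optional[float] = None):
        """Returns (ciphertext, one-time password) on success, None on failure."""
        ciphertext = login_info_ciphertext(username, password)
        if ciphertext not in self.ledger.login_ciphertexts:
            return None
        otp = secrets.token_hex(16)
        generated_at = time.time() if now is None else now
        self.ledger.one_time_passwords[ciphertext] = (otp, generated_at, self.otp_valid_seconds)
        return ciphertext, otp


class ServerLanNode:
    """Second (or third) blockchain node: inside a server's local network."""

    def __init__(self, ledger: Ledger, otp_valid_seconds: float = 60.0):
        self.ledger = ledger
        self.otp_valid_seconds = otp_valid_seconds

    def verify(self, ciphertext: str, otp: str, now: Optional[float] = None) -> bool:
        record = self.ledger.one_time_passwords.get(ciphertext)
        if record is None:
            return False
        target_otp, generated_at, valid_for = record
        current = time.time() if now is None else now
        if current - generated_at > valid_for:  # claim 7 expiry check
            return False
        if not hmac.compare_digest(target_otp, otp):  # constant-time comparison
            return False
        # Consuming the password on success is this example's reading of "one-time".
        del self.ledger.one_time_passwords[ciphertext]
        return True

    def reissue(self, ciphertext: str, now: Optional[float] = None) -> str:
        """Cloud platform case: after its own check passes, the platform node
        issues a fresh one-time password for the cloud product server; the
        password generated by the client node is no longer valid."""
        otp = secrets.token_hex(16)
        generated_at = time.time() if now is None else now
        self.ledger.one_time_passwords[ciphertext] = (otp, generated_at, self.otp_valid_seconds)
        return otp


class Server:
    """Network server on the public side: stores registered user information
    without the password and only ever sees (ciphertext, one-time password)."""

    def __init__(self, node: ServerLanNode):
        self.node = node
        self.registered_users: dict = {}  # username -> profile, never a password

    def register(self, username: str, profile: dict) -> None:
        self.registered_users[username] = dict(profile)

    def handle_login(self, request: dict, now: Optional[float] = None) -> bool:
        # The request carries only login user information (the ciphertext) and the OTP;
        # the server forwards both to the node in its own local network.
        return self.node.verify(request["login_info"], request["otp"], now=now)
```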
Second embodiment
In the above embodiment, an authentication method is provided, and correspondingly, the application further provides an authentication device. The device corresponds to the embodiment of the method described above. Since the apparatus embodiments are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
The present application further provides an authentication apparatus comprising:
The information storage unit is used for storing a first login information ciphertext of a network service registered user in the blockchain, wherein the first login information ciphertext is obtained by encrypting registration privacy information related to identity verification, and the registered user information which does not comprise user privacy data is stored in the server side;
The login information acquisition unit is used for acquiring a login user name and a login password;
the login information encryption unit is used for generating a second login information ciphertext according to the login user name and the login password;
The first verification unit is used for carrying out identity verification on the login user in the client local network according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network;
The first verification passing unit is used for distributing a one-time login password for the login user and storing the one-time login password into the blockchain if the first verification unit judges that the authentication passes in the client local network; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password;
and the second verification unit is used for carrying out identity verification on the login user in the server-side local network according to the login user information and the one-time login password received by the server-side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network.
Third embodiment
In the above embodiment, an authentication method is provided, and correspondingly, the application further provides an electronic device. The device corresponds to the embodiment of the method described above. Since the apparatus embodiments are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points. The device embodiments described below are merely illustrative.
An electronic device of the present embodiment includes: a processor and a memory; a memory for storing a program for implementing an authentication method, the apparatus being powered on and executing the program of the method by the processor, and performing the steps of: storing a first login information ciphertext of a network service registered user in a blockchain, wherein the first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification, and storing registered user information which does not comprise user privacy data at a server; acquiring a login user name and a login password; generating a second login information ciphertext according to the login user name and the login password; in the client local network, according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network, carrying out identity authentication on a login user; if the authentication is judged to pass in the client local network, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password; in the server-side local network, the identity of the login user is verified according to the login user information and the one-time login password received by the server-side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network.
Fourth embodiment
Corresponding to the identity verification method, the application also provides a user registration method, and the execution subject of the method is the device used by a registering user, also called a registration client. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the user registration method may include the steps of:
Step 1: acquiring user registration information of network service, wherein the user registration information comprises a registration user name and a registration password;
Step 2: transmitting the registered user name and the registered password to a first blockchain node of the client local network to generate a first login information ciphertext according to the registered user name and the registered password through the first blockchain node; and storing the first login information ciphertext into the blockchain, and storing the registered user information except the registered password into the network server.
Fifth embodiment
Corresponding to the authentication method, the application also provides a user registration method, and an execution subject of the method is a first blockchain node of the client local network. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the user registration method may include the steps of:
Step 1: receiving a user name and a password of a network service registration user sent by a client;
step 2: generating a first login information ciphertext according to the user name and the password;
Step 3: and storing the first login information ciphertext into the blockchain, and storing the registered user information except the registered password into the network server.
Sixth embodiment
Corresponding to the authentication method, the application also provides an authentication method, and the execution subject of the method is a login client. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the authentication method may include the steps of:
Step 1: acquiring a login user name and a login password;
Step 2: transmitting the login user name and the login password to a first blockchain node of the client local network to generate a second login information ciphertext according to the login user name and the login password through the first blockchain node; according to the second login information ciphertext and the first login information ciphertext set stored in the first block link point, carrying out identity authentication on the login user; if the first block chain link point judges that the identity authentication is passed, a one-time login password is allocated to the login user, and the one-time login password is stored in the block chain; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password; and in a second blockchain node of the server local network, authenticating the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored in the second blockchain node.
Seventh embodiment
Corresponding to the identity verification method, the application also provides an identity verification method, and an execution subject of the method is a server. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the authentication method may include the steps of:
step 1: receiving a user login request, wherein the user login request comprises login user information and a one-time login password;
Step 2: and sending the login user information and the one-time login password received by the server to a second blockchain node of the local network of the server so as to carry out identity authentication on the login user through the second blockchain node according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server.
Eighth embodiment
Corresponding to the identity verification method, the application also provides an identity verification method, and an execution subject of the method is a second blockchain node of the server-side local network. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the authentication method may include the steps of:
step 1: receiving login user information and a one-time login password sent by a server;
Step 2: and authenticating the login user according to the login user information and the one-time login password received by the server side and the one-time login password corresponding to the login user stored by the second blockchain node.
Ninth embodiment
Corresponding to the identity verification method, the application also provides an identity verification system. The same parts of the present embodiment as those of the first embodiment will not be described again, please refer to the corresponding parts in the first embodiment.
In this embodiment, the authentication system may include: a registration client, a first blockchain node of the client local network, a login client, a server, and a second blockchain node of the server local network. The registration client and the login client can be deployed on the same device.
The registration client is used for acquiring user registration information of the network service, wherein the user registration information comprises a registration user name and a registration password; the registered user name and the registered password are sent to a first blockchain node of the client local network.
The first blockchain node is used for receiving a registration user name and a registration password sent by the registration client; generating a first login information ciphertext according to the registered user name and the registered password; and storing the first login information ciphertext into the blockchain, and storing the registered user information except the registered password into the network server.
The login client is used for acquiring a login user name and a login password; the login user name and login password are sent to a first blockchain node of the client local network.
The first blockchain node is also used for receiving a login user name and a login password sent by the login client; generating a second login information ciphertext according to the login user name and the login password; according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node, carrying out identity authentication on the login user; if the first blockchain node judges that the identity authentication is passed, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; and sending a user login request to the server through the public network, wherein the user login request comprises login user information and a one-time login password.
The server side is used for receiving a user login request, wherein the user login request comprises login user information and a one-time login password; and sending the login user information and the one-time login password received by the server to a second blockchain node of the local network of the server.
The second blockchain node is used for receiving login user information and a one-time login password sent by the server; and authenticating the login user according to the login user information and the one-time login password received by the server side and the one-time login password corresponding to the login user stored by the second blockchain node.
While the application has been described in terms of preferred embodiments, it is not intended to be limiting, but rather, it will be apparent to those skilled in the art that various changes and modifications can be made herein without departing from the spirit and scope of the application as defined by the appended claims.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer readable media, as defined herein, does not include transitory computer readable media (transmission media), such as modulated data signals and carrier waves.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (10)

1. An authentication method, comprising:
storing a first login information ciphertext of a network service registered user in a blockchain, wherein the first login information ciphertext is a ciphertext obtained by encrypting registration privacy information related to identity verification, and storing registered user information which does not comprise user privacy data at a server;
acquiring a login user name and a login password;
generating a second login information ciphertext according to the login user name and the login password;
in the client local network, according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network, carrying out identity authentication on a login user;
if the authentication is judged to pass in the client local network, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password;
in the server-side local network, the identity of the login user is verified according to the login user information and the one-time login password received by the server-side and the one-time login password corresponding to the login user stored in the second blockchain node of the server-side local network.
2. The method of claim 1, wherein
The login information ciphertext is a ciphertext obtained by encrypting a combined character string of a user name and a password;
the login user information comprises a second login information ciphertext;
The authentication of the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises the following steps:
Judging whether a first login information ciphertext set stored by the first blockchain node comprises the second login information ciphertext or not; if the judgment result is yes, judging that the identity verification is passed;
the step of performing identity authentication on the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server, includes:
Acquiring a one-time login password corresponding to the login information ciphertext received by the server and stored by the second blockchain node as a target login password;
judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
3. The method as recited in claim 2, further comprising:
The first blockchain node also stores a secret key for decrypting the registered password ciphertext into plaintext;
The authentication of the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises the following steps:
Judging whether a first login information ciphertext set stored by the first blockchain node comprises the second login information ciphertext or not; if the judgment result is yes, decrypting the registered password ciphertext corresponding to the second login information ciphertext into a registered password plaintext through the secret key;
if the registered password plaintext is the same as the login password plaintext, the authentication is judged to be passed.
4. The method of claim 1, wherein
The login information ciphertext is a ciphertext obtained by encrypting the combined character string of the user name and the password, or by encrypting the password alone;
the user name corresponding to the first login information ciphertext is also stored in the blockchain;
The login user information comprises a login user name;
The authentication of the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises the following steps:
Judging whether a first login information ciphertext corresponding to a login user name stored by a first blockchain node is consistent with a second login information ciphertext; if the judgment result is yes, judging that the identity verification is passed;
the step of performing identity authentication on the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server, includes:
acquiring a one-time login password corresponding to a login user name received by a server and stored by a second blockchain node as a target login password;
judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
5. The method of claim 1, wherein
The first login information ciphertext includes: encrypting a user name to obtain a first user name ciphertext, and encrypting a password to obtain a first password ciphertext;
the generating the second login information ciphertext according to the login user name and the login password comprises the following steps:
Encrypting the login user name to obtain a second user name ciphertext, and encrypting the login password to obtain a second password ciphertext;
the login user information comprises a second user name ciphertext and a second password ciphertext;
The authentication of the login user according to the second login information ciphertext and the first login information ciphertext stored in the first blockchain node of the client local network comprises the following steps:
Judging whether a corresponding relation set between a first user name ciphertext and a first password ciphertext stored by a first blockchain node comprises a corresponding relation between a second user name ciphertext and a second password ciphertext or not; if the judgment result is yes, judging that the identity verification is passed;
the step of performing identity authentication on the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored by the second blockchain node of the local network of the server, includes:
acquiring a one-time login password corresponding to a user name ciphertext and a password ciphertext received by a server and stored by a second blockchain node as a target login password;
judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
6. The method of claim 1, wherein
The server comprises a cloud platform server, and the password comprises a key SK used by a user for encrypting the authentication character string and used by a cloud manufacturer for verifying the authentication character string;
The method further comprises the steps of:
If the cloud platform server side judges that the identity verification is passed, the cloud platform server side sends a user login request to the cloud product server side, wherein the user login request comprises login user information and a one-time login password;
And in the cloud product server local network, carrying out identity authentication on the login user according to the login user information and the one-time login password received by the cloud product server and the one-time login password corresponding to the login user stored by a third blockchain node of the cloud product server local network.
7. The method as recited in claim 1, further comprising:
Setting the effective duration and the generation time of a one-time login password;
The step of performing identity authentication on the login user according to the login user information and the one-time login password received by the server side and the one-time login password corresponding to the login user stored in the second blockchain node, includes:
Acquiring a one-time login password corresponding to login user information received by a server and stored by a second blockchain node as a target login password;
judging whether the target login password is valid or not according to the generation time and the valid time of the target login password;
if the target login password is judged to be valid, judging whether the target login password is the same as the one-time login password received by the server side; if the judgment result is yes, the server judges that the identity authentication is passed.
8. An authentication method for a client, comprising:
acquiring a login user name and a login password;
transmitting the login user name and the login password to a first blockchain node of the client local network to generate a second login information ciphertext according to the login user name and the login password through the first blockchain node; according to the second login information ciphertext and the first login information ciphertext set stored in the first blockchain node, carrying out identity authentication on the login user; if the first blockchain node judges that the identity authentication is passed, a one-time login password is allocated to the login user, and the one-time login password is stored in the blockchain; a user login request is sent to a server through a public network, wherein the user login request comprises login user information and a one-time login password; and in a second blockchain node of the server local network, authenticating the login user according to the login user information and the one-time login password received by the server and the one-time login password corresponding to the login user stored in the second blockchain node.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein instructions, which when run on a computer, cause the computer to perform the method according to any of claims 1-8.
10. An electronic device, comprising:
A processor and a memory;
a memory for storing a program for implementing the method of any one of claims 1-8, the device being powered on and running the program of the method by the processor.
CN202210300792.9A 2022-03-25 2022-03-25 Identity verification method, device and system Active CN114629713B (en)

Publications (2)

Publication Number Publication Date
CN114629713A CN114629713A (en) 2022-06-14
CN114629713B CN114629713B (en) 2024-06-04

Family

ID=81904585

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210300792.9A Active CN114629713B (en) 2022-03-25 2022-03-25 Identity verification method, device and system

Country Status (1)

Country Link
CN (1) CN114629713B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118441B (en) * 2022-08-29 2022-11-04 中航信移动科技有限公司 Identity verification system based on block chain
CN115982687B (en) * 2023-01-10 2023-07-28 安徽中杰信息科技有限公司 User identity verification system for data operation and maintenance management platform

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357644A (en) * 2016-09-21 2017-01-25 江苏通付盾科技有限公司 Method, system and server for authenticating identities on basis of block chain networks
CN108055253A (en) * 2017-12-06 2018-05-18 珠海格力电器股份有限公司 Software login verification method, device and system
CN109951297A (en) * 2019-03-12 2019-06-28 中南民族大学 A kind of identity authorization system and its register method, login method of the reservation privacy of user towards big data
WO2020051710A1 (en) * 2018-09-12 2020-03-19 Joe Jay System and process for managing digitized security tokens
CN111355726A (en) * 2020-02-26 2020-06-30 广东工业大学 Identity authorization login method and device, electronic equipment and storage medium
CN111695097A (en) * 2020-05-29 2020-09-22 平安科技(深圳)有限公司 Login checking method and device and computer readable storage medium
WO2020192773A1 (en) * 2019-03-27 2020-10-01 深圳市网心科技有限公司 Digital identity authentication method, device, apparatus and system, and storage medium
CN111753014A (en) * 2020-06-28 2020-10-09 中国银行股份有限公司 Identity authentication method and device based on block chain
CN112217807A (en) * 2020-09-25 2021-01-12 山西特信环宇信息技术有限公司 Cone block chain key generation method, authentication method and system
CN112989415A (en) * 2021-03-23 2021-06-18 广东工业大学 Private data storage and access control method and system based on block chain
TWM623435U (en) * 2021-11-12 2022-02-11 翁仲和 System for verifying client identity and transaction services using multiple security levels

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A multi-stage cascaded wireless security authentication scheme based on blockchain technology; 胡兆鹏; 丁卫平; 高瞻; 朱晓辉; 王杰华; Computer Science (计算机科学); 2019-08-19 (No. 12); full text *

Also Published As

Publication number Publication date
CN114629713A (en) 2022-06-14

Similar Documents

Publication Publication Date Title
US11496310B2 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
JP6547079B1 (en) Registration / authorization method, device and system
US11757641B2 (en) Decentralized data authentication
Michalas The lord of the shares: Combining attribute-based encryption and searchable encryption for flexible data sharing
JP6215934B2 (en) Login verification method, client, server, and system
US9219722B2 (en) Unclonable ID based chip-to-chip communication
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
US11757640B2 (en) Non-fungible token authentication
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN109618326A (en) User's dynamic identifier generation method and service registration method, login validation method
CN114629713B (en) Identity verification method, device and system
CN107359998A (en) A kind of foundation of portable intelligent password management system and operating method
US20230388304A1 (en) Decentralized application authentication
Das A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system
CN114389878B (en) Block chain slicing method and block chain network system
CN114338091A (en) Data transmission method and device, electronic equipment and storage medium
Jordan et al. Viceroy: Gdpr-/ccpa-compliant enforcement of verifiable accountless consumer requests
WO2020144110A1 (en) Authentication system with reduced attack surface
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
Chen et al. How to bind a TPM’s attestation keys with its endorsement key
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN106411826B (en) A kind of method and apparatus of data access
Chang et al. A dependable storage service system in cloud environment
CN113946864B (en) Confidential information acquisition method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant