CN108235314B

CN108235314B - Identity authentication method, device and system

Info

Publication number: CN108235314B
Application number: CN201611125077.7A
Authority: CN
Inventors: 魏文娟; 邢燕霞; 李鹏宇; 毛聪杰
Original assignee: China Telecom Corp Ltd
Current assignee: China Telecom Corp Ltd
Priority date: 2016-12-09
Filing date: 2016-12-09
Publication date: 2020-11-27
Anticipated expiration: 2036-12-09
Also published as: CN108235314A

Abstract

The invention discloses an identity authentication method, device and system. The method comprises the following steps: a calling terminal initiates a calling request carrying identity information of a calling user; the identity certificate forwarding device extracts the identity information of the calling party from the calling request and forwards the identity information of the calling party to the identity certificate verifying device; after the identity certificate verifying device verifies the identity information of the calling user, the identity certificate forwarding device returns an identity verification result; the identity certificate forwarding device sends a call request carrying an identity verification result to a called terminal; and the called terminal displays the identity confirmation prompt of the calling user when receiving the call. The invention further increases the authentication of the real user on the basis of the authentication of the equipment in the original network access, thereby being used for preventing telecommunication fraud or providing high-reliability user authentication in internet service.

Description

Identity authentication method, device and system

Technical Field

The present invention relates to the field of mobile communications, and in particular, to a method, an apparatus, and a system for identity authentication.

Background

With the development of mobile communication and mobile internet, more and more communication and services are transferred to be performed online, but in such a digital world, how to define the identity of the other party becomes a difficult problem. Such as internet finance, electronic commerce and other services, have high requirements on identity recognition and transaction non-repudiation. In addition, at present, the telecommunication fraud horizontal line has real name system requirements, but the user cannot confirm the real identity of the caller at the first time. Therefore, an identity authentication technology is urgently needed to authenticate a service visitor or an actual user of a communication opposite end.

In a mobile communication system, the device access network needs to be authenticated (for example, device authentication using a SIM card), but the authentication only stays in the physical device authentication stage, and cannot authenticate the actual user. At present, the authentication means for users in network environment includes account/password authentication, dynamic password authentication, USB Key identity authentication, short message verification code authentication and the like. The account/password or short message verification code authentication technology mainly applied at present belongs to a low-security level authentication technology, has the problems of being cracked and stolen, intercepting short messages, delaying short messages, being poor in convenience and the like, and cannot meet the requirements of application development and users. Although the security level of the dynamic password, the USB Key and the like is high, the risk of being stolen exists, and the fact that the actual user is an account opening person cannot be guaranteed.

Disclosure of Invention

In view of the above technical problems, the present invention provides an identity authentication method, apparatus and system for providing identity confirmation of another party to a party in communication, which can be used to prevent telecommunication fraud or provide highly reliable user authentication in internet services.

According to an aspect of the present invention, there is provided an identity authentication method, including:

a calling terminal initiates a calling request carrying identity information of a calling user;

the identity certificate forwarding device extracts the identity information of the calling party from the calling request and forwards the identity information of the calling party to the identity certificate verifying device;

after the identity certificate verifying device verifies the identity information of the calling user, the identity certificate forwarding device returns an identity verification result;

the identity certificate forwarding device sends a call request carrying an identity verification result to a called terminal;

and the called terminal displays the identity confirmation prompt of the calling user when receiving the call.

In an embodiment of the present invention, the initiating, by the calling terminal, a call request carrying identity information of a calling party includes:

a calling terminal collects identity information of a calling user;

the calling terminal sends a calling request carrying the identity information of the calling user to the identity certificate forwarding device.

In one embodiment of the invention, the method further comprises:

a calling terminal initiates a calling request to a called terminal;

when receiving a call, a called terminal initiates an identity authentication request aiming at a calling user;

after receiving the identity authentication request, the calling terminal sends a response message carrying the identity information of the calling user to the identity certificate forwarding device;

the identity certificate forwarding device extracts the identity information of the calling party from the response message, and then executes the step of forwarding the identity information of the calling party to the identity certificate verifying device.

In an embodiment of the present invention, the sending the response message carrying the identity information of the calling party to the identity credential forwarding device includes:

a calling terminal collects identity information of a calling user;

the calling terminal sends a response message carrying the identity information of the calling user to the identity certificate forwarding device.

In one embodiment of the invention, the method further comprises:

the calling user selects the identity authentication service when opening an account, and reserves the identity information of the calling user in the identity certificate verification device under the condition of real-name registration.

According to another aspect of the present invention, there is provided an identity authentication method, including:

a calling terminal initiates a calling request to a called terminal;

the identity certificate forwarding device extracts the identity information of the calling party from the response message and forwards the identity information of the calling party to the identity certificate verifying device;

According to another aspect of the present invention, an identity credential forwarding device is provided, which includes a call request receiving module, an identity information extracting module, an identity information forwarding module, and a call request forwarding module, wherein:

the calling request receiving module is used for receiving a calling request which is initiated by a calling terminal and carries the identity information of a calling user;

the identity information extraction module is used for extracting the identity information of the calling party from the calling request;

the identity information forwarding module is used for forwarding the identity information of the calling party to the identity certificate verifying device so as to return an identity verification result to the identity certificate forwarding device after the identity certificate verifying device verifies the identity information of the calling party;

and the call request forwarding module is used for sending the call request carrying the identity verification result to the called terminal so that the called terminal can display the identity confirmation prompt of the calling party while receiving the call.

In an embodiment of the present invention, the identity credential forwarding apparatus further includes an authentication request obtaining module, an authentication request forwarding module, and a response message receiving module, where:

the verification request acquisition module is used for receiving an identity verification request aiming at a calling user and initiated by a called terminal, wherein the called terminal initiates the identity verification request aiming at the calling user when receiving a calling request initiated to the called terminal by the calling terminal;

the authentication request forwarding module is used for forwarding the authentication request to the calling terminal so that the calling terminal responds after receiving the authentication request;

the response message receiving module is used for receiving a response message which is sent by the calling terminal and carries the identity information of the calling subscriber;

the identity information extraction module is also used for extracting the identity information of the calling party from the response message and then instructing the identity information forwarding module to execute the operation of forwarding the identity information of the calling party to the identity certificate verification device.

According to another aspect of the present invention, an identity credential forwarding apparatus is provided, which includes an authentication request obtaining module, an authentication request forwarding module, a response message receiving module, an identity information extracting module, an identity information forwarding module, and a call request forwarding module, wherein:

the identity information extraction module is used for extracting the identity information of the calling party from the response message;

According to another aspect of the present invention, there is provided an identity credential verifying apparatus, comprising an identity information receiving module, an identity information verifying module, and a verification result returning module, wherein:

the identity information receiving module is used for receiving the identity information of the calling party forwarded by the identity certificate forwarding device, wherein the identity information of the calling party is extracted from a calling request sent by the identity certificate forwarding device from a calling terminal or a response message of the calling terminal aiming at an identity verification request of a called terminal;

the identity information verification module is used for verifying the identity information of the calling party;

and the verification result returning module is used for returning the identity verification result to the identity certificate forwarding device so that the identity certificate forwarding device can send the call request carrying the identity verification result to the called terminal, and the called terminal displays the identity confirmation prompt of the calling user while receiving the call.

In an embodiment of the present invention, the identity credential verifying apparatus further includes an identity information storage module, wherein:

the identity information storage module is used for synchronizing with the customer relationship management system and storing the identity information of the user;

the identity information verifying module is used for comparing the calling party identity information forwarded by the identity certificate forwarding device with the calling party identity information stored in the identity information storage module to obtain an identity verification result.

According to another aspect of the present invention, an identity credential collecting device is provided, which includes an identity information collecting module and an identity information sending module, wherein:

the identity information acquisition module is used for acquiring identity information of a terminal user;

and the identity information sending module is used for initiating a calling request carrying the identity information of the calling party and sending the calling request carrying the identity information of the calling party to the identity certificate forwarding device, so that the identity certificate forwarding device forwards the identity information of the calling party to the identity certificate verifying device for verification and then sends the calling request carrying the identity verification result to the called terminal.

In an embodiment of the present invention, the identity credential collecting device further includes a calling module, an authentication request receiving module, and an authentication request responding module, wherein:

the calling module is used for initiating a calling request to a called terminal;

the authentication request receiving module is used for receiving an authentication request which is forwarded by the identity credential forwarding device and aims at a calling user, wherein the authentication request is an authentication request which is initiated by a called terminal aiming at the calling user when the called terminal receives a call request which is initiated to the called terminal by the calling module;

and the verification request response module is used for sending a response message carrying the identity information of the calling party to the identity certificate forwarding device so that the identity certificate forwarding device forwards the identity information of the calling party to the identity certificate verification device for verification and then sends the call request carrying the identity verification result to the called terminal.

According to another aspect of the present invention, an identity credential collecting device is provided, which includes an identity information collecting module, a calling module, an authentication request receiving module, and an authentication request responding module, wherein:

According to another aspect of the present invention, there is provided an identity credential validation apparatus comprising a validation information extraction module and a validation information display module, wherein:

the identity certificate forwarding device is used for forwarding the identity information of the calling party to the identity certificate verification device, the identity certificate verification device verifies the identity information of the calling party, and the identity certificate forwarding device sends the call request carrying the identity verification result to the identity certificate confirmation device;

and the confirmation information display module is used for displaying the identity confirmation information to the user.

In an embodiment of the present invention, the identity credential validation apparatus further includes an authentication request sending module, wherein:

the authentication request sending module is used for initiating an authentication request aiming at a calling user when receiving a calling request initiated by a calling terminal to a called terminal, so that the calling terminal sends a response message carrying the identity information of the calling user to an identity certificate forwarding device after receiving the authentication request, the identity certificate forwarding device forwards the identity information of the calling user to an identity certificate authentication device, the identity certificate authentication device authenticates the identity information of the calling user, and the identity certificate forwarding device sends the calling request carrying the authentication result to an identity certificate confirmation device.

According to another aspect of the present invention, there is provided a user terminal, including the identity credential collecting device according to any one of the above embodiments, and/or the identity credential confirming device according to any one of the above embodiments.

According to another aspect of the present invention, there is provided an identity authentication system, comprising an identity credential forwarding device as described in any of the above embodiments, an identity credential verifying device as described in any of the above embodiments, an identity credential collecting device as described in any of the above embodiments, and an identity credential validating device as described in any of the above embodiments.

In one embodiment of the invention, the identity certificate forwarding device is arranged in an IP multimedia subsystem network; the identity certificate acquisition device is arranged in the calling user terminal; the identity certificate confirmation device is arranged in the called user terminal.

The present invention can be used to prevent telecommunication fraud or provide highly reliable user authentication in internet services by further increasing authentication of real users on the basis of authentication of devices at the time of original network access.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 is a schematic diagram of an identity authentication system according to an embodiment of the present invention.

Fig. 2 is a schematic diagram of an identity credential collecting device according to a first embodiment of the present invention.

Fig. 3 is a schematic diagram of an identity credential collecting device according to a second embodiment of the present invention.

Fig. 4 is a schematic diagram of an identity credential collecting device according to a third embodiment of the present invention.

Fig. 5 is a diagram illustrating an identity credential forwarding device according to a first embodiment of the present invention.

Fig. 6 is a diagram illustrating an identity credential forwarding device according to a second embodiment of the present invention.

Fig. 7 is a diagram illustrating an identity credential forwarding device according to a third embodiment of the present invention.

Fig. 8 is a diagram illustrating an authentication device according to a first embodiment of the present invention.

Fig. 9 is a diagram illustrating an authentication device according to a second embodiment of the present invention.

Fig. 10 is a diagram illustrating an identity credential validation device according to a first embodiment of the present invention.

Fig. 11 is a diagram illustrating an identity credential validation device according to a second embodiment of the present invention.

Fig. 12 is a diagram illustrating an identity authentication method according to a first embodiment of the present invention.

Fig. 13 is a diagram illustrating an identity authentication method according to a second embodiment of the present invention.

Fig. 14 is a diagram illustrating an identity authentication method according to a third embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.

Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.

Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.

In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.

The applicant found that: in order to meet the authentication requirements of users at any time and any place, the identity authentication of real users needs to be added on the basis of the existing equipment authentication. The identity authentication technology is used for solving the problem of consistency of physical identity and digital identity of an accessor and providing a basis for authority management for other security technologies.

Fig. 1 is a schematic diagram of an identity authentication system according to an embodiment of the present invention. As shown in fig. 1, the identity authentication system includes an identity credential collecting device 11, an identity credential confirming device 12, an identity credential forwarding device 13, and an identity credential verifying device 14, wherein:

the identity credential forwarding device 13 is arranged in an IMS (IP Multimedia Core Network Subsystem) Network 3; the identity certificate acquisition device 11 is arranged in the calling user terminal 1; the identity credential validation means 12 is provided in the called user terminal 2.

The identity voucher acquisition device 11 is used for initiating a call request carrying the identity information of a calling party;

identity certificate forwarding means 13 for extracting the identity information of the calling party from the call request and forwarding the identity information of the calling party to identity certificate verifying means 14;

the identity certificate verifying device 14 is used for verifying the identity information of the calling party and returning an identity verification result to the identity certificate forwarding device 13;

an identity certificate forwarding device 13, configured to send a call request carrying an identity verification result to the identity certificate confirming device 12;

and the identity certificate confirmation device 12 is used for displaying the identity confirmation prompt of the calling party when the call is received.

Based on the identity authentication system provided by the above embodiment of the present invention, the identity confirmation of the other party can be provided for the party in communication, thereby being capable of preventing telecommunication fraud or providing high-reliability user authentication in internet services.

At present, the authentication means for users in a network environment comprises modes of account numbers/passwords, dynamic passwords, USB keys, short message verification codes and the like, but the authentication means has the problems of being cracked, stolen, intercepted and the like.

The identity authentication system of the embodiment of the invention further increases the authentication of the real user on the basis of the authentication of the equipment when the original network is accessed. The identity information is collected during the call initiation or call proceeding, can represent the real identity of the user, and has high reliability.

The embodiment of the invention does not need special terminal hardware, and the acquisition of the user identity information can utilize the existing capability of the terminal, such as acquiring face information by utilizing a camera and acquiring fingerprint information by utilizing a fingerprint sensor.

The communication opposite terminal of the embodiment of the invention can know the authentication result in real time, thereby increasing the trust level between the calling party and the called party and reducing the telecom fraud.

The structure and function of the identity certificate acquisition device 11, the identity certificate validation device 12, the identity certificate forwarding device 13 and the identity certificate verification device 14 in the above embodiments of the present invention are further described below by specific embodiments.

Fig. 2 is a schematic diagram of an identity credential collecting device according to a first embodiment of the present invention. As shown in fig. 2, the identity credential collecting device 11 in the embodiment of fig. 1 may include an identity information collecting module 111 and an identity information sending module 112, where:

the identity information collecting module 111 is configured to collect identity information of a terminal user, such as biological information of a fingerprint and a face of an individual user, and certificate information of an enterprise user.

In one embodiment of the present invention, the identity information may include, but is not limited to, the following: the certificate number, biological information (face, fingerprint, iris, etc.), password, certificate of the individual user; enterprise registration information, certificates, passwords, etc. for the enterprise customers.

In an embodiment of the present invention, the collection of the user identity information may utilize the existing capability of the terminal, such as collecting face information by using a camera, collecting fingerprint information by using a fingerprint sensor; identity information extraction software or means may also be attached to the terminal as required.

The identity information sending module 112 is configured to initiate a call request carrying identity information of a calling party (end user), and send the call request carrying the identity information of the calling party to the identity credential forwarding device 13, so that the identity credential forwarding device 13 forwards the identity information of the calling party to the identity credential verifying device 14 for verification, and then sends the call request carrying an identity verification result to a called terminal.

In an embodiment of the present invention, the caller identity information utilizes an extension of a Session Initiation Protocol (SIP) Protocol to transmit an identity credential, an identity confirmation request and a response, and finally provides an identity confirmation prompt to a called party.

Based on the identity certificate acquisition device provided by the embodiment of the invention, the identity of the calling party can be authenticated when the calling party actively carries identity information. Practical application scenarios in which the identity credential gathering device of the present invention may be applied include: government agencies (public security and the like) or enterprises actively carry identity information when customer service calls users so as to obtain the trust of the other party.

In an embodiment of the present invention, as shown in fig. 2, the identity credential collecting device 11 may further include an identity information processing module 113, where:

and an identity information processing module 113, configured to process the identity information of the calling party, and send the identity information of the calling party to the identity credential forwarding device through the identity information sending module 112.

The processing mode of the identity information of the calling party in the above embodiment of the present invention may be encryption, hash or signature, and the like, and may be selected according to the system requirement and the processing capability of the terminal.

Fig. 3 is a schematic diagram of an identity credential collecting device according to a second embodiment of the present invention. Compared with the embodiment shown in fig. 2, in the embodiment shown in fig. 3, the identity credential collecting device 11 of the embodiment of fig. 1 may further include a calling module 114, an authentication request receiving module 115, and an authentication request responding module 116, where:

and a calling module 114 for initiating a call request to the called terminal.

An authentication request receiving module 115, configured to receive an authentication request for the calling user forwarded by the identity credential forwarding device 13, where the authentication request is an authentication request for the calling user initiated by the called terminal when the called terminal receives a call request initiated by the calling module 114 to the called terminal.

The verification request response module 116 is configured to send a response message carrying the identity information of the calling party to the identity credential forwarding device 13, so that the identity credential forwarding device 13 forwards the identity information of the calling party to the identity credential verifying device 14 for verification, and then sends the call request carrying the identity verification result to the called terminal.

The embodiment of the invention can not only realize the authentication of the identity of the calling party under the condition that the called party initiates the identity authentication request, so that the embodiment of the invention can be applied to the practical application scene that the service systems such as banks and the like verify the identity information of the user when receiving the service request for changing the password; and when the user receives the suspected fraud call, the user initiates the verification of the other party. Meanwhile, the above embodiment of the present invention can also be used to implement the authentication of the identity of the calling user when the calling user actively carries identity information, and thus, the actual application scenario in which the identity credential collecting device of the present invention can be applied includes: government agencies (public security and the like) or enterprises actively carry identity information when customer service calls users so as to obtain the trust of the other party.

Fig. 4 is a schematic diagram of an identity credential collecting device according to a third embodiment of the present invention. As shown in fig. 4, the identity credential collecting device 11 in the embodiment of fig. 1 may include an identity information collecting module 111, an identity information processing module 113, a calling module 114, an authentication request receiving module 115, and an authentication request responding module 116, where:

and an identity information acquisition module 111, configured to acquire identity information of the terminal user.

And a calling module 114 for initiating a call request to the called terminal.

The embodiment of the invention can realize the authentication of the identity of the calling party under the condition that the called party initiates the identity authentication request, so the practical application scene which can be applied by the embodiment of the invention comprises that the bank and other business systems verify the identity information of the user when receiving the business request for changing the password; and when the user receives the suspected fraud call, the user initiates the verification of the other party.

The identity credential collecting device 11 in the above embodiments of the present invention may be located on the calling side user terminal or the called side user terminal.

Fig. 5 is a diagram illustrating an identity credential forwarding device according to a first embodiment of the present invention. As shown in fig. 5, the identity credential forwarding device 13 in the embodiment of fig. 1 may include a call request receiving module 131, an identity information extracting module 132, an identity information forwarding module 133, and a call request forwarding module 134, where:

the call request receiving module 131 is configured to receive a call request which is initiated by a calling terminal and carries identity information of a calling party.

An identity information extraction module 132, configured to extract the calling party identity information from the call request (SIP signaling).

The identity information forwarding module 133 is configured to forward the identity information of the calling party to the identity credential verifying apparatus 14, so that after the identity credential verifying apparatus 14 verifies the identity information of the calling party, the identity verification result is returned to the identity credential forwarding apparatus 13.

The call request forwarding module 134 is configured to send a call request carrying an authentication result to the called terminal, so that the called terminal displays a caller identity confirmation prompt while receiving the call.

The identity credential gathering means 13 is a functional module located in the IMS network.

In an embodiment of the present invention, the identity credential gathering means 13 may be located in an MMTEL (Multimedia telephony) network element.

Based on the identity certificate forwarding device provided by the embodiment of the invention, the identity of the calling party can be authenticated when the calling party actively carries identity information. Practical application scenarios in which the identity credential gathering device of the present invention may be applied include: government agencies (public security and the like) or enterprises actively carry identity information when customer service calls users so as to obtain the trust of the other party.

Fig. 6 is a diagram illustrating an identity credential forwarding device according to a second embodiment of the present invention. Compared with the embodiment shown in fig. 5, in the embodiment shown in fig. 6, the identity credential forwarding device 13 of the embodiment of fig. 1 further includes an authentication request obtaining module 135, an authentication request forwarding module 136, and a response message receiving module 137, where:

the verification request obtaining module 135 is configured to receive an authentication request for the calling user initiated by the called terminal, where the called terminal initiates the authentication request for the calling user when receiving a call request initiated by the calling terminal to the called terminal.

And an authentication request forwarding module 136, configured to forward the authentication request to the calling terminal, so that the calling terminal responds after receiving the authentication request.

The response message receiving module 137 is configured to receive a response message which is sent by the calling terminal and carries the identity information of the calling subscriber.

The identity information extraction module 132 is further configured to extract the caller identity information from the response message, and then instruct the identity information forwarding module 133 to perform an operation of forwarding the caller identity information to the authentication device 14.

Fig. 7 is a diagram illustrating an identity credential forwarding device according to a third embodiment of the present invention. As shown in fig. 7, the identity credential forwarding device 13 in the embodiment of fig. 1 may include an authentication request obtaining module 135, an authentication request forwarding module 136, a response message receiving module 137, an identity information extracting module 132, an identity information forwarding module 133, and a call request forwarding module 134, where:

the verification request obtaining module 135 is configured to receive an authentication request for the calling party initiated by the called terminal, where the called terminal initiates the authentication request for the calling party when receiving a call request initiated by the calling terminal to the called terminal.

And an identity information extraction module 132, configured to extract the identity information of the calling party from the response message.

Fig. 8 is a diagram illustrating an authentication device according to a first embodiment of the present invention. As shown in fig. 8, the authentication device 14 in the embodiment of fig. 1 may include an identity information receiving module 141, an identity information verifying module 142, and a verification result returning module 143, where:

the identity information receiving module 141 is configured to receive the identity information of the calling party forwarded by the identity credential forwarding device 13, where the identity information of the calling party is extracted from a call request sent by the calling terminal by the identity credential forwarding device 13 or a response message of the calling terminal to an identity verification request of the called terminal.

And an identity information verification module 142, configured to verify the identity information of the calling party.

In an embodiment of the present invention, the identity information verification module 142 may be further configured to decrypt the identity information before verifying the identity information of the calling party.

The verification result returning module 143 is configured to return the authentication result to the identity credential forwarding device 13, so that the identity credential forwarding device 13 sends the call request carrying the authentication result to the called terminal, and the called terminal displays a caller identity confirmation prompt while receiving the call.

Based on the identity credential verification device provided by the above-mentioned embodiment of the present invention, the identity of the other party can be confirmed for the party in communication, so that the device can be used for preventing telecommunication fraud or providing highly reliable user authentication in internet services. The identity authentication system of the embodiment of the invention further increases the authentication of the real user on the basis of the authentication of the equipment when the original network is accessed. The communication opposite terminal of the embodiment of the invention can know the authentication result in real time, thereby increasing the trust level between the calling party and the called party and reducing the telecom fraud.

Fig. 9 is a diagram illustrating an authentication device according to a second embodiment of the present invention. Compared with the embodiment shown in fig. 8, in the embodiment shown in fig. 9, the identity credential verifying device 14 of the embodiment of fig. 1 may further include an identity information storage module 144, where:

the identity information storage module 144 is synchronized with a CRM (Customer Relationship Management) system, and is used to store user identity information in advance.

The identity information verification module 142 is configured to compare the identity information of the calling party forwarded by the identity credential forwarding device 13 with the identity information of the calling party stored in the identity information storage module 144, so as to obtain an identity verification result.

Fig. 10 is a diagram illustrating an identity credential validation device according to a first embodiment of the present invention. As shown in fig. 10, the identity credential validation device 12 of the embodiment of fig. 1 may include a validation information extraction module 121 and a validation information display module 122, where:

the confirmation information extracting module 121 is configured to extract the identity confirmation information when receiving the call request carrying the authentication result sent by the identity credential forwarding device 13, where the calling terminal initiates the call request carrying the identity information of the calling party, the identity credential forwarding device 13 forwards the identity information of the calling party to the identity credential verifying device 14, the identity credential verifying device 14 verifies the identity information of the calling party, and the identity credential forwarding device 13 sends the call request carrying the authentication result to the identity credential confirming device 12.

And a confirmation information display module 122, configured to display the identity confirmation information to the user.

Based on the identity certificate confirmation device provided by the embodiment of the invention, the identity of the calling party can be authenticated when the calling party actively carries identity information. Practical application scenarios in which the identity credential gathering device of the present invention may be applied include: government agencies (public security and the like) or enterprises actively carry identity information when customer service calls users so as to obtain the trust of the other party.

Fig. 11 is a diagram illustrating an identity credential validation device according to a second embodiment of the present invention. Compared with the embodiment shown in fig. 10, in the embodiment shown in fig. 11, the identity credential validation device 12 may further include an authentication request sending module 123, where:

the verification request sending module 123 is configured to initiate an authentication request for a calling party when receiving a call request initiated by a calling terminal to a called terminal, so that the calling terminal sends a response message carrying identity information of the calling party to the identity credential forwarding device 13 after receiving the authentication request, the identity credential forwarding device 13 forwards the identity information of the calling party to the identity credential verifying device 14, the identity credential verifying device 14 verifies the identity information of the calling party, and the identity credential forwarding device 13 sends the call request carrying an authentication result to the identity credential confirming device 12.

Based on the user terminal provided by the above embodiment of the present invention, the identity confirmation of the other party can be provided for the party in communication, thereby being capable of preventing telecommunication fraud or providing high-reliability user authentication in internet service. The identity authentication system of the embodiment of the invention further increases the authentication of the real user on the basis of the authentication of the equipment when the original network is accessed. The communication opposite terminal of the embodiment of the invention can know the authentication result in real time, thereby increasing the trust level between the calling party and the called party and reducing the telecom fraud.

Fig. 12 is a diagram illustrating an identity authentication method according to a first embodiment of the present invention. Preferably, this embodiment can be performed by the identity authentication system of the present invention. As shown in fig. 12, the method may further include:

step 121, the calling terminal initiates a call request carrying the identity information of the calling user.

In one embodiment of the present invention, step 121 may comprise:

step 1211, the calling terminal collects the identity information of the calling subscriber.

In step 1212, the calling terminal sends the call request carrying the identity information of the calling party to the identity credential forwarding device 13.

In step 122, the identity credential forwarding device 13 extracts the identity information of the calling party from the call request, and forwards the identity information of the calling party to the identity credential verifying device 14.

In step 123, after the identity information of the calling party is verified by the identity certificate verifying device 14, the identity verification result is returned to the identity certificate forwarding device 13.

In step 124, the identity credential forwarding device 13 sends the call request carrying the authentication result to the called terminal.

Step 125, the called terminal displays the identity confirmation prompt of the calling user while receiving the call.

The identity information and the identity confirmation request in the identity authentication system can be loaded in the SIP message, so that the SIP message needs to be expanded. The identity information is carried in messages such as INVITE, 200OK, etc., and the identity confirmation request can be carried in messages such as OPTIONS, etc.

The above embodiments of the present invention may extend header fields (headers) of messages such as INVITE, 200OK, OPTIONS, etc., or add contents of existing header fields. For example, a header domain User-Credential may be added, which may be in the form of:

User-Credential: an encryption mode; identity information 1 category; content; identity information 2 category; content; … identity information n category; content providing method and apparatus

The encryption mode is the encryption mode that the identity information is encrypted after being extracted by the identity acquisition unit. The identity information category represents the type of identity information, such as iris, fingerprint, certificate, etc. The User-confidential header field may contain a variety of identity information. And when the content of the User-confidential header field is null, representing the identity confirmation request. When the content of the User-confidential header domain is 1, the authentication is passed; the content is 0, representing that the authentication failed.

Based on the identity authentication method provided by the above embodiment of the present invention, the identity confirmation of the other party can be provided for the party in communication, thereby being capable of preventing telecommunication fraud or providing high-reliability user authentication in internet service. The identity authentication system of the embodiment of the invention further increases the authentication of the real user on the basis of the authentication of the equipment when the original network is accessed. The communication opposite terminal of the embodiment of the invention can know the authentication result in real time, thereby increasing the trust level between the calling party and the called party and reducing the telecom fraud.

The embodiment of the invention can realize the authentication of the identity of the calling user when the calling actively carries the identity information. Possible practical application scenarios of the above embodiments of the present invention include: government agencies (public security and the like) or enterprises actively carry identity information when customer service calls users so as to obtain the trust of the other party.

In an embodiment of the present invention, on the basis of the embodiment of fig. 12, the method may further include: a calling terminal initiates a calling request to a called terminal; when receiving a call, a called terminal initiates an identity authentication request aiming at a calling user; after receiving the authentication request, the calling terminal sends a response message carrying the identity information of the calling user to the identity certificate forwarding device 13; the identity credential forwarding means 13 extracts the caller identity information from the response message and then performs the step of forwarding the caller identity information to the identity credential verification means 14 in the embodiment of fig. 12.

Fig. 13 is a diagram illustrating an identity authentication method according to a second embodiment of the present invention. Preferably, this embodiment can be performed by the identity authentication system of the present invention. The embodiment of fig. 13 is a specific implementation of the embodiment of fig. 12. As shown in fig. 13, the method may include:

step 131, the calling user selects the identity authentication service when opening an account, and supplements and reserves verification code and fingerprint information under the condition of real-name registration. Meanwhile, the authentication prompt displayed on the called side is selected as the own name card information.

Step 132, the calling user wants to call out through the IMS network, selects the identity of the user to be carried on the calling interface, prompts the user to select the identity information type through the calling interface, and the calling user selects the verification code and the fingerprint information, inputs the verification code in the subsequent interface, and scans the fingerprint by using the fingerprint sensor.

Step 133, the identity credential collecting unit software in the calling terminal hashes the verification code and the fingerprint information respectively.

Step 134, the calling User clicks the call key to initiate a call, the terminal includes a User-confidential header field in the INVITE message sent to the network, and the User-confidential header field indicates that the encryption mode is hash and includes a hash value of the verification code and a hash value of the fingerprint information.

Step 135, when receiving INVITE message, MMTel network element in IMS network extracts User-confidential header field content and forwards it to identity Credential verification unit.

136, the identity certificate verification unit compares the received hash value of the verification code and the hash value of the fingerprint information with the hash value of the reserved information, and if the comparison is consistent, the authentication is successfully returned; and if the comparison fails, returning authentication failure.

Step 137, the MMTel network element sends the INVITE message to the called terminal, and the User-confidential header field content is 1 or 0, that is, the authentication is passed or not passed.

And step 138, the called terminal receives the call and analyzes the User-confidential header domain content, and the authentication prompt is displayed on the terminal interface while ringing. If the authentication is passed, the calling name card information is displayed, and the real name registration is prompted; if not, the calling terminal owner registered by the calling non-operator is prompted.

The embodiment of the invention provides an identity authentication system and method based on an IMS network, and the main idea of the embodiment of the invention is that the identity of a real user can be verified on the basis of equipment authentication during communication, and a verification result can be notified to a communication opposite terminal. The information for verifying the user identity in the above embodiments of the present invention may be a verification code, a certificate, biometric information, and the like. The identity information of the above embodiment of the present invention is processed and then loaded in the SIP message for transmission. SIP messages may add a header field or extend the content of an existing header field to carry identity information. The above embodiment of the present invention adds the function of controlling and forwarding the identity credential in the IMS network, and can extract and forward the identity information and the authentication result. An identity certificate acquisition function and a confirmation function are added on the communication terminal. The above-described embodiments of the present invention can thus be used to prevent telecommunication fraud or to provide highly reliable user authentication in internet services

Fig. 14 is a diagram illustrating an identity authentication method according to a third embodiment of the present invention. Preferably, this embodiment can be performed by the identity authentication system of the present invention. As shown in fig. 14, the method may include:

in step 141, the calling terminal initiates a call request to the called terminal.

In step 142, the called terminal initiates an authentication request for the calling user when receiving the call.

Step 143, after receiving the authentication request, the calling terminal sends a response message carrying the identity information of the calling user to the identity credential forwarding device 13.

In step 144, the identity credential forwarding device 13 extracts the identity information of the calling party from the response message, and forwards the identity information of the calling party to the identity credential verifying device 14.

In step 145, the identity certificate verifying device 14 verifies the identity information of the calling party and returns the identity verification result to the identity certificate forwarding device 13.

In step 146, the identity credential forwarding device 13 sends the call request carrying the authentication result to the called terminal.

In step 147, the called terminal displays the identity confirmation prompt of the calling user while receiving the call.

In the above embodiments of the present invention, the operator may use the identity authentication as a service to authenticate and authorize the digital identity of the user.

The identity credential gathering means 11, the identity credential validation means 12, the identity credential forwarding means 13 and the identity credential verification means 14 described above may be implemented as a general purpose processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components or any suitable combination thereof for performing the functions described herein.

Thus far, the present invention has been described in detail. Some details well known in the art have not been described in order to avoid obscuring the concepts of the present invention. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims

1. An identity authentication method, comprising:

the called terminal displays the identity confirmation prompt of the calling user when receiving the call;

wherein, the identity authentication method further comprises:

a calling terminal initiates a calling request to a called terminal;

2. The method of claim 1, wherein the initiating, by the calling terminal, a call request carrying identity information of a calling party comprises:

a calling terminal collects identity information of a calling user;

3. The method according to claim 1 or 2, wherein the sending the response message carrying the identity information of the calling party to the identity credential forwarding device comprises:

a calling terminal collects identity information of a calling user;

4. The method of claim 1 or 2, further comprising:

5. An identity authentication method, comprising:

a calling terminal initiates a calling request to a called terminal;

6. An identity certificate forwarding device is characterized by comprising a call request receiving module, an identity information extracting module, an identity information forwarding module and a call request forwarding module, wherein:

the call request forwarding module is used for sending the call request carrying the identity verification result to the called terminal so that the called terminal can display the identity confirmation prompt of the calling party while receiving the call;

the identity credential forwarding device further comprises an authentication request acquisition module, an authentication request forwarding module and a response message receiving module, wherein:

7. An identity certificate forwarding device is characterized by comprising an authentication request acquisition module, an authentication request forwarding module, a response message receiving module, an identity information extraction module, an identity information forwarding module and a call request forwarding module, wherein:

8. An identity certificate verification device is characterized by comprising an identity information receiving module, an identity information verification module and a verification result returning module, wherein:

9. The authentication device of claim 8, further comprising an identity information storage module, wherein:

10. The utility model provides an identity voucher collection system which characterized in that, includes identity information acquisition module and identity information sending module, wherein:

11. The identity credential collection device of claim 10, further comprising a calling module, a verification request receiving module, and a verification request response module, wherein:

12. The identity certificate acquisition device is characterized by comprising an identity information acquisition module, a calling module, an authentication request receiving module and an authentication request response module, wherein:

13. An identity credential validation device comprising a validation information extraction module and a validation information display module, wherein:

14. The identity credential validation device of claim 13, further comprising an authentication request sending module, wherein:

15. A user terminal, characterized in that it comprises an identity credential gathering device according to any one of claims 10-12 and/or an identity credential validation device according to claim 13 or 14.

16. An identity authentication system comprising an identity credential forwarding device as claimed in claim 6 or 7, an identity credential verification device as claimed in claim 8 or 9, an identity credential gathering device as claimed in any one of claims 10 to 12, and an identity credential validation device as claimed in claim 13 or 14.

17. The identity authentication system of claim 16,

the identity certificate forwarding device is arranged in an IP multimedia subsystem network;

the identity certificate acquisition device is arranged in the calling user terminal;

the identity certificate confirmation device is arranged in the called user terminal.