
CN108833361B - Identity authentication method and device based on virtual account - Google Patents


Info

Publication number
CN108833361B
Authority
CN
China
Prior art keywords
identity
virtual account
user
module
identity information
Prior art date
Legal status
Active
Application number
CN201810501374.XA
Other languages
Chinese (zh)
Other versions
CN108833361A (en)
Inventor
李首峰
李莉莉
孙立宏
陈放
Current Assignee
Guozhengtong Technology Co ltd
Original Assignee
Guozhengtong Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Guozhengtong Technology Co ltd
Priority to CN201810501374.XA
Publication of CN108833361A
Application granted
Publication of CN108833361B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses an identity authentication method and device based on a virtual account, in the technical field of identity authentication. The method comprises the following steps: the server receives and parses a registration request submitted by a user through a client to obtain the user's identity information, which it uses as the identity information plaintext; it randomly generates an identity credential, encrypts the identity information plaintext with the identity credential to obtain an identity information ciphertext, and generates a virtual account from the identity credential and the identity information plaintext; it associates the identity information ciphertext with the virtual account and returns the identity credential and the virtual account to the user through the client; and when the server receives a login request sent by the user through the client, it authenticates the user according to the corresponding virtual account and identity credential. Because login is performed through the virtual account, the risk of leaking the user's real identity information is effectively avoided, and the efficiency with which the server side manages user information is improved.

Description

Identity authentication method and device based on virtual account
Technical Field
The invention relates to the technical field of identity authentication, in particular to an identity authentication method and device based on a virtual account.
Background
With the rapid development of science and technology, people pay ever more attention to security, and identity authentication is an essential step before logging in to applications and conducting transactions. In many current identity authentication processes the user provides real identity information, and the authenticating end verifies the user's identity against the real identity information it maintains. In this process the user's real identity information is easy to steal, which is insecure; moreover, the authenticating end must maintain the real identity information of every user, so that when its database is stolen the identity information of all users is at risk of leakage. A more secure identity authentication method, and an effective way of managing information during authentication, are therefore needed.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides an identity authentication method and device based on a virtual account.
In a first aspect, the present invention provides an identity authentication method based on a virtual account, including:
the server receives and analyzes a registration request submitted by a user through a client to obtain identity information of the user and uses the identity information as identity information plaintext;
the server randomly generates an identity certificate, encrypts the identity information plaintext by using the identity certificate to obtain an identity information ciphertext, and generates a virtual account according to the identity certificate and the identity information plaintext;
the server establishes association between the identity information ciphertext and the virtual account, and returns the identity certificate and the virtual account to the user through the client;
and the server receives a login request sent by a user through the client and performs identity authentication on the user according to the corresponding virtual account and the identity certificate.
Optionally, the server randomly generating an identity credential specifically comprises: the server randomly generates a random number with a preset number of digits, acquires the current time, calculates the effective expiry date of the corresponding virtual account from the current time, and concatenates the effective expiry date and the random number in that order to obtain the identity credential;
before the identity authentication of the user according to the corresponding virtual account and the identity credential, the method further includes: analyzing the corresponding identity certificate to obtain the effective expiration date of the corresponding virtual account, judging whether the corresponding virtual account is within the expiration date according to the obtained effective expiration date, and if so, continuing; otherwise, returning the unavailable information of the virtual account to the corresponding user through the client.
Optionally, the generating a virtual account according to the identity credential and the identity information plaintext includes:
vectorizing the identity voucher and the identity information plaintext respectively to obtain a corresponding first matrix and a corresponding second matrix;
performing preset operation on the first matrix and the second matrix to obtain an operation result;
and reading data of a preset position in the operation result as a virtual account.
Optionally, the returning, by the client, the identity credential and the virtual account to the user includes: returning the virtual account to the user through the client, and storing the identity certificate in the terminal equipment where the client is located;
before the identity authentication of the user according to the corresponding virtual account and the identity credential, the method further includes: and the server reads the identity certificate stored in the terminal equipment where the corresponding client is located.
Optionally, the performing identity authentication on the user according to the corresponding virtual account and the identity credential includes:
the server searches the associated identity information ciphertext according to the corresponding virtual account;
the server decrypts the searched identity information ciphertext by using the corresponding identity certificate to obtain an identity information plaintext;
the server sends a verification code to the mobile phone number or mailbox in the obtained identity information plaintext;
the server judges whether the verification code returned by the user through the client is received within preset time, and if so, the server judges that the identity authentication is successful; otherwise, the identity authentication is judged to fail.
In a second aspect, the present invention provides an identity authentication apparatus based on a virtual account, including:
the receiving module is used for receiving a registration request submitted by a user through a client;
the analyzing module is used for analyzing the registration request received by the receiving module to obtain the identity information of the user and using the identity information as an identity information plaintext;
the first generation module is used for randomly generating the identity credential;
the encryption module is used for encrypting the identity information plaintext obtained by the analysis module by using the identity certificate generated by the first generation module to obtain an identity information ciphertext;
the second generation module is used for generating a virtual account according to the identity voucher generated by the first generation module and the identity information plaintext obtained by the analysis module;
the association module is used for establishing association between the identity information ciphertext obtained by the encryption module and the virtual account generated by the second generation module;
the sending module is used for returning the identity voucher generated by the first generating module and the virtual account generated by the second generating module to the user through a client;
the receiving module is also used for receiving a login request sent by a user through a client;
and the authentication module is used for authenticating the identity of the user according to the virtual account and the identity certificate corresponding to the login request received by the receiving module.
Optionally, the apparatus further comprises: a judgment module;
the first generation module is specifically configured to: randomly generate a random number with a preset number of digits, acquire the current time, calculate the effective expiry date of the corresponding virtual account from the current time, and concatenate the effective expiry date and the random number in that order to obtain the identity credential;
the judging module is used for analyzing the identity certificate corresponding to the login request received by the receiving module, obtaining the effective expiration date of the corresponding virtual account, and judging whether the corresponding virtual account is within the effective period according to the obtained effective expiration date;
the authentication module is specifically configured to: when the judging module judges that the corresponding virtual account is within the valid period, the identity authentication is carried out on the user according to the virtual account and the identity certificate corresponding to the login request received by the receiving module;
and the sending module is also used for returning the unavailable information of the virtual account to the corresponding user through the client when the judging module judges that the corresponding virtual account is not in the valid period.
Optionally, the second generating module includes: the device comprises a vectorization submodule, an operation submodule and a reading submodule;
the vectorization submodule is used for respectively carrying out vectorization processing on the identity voucher generated by the first generation module and the identity information plaintext obtained by the analysis module to obtain a corresponding first matrix and a corresponding second matrix;
the operation submodule is used for carrying out preset operation on the first matrix and the second matrix obtained by the vectorization submodule to obtain an operation result;
and the reading submodule is used for reading the data of the preset position in the operation result obtained by the operation submodule to be used as the virtual account.
Optionally, the sending module is specifically configured to: and returning the virtual account generated by the second generation module to the user through the client, and storing the identity certificate generated by the first generation module into the terminal equipment where the client is located.
Optionally, the authentication module comprises: the search submodule, the decryption submodule and the judgment submodule;
the searching submodule is used for searching the associated identity information ciphertext according to the virtual account corresponding to the login request received by the receiving module;
the decryption submodule is used for decrypting the searched identity information ciphertext by using the identity certificate corresponding to the login request received by the receiving module to obtain an identity information plaintext;
the sending module is further configured to send a verification code to a mobile phone number or a mailbox in the plaintext of the identity information obtained by the decryption sub-module;
the receiving module is further used for receiving the verification code returned by the user through the client;
the judging submodule is used for judging whether the receiving module receives the verification code returned by the user through the client within the preset time, and if so, the identity authentication is judged to be successful; otherwise, the identity authentication is judged to fail.
In a third aspect, the present invention provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect of the invention.
The invention has the advantages that:
First, the server generates a virtual account from the user's registration request and returns it to the user, so that the user subsequently logs in with the virtual account rather than with real identity information, which effectively avoids the risk of leaking the user's identity information. Second, the server does not maintain the user's identity information plaintext or identity credential, only the identity information ciphertext and the virtual account, so that if its data is stolen the thief cannot decrypt the ciphertext without the credential; the risk of the plaintext leaking through a server data breach is thereby effectively avoided. Finally, the server does not record and individually monitor the expiry date of each virtual account; instead each virtual account and its associated ciphertext are stored in the storage area corresponding to the account's expiry date, so that the whole area is emptied at once when that month ends, which saves storage space, enables batch management of user information and improves management efficiency.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of an identity authentication method based on a virtual account according to the present invention;
fig. 2 is a block diagram of an identity authentication device based on a virtual account according to the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Example one
According to an embodiment of the present invention, there is provided an identity authentication method based on a virtual account, as shown in fig. 1, including:
step 101: the server receives and analyzes a registration request submitted by a user through a client to obtain identity information of the user and uses the identity information as an identity information plaintext;
The registration request includes the user's identity information and contact details, such as an identity document number, the user's mobile phone number and/or the user's mailbox.
For example, in this embodiment, the obtained user identity information is a mobile phone number, and is used as the identity information plaintext.
Step 102: the server randomly generates an identity certificate, encrypts the obtained identity information plaintext by using the generated identity certificate to obtain an identity information ciphertext, and generates a virtual account according to the generated identity certificate and the obtained identity information plaintext;
according to the embodiment of the invention, the server randomly generates the identity voucher, which specifically comprises the following steps: the server randomly generates a random number with a preset digit, acquires the current time, calculates the effective expiration date of the corresponding virtual account according to the current time, and sequentially splices the effective expiration date and the random number to obtain an identity certificate;
The preset number of digits can be defined as required; for example, it is 6, and the random number generated in this case is 254368.
In the invention the virtual account has a validity period, preferably at most 12 months, to avoid the account being cracked because it is in use for too long. The validity period may be stated in the registration request submitted by the user; when the user does not state one, a default validity period is used, for example 6 months.
For example, if the user states a validity period of 8 months in the submitted registration request and the current time is 10 January 2018, the generated identity credential is 20180910254368.
Further, in the invention, the generated identity certificate is used for encrypting the obtained identity information plaintext to obtain the identity information ciphertext, and the encryption algorithm can be set according to the requirement, such as AES encryption, DES encryption and the like.
Furthermore, in the present invention, generating a virtual account according to the generated identity credential and the obtained identity information plaintext includes:
step D1: the server respectively carries out vectorization processing on the generated identity voucher and the obtained identity information plaintext to obtain a corresponding first matrix and a corresponding second matrix;
according to an embodiment of the present invention, step D1 specifically includes:
step D1-1: the server respectively carries out binary conversion on each number and letter in the generated identity voucher and the obtained identity information plain text to obtain corresponding first character strings;
for example, the number 5 is converted to 101 and the letter m is converted to 01101101.
Step D1-2: supplementing bits to the first character strings to obtain second character strings of corresponding preset bits;
specifically, a plurality of zeros are supplemented after the last bit of each first character string to obtain a second character string with a corresponding preset number of bits;
for example, in the present invention, the predetermined number of bits is 10 bits, the second string obtained by bit-filling the first string 101 is 1010000000, and the second string obtained by bit-filling the first string 01101101 is 0110110100.
Step D1-3: and constructing a first matrix according to each second character string corresponding to the identity certificate, and constructing a second matrix according to each second character string corresponding to the identity information plaintext.
Specifically, in order from left to right, the second character string corresponding to each character of the identity credential is taken in turn as the first row, the second row, …, the last row of a first matrix, giving an n × t first matrix A(n × t), where n, the number of rows, is the number of characters in the identity credential and t, the number of columns, is the number of bits in each second character string; in order from right to left, the second character string corresponding to each character of the identity information plaintext is taken in turn as the first column, the second column, …, the last column of a second matrix, giving a second matrix B(t × p).
for example, in this embodiment, the identity credential is composed of 16 digits, the identity information plaintext is a mobile phone number composed of 11 digits of the user, and the obtained first matrix is sixteen rows and ten columns, and the second matrix is ten rows and ten columns.
Step D2: performing preset operation on the first matrix and the second matrix to obtain an operation result;
Specifically, the first matrix is multiplied by the second matrix to obtain a third matrix, which is used as the operation result, i.e. A(n × t) × B(t × p) = C(n × p), where C(n × p) is the operation result.
Step D3: and reading data of a preset position in the operation result as a virtual account.
Specifically, when the operation result is a symmetric matrix, reading data on a diagonal line as a virtual account; and when the operation result is an asymmetric matrix, reading data in a preset row or a preset column as a virtual account.
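The derivation of steps D1 to D3, as an added example in Python that is not the patent's own code: each character becomes a bit string (minimal binary for digits, 8-bit ASCII for letters), is right-padded with zeros to the preset width of 10, the credential's strings form the rows of A and the plaintext's strings (taken right to left) the columns of B, and the virtual account is read from the diagonal of C = A × B when C is square, otherwise from a preset row. Assumptions: "symmetric" in step D3 is read as square, the selected entries are concatenated as decimal numbers, and the mobile number is a constructed sample.

```python
def to_bits(ch):
    """Step D1-1: a digit becomes its minimal binary form (5 -> 101), a letter
    its 8-bit ASCII code (m -> 01101101), as in the page's example."""
    if ch.isdigit():
        return format(int(ch), "b")
    return format(ord(ch), "08b")


def pad_bits(bits, width=10):
    """Step D1-2: append zeros after the last bit up to the preset width."""
    if len(bits) > width:
        raise ValueError(f"{bits!r} is longer than the preset width {width}")
    return bits + "0" * (width - len(bits))


def vectorize(text, width=10):
    """Step D1-3, credential side: one row per character, left to right,
    giving an n x t matrix (n = len(text), t = width)."""
    return [[int(b) for b in pad_bits(to_bits(ch), width)] for ch in text]


def vectorize_columns(text, width=10):
    """Step D1-3, plaintext side: one column per character, taken right to
    left as the page states, giving a t x p matrix (p = len(text))."""
    cols = [[int(b) for b in pad_bits(to_bits(ch), width)] for ch in reversed(text)]
    return [[col[i] for col in cols] for i in range(width)]


def matmul(a, b):
    """Step D2: A(n x t) * B(t x p) = C(n x p)."""
    t = len(b)
    if any(len(row) != t for row in a):
        raise ValueError("inner dimensions of A and B must agree")
    return [[sum(a[i][k] * b[k][j] for k in range(t)) for j in range(len(b[0]))]
            for i in range(len(a))]


def operation_result(credential, plaintext, width=10):
    return matmul(vectorize(credential, width), vectorize_columns(plaintext, width))


def derive_virtual_account(credential, plaintext, preset_row=0):
    """Step D3: the diagonal when C is square (assumed reading of 'symmetric'),
    otherwise a preset row. Assumption: entries are joined as decimal numbers;
    each is a dot product of two 10-bit vectors and so lies in 0..10."""
    c = operation_result(credential, plaintext)
    if len(c) == len(c[0]):
        picked = [c[i][i] for i in range(len(c))]
    else:
        picked = c[preset_row]
    return "".join(str(v) for v in picked)


if __name__ == "__main__":
    # Credential from the page's example; the mobile number is a constructed sample.
    print(derive_virtual_account("20180910254368", "13800138000"))
```

Because an entry can be two digits, the joined string is not uniquely decodable; a deployment would fix a per-entry width.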
Step 103: the server establishes association between the obtained identity information ciphertext and the generated virtual account, and returns the generated identity certificate and the virtual account to the user through the client;
the server establishes association between the obtained identity information ciphertext and the generated virtual account, and specifically comprises the following steps: the server partitions the storage area according to the month, and correspondingly stores the obtained identity information ciphertext and the generated virtual account number into the corresponding storage area according to the effective expiration date of the virtual account number;
For example, if the effective expiry date of the virtual account is 10 September 2018, the identity information ciphertext and the virtual account are stored together in the storage area corresponding to 10 September 2018.
Correspondingly, the method further comprises the following steps: when a month ends, the corresponding storage area is emptied.
Further, returning the generated identity credential and the virtual account to the user through the client, including: the server returns the generated virtual account to the user through the client, and stores the generated identity certificate in the terminal equipment where the client is located.
Preferably, before the step of storing the generated identity credential to the terminal device where the client is located, the method further includes: the pop-up box prompts a user to select a storage position;
correspondingly, the step of storing the generated identity certificate to the terminal equipment where the client is located includes: storing the generated identity voucher to a storage position selected by a user, and recording a corresponding storage position identifier;
furthermore, when the user does not select the storage location, the generated identity credential is stored to the default storage location, and the corresponding storage location identifier is recorded.
In the invention the server maintains only the user's identity information ciphertext and virtual account, not the identity information plaintext or the identity credential, so that if data is stolen the thief cannot decrypt the ciphertext to obtain the plaintext because the credential is absent; the risk of the user's identity information plaintext leaking through a server data breach is thereby effectively avoided. At the same time, the server does not record and individually monitor the expiry date of each virtual account; instead it stores each virtual account and its associated ciphertext in the storage area corresponding to that account's expiry date, so that all information in the area is emptied at once when the month ends, which saves storage space, enables batch management of user information and improves management efficiency.
Step 104: and the server receives a login request sent by the user through the client and performs identity authentication on the user according to the corresponding virtual account and the identity certificate.
According to the embodiment of the present invention, before performing identity authentication on a user according to a corresponding virtual account and an identity credential, the method further includes:
step F: the server reads the identity certificate stored in the terminal equipment where the corresponding client is located;
specifically, the corresponding storage position is determined according to the recorded storage position identification, and the identity credential is read in the determined storage position.
Further, before performing identity authentication on the user according to the corresponding virtual account and the identity credential, the method further includes:
step H: parsing the corresponding identity credential to obtain the effective expiration date of the corresponding virtual account, and judging according to that date whether the corresponding virtual account is within its validity period; if so, continuing, otherwise returning a message that the virtual account is unavailable to the corresponding user through the client.
Parsing the corresponding identity credential to obtain the effective expiration date of the corresponding virtual account specifically includes: reading the first eight characters of the identity credential to obtain the effective expiration date of the corresponding virtual account.
In the invention, the server does not need to maintain the effective expiration date of each virtual account; instead, when a virtual account logs in, it parses the corresponding identity credential to obtain that date. Compared with the existing approach of storing each virtual account together with its effective expiration date and looking the date up by virtual account, this improves efficiency and saves the storage space needed for data storage.
Further, the identity authentication of the user according to the corresponding virtual account and the identity credential includes:
step F1: the server searches the associated identity information ciphertext according to the corresponding virtual account;
step F2: the server decrypts the searched identity information ciphertext by using the corresponding identity certificate to obtain identity information plaintext;
step F3: the server sends a verification code to the mobile phone number or mailbox in the obtained identity information plaintext;
step F4: the server judges whether a verification code returned by the user through the client is received within preset time, and if yes, the server judges that the identity authentication is successful; otherwise, the identity authentication is judged to fail.
Wherein, step F4 includes:
step F4-1: the server judges whether the verification code returned by the user through the client is received within the preset time, if so, the step F4-2 is executed, otherwise, the authentication is judged to be failed;
step F4-2: the server judges whether the received verification code is matched with the sent verification code, and if so, the server judges that the authentication is successful; otherwise, the authentication is judged to be failed.
Preferably, the method further comprises: a user submits a virtual account number delayed use request through a client;
correspondingly, when the server receives the virtual account delayed use request, the server reads the identity certificate in the equipment where the client is located, decrypts the corresponding identity information ciphertext by using the read identity certificate to obtain the identity information plaintext, generates a new identity certificate, encrypts the obtained identity information plaintext by using the new identity certificate to obtain the new identity information ciphertext, associates the new identity information ciphertext with the virtual account, and updates the identity certificate stored in the terminal equipment where the client is located by using the new identity certificate.
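The login-time checks described above (reading the expiry date from the first eight characters of the credential, looking up the ciphertext by virtual account, decrypting it with the credential, and accepting the verification code only within the preset time), the delayed-use renewal, and the month-partitioned storage with end-of-month clearing, as an added Python example that is not the patent's own code. It assumes a credential of the form YYYYMMDD plus six random digits; because the patent does not name its cipher, a SHA-256 counter-mode keystream stands in for it, and "sending" a code just records it in an outbox.

```python
import calendar
import hashlib
import secrets
from datetime import date
from typing import Dict, Optional, Tuple

CODE_TTL_SECONDS = 300   # preset time within which the verification code must return
CODE_DIGITS = 6


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length."""
    carry, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def generate_credential(now: date, validity_months: int = 6, digits: int = 6) -> str:
    """Effective expiry date (YYYYMMDD) followed by a random number of `digits` digits."""
    if not 1 <= validity_months <= 12:   # the page caps the validity period at 12 months
        raise ValueError("validity period must be 1..12 months")
    expiry = add_months(now, validity_months)
    return expiry.strftime("%Y%m%d") + f"{secrets.randbelow(10 ** digits):0{digits}d}"


def expiry_from_credential(credential: str) -> date:
    """Step H: the first eight characters of the credential are the expiry date."""
    head = credential[:8]
    return date(int(head[:4]), int(head[4:6]), int(head[6:8]))


def keystream_xor(credential: str, data: bytes) -> bytes:
    """Stand-in for the page's unspecified cipher: XOR with SHA-256(key || counter) blocks,
    key = SHA-256(credential). Unauthenticated: a wrong credential yields garbage, not an error."""
    key = hashlib.sha256(credential.encode()).digest()
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


encrypt = decrypt = keystream_xor   # XOR keystream: the same operation both ways


class Server:
    """Holds only virtual account -> ciphertext, filed in storage areas by expiry month."""

    def __init__(self) -> None:
        self.areas: Dict[str, Dict[str, bytes]] = {}   # "YYYY-MM" -> {account: ciphertext}
        self.outbox: Dict[str, Tuple[str, int]] = {}   # account -> (code, sent_at seconds)

    def associate(self, account: str, ciphertext: bytes, credential: str) -> None:
        month = expiry_from_credential(credential).strftime("%Y-%m")
        self.areas.setdefault(month, {})[account] = ciphertext

    def lookup(self, account: str) -> Optional[bytes]:
        return next((a[account] for a in self.areas.values() if account in a), None)

    def clear_month(self, month: str) -> int:
        """End-of-month clearing: drop the whole storage area, return the record count."""
        return len(self.areas.pop(month, {}))

    def start_login(self, account: str, credential: str, today: date, now_s: int) -> str:
        """Steps H and F1-F3: expiry gate, ciphertext lookup, decrypt, send the code."""
        if today > expiry_from_credential(credential):
            return "virtual account unavailable"
        ciphertext = self.lookup(account)
        if ciphertext is None:
            return "unknown virtual account"
        contact = decrypt(credential, ciphertext).decode(errors="replace")  # phone or mailbox
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.outbox[account] = (code, now_s)   # "sending" = recording in the outbox
        return f"code sent to {contact}"

    def finish_login(self, account: str, submitted: str, now_s: int) -> bool:
        """Step F4: the code must come back within the preset time and match (one attempt)."""
        sent = self.outbox.pop(account, None)
        if sent is None or now_s - sent[1] > CODE_TTL_SECONDS:
            return False
        return secrets.compare_digest(sent[0], submitted)

    def renew(self, account: str, credential: str, today: date, months: int = 6) -> str:
        """Delayed-use request: re-encrypt under a fresh credential and re-file by month."""
        ciphertext = self.lookup(account)
        if ciphertext is None:
            raise KeyError(account)
        new_credential = generate_credential(today, months)
        old_month = expiry_from_credential(credential).strftime("%Y-%m")
        self.areas.get(old_month, {}).pop(account, None)
        self.associate(account, encrypt(new_credential, decrypt(credential, ciphertext)), new_credential)
        return new_credential


def register(server: Server, account: str, plaintext: str, today: date, months: int = 6) -> str:
    """Minimal registration: the virtual account value is passed in (its derivation is a
    separate step); the credential goes back to the client, only ciphertext stays here."""
    credential = generate_credential(today, months)
    server.associate(account, encrypt(credential, plaintext.encode()), credential)
    return credential
```

With the page's dates, registering on 10 January 2018 with an 8-month validity period yields a credential starting with 20180910, and a login attempted after that date is refused before any ciphertext is touched.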
Example two
According to an embodiment of the present invention, there is provided an identity authentication apparatus based on a virtual account, as shown in fig. 2, including:
a receiving module 201, configured to receive a registration request submitted by a user through a client;
the analyzing module 202 is configured to analyze the registration request received by the receiving module 201 to obtain identity information of the user and use the identity information as an identity information plaintext;
a first generation module 203 for randomly generating an identity credential;
the encryption module 204 is configured to encrypt the identity information plaintext obtained by the parsing module 202 by using the identity credential generated by the first generation module 203 to obtain an identity information ciphertext;
the second generating module 205 is configured to generate a virtual account according to the identity credential generated by the first generating module 203 and the identity information plaintext obtained by the parsing module 202;
an association module 206, configured to establish an association between the identity information ciphertext obtained by the encryption module 204 and the virtual account generated by the second generation module 205;
a sending module 207, configured to return, to the user through the client, the identity credential generated by the first generating module 203 and the virtual account generated by the second generating module 205;
the receiving module 201 is further configured to receive a login request sent by a user through a client;
the authentication module 208 is configured to perform identity authentication on the user according to the virtual account and the identity credential corresponding to the login request received by the receiving module 201.
According to an embodiment of the present invention, the first generating module 203 is specifically configured to: randomly generating a random number with a preset digit, acquiring current time, calculating an effective expiration date of a corresponding virtual account according to the acquired current time, and sequentially splicing the effective expiration date and the random number to obtain an identity certificate;
correspondingly, the device also comprises: a judgment module;
the judging module is configured to analyze the identity credential corresponding to the login request received by the receiving module 201, obtain an effective expiration date of the corresponding virtual account, and judge whether the corresponding virtual account is within an effective period according to the obtained effective expiration date;
correspondingly, the authentication module 208 is specifically configured to: when the judging module judges that the corresponding virtual account is within the valid period, performing identity authentication on the user according to the virtual account and the identity certificate corresponding to the login request received by the receiving module 201;
correspondingly, the sending module 207 is further configured to return, by the client, the unavailable information of the virtual account to the corresponding user when the determining module determines that the corresponding virtual account is not within the valid period.
The preset number of digits can be defined as required; for example, the preset number of digits is 6, and the random number currently generated is 254368.
In the invention, the virtual account has a validity period; preferably, the maximum validity period is 12 months, so as to avoid the virtual account being cracked because it is used for too long. The validity period can be specified by the user in the submitted registration request; when the user does not specify it, a default validity period is used, for example 6 months.
For example, if the user specifies in the submitted registration request a validity period of 8 months, and the current time obtained by the first generation module 203 is 10 January 2018, the generated identity credential is 20180910254368.
According to an embodiment of the invention, the second generation module 205 comprises: vectorization submodule, operation submodule and reading submodule, wherein:
the vectorization submodule is used for respectively performing vectorization processing on the identity credential generated by the first generation module 203 and the identity information plaintext obtained by the parsing module 202 to obtain a corresponding first matrix and a corresponding second matrix;
the operation submodule is used for performing a preset operation on the first matrix and the second matrix obtained by the vectorization submodule to obtain an operation result;
and the reading sub-module is used for reading the data of the preset position in the operation result obtained by the operation sub-module as the virtual account.
According to an embodiment of the invention, the vectoring sub-module comprises: conversion unit, complement unit and construction unit, wherein:
a conversion unit, configured to perform binary conversion on each digit and letter in the identity credential generated by the first generation module 203 and in the identity information plaintext obtained by the parsing module 202, respectively, to obtain the corresponding first character strings;
the bit complementing unit is used for complementing the bits of the first character strings obtained by the conversion unit to obtain second character strings with corresponding preset bits;
and the construction unit is used for constructing a first matrix according to each second character string corresponding to the identity certificate and constructing a second matrix according to each second character string corresponding to the identity information plaintext.
Further, the construction unit is specifically configured to: in order from left to right, take the second character string corresponding to each character in the identity credential as the first row, the second row, ..., the last row of a first matrix, obtaining a first matrix A(n × t), where n is the number of rows of the first matrix, namely the number of characters in the identity credential, and t is the number of columns of the first matrix, namely the number of characters in each second character string; and in order from right to left, take the second character string corresponding to each character in the identity information plaintext as the first column, the second column, ..., the last column of a second matrix, obtaining a second matrix B(t × p), where t is the number of rows of the second matrix, i.e. the number of characters in each second character string, and p is the number of columns of the second matrix, i.e. the number of characters in the identity information plaintext.
For example, in this embodiment the identity credential consists of 16 digits and the identity information plaintext is the user's 11-digit mobile phone number; the first matrix has sixteen rows and ten columns, and the second matrix has ten rows and ten columns.
According to an embodiment of the present invention, the operation submodule is specifically configured to: multiply the first matrix obtained by the vectorization submodule by the second matrix to obtain a third matrix, and take the third matrix as the operation result, namely A(n × t) × B(t × p) = C(n × p), where C(n × p) is the operation result.
According to an embodiment of the present invention, the read submodule is specifically configured to: when the operation result obtained by the operation submodule is a symmetric matrix, reading data on a diagonal line as a virtual account; and when the operation result obtained by the operation sub-module is an asymmetric matrix, reading data in a preset row or a preset column as a virtual account.
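The vectorization, matrix product and read-out steps above, as an added Python example that is not the patent's own code. Assumptions not stated on the page: each character is converted to the binary form of its ASCII code and padded to a preset width of 10 bits (the page's ten columns), the preset read position for a non-symmetric result is row 0, and each read value is written as two decimal digits.

```python
from typing import List

BIT_WIDTH = 10    # t: preset length of each "second character string" (the page's ten columns)
PRESET_ROW = 0    # row read out when the operation result is not a symmetric matrix
Matrix = List[List[int]]


def to_bit_string(ch: str, width: int = BIT_WIDTH) -> str:
    """Conversion unit + bit complementing unit: ASCII code of ch as a zero-padded bit string."""
    bits = format(ord(ch), "b")
    if len(bits) > width:
        raise ValueError(f"character {ch!r} does not fit in {width} bits")
    return bits.zfill(width)


def first_matrix(credential: str) -> Matrix:
    """A(n x t): row i is the bit string of credential character i, taken left to right."""
    return [[int(b) for b in to_bit_string(ch)] for ch in credential]


def second_matrix(plaintext: str) -> Matrix:
    """B(t x p): column j is the bit string of plaintext character p-1-j (right to left)."""
    cols = [to_bit_string(ch) for ch in reversed(plaintext)]
    return [[int(col[k]) for col in cols] for k in range(BIT_WIDTH)]


def multiply(a: Matrix, b: Matrix) -> Matrix:
    """Operation submodule: integer matrix product C(n x p) = A(n x t) * B(t x p)."""
    t, p = len(b), len(b[0])
    if any(len(row) != t for row in a):
        raise ValueError("inner dimensions of A and B must agree")
    return [[sum(row[k] * b[k][j] for k in range(t)) for j in range(p)] for row in a]


def is_symmetric(c: Matrix) -> bool:
    n = len(c)
    return all(len(row) == n for row in c) and all(
        c[i][j] == c[j][i] for i in range(n) for j in range(i + 1, n))


def read_out(c: Matrix) -> List[int]:
    """Reading submodule: the diagonal of a symmetric result, otherwise the preset row."""
    return [c[i][i] for i in range(len(c))] if is_symmetric(c) else list(c[PRESET_ROW])


def virtual_account(credential: str, plaintext: str) -> str:
    """Whole pipeline; each read value is written as two decimal digits (assumption)."""
    result = multiply(first_matrix(credential), second_matrix(plaintext))
    return "".join(f"{v:02d}" for v in read_out(result))


if __name__ == "__main__":
    # The page's example credential and a constructed 11-digit mobile number.
    cred, phone = "20180910254368", "13800138000"
    c = multiply(first_matrix(cred), second_matrix(phone))
    print(len(c), "x", len(c[0]), "symmetric:", is_symmetric(c))   # 14 x 11 symmetric: False
    print(virtual_account(cred, phone))   # 0202020203020202020302
```

Each entry of C counts the bit positions set in both a credential character and a plaintext character, so with the 14-character credential and an 11-digit number the result is 14 × 11, not symmetric, and the preset row is read.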
According to an embodiment of the present invention, the association module 206 is specifically configured to: partitioning the storage area according to months, and correspondingly storing the identity information ciphertext obtained by the analysis module 202 and the virtual account number generated by the second generation module 205 into the corresponding storage area according to the effective expiration date of the virtual account number generated by the second generation module 205;
For example, if the effective expiration date of the virtual account is 10 September 2018, the identity information ciphertext and the virtual account are stored together in the storage area corresponding to September 2018.
Correspondingly, the device also comprises: a clearing module;
and the clearing module is used for clearing the corresponding storage area when a certain month is ended.
According to an embodiment of the present invention, the sending module 207 is specifically configured to: the virtual account generated by the second generation module 205 is returned to the user through the client, and the identity credential generated by the first generation module 203 is stored in the terminal device where the client is located.
According to an embodiment of the invention, the authentication module 208 comprises: the device comprises a searching submodule, a decryption submodule and a judging submodule, wherein:
the search sub-module is configured to search for a related identity information ciphertext according to the virtual account corresponding to the login request received by the receiving module 201;
the decryption submodule is configured to decrypt the found identity information ciphertext by using the identity credential corresponding to the login request received by the receiving module 201 to obtain an identity information plaintext;
the sending module 207 is further configured to send a verification code to the mobile phone number or the mailbox in the plaintext of the identity information obtained by the decryption sub-module;
the receiving module 201 is further configured to receive a verification code returned by the user through the client;
the judging submodule is used for judging whether the receiving module 201 receives a correct verification code returned by the user through the client within the preset time, and if so, judging that the identity authentication is successful; otherwise, the identity authentication is judged to fail.
Example three
According to an embodiment of the present invention, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, implements the method according to the first embodiment of the present invention.
In the invention, firstly, the server generates a corresponding virtual account according to the registration request of the user and returns the virtual account to the user, so that the user logs in through the virtual account subsequently instead of the real identity information, thereby effectively avoiding the risk of identity information leakage of the user; secondly, the server does not need to maintain the identity information plaintext and the identity certificate of the user, but only maintains the identity information ciphertext and the virtual account number of the user, so that when data is stolen, a thief cannot decrypt the identity information ciphertext to obtain the identity information plaintext of the user due to the fact that the identity certificate does not exist, and the risk of leakage of the identity information plaintext of the user due to leakage of data of the server is effectively avoided; finally, the server does not record the effective expiration date of each virtual account number for individual monitoring, but stores each virtual account number and the corresponding identity information ciphertext into the corresponding storage area according to the effective expiration date of each virtual account number, so that all information in the storage area is emptied uniformly when a certain month is finished, the storage space is saved, batch management of user information is realized, and the management efficiency of the user information is improved.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (8)

1. An identity authentication method based on a virtual account is characterized by comprising the following steps:
the server receives and analyzes a registration request submitted by a user through a client to obtain identity information of the user and uses the identity information as identity information plaintext;
the server randomly generates an identity certificate, encrypts the identity information plaintext by using the identity certificate to obtain an identity information ciphertext, and generates a virtual account according to the identity certificate and the identity information plaintext;
the server establishes association between the identity information ciphertext and the virtual account, and returns the identity certificate and the virtual account to the user through the client;
the server receives a login request sent by a user through a client, and performs identity authentication on the user according to a corresponding virtual account and an identity certificate;
the server searches the associated identity information ciphertext according to the corresponding virtual account;
the server decrypts the searched identity information ciphertext by using the corresponding identity certificate to obtain an identity information plaintext;
the server sends a verification code to the mobile phone number or mailbox in the obtained identity information plaintext;
the server judges whether the verification code returned by the user through the client is received within preset time, and if so, the server judges that the identity authentication is successful; otherwise, the identity authentication is judged to fail.
2. The method according to claim 1, wherein the server randomly generates the identity credential, specifically: the server randomly generates a random number with a preset digit, acquires the current time, calculates the effective expiration date of the corresponding virtual account according to the current time, and sequentially splices the effective expiration date and the random number to obtain an identity certificate;
before the identity authentication of the user according to the corresponding virtual account and the identity credential, the method further includes: analyzing the corresponding identity certificate to obtain the effective expiration date of the corresponding virtual account, judging whether the corresponding virtual account is within the expiration date according to the obtained effective expiration date, and if so, continuing; otherwise, returning the unavailable information of the virtual account to the corresponding user through the client.
3. The method of claim 1, wherein generating the virtual account number according to the identity credential and the identity information plaintext comprises:
vectorizing the identity credential and the identity information plaintext respectively to obtain a corresponding first matrix and a corresponding second matrix;
performing preset operation on the first matrix and the second matrix to obtain an operation result;
and reading data of a preset position in the operation result as a virtual account.
4. The method of claim 1, wherein returning, by the client, the identity credential and the virtual account number to the user comprises: returning the virtual account to the user through the client, and storing the identity certificate in the terminal equipment where the client is located;
before the identity authentication of the user according to the corresponding virtual account and the identity credential, the method further includes: and the server reads the identity certificate stored in the terminal equipment where the corresponding client is located.
5. An identity authentication device based on a virtual account, comprising:
the receiving module is used for receiving a registration request submitted by a user through a client;
the analyzing module is used for analyzing the registration request received by the receiving module to obtain the identity information of the user and using the identity information as an identity information plaintext;
the first generation module is used for randomly generating the identity credential;
the encryption module is used for encrypting the identity information plaintext obtained by the analysis module by using the identity certificate generated by the first generation module to obtain an identity information ciphertext;
the second generation module is used for generating a virtual account according to the identity credential generated by the first generation module and the identity information plaintext obtained by the analyzing module;
the association module is used for establishing association between the identity information ciphertext obtained by the encryption module and the virtual account generated by the second generation module;
the sending module is used for returning the identity credential generated by the first generation module and the virtual account generated by the second generation module to the user through a client;
the receiving module is also used for receiving a login request sent by a user through a client;
the authentication module is used for authenticating the identity of the user according to the virtual account and the identity certificate corresponding to the login request received by the receiving module;
the authentication module includes: the search submodule, the decryption submodule and the judgment submodule;
the searching submodule is used for searching the associated identity information ciphertext according to the virtual account corresponding to the login request received by the receiving module;
the decryption submodule is used for decrypting the searched identity information ciphertext by using the identity certificate corresponding to the login request received by the receiving module to obtain an identity information plaintext;
the sending module is further configured to send a verification code to a mobile phone number or a mailbox in the plaintext of the identity information obtained by the decryption sub-module;
the receiving module is further used for receiving the verification code returned by the user through the client;
the judging submodule is used for judging whether the receiving module receives the verification code returned by the user through the client within the preset time, and if so, the identity authentication is judged to be successful; otherwise, the identity authentication is judged to fail.
6. The apparatus of claim 5, further comprising: a judgment module;
the first generation module is specifically configured to: randomly generating a random number with a preset digit, acquiring current time, calculating an effective expiration date of a corresponding virtual account according to the current time, and sequentially splicing the effective expiration date and the random number to obtain an identity certificate;
the judging module is used for analyzing the identity certificate corresponding to the login request received by the receiving module, obtaining the effective expiration date of the corresponding virtual account, and judging whether the corresponding virtual account is within the effective period according to the obtained effective expiration date;
the authentication module is specifically configured to: when the judging module judges that the corresponding virtual account is within the valid period, the identity authentication is carried out on the user according to the virtual account and the identity certificate corresponding to the login request received by the receiving module;
and the sending module is also used for returning the unavailable information of the virtual account to the corresponding user through the client when the judging module judges that the corresponding virtual account is not in the valid period.
7. The apparatus of claim 5, wherein the second generating module comprises: the device comprises a vectorization submodule, an operation submodule and a reading submodule;
the vectorization submodule is used for respectively performing vectorization processing on the identity credential generated by the first generation module and the identity information plaintext obtained by the analyzing module to obtain a corresponding first matrix and a corresponding second matrix;
the operation submodule is used for carrying out preset operation on the first matrix and the second matrix obtained by the vectorization submodule to obtain an operation result;
and the reading submodule is used for reading the data of the preset position in the operation result obtained by the operation submodule to be used as the virtual account.
8. The apparatus of claim 5, wherein the sending module is specifically configured to: and returning the virtual account generated by the second generation module to the user through the client, and storing the identity certificate generated by the first generation module into the terminal equipment where the client is located.
CN201810501374.XA 2018-05-23 2018-05-23 Identity authentication method and device based on virtual account Active CN108833361B (en)
Publications (2)

Publication Number Publication Date
CN108833361A CN108833361A (en) 2018-11-16
CN108833361B true CN108833361B (en) 2021-09-24

Family

ID=64148405
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100029 Third Floor of Yansha Shengshi Building, 23 North Third Ring Road, Xicheng District, Beijing

Patentee after: GUOZHENGTONG TECHNOLOGY Co.,Ltd.

Address before: 100195 Haidian District, Beijing, 18 apricot Road, No. 1 West Tower, four floor.

Patentee before: GUOZHENGTONG TECHNOLOGY Co.,Ltd.