CN118520445B

CN118520445B - Identity authentication method and device, storage medium and electronic equipment

Info

Publication number: CN118520445B
Application number: CN202410986129.8A
Authority: CN
Inventors: 邢宏伟; 刘泽建; 范道威
Original assignee: BYD Co Ltd
Current assignee: BYD Co Ltd
Priority date: 2024-07-23
Filing date: 2024-07-23
Publication date: 2024-12-10
Anticipated expiration: 2044-07-23
Also published as: CN118520445A

Abstract

The present application discloses an identity authentication method, device, storage medium, electronic device and computer program product, which belong to the field of automobile technology. The identity authentication method is applied to automobiles, including: when the automobile receives an identity authentication request sent by a device to be authenticated, seed data is generated and sent to the device to be authenticated, so that the device to be authenticated returns a ciphertext and a target authorization certificate according to the seed data; the device to be authenticated is authenticated according to the target authorization certificate, the root certificate, the ciphertext and the seed data, thereby eliminating the need to fix the symmetric password into the code programs of the two parties to the authentication, reducing the risk of password leakage and improving the reliability and security of the authentication.

Description

Identity authentication method and device, storage medium and electronic equipment

Technical Field

The application belongs to the technical field of automobiles, and particularly relates to an identity authentication method, an identity authentication device, a storage medium, electronic equipment and a computer program product.

Background

Automobiles are becoming more popular in daily life, the functions of the automobiles are becoming more powerful, and the quantity and the quality of an on-board ECU (Electronic Control Unit ) system are required to be greater, so that the requirements for access debugging of detection equipment such as diagnostic instruments are increasing.

At present, the traditional electronic architecture system is directly connected with an OBD diagnosis port through a diagnostic instrument, and detection scenes of the diagnostic instrument accessing the ECU in a vehicle system exist in a vehicle research and development stage, a factory assembly stage and an after-sales stage. The UDS protocol (Unified Diagnostic Services, unified diagnostic service) is a standardized standard for diagnostic services, such as reading fault data, configuring relevant business data, etc. The diagnostic instrument may access the car-related services via the UDS protocol. Considering the safety of the automobile, when the diagnostic instrument performs high-risk operation on the automobile, the automobile needs to firstly authenticate the identity of the diagnostic instrument, and the identity authentication only allows the diagnostic instrument to perform high-risk operation on the automobile, otherwise, the high-risk operation is refused. However, the identity authentication mode of the existing diagnostic instrument has relatively high risk of password leakage and relatively low reliability and safety of identity authentication.

Disclosure of Invention

The present application aims to solve at least one of the technical problems existing in the prior art. Therefore, the application provides an identity authentication method, an identity authentication device, a storage medium, electronic equipment and a computer program product, which can improve the reliability and the safety of identity authentication.

In a first aspect, the present application provides an identity authentication method, applied to an automobile, the method comprising:

when an identity authentication request sent by equipment to be authenticated is received, seed data are generated and sent to the equipment to be authenticated, so that the equipment to be authenticated returns ciphertext and a target authorization certificate according to the seed data;

And carrying out identity authentication on the equipment to be authenticated according to the target authorization certificate, the root certificate, the ciphertext and the seed data.

In some embodiments, the authenticating the device to be authenticated according to the target authorization certificate, root certificate, ciphertext, and the seed data includes:

Verifying the target authorization certificate according to the root certificate;

When the verification of the target authorization certificate passes, verifying the ciphertext according to the public key in the target authorization certificate and the seed data;

when the ciphertext verification passes, judging that the identity authentication of the equipment to be authenticated passes;

And when the ciphertext verification fails or the target authorization certificate verification fails, judging that the identity authentication of the equipment to be authenticated fails.

In some embodiments, the verifying the ciphertext from the public key in the target authorization credential and the seed data includes:

decrypting the ciphertext by utilizing the public key in the target authorization certificate to obtain decrypted data;

when the decrypted data and the seed data are the same, judging that the ciphertext verification passes;

and when the decrypted data and the seed data are different, judging that the ciphertext verification fails.

In some embodiments, the verifying the target authorization credential from the root credential includes:

determining a certificate level of the target authorization certificate;

And verifying the target authorization certificate according to the certificate grade and the root certificate.

In some embodiments, the verifying the target authorization credential according to the credential level and the root credential includes:

when the certificate grade indicates that the target authorization certificate is a primary authorization certificate, verifying the target authorization certificate according to a root certificate;

when the certificate grade indicates that the target authorization certificate is a secondary authorization certificate, analyzing a primary authorization certificate from the target authorization certificate, and verifying the target authorization certificate according to the root certificate and the analyzed primary authorization certificate.

verifying the signature in the target authorization certificate by using the public key in the root certificate;

When the signature verification in the target authorization certificate passes, judging that the target authorization certificate passes;

And when the signature verification in the target authorization certificate fails, judging that the verification of the target authorization certificate fails.

In some embodiments, the verifying the target authorization certificate according to the primary authorization certificate parsed from the root certificate includes:

Verifying the signature in the parsed primary authorization certificate by using the public key in the root certificate;

when the signature verification in the analyzed primary authorization certificate passes, verifying the signature in the target authorization certificate by using the public key in the analyzed primary authorization certificate;

And when the signature verification in the primary authorization certificate fails or the signature verification in the target authorization certificate fails, judging that the target authorization certificate fails to verify.

In some embodiments, the identity authentication method further comprises:

And determining identity information of the target authorization certificate according to the target authorization certificate and a preset certificate table, wherein the identity information is used for indicating the vehicle to determine the identity authority of the equipment to be authenticated.

In some embodiments, the target authorization certificate includes at least one controlled object and a permission control level of each controlled object, and the identity authentication method further includes:

When the identity of the equipment to be authenticated passes through authentication, matching the at least one controlled object with the equipment information of the automobile;

taking the authority control level of the controlled object successfully matched as a target level;

And granting the permission of the target grade to the equipment to be authenticated.

In a second aspect, the present application provides another identity authentication method, applied to a device to be authenticated, the identity authentication method comprising:

An identity authentication request is sent to an automobile, so that the automobile returns seed data according to the identity authentication request;

and sending a ciphertext and a target authorization certificate to the automobile so that the automobile can carry out identity authentication on the equipment to be authenticated according to the ciphertext and the target authorization certificate.

In some embodiments, before sending the ciphertext and the target authorization credential to the vehicle, the method further comprises:

Acquiring a target authorization certificate corresponding to the automobile and a private key corresponding to the target authorization certificate;

and generating ciphertext according to the private key and the returned seed data.

In some embodiments, the generating ciphertext from the private key and the returned seed data includes:

And encrypting the returned seed data by using the private key to obtain ciphertext.

In some embodiments, the obtaining the target authorization certificate corresponding to the automobile and the private key of the target authorization certificate includes:

and acquiring a target authorization certificate corresponding to the automobile and a private key corresponding to the target authorization certificate from a local storage area or a manufacturer server of the equipment to be authenticated.

In a third aspect, the present application provides an identity authentication device applied to an automobile, the identity authentication device comprising:

The generation unit is used for generating seed data and sending the seed data to the equipment to be authenticated when receiving an identity authentication request sent by the equipment to be authenticated, so that the equipment to be authenticated returns a ciphertext and a target authorization certificate according to the seed data;

And the authentication unit is used for carrying out identity authentication on the equipment to be authenticated according to the target authorization certificate, the root certificate, the ciphertext and the seed data.

In some embodiments, the authentication unit is specifically configured to:

When the decrypted data and the seed data are matched, judging that the ciphertext verification passes;

and when the decrypted data and the seed data are not matched, judging that the ciphertext verification fails.

In some embodiments, the authentication unit is specifically configured to:

determining a certificate level of the target authorization certificate;

In some embodiments, the authentication unit is specifically configured to:

when the certificate grade indicates that the target authorization certificate is a secondary authorization certificate, analyzing a primary authorization certificate from the target authorization certificate, and checking the target authorization certificate according to the root certificate and the analyzed primary authorization certificate.

In some embodiments, the authentication unit is specifically configured to:

In some embodiments, the authentication unit is further configured to:

In some embodiments, the target authorization certificate includes at least one controlled object and an authority control level of each controlled object, and the identity authentication device further includes an authorization unit for:

In a fourth aspect, the present application provides an identity authentication device applied to a device to be authenticated, the identity authentication device comprising:

the first sending unit is used for sending an identity authentication request to the automobile so that the automobile returns seed data according to the identity authentication request;

The second sending unit is used for sending the ciphertext and the target authorization certificate to the automobile so that the automobile can carry out identity authentication on the equipment to be authenticated according to the ciphertext and the target authorization certificate.

In some embodiments, before sending the ciphertext and the target authorization credential to the vehicle, the second sending unit is further configured to:

In some embodiments, the second sending unit is specifically configured to:

In a fifth aspect, the present application provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the identity authentication method of any one of the above.

In a sixth aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements any one of the above methods of identity authentication when executing the program.

In a seventh aspect, the application provides a computer program product comprising a computer program which when executed by a processor implements the identity authentication method of any one of the preceding claims.

According to the identity authentication method, the device, the storage medium, the electronic equipment and the computer program product, when the automobile receives the identity authentication request sent by the equipment to be authenticated, the equipment to be authenticated returns the ciphertext and the target authorization certificate according to the seed data by generating the seed data and sending the seed data to the equipment to be authenticated, and the equipment to be authenticated is subjected to identity authentication according to the target authorization certificate, the root certificate, the ciphertext and the seed data, namely, the identity authentication of the equipment to be authenticated of the automobile is realized by adopting the authentication management method based on a PKI system, so that symmetric passwords do not need to be fixedly written into code programs of two authentication parties, the risk of password leakage is reduced, and the authentication reliability and the security are improved.

Drawings

The foregoing and/or additional aspects and advantages of the application will become apparent and may be better understood from the following description of embodiments taken in conjunction with the accompanying drawings in which:

FIG. 1 is a schematic flow chart of an identity authentication method according to an embodiment of the present application;

Fig. 2 is a schematic illustration showing a target authorization certificate according to an embodiment of the present application;

FIG. 3 is another schematic illustration of a target authorization credential according to an embodiment of the present application;

FIG. 4 is another schematic flow chart of an identity authentication method according to an embodiment of the present application;

FIG. 5 is another flow chart of an authentication method according to an embodiment of the present application;

FIG. 6 is a schematic diagram of an identity authentication device according to an embodiment of the present application;

FIG. 7 is a schematic diagram of another configuration of an authentication device according to an embodiment of the present application;

Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application;

fig. 9 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.

Detailed Description

Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the application.

There is a detection scenario where the diagnostics access the ECU in the vehicle system during the vehicle development phase, the factory assembly phase, and the after-market phase. The diagnostic instrument may access the vehicle related services via the UDS (Unified Diagnostic Services, universal diagnostic service) protocol. Considering the safety of the automobile, when the diagnostic instrument performs high-risk operation on the automobile, the automobile needs to firstly authenticate the identity of the diagnostic instrument, and the identity authentication only allows the diagnostic instrument to perform high-risk operation on the automobile, otherwise, the high-risk operation is refused. In an identity authentication embodiment, a diagnostic apparatus side firstly requests a secure random number (seed) from an automobile side to be diagnosed, and after the automobile side returns the seed to the diagnostic apparatus side, the diagnostic apparatus side encrypts data generated according to the seed by adopting a symmetric encryption algorithm and sends the data to the automobile side as a secret key, the automobile side verifies based on the seed and the secret key sent by the diagnostic apparatus side, and service access can be performed only after verification passes.

However, in the identity authentication mode, on one hand, symmetric passwords are required to be fixedly written into authentication code programs in the diagnostic apparatus side and the automobile side in advance, the risk of revealing the passwords through the code programs is relatively high, and once the passwords are revealed, lawless persons can maliciously access or tamper important data in the automobile, privacy data of an automobile owner and the like, so that the privacy of users and even personal safety are jeopardized, and the identity authentication safety and reliability are lower. On the other hand, considering that more automobile controllers are available in the market, for each automobile controller to be diagnosed, authentication code programs containing corresponding passwords are required to be written in the diagnosis equipment side and the automobile side, and different automobile controllers are required to be written with different authentication code programs, so that the flexibility is low.

To solve at least one of the above technical problems, embodiments of the present application provide an identity authentication method, an apparatus, a storage medium, an electronic device, and a computer program product.

Referring to fig. 1, fig. 1 is a flowchart of an identity authentication method according to an embodiment of the present application. The identity authentication method is applied to automobiles. The identity authentication method may comprise the following steps 101 and 102, wherein:

101. When an identity authentication request sent by equipment to be authenticated is received, seed data are generated and sent to the equipment to be authenticated, so that the equipment to be authenticated returns ciphertext and a target authorization certificate according to the seed data;

102. and carrying out identity authentication on the equipment to be authenticated according to the target authorization certificate, the root certificate, the ciphertext and the seed data.

According to the identity authentication method provided by the embodiment of the application, when the automobile receives the identity authentication request sent by the equipment to be authenticated, the identity authentication is performed by introducing the authorization certificate, namely, the authentication management method based on a PKI (Public Key Infrastructure ) system is adopted to realize the identity authentication of the equipment to be authenticated, so that the symmetric password is not required to be fixedly written into code programs of both sides of authentication, the risk of password leakage is reduced, the authentication reliability and the security are improved, and different controllers adopt uniform authentication code programs, and the respective authentication code programs are not required to be independently written for each controller, so that the flexibility is high and the application range is wide.

The above steps 101 and 102 will be described in detail below.

101. When an identity authentication request sent by equipment to be authenticated is received, seed data are generated and sent to the equipment to be authenticated, so that the equipment to be authenticated returns ciphertext and a target authorization certificate according to the seed data.

The device to be authenticated comprises, but is not limited to, diagnostic equipment, sensors and other electronic devices which need to be communicated with the automobile, wherein the diagnostic equipment is a professional instrument for detecting the automobile, can detect the performance of the automobile in real time, and can detect the failure of the automobile, and comprises, but is not limited to, the diagnostic instrument. In this embodiment, an apparatus to be authenticated is taken as a diagnostic apparatus, and an identity authentication method will be described in detail, and identity authentication methods corresponding to other apparatuses to be authenticated will not be described again. For example, when the diagnostic device needs to be connected to the automobile to access the automobile controller or even to perform high-risk operation, the diagnostic device needs to request the automobile for operation permission, and at this time, the diagnostic device generates an identity authentication request and sends the identity authentication request to the automobile.

The seed data is a safe random number generated by the automobile, when the diagnosis equipment takes the safe random number sent by the automobile, a digital certificate (namely a target authorization certificate) which is authorized by the diagnosis equipment manufacturer and a private key corresponding to the certificate are downloaded from a diagnosis equipment manufacturer server or obtained from a local safety area of the diagnosis equipment, the safe random number is encrypted by the private key to obtain a ciphertext, and the data in the manufacturer server and the local safety area are difficult to read and tamper by a third party, so that the risk of revealing the private key is greatly reduced. The digital certificate is also called a public key certificate, and is used for carrying out encrypted link between ownership of a public key and an owner entity, and the digital certificate contains user (issued person) basic information, public key information and signature information. The distribution, authentication and revocation of digital certificates is a primary function of Public Key Infrastructure (PKI), which is a system that distributes and authenticates public keys. The basic architecture of digital certificates is the public key PKI, i.e. encryption and decryption is performed using a pair of keys, wherein a key comprises a private key and a public key, the private key being defined by the user himself, the public key being shareable by a plurality of users only if the user himself knows.

The target authorization certificate may be a primary authorization certificate or a non-primary authorization certificate, where the primary authorization certificate is typically a certificate issued based on a root certificate, i.e. a signed authorization certificate is obtained by using a private key of the root certificate, and the root certificate is the origin of a certificate chain. Root certificates refer in the fields of cryptography and computer security to public key certificates that are not signed or certificates that are self-signed. It is a certificate issued by a Certificate Authority (CA) to itself as the starting point for the trust chain. The root certificate contains the information of the user (i.e. the car manufacturer) and the public key of the user and may also include a self-signature. The root certificate may be stored in a background server of the vehicle manufacturer or in a local storage area of the vehicle (e.g., including but not limited to a secure area provided by dedicated secure hardware), where the data in the manufacturer server and the secure area are difficult to tamper with and read by a third party. Accordingly, the automobile may download the root certificate from the background server, or directly obtain the root certificate from the secure area, or may obtain the root certificate in other manners, which are not limited herein.

The non-primary authorization certificate is the next-stage certificate issued on the basis of the previous-stage certificate, for example, the secondary authorization certificate is a certificate which is signed by using the private key of the primary authorization certificate, and the tertiary authorization certificate is a certificate which is signed by using the private key of the secondary authorization certificate. In general, the authority of the next-stage certificate issued on the basis of the previous-stage certificate cannot be higher than that of the previous-stage certificate. When the target authorization certificate is a primary authorization certificate, the target authorization certificate is an authorization certificate applied by a diagnosis equipment manufacturer to which the diagnosis equipment belongs to an automobile manufacturer to which the automobile belongs, different diagnosis equipment manufacturers can apply authorization certificates for the same automobile to the same automobile manufacturer, and different automobile manufacturers can issue authorization certificates for different automobiles under the self flag to the same diagnosis equipment manufacturer. When the target authorization certificate is a non-primary authorization certificate, the target authorization certificate is an authorization certificate applied by a diagnostic equipment manufacturer to which the diagnostic equipment belongs to other diagnostic equipment manufacturers.

In the process of issuing a digital certificate, a certificate requester firstly generates a pair of asymmetric keys (including a private key and a public key), generates a certificate issuing request according to the public key and other related information (such as own domain name, organization name and the like), and sends the certificate issuing request to the certificate issuer, and the private key is stored. After receiving the request, the certificate issuer determines metadata related to the digital certificate, and signs the metadata by using its own private key (different private keys are set by the certificate issuer for different digital certificates) according to the received public key. The digital certificate is then generated by the certificate issuer from the received public key, metadata and signature information and returned to the certificate requester, who will store the digital certificate in association with the previously generated private key.

For example, taking a device to be authenticated as a diagnostic device, please refer to fig. 2 and fig. 3, fig. 2 is a schematic illustration showing a target authorization certificate provided by an embodiment of the present application, and fig. 3 is another schematic illustration showing a target authorization certificate provided by an embodiment of the present application, where the target authorization certificate in fig. 2 is a primary authorization certificate. The primary authorization certificate mainly comprises a diagnosis device public key, diagnosis device manufacturer information and an automobile manufacturer signature, wherein the diagnosis device manufacturer information is used for identifying a manufacturer of the diagnosis device and comprises a manufacturer name and a number, and the diagnosis device public key is a public key of the current diagnosis device. The target authorization certificate in fig. 3 is a secondary authorization certificate, which is an authorization certificate issued by a primary diagnostic device manufacturer to a secondary diagnostic device manufacturer, and the primary diagnostic device manufacturer is a diagnostic device manufacturer that directly issues the primary authorization certificate by an automobile manufacturer. The secondary authorization certificate mainly comprises a secondary diagnosis device public key, secondary diagnosis device manufacturer information, a primary authorization certificate and a primary diagnosis device manufacturer signature, wherein the secondary diagnosis device manufacturer is a diagnosis device manufacturer granted the secondary authorization certificate by the primary diagnosis device manufacturer, and the secondary diagnosis device public key is a public key of the current diagnosis device (namely, the diagnosis device granted the secondary authorization certificate).

In some embodiments, please refer to fig. 4, fig. 4 is another flow chart of an identity authentication method according to an embodiment of the present application, wherein the step 102 specifically includes:

1021. checking the target authorization certificate according to the root certificate, executing the following step 1022 when the target authorization certificate passes the check, and executing the following step 1023 when the target authorization certificate fails the check;

1022. Checking the ciphertext according to the public key and the seed data in the target authorization certificate, executing the following step 1024 when the ciphertext passes the check, and executing the following step 1023 when the ciphertext fails to check;

1023. Judging that the identity authentication of the equipment to be authenticated fails;

1024. And judging that the identity authentication of the equipment to be authenticated passes.

When the identity authentication is performed, the automobile prior certificate is used for verifying the target authorization certificate, the ciphertext is continuously verified under the condition that the target authorization certificate is verified, the equipment identity authentication to be authenticated is judged to be passed only when the ciphertext and the target authorization certificate are both verified to be passed, and otherwise, the equipment identity authentication to be authenticated is judged to be failed. By arranging two verification procedures, the reliability and the safety of identity authentication can be effectively improved.

In some embodiments, the verifying the target authorization credential according to the root credential in step 1021 may specifically include:

Determining a certificate level of the target authorization certificate;

The certificate level is determined according to the total number of all certificates contained in the target authorization certificate, if the total number is 0, the certificate level indicates that the target authorization certificate is a primary authorization certificate, if the total number is 1, the certificate level indicates that the target authorization certificate is a secondary authorization certificate, if the total number is 2, the certificate level indicates that the target authorization certificate is a tertiary authorization certificate, and so on.

When the total number of all certificates contained in the target authorization certificate is determined, the target authorization certificate is analyzed to determine whether the next-stage certificate is contained in the certificate, if the next-stage certificate is not contained in the certificate, the total number is 0, if the next-stage certificate is contained in the certificate, the next-stage certificate is continuously analyzed to determine whether the next-stage certificate contains the next-stage certificate, if the next-stage certificate is not contained in the certificate, the total number is 1, and if the next-stage certificate is contained in the certificate, the next-stage certificate is continuously analyzed in the same manner until all the certificates are counted.

In some embodiments, the step of verifying the target authorization certificate according to the certificate level and the root certificate may specifically include:

when the certificate grade indicates that the target authorization certificate is a primary authorization certificate, verifying the target authorization certificate according to the root certificate;

When the target authorization certificate does not include other authorization certificates, the target authorization certificate is a primary authorization certificate, such as the authorization certificate shown in fig. 2. When the target authorization credential includes other authorization credentials, it is a non-primary authorization credential, such as the secondary authorization credential described above in fig. 3. When the target authorization certificate is a non-primary authorization certificate, other authorization certificates in the target authorization certificate need to be analyzed, and the verification result of the target authorization certificate is determined based on all the analyzed authorization certificates. For example, the root certificate may verify the correctness of the primary authorization certificate, the primary authorization certificate may verify the correctness of the secondary authorization certificate, and so on, and only if the correctness of all certificates passes, the target authorization certificate is determined to pass.

It is easy to understand that by introducing the primary authorization certificate and the non-primary authorization certificate, the embodiment of the application can realize the application scene that the authorized diagnosis equipment manufacturer authorizes other diagnosis equipment manufacturers based on the issuing flow and the checking flow of the existing authorization certificate, thereby effectively enriching the use scene of the authorization authentication method in the scheme. Meanwhile, different authorization authority information is set in the authorization certificates of different diagnosis equipment manufacturers, so that hierarchical authorization of the diagnosis equipment manufacturers can be realized, and further, the fine management of the authorities is realized.

In some embodiments, the step of verifying the target authorization credential from the root credential specifically includes:

verifying a signature in the target authorization certificate using a public key in the root certificate;

When the signature verification in the target authorization certificate passes, judging that the verification of the target authorization certificate passes;

When the target authorization certificate is the primary authorization certificate, directly verifying the signature in the primary authorization certificate by using the public key in the root certificate so as to verify the correctness of the primary authorization certificate, and judging that the target authorization certificate passes the verification if the signature passes the verification, otherwise, judging that the verification fails.

In some embodiments, the step of verifying the target authorization certificate according to the root certificate and the parsed primary authorization certificate specifically includes:

When the target authorization certificate is a secondary authorization certificate, the primary authorization certificate needs to be analyzed from the secondary authorization certificate, the signature in the primary authorization certificate is verified by utilizing the public key in the root certificate, the signature of the secondary authorization certificate is verified by utilizing the public key in the primary authorization certificate only when the signature verification of the primary authorization certificate is passed, so that the correctness of the secondary authorization certificate is verified, the target authorization certificate is judged to pass the verification only when the signatures of the primary authorization certificate and the secondary authorization certificate are both verified, and otherwise, the verification is judged to fail.

In some embodiments, the verifying the ciphertext according to the public key and the seed data in the target authorization certificate in step 1022 may specifically include:

Decrypting the ciphertext by using the public key in the target authorization certificate to obtain decrypted data;

And when the target authorization certificate is the primary authorization certificate, decrypting the ciphertext by using the public key of the primary authorization certificate, and if the target authorization certificate is the secondary authorization certificate, decrypting the ciphertext by using the public key of the secondary authorization certificate, wherein a decryption algorithm and an encryption algorithm correspond to each other. And judging whether the decrypted data and the seed data are matched through a set matching rule, for example, directly comparing the decrypted data with the seed data to see whether the decrypted data and the seed data are completely consistent, or converting the decrypted data and/or the seed data through a set conversion algorithm to see whether the decrypted data and/or the seed data are completely consistent, judging that the decrypted data and the seed data are matched if the decrypted data and the seed data are consistent, otherwise judging that the decrypted data and the seed data are not matched.

Furthermore, in some embodiments, the identity authentication method further comprises:

And determining the identity information of the target authorization certificate according to the target authorization certificate and a preset certificate table, wherein the identity information is used for indicating the vehicle to determine the identity authority of the equipment to be authenticated. The preset certificate table may be a revoked certificate table or a trusted certificate table, where the revoked certificate table is used to manage an authorized certificate that needs to be revoked, and the trusted certificate table is used to manage an authorized certificate that needs to be trusted, for example, if a private key of a certain authorized certificate is revealed, the authorized certificate may be added to the revoked certificate table, or the authorized certificate may be removed from the trusted certificate table. The revocation list and the trust list may be stored in a vehicle manufacturer server from which the list may be downloaded online when the vehicle is authorized for authentication of the device to be authenticated. The revocation list and the trust list can also be downloaded into a safety area of the automobile in advance, and the revocation list and the trust list can be obtained from the safety area directly when the automobile performs authorized authentication on equipment to be authenticated.

Specifically, when the preset certificate list is the revoked certificate list, if the matching is successful, the identity verification of the equipment to be authenticated is judged to be failed, and if the matching is failed, the verification results of the certificate verification and the ciphertext verification are adopted. When the preset certificate table is a trust certificate table, if the matching fails, the identity verification of the equipment to be authenticated is judged to fail, and if the matching succeeds, the verification results of the certificate verification and the ciphertext verification are adopted. By setting the revocation list or the trust list, the subsequent automobile can identify the authorization certificate when carrying out identity authentication on the diagnosis equipment originally provided with the authorization certificate with the revealed private key, thereby preventing the operation authority granted to the diagnosis equipment and effectively avoiding illegal use of the authorization certificate with the revealed private key by illegal molecules.

It should be noted that, the automobile manufacturer or the authorized equipment manufacturer may update and maintain the revoked certificate table and the trusted certificate table, for example, the automobile manufacturer periodically checks whether a private key leakage event of the authorized certificate occurs, and once the private key leakage event exists, the corresponding authorized certificate is added into the revoked certificate table or removed from the trusted certificate table, so as to implement dynamic management of the authorized certificate.

Further, with continued reference to fig. 2 and 3, each authorization credential includes authorization rights information including information such as the controlled object that has been authorized and the corresponding rights control level. The controlled object may be a controller in some or all of the vehicles produced by a single vehicle manufacturer, as different vehicle controllers may belong to different vehicle systems, families and/or models of vehicles, e.g., different vehicle controllers may belong to different vehicle systems, or to different family vehicles in the same vehicle system, or to different models of vehicles in the same family of vehicle systems. And because the controllers in a single automobile are numerous, for example, according to the function division, the automobile controllers can comprise intelligent driving controllers, intelligent cabin controllers and the like, and according to the region division, the automobile controllers can comprise left domain controllers, right domain controllers, whole automobile controllers and the like, different controllers or different numbers of controllers can be set as controlled objects for different authority control grades, and the controlled objects can be expressed as xx controllers of xx family xx types.

Typically, the authority control level that the certificate issuer can grant to other users does not exceed the authority control level that he/she is granted, for example, for a diagnostic equipment manufacturer with a primary authority certificate, if he/she has been granted authority a to a certain controller in car a, then if he/she issues a secondary authority certificate to other diagnostic equipment manufacturer, the secondary authority certificate is also an authority certificate to the controller in car a, and the authority control level in the secondary authority certificate is not higher than the level of authority a. The authorization rights information may also include other information such as authorization validity period information, such as a valid period of 2030.1.1 or permanent, without limitation.

In some embodiments, when the target authority certificate includes at least one controlled object and a rights control level of each controlled object, the identity authentication method may further include:

The device information of the automobile mainly comprises identification information of all automobile controllers in the automobile, and the identification information comprises the information for identifying automobile systems, families and models of different automobiles and controller names for identifying different automobile controllers in the same automobile. Since a single car generally includes a plurality of car controllers, by setting contents of authority control levels and controlled objects in a target authority certificate, different car controllers in the same car or car controllers in different cars can be granted with different operation authorities including data inquiry, data modification and control, etc. to the controllers, for example, if the authority control levels are 1, 2 and 3 in order from high to low, the 1-level authority can allow all operations of data inquiry, data modification and control, the 2-level authority allows only data inquiry and data modification operations, the 3-level authority allows only data inquiry operations, etc. Of course, before authorization, in addition to matching the controlled object, it is also necessary to confirm that the authorization deadline is within the validity period.

It can be seen from the foregoing that, when the identity authentication method provided by the embodiment of the application is applied to an automobile, and when an identity authentication request sent by an equipment to be authenticated is received, seed data is generated and sent to the equipment to be authenticated, so that the equipment to be authenticated returns a ciphertext and a target authorization certificate according to the seed data, and the equipment to be authenticated is authenticated according to the target authorization certificate, a root certificate, the ciphertext and the seed data, namely, the identity authentication of the equipment to be authenticated of the automobile is realized by adopting an authentication management method based on a PKI system, so that a symmetric password is not required to be fixedly written into code programs of two parties of authentication, the risk of password leakage is reduced, the reliability and the safety of authentication are improved, and different controllers adopt unified authentication code programs, do not need to independently write respective authentication code programs for each controller, and the method is high in flexibility and wide in application range.

Based on the method described in the above embodiment, correspondingly, the embodiment of the application also provides an identity authentication method which is applied to equipment to be authenticated, wherein the equipment to be authenticated comprises, but is not limited to, diagnostic equipment, sensors and other electronic equipment which need to establish communication connection with the automobile, the diagnostic equipment is a professional instrument for detecting the automobile, the performance of the automobile can be detected in real time, and the automobile fault can be detected, including but not limited to the diagnostic instrument. Referring to fig. 5, fig. 5 is another flow chart of an identity authentication method according to an embodiment of the present application, specifically, the identity authentication method includes the following steps 201 and 202, wherein:

201. an identity authentication request is sent to an automobile, so that the automobile returns seed data according to the identity authentication request;

202. and sending the ciphertext and the target authorization certificate to the automobile so that the automobile can carry out identity authentication on the equipment to be authenticated according to the ciphertext and the target authorization certificate.

In some embodiments, before performing step 202 above, the identity authentication method further includes:

Acquiring a target authorization certificate corresponding to an automobile and a private key corresponding to the target authorization certificate;

In some embodiments, the step of obtaining the target authorization certificate corresponding to the automobile and the private key corresponding to the target authorization certificate specifically includes:

And acquiring a target authorization certificate corresponding to the automobile and a private key corresponding to the target authorization certificate from a local storage area or a manufacturer server of equipment to be authenticated.

When the device to be authenticated gets the security random number sent by the automobile, a digital certificate (namely a target authorization certificate) which is authorized by the device manufacturer to be authenticated and a private key corresponding to the certificate are downloaded from a server of the device manufacturer to be authenticated or a local security area of the server, and seed data is encrypted by the private key to obtain ciphertext. Since the data in the vendor server and the local security area are difficult to read and tamper with by a third party, the risk of private key leakage is greatly reduced.

In some embodiments, the step of generating the ciphertext from the private key and the returned seed data specifically includes:

The device to be authenticated can adopt a contracted encryption algorithm to encrypt the seed data by using a private key of the device to be authenticated. The seed data is a car-generated security random number. In this embodiment, the target authorization certificate includes a public key of the device to be authenticated, and the device to be authenticated encrypts the seed data by using a private key corresponding to the public key to generate the ciphertext. The target authorization certificate may be a primary authorization certificate or a non-primary authorization certificate, where the primary authorization certificate is typically a certificate issued based on a root certificate, i.e. a signed authorization certificate is obtained by using a private key of the root certificate, and the root certificate is the origin of a certificate chain. Root certificates refer in the fields of cryptography and computer security to public key certificates that are not signed or certificates that are self-signed. It is a certificate issued by a Certificate Authority (CA) to itself as the starting point for the trust chain. The root certificate contains the information of the user (i.e. the car manufacturer) and the public key of the user and may also include a self-signature.

The non-primary authorization certificate is the next-stage certificate issued on the basis of the previous-stage certificate, for example, the secondary authorization certificate is a certificate which is signed by using the private key of the primary authorization certificate, and the tertiary authorization certificate is a certificate which is signed by using the private key of the secondary authorization certificate. When the target authorization certificate is a primary authorization certificate, the target authorization certificate is an authorization certificate applied by a diagnosis equipment manufacturer to which the diagnosis equipment belongs to an automobile manufacturer to which the automobile belongs, different diagnosis equipment manufacturers can apply authorization certificates for the same automobile to the same automobile manufacturer, and different automobile manufacturers can issue authorization certificates for different automobiles under the self flag to the same diagnosis equipment manufacturer. When the target authorization certificate is a non-primary authorization certificate, the target authorization certificate is an authorization certificate applied by a diagnostic equipment manufacturer to which the diagnostic equipment belongs to other diagnostic equipment manufacturers.

Each authorization ticket includes authorization rights information including information such as the authorized controlled object and the corresponding rights control class, and authorization validity period information such as a validity period 2030.1.1 or perpetual. The controlled object may be a controller in some or all of the vehicles produced by a single vehicle manufacturer, as different vehicle controllers may correspond to different vehicle systems, families and/or models, e.g., the vehicle controllers in different vehicles may belong to different vehicle systems, or to different families in the same vehicle system, or to different models in the same family in the same vehicle system. And because the controllers in the automobile are numerous, for example, according to the function division, the automobile controller can comprise an intelligent driving controller, an intelligent cabin controller and the like, and according to the region division, the automobile controller can comprise a left domain controller, a right domain controller, a whole automobile controller and the like, so that different controllers or different numbers of controllers can be set as controlled objects for different authority control grades, and the controlled objects can be expressed as xx controllers of xx family xx types.

Specifically, when the device to be authenticated needs to be accessed into the automobile, and access or even high-risk operation is performed on the automobile controller, operation permission is required to be requested to the automobile, at the moment, the device to be authenticated generates an identity authentication request and sends the identity authentication request to the automobile, the automobile returns a safe random number based on the identity authentication request, after the device to be authenticated takes the safe random number, the safe random number is encrypted by using a private key of the device to be authenticated to obtain a ciphertext, and a target authorization certificate and the ciphertext are returned to the automobile together for identity authentication. Only when the identity authentication is passed, the equipment to be authenticated has certain authority to operate the automobile controller, such as data inquiry, data modification, control and the like.

It should be noted that, the specific details of the identity authentication method applied to the device to be authenticated have been described in detail in the embodiment of the identity authentication method applied to the automobile, and are not described herein again.

According to the method described in the above embodiment, the embodiment of the present application further provides an identity authentication device, which is configured to perform the steps in the identity authentication method applied to the automobile. Referring to fig. 6, fig. 6 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application. The identity authentication device 300 is applied to an automobile. Specifically, the identity authentication device 300 includes a generating unit 301 and an authenticating unit 302, where:

The generating unit 301 is configured to generate seed data and send the seed data to the device to be authenticated when receiving an identity authentication request sent by the device to be authenticated, so that the device to be authenticated returns a ciphertext and a target authorization certificate according to the seed data;

And the authentication unit 302 is used for carrying out identity authentication on the equipment to be authenticated according to the target authorization certificate, the root certificate, the ciphertext and the seed data.

In some embodiments, the authentication unit 302 is specifically configured to:

when the verification of the target authorization certificate passes, verifying the ciphertext according to the public key seed data in the target authorization certificate;

In some embodiments, the authentication unit 302 is specifically configured to:

Determining a certificate level of a target authorization certificate;

In some embodiments, the authentication unit 302 is specifically configured to:

When the certificate grade indicates that the target authorization certificate is a secondary authorization certificate, a primary authorization certificate is analyzed from the target authorization certificate, and the target authorization certificate is verified according to the root certificate and the analyzed primary authorization certificate.

In some embodiments, the authentication unit 302 is specifically configured to:

In some embodiments, the authentication unit 302 is further configured to:

And determining the identity information of the target authorization certificate according to the target authorization certificate and a preset certificate table, wherein the identity information is used for indicating the automobile to determine the identity authority of the equipment to be authenticated.

In some embodiments, the target authorization certificate includes at least one controlled object and an authority control level of each controlled object, and the identity authentication device 300 further includes an authorization unit for:

And granting the permission of the target level to the device to be authenticated.

It should be noted that, the specific details of each module unit in the identity authentication device 300 applied to the automobile are described in detail in the embodiment of the identity authentication method applied to the automobile, and are not described herein again.

According to the method described in the above embodiment, the embodiment of the present application further provides an identity authentication device, which is configured to perform the steps in the identity authentication method applied to the device to be diagnosed. Referring to fig. 7, fig. 7 is a schematic structural diagram of an identity authentication device according to an embodiment of the present application. The identity authentication device 400 is applied to equipment to be diagnosed. Specifically, the identity authentication device 400 includes a first sending unit 401 and a second sending unit 402, where:

A first sending unit 401, configured to send an identity authentication request to an automobile, so that the automobile returns seed data according to the identity authentication request;

And the second sending unit 402 is configured to send a ciphertext and a target authorization certificate to the automobile, so that the automobile performs identity authentication on the diagnostic device according to the ciphertext and the target authorization certificate.

In some embodiments, before sending the ciphertext and the target authorization credential to the vehicle, the second sending unit 402 is further configured to:

In some embodiments, the second transmitting unit 402 is specifically configured to:

It should be noted that, the specific details of each module unit in the identity authentication device 400 applied to the device to be authenticated have been described in detail in the embodiment of the identity authentication method applied to the device to be authenticated, which is not described herein.

In some embodiments, the identity authentication device in the embodiments of the present application may be an electronic device, or may be a component in an electronic device, such as an integrated circuit or a chip. The electronic device may be a device to be authenticated or an automobile.

In some embodiments, as shown in fig. 8, an electronic device 500 is further provided in the embodiments of the present application, which includes a processor 501, a memory 502, and a computer program stored in the memory 502 and capable of running on the processor 501, where the program, when executed by the processor 501, implements the respective processes of the embodiments of the identity authentication method, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.

The electronic device in the embodiment of the application includes the mobile electronic device and the non-mobile electronic device.

Fig. 9 is a schematic hardware structure of an electronic device 600 according to an embodiment of the present application.

The electronic device 600 includes, but is not limited to, a radio frequency unit 601, a network module 602, an audio output unit 603, an input unit 604, a sensor 605, a display unit 606, a user input unit 607, an interface unit 608, a memory 609, and a processor 610.

Those skilled in the art will appreciate that the electronic device 600 may further include a power source (e.g., a battery) for powering the various components, which may be logically connected to the processor 610 by a power management system to perform functions such as managing charge, discharge, and power consumption by the power management system. The electronic device structure shown in fig. 9 does not constitute a limitation of the electronic device, and the electronic device may include more or less components than shown, or may combine certain components, or may be arranged in different components, which are not described in detail herein.

It should be appreciated that in embodiments of the present application, the input unit 604 may include a graphics processor (Graphics Processing Unit, GPU) 6041 and a microphone 6042, with the graphics processor 6041 processing image data of still pictures or video obtained by an image capturing apparatus (e.g., a camera) in a video capturing mode or an image capturing mode. The display unit 606 may include a display panel 6061, and the display panel 6061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 607 includes at least one of a touch panel 6071 and other input devices 6072. The touch panel 6071 is also called a touch screen. The touch panel 6071 may include two parts of a touch detection device and a touch controller. Other input devices 6072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and so forth, which are not described in detail herein.

The memory 609 may be used to store software programs as well as various data. The memory 609 may mainly include a first storage area storing programs or instructions and a second storage area storing data, wherein the first storage area may store an operating system, application programs or instructions (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like. Further, the memory 609 may include volatile memory or nonvolatile memory, or the memory 609 may include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable EPROM (EEPROM), or a flash Memory. The volatile memory may be random access memory (Random Access Memory, RAM), static random access memory (STATIC RAM, SRAM), dynamic random access memory (DYNAMIC RAM, DRAM), synchronous Dynamic Random Access Memory (SDRAM), double data rate Synchronous dynamic random access memory (Double DATA RATE SDRAM, DDRSDRAM), enhanced Synchronous dynamic random access memory (ENHANCED SDRAM, ESDRAM), synchronous link dynamic random access memory (SYNCH LINK DRAM, SLDRAM), and Direct random access memory (DRRAM). Memory 609 in embodiments of the present application includes, but is not limited to, these and any other suitable types of memory.

Processor 610 may include one or more processing units and processor 610 integrates an application processor that primarily processes operations involving an operating system, user interface, application program, etc., and a modem processor that primarily processes wireless communication signals, such as a baseband processor. It will be appreciated that the modem processor described above may not be integrated into the processor 610.

The embodiment of the application also provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the processes of the embodiment of the identity authentication method, and can achieve the same technical effects, and in order to avoid repetition, the description is omitted here.

Wherein the processor is a processor in the electronic device described in the above embodiment. The readable storage medium includes computer readable storage medium such as computer readable memory ROM, random access memory RAM, magnetic or optical disk, etc.

The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program realizes the identity authentication method when being executed by a processor.

It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.

From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.

The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.

The terms first, second and the like in the description and in the claims, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type, and are not limited to the number of objects, such as the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.

In the description of the present application, "plurality" means two or more.

In the description of the present specification, reference to the terms "one embodiment," "some embodiments," "illustrative embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present application have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the spirit and scope of the application as defined by the appended claims and their equivalents.

Claims

1. An identity authentication method, characterized in that it is applied to an automobile, said identity authentication method comprising:

When an identity authentication request sent by equipment to be authenticated is received, seed data are generated and sent to the equipment to be authenticated, so that the equipment to be authenticated returns ciphertext and a target authorization certificate according to the seed data, wherein the target authorization certificate is a certificate which is applied for issuing by an equipment manufacturer of the equipment to be authenticated to an automobile manufacturer of the automobile or equipment manufacturers of other equipment, the equipment manufacturers of the other equipment are equipment manufacturers which have been issued by the automobile manufacturer, and the target authorization certificate comprises basic information, a public key and a signature of an issued person;

The identity of the equipment to be authenticated is authenticated according to the target authorization certificate, a root certificate, the ciphertext and the seed data, wherein the root certificate is a certificate issued by the automobile manufacturer to the automobile manufacturer;

the target authorization certificate comprises at least one controlled object and the authority control level of each controlled object, the authority control level granted to other users by a certificate issuer does not exceed the authority control level granted by the certificate issuer, and the identity authentication method further comprises the following steps:

2. The identity authentication method according to claim 1, wherein the authenticating the device to be authenticated according to the target authorization certificate, the root certificate, the ciphertext, and the seed data comprises:

3. The identity authentication method according to claim 2, wherein verifying the ciphertext from the public key and the seed data in the target authorization certificate comprises:

4. The identity authentication method of claim 2, wherein verifying the target authorization credential based on the root credential comprises:

determining a certificate level of the target authorization certificate;

5. The identity authentication method of claim 4, wherein verifying the target authorization credential based on the credential level and a root credential comprises:

6. The identity authentication method of claim 5, wherein verifying the target authorization credential based on the root credential comprises:

7. The identity authentication method of claim 5, wherein verifying the target authorization certificate based on the root certificate and the parsed primary authorization certificate comprises:

8. The identity authentication method of claim 1, further comprising:

And determining identity information of the target authorization certificate according to the target authorization certificate and a preset certificate table, wherein the identity information is used for indicating the automobile to determine the identity authority of the equipment to be authenticated.

9. An identity authentication method, characterized by being applied to a device to be authenticated, comprising:

The method comprises the steps of sending ciphertext and a target authorization certificate to the automobile, so that the automobile carries out identity authentication on equipment to be authenticated according to the ciphertext, a root certificate, seed data and the target authorization certificate, wherein the target authorization certificate comprises at least one controlled object and an authority control level of each controlled object, and the authority control level granted to other users by a certificate issuer does not exceed the authority control level granted by the certificate issuer;

The target authorization certificate is a certificate which is applied for issuing by a device manufacturer to which the device to be authenticated belongs to an automobile manufacturer to which the automobile belongs or a device manufacturer to which other devices belong, the device manufacturer to which the other devices belong is a device manufacturer which has been issued by the automobile manufacturer, the target authorization certificate comprises basic information, a public key and a signature of an issuer, and the root certificate is a certificate issued by the automobile manufacturer to the root certificate.

10. The identity authentication method of claim 9, wherein prior to sending ciphertext and a target authorization credential to the vehicle, the method further comprises:

11. The method of claim 10, wherein the generating ciphertext from the private key and the returned seed data comprises:

12. The method for authenticating an identity according to claim 10, wherein the obtaining the target authorization certificate corresponding to the car and the private key corresponding to the target authorization certificate includes:

13. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the identity authentication method according to any one of claims 1-8 or 9-12.

14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the identity authentication method of any one of claims 1-8 or 9-12 when the program is executed by the processor.

15. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the identity authentication method according to any one of claims 1-8 or 9-12.