
CN119071007A - Login verification method, device, electronic device and computer-readable storage medium - Google Patents


Info

Publication number: CN119071007A
Authority: CN (China)
Prior art keywords: server, identity, target account, target, public key
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202310652289.4A
Other languages: Chinese (zh)
Inventors: 穆长春, 狄刚, 刘明君, 赵新宇
Current and original assignees: Shenzhen Financial Technology Research Institute (Financial Technology Research Institute of the People's Bank of China); Institute of Printing Science and Technology, People's Bank of China
Application filed by Shenzhen Financial Technology Research Institute (Financial Technology Research Institute of the People's Bank of China) and the Institute of Printing Science and Technology, People's Bank of China
Priority to CN202310652289.4A
Publication of CN119071007A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
              • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
              • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L63/12 Applying verification of the received information
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
              • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
            • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract


The present invention discloses a login verification method, device, electronic device and computer-readable storage medium. The method includes: sending a login request based on a target account to a server; receiving a server signature identity sent by the server, where the server signature identity is the server identity signed by the server with the server private key; verifying the server signature identity with the server public key to obtain a first verification result; if the first verification result is a pass, sending the target account signature identity and the target account signature identity credential to the server; and receiving a second verification result sent by the server and logging in to the server if the second verification result is a pass. The present invention solves the technical problem in the related art that, when a user logs in to a server from a client, verification runs in only one direction and security risks remain.

Description

Login verification method, login verification device, electronic equipment and computer readable storage medium
Technical Field
The present invention relates to the field of computers, and in particular, to a login verification method, a login verification device, an electronic device, and a computer readable storage medium.
Background
Under the CS (Client-Server) architecture there are many ways for a client to log in to a server, such as a password, an SMS code or a token. These methods still carry risks such as disclosure of private information and hijacking of token credentials. They are all traditional 'something you know', 'something you have' or 'something you are' methods, and none of them bases its verification on cryptographic techniques, so the security of these schemes still needs to be improved.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
Embodiments of the invention provide a login verification method, a login verification device, an electronic device and a computer-readable storage medium, which at least solve the technical problem in the related art that, when a user logs in to a server from a client, verification runs in only one direction and potential security hazards exist.
According to one aspect of the embodiments, a login verification method (client side) is provided, comprising: sending a login request based on a target account to a server; receiving a server signature identity sent by the server, where the server signature identity is the server identity signed with the server private key; verifying the server signature identity with the server public key to obtain a first verification result; when the first verification result is a pass, sending a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key; and receiving a second verification result sent by the server and logging in to the server when the second verification result is a pass, where the second verification result is obtained by the server verifying the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key.
Optionally, before sending the target account signature identity and the target account signature identity credential to the server, the method further comprises: sending an authentication request based on the target account to the trusted credential issuing authority so that the trusted credential issuing authority generates the target account identity credential corresponding to the target account, where the authentication request comprises the identity information of the target account; and receiving the target account signature identity credential sent by the trusted credential issuing authority.
Optionally, before the login request based on the target account is sent to the server, the method further comprises: determining the target account public key and target account private key of the target account; sending the target account public key to a blockchain distributed identity management system so that it generates the target account identity corresponding to the target account public key; and receiving the target account identity sent by the blockchain distributed identity management system.
Optionally, the server public key is obtained in at least one of the following ways: receiving the server public key sent by the server, or receiving the server public key sent by the blockchain distributed identity management system.
According to one aspect of the embodiments, a login verification method (server side) is provided, comprising: receiving a login request sent by a target client; in response to the login request, sending a server signature identity to the target client so that the target client can verify it with the server public key to obtain a first verification result, where the server signature identity is the server identity signed with the server private key; when the first verification result is a pass, receiving the target account signature identity and the target account signature identity credential sent by the target client, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key; verifying the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key; and sending the second verification result to the target client.
Optionally, before receiving the login request sent by the target client, the method further comprises: determining the server public key and server private key of the server; inputting the server public key into a blockchain distributed identity management system so that it generates the server identity corresponding to the server public key; and receiving the server identity sent by the blockchain distributed identity management system.
Optionally, the target account public key is obtained in at least one of the following ways: receiving the target account public key sent by the target client, or receiving the target account public key sent by the blockchain distributed identity management system.
According to one aspect of the embodiments, a login verification method (end to end) is provided, comprising: the target client sends a login request based on a target account to the server; the server receives the login request and, in response, sends a server signature identity to the target client, where the server signature identity is the server identity signed with the server private key; the target client receives the server signature identity and verifies it with the server public key to obtain a first verification result; when the first verification result is a pass, the target client sends a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key; the server receives them, verifies the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key, and sends the second verification result to the target client; and the target client receives the second verification result and, when it is a pass, logs in to the server.
According to one aspect of the embodiments, a login verification method (identity management side) is provided, comprising: receiving a target account public key, a server public key and a trusted credential issuing authority public key; generating the target account identity corresponding to the target account public key, the server identity corresponding to the server public key, and the target account identity credential corresponding to the trusted credential issuing authority public key; and sending the target account identity to the target client, the server identity to the server, and the target account identity credential to the trusted credential issuing authority, so that the target client signs the target account identity with the target account private key to obtain the target account signature identity, the server signs the server identity with the server private key to obtain the server signature identity, and the trusted credential issuing authority signs the target account identity credential with its private key to obtain the target account signature identity credential.
Optionally, the method further comprises determining a first, a second and a third key-value mapping: the first stores the correspondence between the target account public key and the target account identity generated for it, the second stores the correspondence between the server public key and the server identity generated for it, and the third stores the correspondence between the trusted credential issuing authority public key and the target account identity credential generated for it.
Optionally, determining the third key-value mapping comprises obtaining the validity time of the target account identity credential corresponding to the trusted credential issuing authority public key, and determining the third key-value mapping from that correspondence together with the validity time of the credential.
According to one aspect of the embodiments, a login verification device (client side) is provided, comprising a first sending module, a first receiving module, a first verification module, a second sending module and a first login module. The first sending module sends a login request based on a target account to a server. The first receiving module receives the server signature identity sent by the server, where the server signature identity is the server identity signed with the server private key. The first verification module verifies the server signature identity with the server public key to obtain a first verification result. The second sending module, when the first verification result is a pass, sends the target account signature identity and the target account signature identity credential to the server, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key. The first login module receives the second verification result sent by the server and logs in to the server when it is a pass, where the second verification result is obtained by the server verifying the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key.
According to one aspect of the embodiments, a login verification device (server side) is provided, comprising a second receiving module, a third sending module, a third receiving module, a second verification module and a fourth sending module. The second receiving module receives a login request sent by a target client. The third sending module, in response to the login request, sends the server signature identity to the target client so that the target client can verify it with the server public key to obtain a first verification result, where the server signature identity is the server identity signed with the server private key. The third receiving module, when the first verification result is a pass, receives the target account signature identity and the target account signature identity credential sent by the target client, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key. The second verification module verifies the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key to obtain a second verification result, and the fourth sending module sends the second verification result to the target client.
According to one aspect of the embodiments, a login verification system is provided, comprising a fifth sending module, a sixth sending module, a third verification module, a seventh sending module, a fourth verification module, an eighth sending module and a second login module. The fifth sending module, at the target client, sends a login request based on a target account to the server. The sixth sending module, at the server, receives the login request and in response sends the server signature identity to the target client, where the server signature identity is the server identity signed with the server private key. The third verification module, at the target client, receives the server signature identity and verifies it with the server public key to obtain a first verification result. The seventh sending module, when the first verification result is a pass, sends the target account signature identity and the target account signature identity credential to the server, where the target account signature identity is the target account identity signed with the target account private key and the target account signature identity credential is the target account identity credential signed with the trusted credential issuing authority private key. The fourth verification module, at the server, verifies the target account signature identity with the target account public key and the target account signature identity credential with the trusted credential issuing authority public key to obtain a second verification result. The eighth sending module sends the second verification result to the target client, and the second login module, at the target client, receives the second verification result and logs in to the server when it is a pass.
According to one aspect of the embodiments, a login verification device (identity management side) is provided, comprising a fourth receiving module, a generating module and a ninth sending module. The fourth receiving module receives the target account public key, the server public key and the trusted credential issuing authority public key. The generating module generates the target account identity corresponding to the target account public key, the server identity corresponding to the server public key, and the target account identity credential corresponding to the trusted credential issuing authority public key. The ninth sending module sends the target account identity to the target client, the server identity to the server, and the target account identity credential to the trusted credential issuing authority, so that the target client signs the target account identity with the target account private key to obtain the target account signature identity, the server signs the server identity with the server private key to obtain the server signature identity, and the trusted credential issuing authority signs the target account identity credential with its private key to obtain the target account signature identity credential.
According to one aspect of the embodiments, an electronic device is provided, comprising a processor and a memory storing instructions executable by the processor, where the processor is configured to execute the instructions to implement any one of the login verification methods described above.
According to one aspect of the embodiments, a computer-readable storage medium is provided, storing instructions which, when executed by a processor of an electronic device, cause the electronic device to perform any one of the login verification methods described above.
In the embodiments, the target client sends a login request based on the target account to the server, receives the server signature identity sent back by the server, and verifies it with the server public key held at the target client to obtain the first verification result; this is the client's verification of the server. When the first verification result is a pass, that is, the target client has verified the server, the client sends the target account signature identity and the target account signature identity credential to the server and receives the second verification result, which is the server's verification of the target account on the target client. When the second verification result is a pass, the target account on the target client is logged in to the server. Verification therefore runs in both directions, which solves the technical problem in the related art that, when a user logs in to a server from a client, verification runs in only one direction and potential security hazards exist.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of a first login verification method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a second login verification method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a third login verification method according to an embodiment of the present invention;
FIG. 4 is a flow chart of a fourth login verification method according to an embodiment of the present invention;
FIG. 5 is a timing diagram of a login verification method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the roles in a login verification method according to an alternative embodiment of the present invention;
FIG. 7 is a block diagram of a first login verification device according to an embodiment of the present invention;
FIG. 8 is a block diagram of a second login verification device according to an embodiment of the present invention;
FIG. 9 is a block diagram of the structure of a third login verification device according to an embodiment of the present invention;
FIG. 10 is a block diagram of the configuration of a fourth login verification device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, partial terms or terminology appearing in the course of describing embodiments of the application are applicable to the following explanation:
A blockchain is a chain of blocks one by one. Each block holds certain information which is linked in a chain according to the time sequence of their respective generation. This chain is kept in all servers, and the entire blockchain is secure as long as one server in the entire system can work. These servers, referred to as nodes in the blockchain system, provide storage space and computational support for the entire blockchain system. If the information in the blockchain is to be modified, it is necessary to sign consent of more than half of the nodes and modify the information in all the nodes, which are usually held in different subject hands, so it is an extremely difficult thing to tamper with the information in the blockchain. Compared with the traditional network, the blockchain has two core characteristics, namely, the data is difficult to tamper, and the data is not centralized. Based on the two characteristics, the information recorded by the blockchain is more real and reliable.
Digital wallets-digital wallets are of two main types, client and server (digital wallets), meaning an aggregate of information and software-the software providing security for transaction processing, the information including payment information (e.g., credit card number and expiration date) and delivery information.
Signature: data encryption uses the key pair of a receiver. Any party that knows the public key can send a message to the receiver, but only the receiver, who holds the private key, can decrypt the message. The public key and the private key correspond to each other uniquely, and content signed with a given public key can only be decrypted and verified with the corresponding private key.
Examples
According to an embodiment of the present invention, there is provided an embodiment of a login authentication method, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that herein.
Fig. 1 is a flowchart of a login authentication method according to an embodiment of the present invention, as shown in fig. 1, the method comprising the steps of:
Step S102, a login request based on a target account is sent to a server;
Step S104, a server signature identity sent by the server is received, wherein the server signature identity is a signature identity obtained by the server signing the server identity with the server private key;
Step S106, the server signature identity is verified according to the server public key to obtain a first verification result;
Step S108, if the first verification result is that verification is passed, a target account signature identity and a target account signature identity credential are sent to the server, wherein the target account signature identity is obtained by signing the target account identity with the target account private key, and the target account signature identity credential is obtained by signing the target account identity credential with the trusted credential issuing authority private key;
Step S110, a second verification result sent by the server is received, and the target account is logged in to the server when the second verification result is that verification is passed, wherein the second verification result is obtained by the server verifying the target account signature identity according to the target account public key and verifying the target account signature identity credential according to the trusted credential issuing authority public key.
Through the above steps, on the target client side, the target client sends a login request based on the target account to the server, receives the server signature identity sent back by the server, and verifies the server signature identity with the server public key held by the target client to obtain a first verification result; this implements verification of the server by the target client. If the first verification result is that verification is passed, that is, the target client has successfully verified the server, the target client sends the target account signature identity and the target account signature identity credential to the server and receives a second verification result sent by the server; this implements verification of the target account of the target client by the server, including verification of the identity of the target account. If the second verification result is that verification is passed, the target account on the target client can log in to the server. This solves the technical problem in the related art that, when a user logs in to a server from a client, verification runs in only one direction and potential safety hazards exist.
As an alternative embodiment, before the login request based on the target account is sent to the server, the method further comprises the step of obtaining the identity of the target account. There are many ways of obtaining the identity of the target account; for example, a target account public key and a target account private key of the target account are determined, wherein one target account corresponds to one target key pair, and the target key pair comprises one target account public key and one target account private key. The target account public key is then input into the blockchain distributed identity management system, which generates a target account identity corresponding to the target account public key, and the target account identity sent by the blockchain distributed identity management system is received. By using the distributed system of the blockchain technology, the method of this alternative embodiment has the advantages of high stability, high usability, low cost and strong privacy protection of the encrypted data.
As an alternative embodiment, the target client sends a login request based on the target account to the server, which implements the user's operation of logging in to the server from the target client with the target account. The target client receives a server signature identity sent by the server, wherein the server signature identity is obtained by signing the server identity with the server private key. The target client then obtains the server public key and verifies the server signature identity according to the server public key to obtain a first verification result. This implements verification of the server by the target client.
It should be noted that the target client needs to obtain the server public key first, and it may do so in various ways: for example, it may receive the server public key sent by the server, or it may receive the server public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Optionally, after the first verification result is obtained, if the first verification result is that verification is not passed, it may be set that verification of the server by the target client has not passed and login is not possible. If the first verification result is that verification is passed, verification in the other direction is performed, namely verification of the target client by the server: the target client sends a target account signature identity and a target account signature identity credential to the server, wherein the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; the target client then receives a second verification result sent by the server, wherein the second verification result is obtained by the server verifying the target account signature identity according to the target account public key and verifying the target account signature identity credential according to the trusted credential issuing authority public key. This implements verification of the target client by the server and verification of the identity of the target account by the server. Through this multi-layer verification, the target account on the target client is ensured to be trustworthy, so the security of the target account logging in to the server from the target client is ensured and the reliability of the whole process is improved.
It should be noted that the second verification result is obtained by the server verifying the signature identity of the target account according to the public key of the target account and verifying the signature identity credential of the target account according to the public key of the trusted credential issuing authority. That is, two verification steps are performed in this process. The server verifies the signature identity of the target account according to the public key of the target account, so that the target client is verified by the server and the two-way verification between the target client and the server is completed. The server also verifies the signature identity credential of the target account according to the public key of the trusted credential issuing authority, which adds a layer of verification of the reliability of the target account's identity on top of the two-way verification, so that the target account on the target client is ensured to be trustworthy, the security of the target account logging in to the server from the target client is ensured, and the reliability of the whole process is increased. The two verifications may be performed sequentially or in parallel; the method does not limit this. If either verification fails, a second verification result of verification not passed is obtained.
It should be noted that the server needs to obtain the target account public key, and it may do so in various ways: for example, it may receive the target account public key sent by the target client, or it may receive the target account public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
As an alternative embodiment, before the target account signature identity and the target account signature identity credential are sent to the server, the method further comprises the step of obtaining the target account signature identity credential. For example, an authentication request including identity information of the target account is sent to a trusted credential issuing authority, so that the trusted credential issuing authority authenticates the target account and generates the target account identity credential corresponding to the target account; the trusted credential issuing authority then signs the target account identity credential with its private key to obtain the target account signature identity credential and sends it to the target client. The target client receives the target account signature identity credential sent by the trusted credential issuing authority. The trusted credential issuing authority can be a generalized identity credential issuing authority and can be a third-party institution; the target account identity credential is an identity credential issued by the trusted credential issuing authority for the target account in order to authenticate the identity of the target account or an identity attribute of the target account. The target account identity credential can be given a validity period and can be revoked flexibly, so that a target account that has lost trust through misbehaviour or otherwise cannot continue to pass verification. Through the authentication of the target account by the trusted credential issuing authority, the security of the target account can be guaranteed, and the reliability of the target account logging in to the server from the target client is guaranteed.
It should be noted that, when the target account identity credential is acquired, the target account identity credential of the third-party institution that corresponds to the scenario may be acquired according to the specific application. Since different third-party institutions may authenticate the target account in different application scenarios, the authentication of the corresponding third-party institution must be acquired. Optionally, in a service with strict requirements, the identity credentials of multiple third-party institutions may be required, that is, the identity of the target account may need to be authenticated by multiple trusted credential issuing authorities, and the target account can only log in to the server from the target client if all of those identity credentials pass verification. Through these steps, the range of application of the method and the device is expanded, and the authentication of a predetermined number of third-party institutions can be obtained according to the actual application scenario and the importance of the service executed in that scenario, so that the security of the target account logging in to the server from the target client is enhanced.
Optionally, after the second verification result is obtained, if the second verification result is that verification is not passed, it may be set that verification of the target client by the server is not passed and login cannot be performed. And under the condition that the second verification result is that the verification is passed, the target account can be logged in to the server from the target client.
It should be noted that the server needs to obtain the public key of the trusted credential issuing authority, and it may do so in various ways: for example, it may receive the public key sent by the trusted credential issuing authority itself, or it may receive the public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Fig. 2 is a flowchart of a login authentication method according to an embodiment of the present invention, as shown in fig. 2, the method includes the steps of:
Step S202, receiving a login request sent by a target client;
Step S204, a server signature identity is sent to a target client in response to a login request, so that the target client verifies the server signature identity according to a server public key to obtain a first verification result, wherein the server signature identity is obtained by signing the server identity by using a server private key;
Step S206, a target account signature identity and a target account signature identity credential sent by the target client when the first verification result is that verification is passed are received, wherein the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key;
Step S208, the target account signature identity and the target account signature identity credential are verified according to the target account public key and the trusted credential issuing authority public key, respectively, to obtain a second verification result;
Step S210, the second verification result is sent to the target client.
Through the above steps, on the server side, the login request sent by the target client is received, and the server signature identity is sent to the target client in response to the login request, so that the target client verifies the server signature identity according to the server public key to obtain a first verification result; this implements verification of the server by the target client. If the first verification result is that verification is passed, the target account signature identity and the target account signature identity credential sent by the target client are received, the target account signature identity is verified according to the target account public key, and the target account signature identity credential is verified according to the trusted credential issuing authority public key to obtain a second verification result; this implements verification of the target client by the server. The second verification result is then sent to the target client, so that the target account on the target client logs in to the server if the second verification result is that verification is passed. This solves the technical problem in the related art that, when a user logs in to a server from a client, verification runs in only one direction and potential safety hazards exist.
As an alternative embodiment, before the server receives the login request sent by the target client, the method further comprises the step of obtaining a server identity. There are many ways of obtaining the server identity; for example, a server public key and a server private key of the server are determined, wherein one server corresponds to one server key pair, and the server key pair comprises one server public key and one server private key. The server public key is then input into the blockchain distributed identity management system, which generates a server identity corresponding to the server public key, and the server identity sent by the blockchain distributed identity management system is received. By using the distributed system of the blockchain technology, the method of this alternative embodiment has the advantages of high stability, high usability, low cost and strong privacy protection of the encrypted data.
As an alternative embodiment, the server receives a login request sent by the target client, which implements the user's operation of logging in to the server from the target client with the target account. In response to the login request, the server sends a server signature identity to the target client so that the target client verifies the server signature identity according to the server public key to obtain a first verification result, wherein the server signature identity is obtained by signing the server identity with the server private key. This implements verification of the server by the target client.
It should be noted that the target client needs to obtain the server public key first, and it may do so in various ways: for example, it may receive the server public key sent by the server, or it may receive the server public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Optionally, after the first verification result is obtained, if the first verification result is that verification is not passed, it may be set that verification of the server by the target client has not passed and login is not possible. If the first verification result is that verification is passed, verification in the other direction is performed, namely verification of the target client by the server: the server receives a target account signature identity and a target account signature identity credential sent by the target client, wherein the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key. The server obtains the target account public key, verifies the target account signature identity according to the target account public key, verifies the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result, and sends the second verification result to the target client. This implements verification of the target client by the server and verification of the identity of the target account by the server. The target account identity credential can be given a validity period and can be revoked flexibly, so that a target account that has lost trust through misbehaviour or otherwise cannot continue to pass verification.
Therefore, one layer of verification is added on top of the two-way verification, and through this multi-layer verification the target account on the target client is ensured to be trustworthy, so the security of the target account logging in to the server from the target client is ensured and the reliability of the whole process is increased.
It should be noted that the second verification result is obtained by the server verifying the signature identity of the target account according to the public key of the target account and verifying the signature identity credential of the target account according to the public key of the trusted credential issuing authority. That is, two verification steps are performed in this process. The server verifies the signature identity of the target account according to the public key of the target account, so that the target client is verified by the server and the two-way verification between the target client and the server is completed. The server also verifies the signature identity credential of the target account according to the public key of the trusted credential issuing authority, which adds a layer of verification of the reliability of the target account's identity on top of the two-way verification, so that the target account on the target client is ensured to be trustworthy, the security of the target account logging in to the server from the target client is ensured, and the reliability of the whole process is increased. The two verifications may be performed sequentially or in parallel; the method does not limit this. If either verification fails, a second verification result of verification not passed is obtained.
It should be noted that the server needs to obtain the target account public key, and it may do so in various ways: for example, it may receive the target account public key sent by the target client, or it may receive the target account public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
It should be noted that the server needs to obtain the public key of the trusted credential issuing authority, and it may do so in various ways: for example, it may receive the public key sent by the trusted credential issuing authority itself, or it may receive the public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Optionally, after the second verification result is obtained, if the second verification result is that verification is not passed, it may be set that verification of the target client by the server is not passed and login cannot be performed. And under the condition that the second verification result is that the verification is passed, the target account can be logged in to the server from the target client.
Fig. 3 is a flowchart of a login authentication method three according to an embodiment of the present invention, as shown in fig. 3, the method includes the steps of:
Step S302, a target client sends a login request based on a target account to a server;
Step S304, the server receives and responds to the login request sent by the target client and sends a server signature identity to the target client, wherein the server signature identity is obtained by signing the server identity by using a server private key;
Step S306, the target client receives the server signature identity sent by the server, and verifies the server signature identity according to the server public key to obtain a first verification result;
Step S308, if the first verification result is that verification is passed, the target client sends a target account signature identity and a target account signature identity credential to the server, wherein the target account signature identity is obtained by signing the target account identity with the target account private key, and the target account signature identity credential is obtained by signing the target account identity credential with the trusted credential issuing authority private key;
Step S310, the server receives the target account signature identity and the target account signature identity credential sent by the target client, verifies the target account signature identity according to the target account public key, and verifies the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result;
Step S312, the server sends the second verification result to the target client;
Step S314, the target client receives the second verification result sent by the server, and logs in to the server if the second verification result is that verification is passed.
Through the above steps, in a system comprising the target client and the server, the target client sends a login request based on a target account to the server; the server receives and responds to the login request by sending a server signature identity to the target client; the target client receives the server signature identity sent by the server and verifies it according to the server public key to obtain a first verification result; this implements verification of the server by the target client. If the first verification result is that verification is passed, the target client sends a target account signature identity and a target account signature identity credential to the server; the server receives them, verifies the target account signature identity according to the target account public key, and verifies the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result; this implements verification of the target account of the target client by the server and verification of the reliability of the user identity. The server sends the second verification result to the target client, and the target client, on receiving it, logs in to the server if the second verification result is that verification is passed. This solves the technical problem in the related art that, when a user logs in to a server, verification runs in only one direction and potential safety hazards exist.
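The exchange of Fig. 1 (client side), Fig. 2 (server side) and Fig. 3 (both together), as an added worked example that is not part of the patent or of any applicant's code: the Go program below runs the whole flow in-process with Ed25519 signatures from the standard library. The server signs its identity with its private key and the client checks it with the server public key (first verification result); the client then signs its own identity and presents a credential signed by the trusted credential issuing authority, and the server checks both, producing a failing second verification result if either check fails. The identifiers, key handling and message layout are assumptions of this example; in particular, the example binds each signature to a fresh nonce so that a recorded signature identity cannot be reused for a later login, a detail the page does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Identity is a party's identity identifier with its key pair. The page has the
// identifier issued by a blockchain identity system; here it is a constructed string.
type Identity struct {
	ID   string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewIdentity(id string) Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{ID: id, Pub: pub, Priv: priv}
}

// SignedID is a "signature identity": an identifier plus the holder's signature over it.
// The nonce ties the signature to one login attempt so that a recorded signature cannot
// be replayed later (the page does not fix the signed bytes; this is the example's choice).
type SignedID struct {
	ID    string
	Nonce []byte
	Sig   []byte
}

func signID(who Identity, nonce []byte) SignedID {
	msg := append([]byte(who.ID+"|"), nonce...)
	return SignedID{ID: who.ID, Nonce: nonce, Sig: ed25519.Sign(who.Priv, msg)}
}

func verifyID(pub ed25519.PublicKey, s SignedID, expectNonce []byte) bool {
	if len(pub) != ed25519.PublicKeySize || string(s.Nonce) != string(expectNonce) {
		return false
	}
	return ed25519.Verify(pub, append([]byte(s.ID+"|"), s.Nonce...), s.Sig)
}

// Credential is the target account identity credential, signed with the trusted
// credential issuing authority's private key.
type Credential struct {
	AccountID string
	Sig       []byte
}

func IssueCredential(issuer Identity, accountID string) Credential {
	return Credential{AccountID: accountID, Sig: ed25519.Sign(issuer.Priv, []byte("cred|"+accountID))}
}

// Server holds its identity, the issuer's public key and the registered accounts' public
// keys (obtained, per the page, from the client or from the blockchain identity system).
type Server struct {
	Me        Identity
	IssuerPub ed25519.PublicKey
	Accounts  map[string]ed25519.PublicKey
}

var ErrVerify = errors.New("verification failed")

// Login runs the Fig. 3 exchange in-process for account acct, which trusts serverPub and
// holds cred. It returns nil only when the client's check of the server (first verification
// result) and both server-side checks (second verification result) pass.
func Login(acct Identity, serverPub ed25519.PublicKey, cred Credential, s *Server) error {
	clientNonce := newNonce() // S302: the login request carries a fresh nonce
	// S304: the server replies with its signed identity and a nonce for the client.
	serverSigned, serverNonce := signID(s.Me, clientNonce), newNonce()
	// S306: the client verifies the server signature identity with the server public key.
	if !verifyID(serverPub, serverSigned, clientNonce) {
		return fmt.Errorf("first verification: %w", ErrVerify)
	}
	// S308: the client sends its signed identity and its signed credential.
	accountSigned := signID(acct, serverNonce)
	// S310: the server checks the account signature, then the issuer's signature on the
	// credential; either failure gives a failing second verification result.
	if !verifyID(s.Accounts[accountSigned.ID], accountSigned, serverNonce) {
		return fmt.Errorf("second verification (account signature): %w", ErrVerify)
	}
	if cred.AccountID != accountSigned.ID || !ed25519.Verify(s.IssuerPub, []byte("cred|"+cred.AccountID), cred.Sig) {
		return fmt.Errorf("second verification (credential): %w", ErrVerify)
	}
	return nil // S312/S314: the passing result reaches the client, which is now logged in
}

func newNonce() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
```

A caller sets up one issuer identity, one server whose `Accounts` map holds the account's public key and whose `IssuerPub` is the issuer's key, and then calls `Login(account, server.Me.Pub, IssueCredential(issuer, account.ID), server)`; the honest case returns nil, while a client that trusts a different server key, a credential from an issuer the server does not trust, a credential issued to another account, or an account the server has no public key for each return an error wrapping `ErrVerify`.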
As an alternative embodiment, before the target client sends the login request based on the target account to the server, the method further comprises the step of obtaining the identity of the target account. There are many ways of obtaining the identity of the target account; for example, the target account public key and the target account private key of the target account are determined, wherein one target account corresponds to one target key pair, and the target key pair comprises one target account public key and one target account private key. The target account public key is then input into the blockchain distributed identity management system, which generates a target account identity corresponding to the target account public key, and the target account identity sent by the blockchain distributed identity management system is received. By using the distributed system of the blockchain technology, the method of this alternative embodiment has the advantages of high stability, high usability, low cost and strong privacy protection of the encrypted data.
As an alternative embodiment, the target client sends a login request based on the target account to the server, which implements the user's operation of logging in to the server from the target client with the target account. The target client receives a server signature identity sent by the server, wherein the server signature identity is obtained by signing the server identity with the server private key. The target client then obtains the server public key and verifies the server signature identity according to the server public key to obtain a first verification result. This implements verification of the server by the target client.
It should be noted that the target client needs to obtain the server public key first, and it may do so in various ways: for example, it may receive the server public key sent by the server, or it may receive the server public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Optionally, after the first verification result is obtained, if the first verification result is that verification is not passed, it may be set that verification of the server by the target client has not passed and login is not possible. If the first verification result is that verification is passed, verification in the other direction is performed, namely verification of the target client by the server: the target client sends a target account signature identity and a target account signature identity credential to the server, wherein the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; the target client then receives a second verification result sent by the server, wherein the second verification result is obtained by the server verifying the target account signature identity according to the target account public key and verifying the target account signature identity credential according to the trusted credential issuing authority public key. This implements verification of the target client by the server and verification of the identity of the target account by the server. Through this multi-layer verification, the target account on the target client is ensured to be trustworthy, so the security of the target account logging in to the server from the target client is ensured and the reliability of the whole process is improved.
It should be noted that the second verification result is obtained by the server verifying the signature identity of the target account according to the public key of the target account and verifying the signature identity credential of the target account according to the public key of the trusted credential issuing authority. That is, two verification steps are performed in this process. The server verifies the signature identity of the target account according to the public key of the target account, so that the target client is verified by the server and the two-way verification between the target client and the server is completed. The server also verifies the signature identity credential of the target account according to the public key of the trusted credential issuing authority, which adds a layer of verification of the reliability of the target account's identity on top of the two-way verification, so that the target account on the target client is ensured to be trustworthy, the security of the target account logging in to the server from the target client is ensured, and the reliability of the whole process is increased. The two verifications may be performed sequentially or in parallel; the method does not limit this. If either verification fails, a second verification result of verification not passed is obtained.
It should be noted that the server needs to obtain the target account public key, and it may do so in various ways: for example, it may receive the target account public key sent by the target client, or it may receive the target account public key sent by the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
As an alternative embodiment, before the target client sends the target account signature identity and the target account signature identity credential to the server, the method further comprises the step of obtaining the target account signature identity credential. For example, an authentication request including identity information of the target account is sent to a trusted credential issuing authority, so that the trusted credential issuing authority authenticates the target account and generates the target account identity credential corresponding to the target account; the trusted credential issuing authority then signs the target account identity credential with its private key to obtain the target account signature identity credential and sends it to the target client. The target client receives the target account signature identity credential sent by the trusted credential issuing authority. The trusted credential issuing authority can be a generalized identity credential issuing authority and can be a third-party institution; the target account identity credential is an identity credential issued by the trusted credential issuing authority for the target account in order to authenticate the identity of the target account or an identity attribute of the target account. The target account identity credential can be given a validity period and can be revoked flexibly, so that a target account that has lost trust through misbehaviour or otherwise cannot continue to pass verification.
Through the authentication of the target account by the trusted credential issuing authority, the security of the target account can be guaranteed, and the reliability of the target account logging in to the server from the target client is guaranteed.
It should be noted that, when acquiring the target account identity credential, the credential of the third-party institution appropriate to the specific application scenario may be acquired, because different third-party institutions authenticate the target account in different application scenarios, and it is the authentication of the corresponding institution that must be obtained. Optionally, for a service with strict requirements, identity credentials from multiple third-party institutions may be required, that is, the target account may have to be authenticated by multiple trusted credential issuing mechanisms, and can only log in to the server from the target client if all of these identity credentials pass verification. In this way the range of application of the method is extended, and authentication from a predetermined number of third-party institutions can be obtained according to the actual scenario and the importance of the service executed in it, strengthening the security of logging the target account in to the server from the target client.
Optionally, after the second verification result is obtained, if the second verification result is that verification is not passed, it may be set that verification of the target client by the server is not passed and login cannot be performed. And under the condition that the second verification result is that the verification is passed, the target account can be logged in to the server from the target client.
It should be noted that, when the server needs to obtain the public key of the trusted credential issuing mechanism, it may do so in more than one way, for example by receiving the public key sent by the trusted credential issuing mechanism itself, or by receiving it from the blockchain distributed identity management system. The choice can be made adaptively according to the actual application and scenario.
Fig. 4 is a flowchart of a login authentication method four according to an embodiment of the present invention, as shown in fig. 4, the method includes the steps of:
step S402, receiving a target account public key, a server public key and a trusted voucher issuing mechanism public key;
step S404, generating a target account identity corresponding to the target account public key according to the target account public key, generating a server identity corresponding to the server public key according to the server public key, and generating a target account identity credential corresponding to the trusted credential issuing authority public key according to the trusted credential issuing authority public key;
step S406, sending the target account identity identifier to the target client, the server identity identifier to the server, and the target account identity credential to the trusted credential issuing mechanism, where the target client signs the target account identity identifier with the target account private key to obtain the target account signature identity identifier, the trusted credential issuing mechanism signs the target account identity credential with its private key to obtain the target account signature identity credential, and the server signs the server identity identifier with the server private key to obtain the server signature identity identifier.
Through the above steps, the blockchain distributed identity management system receives the target account public key, the server public key and the trusted credential issuing mechanism public key; generates the target account identity identifier corresponding to the target account public key, the server identity identifier corresponding to the server public key, and the target account identity credential corresponding to the trusted credential issuing mechanism public key; and sends the target account identity identifier to the target client, the server identity identifier to the server, and the target account identity credential to the trusted credential issuing mechanism. The target client then signs the target account identity identifier with the target account private key to obtain the target account signature identity identifier, the trusted credential issuing mechanism signs the target account identity credential with its private key to obtain the target account signature identity credential, and the server signs the server identity identifier with the server private key to obtain the server signature identity identifier. Because each party's public key is registered with the blockchain distributed identity management system, the target client can verify the server's signed identifier and the server can verify the target client's signed identifier and credential, which supports verification in both directions and, to a certain degree, improves the security of the user's login to the server.
The system, being implemented on blockchain technology, can store the target account public key, the server public key, the trusted credential issuing mechanism public key, and the corresponding target account identity identifier, server identity identifier and target account identity credential in the form of distributed identity documents, further improving security, trustworthiness and standardization. Optionally, for example, a first Key-Value correspondence, a second Key-Value correspondence and a third Key-Value correspondence may be determined, where the first stores the correspondence between the target account public key and the target account identity identifier, the second stores the correspondence between the server public key and the server identity identifier, and the third stores the correspondence between the trusted credential issuing mechanism public key and the target account identity credential. The correspondence may be embodied in various forms, such as a lookup table. Data synchronization is ensured by the blockchain distributed identity management system, and the records cannot be tampered with. The method of this alternative embodiment has the advantages of high stability, high usability, low cost and strong privacy protection of the encrypted data.
Optionally, determining the third Key-Value correspondence includes obtaining the validity time of the target account identity credential corresponding to the trusted credential issuing mechanism public key, and determining the third Key-Value correspondence from the correspondence between that public key and the target account identity credential together with the credential's validity time. Setting a validity period for the target account identity credential prevents a target account that has become untrustworthy (for example, one that has lost credit standing) from still passing verification, ensures the security of the target account, and further ensures the reliability of logging the target account in to the server from the target client.
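To make the registry side concrete, the following is an added example written for this page, not code from the patent or from any of the applicants' systems. It implements, in Go, steps S402 to S406 and the Key-Value correspondences with validity time described above: a public key is registered and an identifier derived for it, the identifier-to-key binding is stored as a document, an issued credential is recorded on the holder's document together with its issuer and validity period, and a check reports whether the credential is still usable, including after revocation. The TID format (a role prefix plus a truncated SHA-256 of the public key), the field names and the placeholder keys are assumptions; the blockchain ledger that synchronises the documents and makes them tamper-evident is outside the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CredentialRef is what a holder's TID-DOC gains when an issuer grants it a credential (assumed fields).
type CredentialRef struct {
	CredentialID string
	IssuerTID    string    // whose registered public key verifies the credential signature
	NotAfter     time.Time // validity period
	Revoked      bool
}

// TIDDoc is one Key-Value identity document: a TID bound to its public key, plus attributes.
type TIDDoc struct {
	TID         string
	Role        string // "wallet", "server" or "issuer"
	PublicKey   []byte
	Credentials []CredentialRef
}

// Registry stands in for the blockchain distributed identity management system; the ledger
// synchronisation that makes the documents tamper-evident is outside this example.
type Registry struct {
	docs  map[string]*TIDDoc // TID -> TID-DOC
	byKey map[string]string  // hex(public key) -> TID, so one key maps to exactly one TID
}

func NewRegistry() *Registry {
	return &Registry{docs: map[string]*TIDDoc{}, byKey: map[string]string{}}
}

// Register (steps S402/S404) derives a TID from a public key and writes the binding.
// Assumption: TID = role prefix + truncated SHA-256 of the key; the page fixes no format.
func (r *Registry) Register(role string, pub []byte) string {
	k := hex.EncodeToString(pub)
	if tid, ok := r.byKey[k]; ok {
		return tid // re-registering the same key yields the same TID
	}
	sum := sha256.Sum256(pub)
	tid := fmt.Sprintf("TID_%s_%s", role, hex.EncodeToString(sum[:8]))
	r.docs[tid] = &TIDDoc{TID: tid, Role: role, PublicKey: pub}
	r.byKey[k] = tid
	return tid
}

// AddCredential is the TID-DOC update: record a credential, its issuer and its validity on the
// holder's document. The issuer must itself be registered with the issuer role.
func (r *Registry) AddCredential(holderTID string, ref CredentialRef) error {
	holder, ok := r.docs[holderTID]
	if !ok {
		return fmt.Errorf("unknown holder %s", holderTID)
	}
	if issuer, ok := r.docs[ref.IssuerTID]; !ok || issuer.Role != "issuer" {
		return fmt.Errorf("%s is not a registered credential issuer", ref.IssuerTID)
	}
	holder.Credentials = append(holder.Credentials, ref)
	return nil
}

// find returns the named credential on the holder's document, or nil.
func (r *Registry) find(holderTID, credentialID string) *CredentialRef {
	if doc, ok := r.docs[holderTID]; ok {
		for i := range doc.Credentials {
			if doc.Credentials[i].CredentialID == credentialID {
				return &doc.Credentials[i]
			}
		}
	}
	return nil
}

// Revoke flags a credential so later checks fail before its NotAfter time; false if unknown.
func (r *Registry) Revoke(holderTID, credentialID string) bool {
	c := r.find(holderTID, credentialID)
	if c != nil {
		c.Revoked = true
	}
	return c != nil
}

// CredentialUsable: recorded for the holder, unrevoked and inside its validity period at time now.
func (r *Registry) CredentialUsable(holderTID, credentialID string, now time.Time) bool {
	c := r.find(holderTID, credentialID)
	return c != nil && !c.Revoked && !now.After(c.NotAfter)
}

func main() {
	reg := NewRegistry() // constructed placeholder byte strings stand in for real public keys
	wallet := reg.Register("wallet", []byte("Pk_user_a"))
	issuer := reg.Register("issuer", []byte("Pk_issuer_1"))
	now := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	ref := CredentialRef{CredentialID: "CREDENTIAL_V1_a", IssuerTID: issuer, NotAfter: now.AddDate(1, 0, 0)}
	fmt.Println(wallet, reg.AddCredential(wallet, ref), reg.CredentialUsable(wallet, ref.CredentialID, now))
	fmt.Println(reg.Revoke(wallet, ref.CredentialID), reg.CredentialUsable(wallet, ref.CredentialID, now))
}
```

The issuer-role check in AddCredential is the practical point: a server that later verifies a credential against "the issuer's public key" must be able to trust that the key it resolves belongs to a registered issuer and not to an arbitrary party that registered a wallet identifier.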
Fig. 5 is a timing chart of a login authentication method according to an embodiment of the present application, and as shown in fig. 5, substantially describes the entire timing flow of the present application, and the following description will be given below:
(I) Pre-operations before the target account logs in:
1) The target client acquires the signature identity of the target account:
S1.1, a target client sends a target account public key to a blockchain distributed identity management system;
S1.2, the blockchain distributed identity management system receives a target account public key, generates a target account identity corresponding to the target account public key according to the target account public key, and then sends the target account identity to a target client;
S1.3, the target client signs the target account identity according to the target account private key to obtain the target account signature identity.
2) The server acquires a server signature identity:
S2.1, a server sends a server public key to a block chain distributed identity management system;
S2.2, the blockchain distributed identity management system receives the server public key, generates the server identity identifier corresponding to the server public key according to the server public key, and then sends the server identity identifier to the server;
S2.3, the server signs the server identity according to the server private key to obtain the server signature identity.
3) The trusted credential issuing mechanism obtains the target account signature identity credential:
S3.1, the trusted credential issuing mechanism sends its public key to the blockchain distributed identity management system;
S3.2, the blockchain distributed identity management system receives the public key of the trusted credential issuing mechanism, generates the target account identity credential corresponding to that public key, and then sends the target account identity credential to the trusted credential issuing mechanism;
S3.3, the trusted credential issuing mechanism signs the target account identity credential with its private key to obtain the target account signature identity credential.
4) The target client acquires the target account signature identity credential:
S4.1, the target client sends an authentication request based on the target account to the trusted credential issuing mechanism, where the authentication request includes identity information of the target account;
S4.2, the trusted credential issuing mechanism receives the authentication request, retrieves the target account signature identity credential according to the authentication request, and sends it to the target client;
S4.3, the target client receives the target account signature identity credential sent by the trusted credential issuing mechanism.
(II) login from the target client to the server:
S5.1, the target client receives login operation of logging in the target account;
S5.2, the target client sends a login request based on the target account to the server;
S5.3, the server receives and responds to the login request sent by the target client, and sends the server signature identity to the target client;
S5.4, the target client receives the server signature identity sent by the server, verifies the server signature identity according to the server public key, and obtains a first verification result;
S5.5, if the first verification result is that verification passed, the target client sends the target account signature identity identifier and the target account signature identity credential to the server;
S5.6, the server receives the target account signature identity and the target account signature identity certificate sent by the target client, verifies the target account signature identity according to the target account public key and verifies the target account signature identity certificate according to the trusted certificate issuing mechanism public key, and a second verification result is obtained;
S5.7, the server sends a second verification result to the target client;
S5.8, the target client receives a second verification result sent by the server, and logs in to the server when the second verification result is verification passing.
Through the above steps, the target client sends a login request based on the target account to the server; the server receives and responds to the login request by sending the server signature identity identifier to the target client; and the target client verifies the server signature identity identifier according to the server public key to obtain the first verification result, thereby verifying the server. If the first verification result is that verification passed, the target client sends the target account signature identity identifier and the target account signature identity credential to the server; the server verifies the target account signature identity identifier according to the target account public key and the target account signature identity credential according to the trusted credential issuing mechanism public key to obtain the second verification result, thereby verifying the target client's target account and the reliability of the user identity; the server sends the second verification result to the target client, which logs in to the server if the second verification result is that verification passed. This solves the technical problem in the related art that verification runs in a single direction when a user logs in to a server, leaving potential safety hazards.
Based on the foregoing embodiments and optional embodiments, an optional implementation is provided, and is specifically described below.
The invention provides a login verification method in an alternative embodiment, which is based on the scene of a digital wallet, realizes verifiable credentials of various generalized identities of a user by means of asymmetric cryptographic technology and distributed identity technology, helps the user to carry out login verification by means of verifiable identity credentials based on cryptographic technology, and further carries out distributed verification by means of multiple parties, thereby realizing bidirectional authentication of a client and a server and multiple authentication of the client, and further improving safety and credibility. The following describes alternative embodiments of the present invention in detail:
Fig. 6 is a schematic diagram of roles of a login verification method according to an alternative embodiment of the present invention, and as shown in fig. 6, the roles and systems included in the alternative embodiment of the present invention include a digital wallet App user (same as the target client), a digital wallet server (same as the server), a trusted credential issuing mechanism (same as the trusted credential issuing mechanism), and a blockchain distributed identity management system. The above-described roles are described below:
1) Digital wallet App user-consumer using digital wallet App to make transaction payment.
2) And the digital wallet server is used for providing digital wallet service for the user after verifying the identity of the user.
3) The trusted credential issuing mechanism provides various trusted credentials for users (individual users or enterprise users), and in the scheme, the users are mainly subjected to online verification, and verifiable electronic credentials corresponding to the trusted credentials are issued.
4) And the block chain distributed identity management system is a system realized based on a block chain technology, and is used for issuing a distributed identity for a related party to generate and manage a distributed identity document.
Before describing the method steps provided by the alternative embodiments of the present invention, the relevant parameters are described, where the following parameters are defined:
1) TID: user distributed identity identifier, the identity ID issued by the distributed identity management system. TID_wallet_a represents the ID of digital wallet user a (same as the target account identity identifier above), TID_A represents the identity ID of the server, i.e. institution A (same as the server identity identifier above), and TID_issuer represents the ID of the trusted identity credential issuing institution (same as the identity credential generated for the trusted credential issuing mechanism above).
2) Pk_user/Sk_user: the public and private keys of the digital wallet user, generated locally in the digital wallet. The public and private keys of user a are Pk_user_a (same as the target account public key) and Sk_user_a (same as the target account private key). The key pair of digital wallet user a is used mainly to declare to the digital wallet server, by means of a signature, that the TID it submits belongs to that user. To enhance security, the public keys in this scheme are public key certificates.
3) Pk_Regi/Sk_Regi: in this scheme, Pk_Regi/Sk_Regi are used mainly by institutions to apply for TIDs from the blockchain distributed identity management system. The public and private keys of institution A are Pk_Regi_A (same as the server public key) and Sk_Regi_A (same as the server private key). The public key is used to apply for the TID, and the private key can be used to prove to other parties, by means of a signature, that the TID belongs to the institution. To enhance security, the public keys in this scheme are public key certificates.
4) Pk_issuer/Sk_issuer: the public and private keys of the identity credential issuing institutions. Where there are n generalized identity credential issuing institutions, the key pairs are Pk_issuer_1/Sk_issuer_1, Pk_issuer_2/Sk_issuer_2, ..., Pk_issuer_n/Sk_issuer_n. In this embodiment one generalized identity credential issuing institution is taken as an example, with key pair Pk_issuer_1 (same as the trusted credential issuing mechanism public key) and Sk_issuer_1 (same as the trusted credential issuing mechanism private key). To enhance security, the public keys in this scheme are public key certificates. The generalized identity credential issuing institution can issue a trusted credential CREDENTIAL_V1_a (same as the target account identity credential) to digital wallet user a.
5) Initializing the TID-DOC identity document: in the blockchain distributed identity management system each TID-DOC is a table in a Key-Value database, and the TID-DOC corresponding to a TID can be found through that TID. When a digital wallet user, the digital wallet server or a generalized identity credential issuing institution applies for a TID, the distributed identity management system writes the binding between the TID and its public key into the document, for example the correspondence between Pk_user_a and TID_wallet_a. The TID-DOC is kept tamper-proof through blockchain ledger synchronization.
6) Updating the TID-DOC: after a digital wallet user adds a credential issued by a new generalized identity credential issuing institution, the blockchain distributed identity management system updates the user's TID-DOC identity document. For example, when the trusted institution Veri1 issues the trusted credential CREDENTIAL_V1_a (same as the target account identity credential) to digital wallet user a, the TID-DOC adds the validity time of CREDENTIAL_V1_a and the verification relationship between CREDENTIAL_V1_a and the public key Pk_Veri1_veri. After the update, the document is again kept tamper-proof through blockchain ledger synchronization.
7) CREDENTIAL: verifiable identity credential, that is, an identity credential signed by a generalized identity credential issuing institution. For example, digital wallet user a submits the relevant information to an institution that grants the user certain identity attributes (physical credentials); after the relevant verification (password, face, identity card verification and the like), the generalized identity credential issuing institution electronically signs the credential, which attests that the user has been authenticated as holding those identity attributes. In this scheme the CREDENTIAL identity credential comprises identity attribute information and a signature over that identity attribute information.
8) Blockchain distributed identity management system: a blockchain platform responsible for issuing DIDs to the various roles and for creating and maintaining DID documents. Each operating institution and generalized identity credential issuing institution interacts securely with the blockchain distributed system through an API.
The TID-DOC document in the blockchain is illustrated below:
Table 1 shows the Key-Value document corresponding to the target account, as shown in Table 1:
TABLE 1
Table 2 shows the Key-Value document corresponding to the trusted credential issuing mechanism, as shown in Table 2:
TABLE 2
Table 3 shows Key-Value documents corresponding to the servers, as shown in Table 3:
TABLE 3
The method of this optional embodiment of the invention comprises the following three stages: generation of the distributed identity identifiers and identity documents of digital wallet user a and the institutions; acquisition by digital wallet user a of a verifiable identity credential for login; and login of the digital wallet client to the digital wallet server. The three stages are described in detail below:
1. Generation of the distributed identity identifiers and identity documents of digital wallet user a and the institutions:
S6.1, the user and the institution each generate a key pair for registering a TID: digital wallet user a generates Pk_user_a (same as the target account public key)/Sk_user_a (same as the target account private key), and institution A generates Pk_Regi_A (same as the server public key)/Sk_Regi_A (same as the server private key).
S6.2, the trusted credential issuing institution generates a public-private key pair for issuing verifiable credentials. Key pairs may be generated for n identity credential issuing institutions that issue credentials to the user, denoted Pk_issuer_1/Sk_issuer_1, Pk_issuer_2/Sk_issuer_2, ..., Pk_issuer_n/Sk_issuer_n; taking one identity authentication as an example, the pair is Pk_issuer_1 (same as the trusted credential issuing mechanism public key) and Sk_issuer_1 (same as the trusted credential issuing mechanism private key).
S6.3, digital wallet user a and institution A respectively submit their public keys Pk_user_a and Pk_Regi_A to the blockchain distributed identity management system.
S6.4, the blockchain distributed identity management system generates the identity identifiers TID_wallet_a (same as the target account identity identifier) and TID_A (same as the server identity identifier) for each of them.
S6.5, the blockchain distributed identity management system generates the identity documents, namely the identity document TID-DOC_Wallet_a of digital wallet user a and the identity document TID-DOC_A of operating institution A. Each identity document records the binding between the ID and its public key together with other attributes: TID-DOC_Wallet_a records the binding between the wallet user's identity identifier TID_wallet_a and the wallet user's public key Pk_user_a, and TID-DOC_A records the binding between institution A's identity identifier TID_A and its public key Pk_Regi_A.
S6.6, the blockchain distributed identity management system sends each party its identity identifier TID, that is, TID_wallet_a to digital wallet user a and TID_A to institution A; the identity documents are synchronized automatically through the blockchain to prevent tampering.
2. The digital wallet user a obtains verifiable identity credentials for login:
S7.1, digital wallet user a initiates verifiable electronic identity credential applications to the n generalized identity credential issuing institutions on the basis of the (physical) identity credentials those institutions have issued; the user submits the relevant information required by each institution, which executes its verification procedures and authenticates the user's identity.
S7.2, the generalized identity credential issuing institution generates the identity credential CREDENTIAL_V1_a of digital wallet user a according to the verifiable identity credential template and signs it with its own private key Sk_issuer_1 (a validity period may be set for the credential, and it may be revoked flexibly).
S7.3, the generalized identity credential issuing institution issues the verifiable identity credential to digital wallet user a, who stores it locally.
3. Digital wallet user a logs in to the digital wallet server by the digital wallet client:
S8.1, digital wallet user a applies through the App client to log in to the server, i.e. to institution A. Institution A signs its distributed identity identifier TID_A with its private key Sk_Regi_A to obtain the signed distributed identity identifier TID_A (same as the server signature identity identifier) and sends it, together with its public key Pk_Regi_A, to user a.
It should be noted that, because the public key Pk_Regi_A already exists in the blockchain system, it need not be sent; user a can obtain it from the blockchain system instead.
S8.2, digital wallet user a receives the signed distributed identity identifier TID_A sent by institution A and verifies the signature on TID_A with institution A's public key Pk_Regi_A, thereby completing authentication of the server and obtaining the first verification result.
S8.3, if the first verification result is that verification passed, digital wallet user a signs TID_wallet_a with the private key Sk_user_a to obtain the signed distributed identity identifier TID_wallet_a (same as the target account signature identity identifier) and sends it, together with the public key Pk_user_a and the verifiable credential CREDENTIAL_V1_a (same as the target account signature identity credential) issued by the generalized identity credential issuing institution, to institution A.
It should be noted that, because the public keys Pk_user_a and Pk_issuer_1 already exist in the blockchain system, they need not be sent; institution A can obtain them from the blockchain system instead.
S8.4, institution A verifies user a's signature on TID_wallet_a with the public key Pk_user_a, confirming that TID_wallet_a belongs to the client user, and verifies CREDENTIAL_V1_a with the public key Pk_issuer_1, confirming its validity; this constitutes a second, multi-factor verification of the client.
And S8.5, after the verification is completed, the digital wallet user a logs in to the digital wallet server through the digital wallet client.
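The login exchange of steps S5.1 to S5.8 and, with concrete names, S8.1 to S8.5 can be exercised end to end as follows. This is an added example written for this page, not code from the patent or from the applicants' digital wallet. It uses Ed25519 from the Go standard library; the credential fields, the TID strings and the issuer names are assumptions, and the parties' keys are generated in place rather than resolved from the blockchain distributed identity management system. It goes slightly beyond the single-issuer case in the text by letting the server require a valid credential from each of several issuers (the strict-service case), and it rejects the failures a server must catch: a forged signature on the identifier, a tampered credential, a credential issued to a different holder, and an expired one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is the content an issuer signs (assumed fields; the page fixes no credential format).
type Credential struct {
	ID        string    `json:"id"`
	Holder    string    `json:"holder"` // the wallet user's TID
	Issuer    string    `json:"issuer"` // the issuer's TID
	Attribute string    `json:"attribute"`
	NotAfter  time.Time `json:"not_after"` // validity period
}

// SignedCredential is CREDENTIAL_V1_a: the credential plus the issuer's signature over its JSON encoding.
type SignedCredential struct {
	Credential Credential
	Signature  []byte
}

// IssueCredential is step S7.2: the issuer signs the credential with its private key Sk_issuer.
func IssueCredential(issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(issuerPriv, body)}, nil
}

// SignTID is what each side does with its own identifier: S8.1 for the server, S8.3 for the user.
func SignTID(priv ed25519.PrivateKey, tid string) []byte {
	return ed25519.Sign(priv, []byte(tid))
}

// ClientVerifyServer is step S8.2; serverPub should be resolved from the registry, not taken from the reply.
func ClientVerifyServer(serverTID string, sig []byte, serverPub ed25519.PublicKey) bool {
	return ed25519.Verify(serverPub, []byte(serverTID), sig)
}

// LoginRequest is the client's second message (S5.5 / S8.3): signed TID plus one or more credentials.
type LoginRequest struct {
	WalletTID   string
	TIDSig      []byte
	Credentials []SignedCredential
}

// ServerVerifyClient is step S8.4: the user's signature on its TID; then per credential a known issuer,
// a valid issuer signature, the right holder and an unexpired validity; then every required issuer covered.
func ServerVerifyClient(req LoginRequest, walletPub ed25519.PublicKey, issuerKeys map[string]ed25519.PublicKey,
	requiredIssuers []string, now time.Time) error {
	if !ed25519.Verify(walletPub, []byte(req.WalletTID), req.TIDSig) {
		return fmt.Errorf("TID signature invalid: %s does not belong to this client", req.WalletTID)
	}
	valid := map[string]bool{}
	for _, sc := range req.Credentials {
		c := sc.Credential
		pub, ok := issuerKeys[c.Issuer]
		if !ok {
			return fmt.Errorf("credential %s: unknown issuer %s", c.ID, c.Issuer)
		}
		body, err := json.Marshal(c)
		if err != nil {
			return err
		}
		if !ed25519.Verify(pub, body, sc.Signature) {
			return fmt.Errorf("credential %s: issuer signature invalid", c.ID)
		}
		if c.Holder != req.WalletTID {
			return fmt.Errorf("credential %s: issued to %s, presented by %s", c.ID, c.Holder, req.WalletTID)
		}
		if now.After(c.NotAfter) {
			return fmt.Errorf("credential %s: expired at %s", c.ID, c.NotAfter.Format(time.RFC3339))
		}
		valid[c.Issuer] = true
	}
	for _, iss := range requiredIssuers {
		if !valid[iss] {
			return fmt.Errorf("no valid credential from required issuer %s", iss)
		}
	}
	return nil
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed parties; keys made in place
	walletPub, walletPriv, _ := ed25519.GenerateKey(rand.Reader)
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	cred, _ := IssueCredential(issuerPriv, Credential{ID: "CREDENTIAL_V1_a", Holder: "TID_wallet_a",
		Issuer: "TID_issuer_1", Attribute: "kyc-verified", NotAfter: now.AddDate(1, 0, 0)})
	req := LoginRequest{WalletTID: "TID_wallet_a", TIDSig: SignTID(walletPriv, "TID_wallet_a"),
		Credentials: []SignedCredential{cred}}
	fmt.Println(ClientVerifyServer("TID_A", SignTID(serverPriv, "TID_A"), serverPub),
		ServerVerifyClient(req, walletPub, map[string]ed25519.PublicKey{"TID_issuer_1": issuerPub}, []string{"TID_issuer_1"}, now))
}
```

The second verification result is the returned error: nil means verification passed. Two caveats follow from the steps as written. First, each side signs only its bare identifier, so the signed identifiers are static values that anyone who has observed them once could replay; binding a fresh server-supplied nonce into each signature is a natural hardening that the patent does not describe. Second, the holder check matters as much as the signature check: a credential that verifies under the issuer's key but names another TID is a valid credential presented by the wrong client.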
The login verification method provided by this alternative embodiment of the invention realizes verifiable credentials for the user's various generalized identities by means of asymmetric cryptography and distributed identity technology, helps the user perform login verification with verifiable identity credentials based on cryptography, and further performs distributed verification by multiple parties, thereby achieving bidirectional authentication between client and server and multiple authentication of the client, and further improving security and credibility.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the various embodiments of the present invention.
According to an embodiment of the present invention, there is further provided an apparatus for implementing the login verification method, and fig. 7 is a block diagram of a login verification apparatus according to an embodiment of the present invention, and as shown in fig. 7, the apparatus includes a first sending module 702, a first receiving module 704, a first verification module 706, a second sending module 708, and a first login module 710, which are described in detail below.
The first sending module 702 is used for sending a login request based on a target account to a server. The first receiving module 704, connected to the first sending module 702, is used for receiving a server signature identity identifier sent by the server, where the server signature identity identifier is obtained by signing the server identity identifier with a server private key. The first verification module 706, connected to the first receiving module 704, is used for verifying the server signature identity identifier according to a server public key to obtain a first verification result. The second sending module 708, connected to the first verification module 706, is used for sending a target account signature identity identifier and a target account signature identity credential to the server when the first verification result is that verification passed, where the target account signature identity identifier is obtained by signing the target account identity identifier with a target account private key, and the target account signature identity credential is obtained by signing the target account identity credential with a trusted credential issuing mechanism private key. The first login module 710, connected to the second sending module 708, is used for receiving a second verification result sent by the server and logging in to the server when the second verification result is that verification passed, where the second verification result is obtained by the server verifying the target account signature identity identifier according to the target account public key and the target account signature identity credential according to the trusted credential issuing mechanism public key.
Here, the first sending module 702, the first receiving module 704, the first verification module 706, the second sending module 708 and the first login module 710 correspond to steps S102 to S110 of the login verification method; the examples and application scenarios implemented by these modules are the same as those of the corresponding steps, but are not limited to those disclosed in the foregoing embodiments.
According to an embodiment of the present invention, there is further provided an apparatus for implementing the second login verification method. Fig. 8 is a block diagram of a second login verification apparatus according to an embodiment of the present invention; as shown in fig. 8, the apparatus includes a second receiving module 802, a third sending module 804, a third receiving module 806, a second verification module 808 and a fourth sending module 810, which are described in detail below.
The second receiving module 802 is used for receiving a login request sent by a target client. The third sending module 804, connected to the second receiving module 802, is used for responding to the login request by sending a server signature identity to the target client, so that the target client verifies the server signature identity according to the server public key to obtain a first verification result, where the server signature identity is a signature identity obtained by signing the server identity with the server private key. The third receiving module 806, connected to the third sending module 804, is used for receiving a target account signature identity and a target account signature identity credential sent by the target client when the first verification result is verification passed, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key. The second verification module 808, connected to the third receiving module 806, is used for verifying the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result. The fourth sending module 810, connected to the second verification module 808, is used for sending the second verification result to the target client.
Here, the second receiving module 802, the third sending module 804, the third receiving module 806, the second verification module 808 and the fourth sending module 810 correspond to steps S202 to S210 of the login verification method; the examples and application scenarios implemented by these modules are the same as those of the corresponding steps, but are not limited to the disclosure of the foregoing embodiments.
According to an embodiment of the present invention, there is further provided an apparatus for implementing the third login verification method. Fig. 9 is a block diagram of a third login verification apparatus according to an embodiment of the present invention; as shown in fig. 9, the apparatus includes a fifth sending module 902, a sixth sending module 904, a third verification module 906, a seventh sending module 908, a fourth verification module 910, an eighth sending module 912 and a second login module 914, which are described in detail below.
The fifth sending module 902 is configured for the target client to send a login request based on a target account to the server. The sixth sending module 904, connected to the fifth sending module 902, is configured for the server to receive and respond to the login request sent by the target client and to send a server signature identity to the target client, where the server signature identity is a signature identity obtained by signing the server identity with the server private key. The third verification module 906, connected to the sixth sending module 904, is configured for the target client to receive the server signature identity sent by the server and verify it according to the server public key to obtain a first verification result. The seventh sending module 908, connected to the third verification module 906, is configured for the target client to send a target account signature identity and a target account signature identity credential to the server when the first verification result is verification passed, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key. The fourth verification module 910, connected to the seventh sending module 908, is configured for the server to receive the target account signature identity and the target account signature identity credential sent by the target client and to verify the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key, obtaining a second verification result. The eighth sending module 912, connected to the fourth verification module 910, is configured for the server to send the second verification result to the target client. The second login module 914, connected to the eighth sending module 912, is configured for the target client to receive the second verification result sent by the server and to log in to the server when the second verification result is verification passed.
Here, the fifth sending module 902, the sixth sending module 904, the third verification module 906, the seventh sending module 908, the fourth verification module 910, the eighth sending module 912 and the second login module 914 correspond to steps S302 to S314 of the login verification method; the examples and application scenarios implemented by these modules are the same as those of the corresponding steps, but are not limited to the disclosure of the foregoing embodiments.
According to an embodiment of the present invention, there is further provided an apparatus for implementing the fourth login verification method. Fig. 10 is a block diagram of a fourth login verification apparatus according to an embodiment of the present invention; as shown in fig. 10, the apparatus includes a fourth receiving module 1002, a generating module 1004 and a ninth sending module 1006, which are described in detail below.
The fourth receiving module 1002 is used for receiving a target account public key, a server public key and a trusted credential issuing authority public key. The generating module 1004, connected to the fourth receiving module 1002, is used for generating a target account identity corresponding to the target account public key according to the target account public key, generating a server identity corresponding to the server public key according to the server public key, and generating a target account identity credential corresponding to the trusted credential issuing authority public key according to the trusted credential issuing authority public key. The ninth sending module 1006 is used for sending the target account identity to the target client, sending the server identity to the server, and sending the target account identity credential to the trusted credential issuing authority, so that the target client signs the target account identity with the target account private key to obtain a target account signature identity, the server signs the server identity with the server private key to obtain a server signature identity, and the trusted credential issuing authority signs the target account identity credential with the trusted credential issuing authority private key to obtain a target account signature identity credential.
Here, the fourth receiving module 1002, the generating module 1004 and the ninth sending module 1006 correspond to steps S402 to S406 of the login verification method; the examples and application scenarios implemented by these modules are the same as those of the corresponding steps, but are not limited to the disclosure of the foregoing embodiments.
According to another aspect of the embodiment of the invention, there is provided an electronic device, including a processor and a memory for storing instructions executable by the processor, wherein the processor is configured to execute the instructions to implement any one of the above login verification methods.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the login verification method and apparatus in the embodiments of the present invention, and the processor executes the software programs and modules stored in the memory, thereby executing various functional applications and data processing, that is, implementing the login verification method described above. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located relative to the processor, which may be connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through a transmission device to execute the following steps: sending a login request based on a target account to a server; receiving a server signature identity sent by the server, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; verifying the server signature identity according to the server public key to obtain a first verification result; when the first verification result is verification passed, sending a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; and receiving a second verification result sent by the server and logging in to the server when the second verification result is verification passed, where the second verification result is obtained by the server verifying the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key.
Optionally, the processor may further execute program code for the following steps before sending the target account signature identity and the target account signature identity credential to the server: sending an authentication request based on the target account to the trusted credential issuing authority, so that the trusted credential issuing authority generates the target account identity credential corresponding to the target account, where the authentication request includes identity information of the target account; and receiving the target account signature identity credential sent by the trusted credential issuing authority.
Optionally, the processor may further execute program code for the following steps before sending the login request based on the target account to the server: determining a target account public key and a target account private key of the target account; sending the target account public key to the blockchain distributed identity management system to generate the target account identity corresponding to the target account public key; and receiving the target account identity sent by the blockchain distributed identity management system.
Optionally, the processor may further execute program code for obtaining the server public key in at least one of the following ways: receiving the server public key sent by the server, and receiving the server public key sent by the blockchain distributed identity management system.
The processor can call the information and application program stored in the memory through a transmission device to execute the following steps: receiving a login request sent by a target client; responding to the login request by sending a server signature identity to the target client, so that the target client verifies the server signature identity according to the server public key to obtain a first verification result, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; when the first verification result is verification passed, receiving a target account signature identity and a target account signature identity credential sent by the target client, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; verifying the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result; and sending the second verification result to the target client.
Optionally, the processor may further execute program code for the following steps before receiving the login request sent by the target client: determining a server public key and a server private key of the server; sending the server public key to the blockchain distributed identity management system to generate the server identity corresponding to the server public key; and receiving the server identity sent by the blockchain distributed identity management system.
Optionally, the processor may further execute program code for obtaining the target account public key in at least one of the following ways: receiving the target account public key sent by the target client, and receiving the target account public key sent by the blockchain distributed identity management system.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: the target client sends a login request based on a target account to the server; the server receives and responds to the login request sent by the target client and sends a server signature identity to the target client, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; the target client receives the server signature identity sent by the server and verifies it according to the server public key to obtain a first verification result; when the first verification result is verification passed, the target client sends a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; the server receives the target account signature identity and the target account signature identity credential sent by the target client and verifies the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result; the server sends the second verification result to the target client; and the target client receives the second verification result and logs in to the server when the second verification result is verification passed.
The processor may call the information and application program stored in the memory through the transmission device to execute the following steps: receiving a target account public key, a server public key and a trusted credential issuing authority public key; generating a target account identity corresponding to the target account public key according to the target account public key, generating a server identity corresponding to the server public key according to the server public key, and generating a target account identity credential corresponding to the trusted credential issuing authority public key according to the trusted credential issuing authority public key; and sending the target account identity to the target client, the server identity to the server, and the target account identity credential to the trusted credential issuing authority, so that the target client signs the target account identity with the target account private key to obtain a target account signature identity, the server signs the server identity with the server private key to obtain a server signature identity, and the trusted credential issuing authority signs the target account identity credential with the trusted credential issuing authority private key to obtain a target account signature identity credential.
Optionally, the processor may further execute program code for determining a first Key-Value correspondence, a second Key-Value correspondence and a third Key-Value correspondence, where the first Key-Value correspondence stores the correspondence between a target account public key and the target account identity corresponding to that public key, the second Key-Value correspondence stores the correspondence between a server public key and the server identity corresponding to that public key, and the third Key-Value correspondence stores the correspondence between a trusted credential issuing authority public key and the target account identity credential corresponding to that public key.
Optionally, the processor may further execute program code for determining the third Key-Value correspondence as follows: obtaining the valid time of the target account identity credential corresponding to the trusted credential issuing authority public key, and determining the third Key-Value correspondence from the correspondence between the trusted credential issuing authority public key and the target account identity credential corresponding to it together with that credential's valid time.
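The exchange the modules and processor steps above describe, between the target client, the server, the trusted credential issuing authority and the blockchain distributed identity management system, written out as an added example in Go. This is not code from the patent or its applicants. It assumes Ed25519 signatures and an identifier derived by hashing the public key (the page fixes neither), a credential that carries its valid time as in the third Key-Value correspondence, and a server-issued nonce bound into both signatures; the nonce is not in the patent text and is added because a signature over a fixed identifier alone could be captured and replayed at a later login. It also goes slightly beyond the text in checking that the credential names the same identity the account key signed for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the blockchain distributed identity management system: the
// Key-Value correspondence public key -> identifier (hash-based derivation assumed).
type Registry map[string]string

func (r Registry) Register(pub ed25519.PublicKey) string {
	r[string(pub)] = fmt.Sprintf("did:example:%x", sha256.Sum256(pub))
	return r[string(pub)]
}

// Credential is the identity credential signed by the trusted credential issuing
// authority; NotAfter (unix seconds) is the credential's valid time.
type Credential struct {
	AccountID string
	NotAfter  int64
	Sig       []byte // issuer signature over credBytes(AccountID, NotAfter)
}

func credBytes(id string, notAfter int64) []byte { return []byte(fmt.Sprintf("cred|%s|%d", id, notAfter)) }
func IssueCredential(issuerPriv ed25519.PrivateKey, id string, notAfter int64) Credential {
	return Credential{id, notAfter, ed25519.Sign(issuerPriv, credBytes(id, notAfter))}
}

type Server struct {
	id     string
	priv   ed25519.PrivateKey
	issuer ed25519.PublicKey // trusted credential issuing authority public key
	reg    Registry
}

type Client struct {
	accountID string
	priv      ed25519.PrivateKey
	cred      Credential
}

// Challenge answers the login request with the signed server identity. The fresh nonce
// is this example's addition: bound into both signatures, it stops a captured signed identity from being replayed later.
func (s *Server) Challenge() (id string, nonce, sig []byte) {
	nonce = make([]byte, 16)
	rand.Read(nonce)
	return s.id, nonce, ed25519.Sign(s.priv, append([]byte(s.id), nonce...))
}

// VerifyServer yields the first verification result: the server public key must map to the claimed identifier and the signature must verify under it.
func (c *Client) VerifyServer(reg Registry, serverPub ed25519.PublicKey, id string, nonce, sig []byte) bool {
	return reg[string(serverPub)] == id && ed25519.Verify(serverPub, append([]byte(id), nonce...), sig)
}

func (c *Client) Respond(nonce []byte) (string, []byte, Credential) {
	return c.accountID, ed25519.Sign(c.priv, append([]byte(c.accountID), nonce...)), c.cred
}

// VerifyClient yields the second verification result: account signature under the account
// public key, credential under the issuer public key, plus the binding and valid-time checks.
func (s *Server) VerifyClient(accountPub ed25519.PublicKey, accountID string, nonce, sig []byte, cred Credential, now time.Time) error {
	switch {
	case s.reg[string(accountPub)] != accountID:
		return errors.New("account identity not registered for this public key")
	case !ed25519.Verify(accountPub, append([]byte(accountID), nonce...), sig):
		return errors.New("bad account signature")
	case cred.AccountID != accountID:
		return errors.New("credential issued for a different identity")
	case !ed25519.Verify(s.issuer, credBytes(cred.AccountID, cred.NotAfter), cred.Sig):
		return errors.New("bad issuer signature on credential")
	case now.Unix() > cred.NotAfter:
		return errors.New("credential expired")
	}
	return nil
}

// Login runs the whole exchange; a nil error means the client may log in.
func Login(c *Client, s *Server, accountPub, serverPub ed25519.PublicKey, now time.Time) error {
	id, nonce, ssig := s.Challenge()
	if !c.VerifyServer(s.reg, serverPub, id, nonce, ssig) {
		return errors.New("server identity verification failed")
	}
	accID, asig, cred := c.Respond(nonce)
	return s.VerifyClient(accountPub, accID, nonce, asig, cred, now)
}

// Setup registers fresh server and account keys and issues the account credential.
func Setup(credNotAfter int64) (*Client, *Server, ed25519.PublicKey, ed25519.PublicKey) {
	reg := Registry{}
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)
	accPub, accPriv, _ := ed25519.GenerateKey(rand.Reader)
	srvID, accID := reg.Register(srvPub), reg.Register(accPub)
	c := &Client{accountID: accID, priv: accPriv, cred: IssueCredential(issPriv, accID, credNotAfter)}
	return c, &Server{id: srvID, priv: srvPriv, issuer: issPub, reg: reg}, accPub, srvPub
}
```

Setup followed by Login runs the full exchange; passing Setup a valid time in the past exercises the expiry branch that the third Key-Value correspondence exists to support, and handing Login a public key that the registry does not map to the server identity fails at the first verification result before any account material is sent.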
According to another aspect of embodiments of the present invention, there is also provided a computer-readable storage medium storing instructions which, when executed by a processor of an electronic device, cause the electronic device to perform any one of the login verification methods above.
Alternatively, the computer readable storage medium may be a non-transitory computer readable storage medium, for example, a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Alternatively, in this embodiment, the computer-readable storage medium may be used to store the program code executed by the login authentication method provided in the above embodiment.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for the following steps: sending a login request based on a target account to a server; receiving a server signature identity sent by the server, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; verifying the server signature identity according to the server public key to obtain a first verification result; when the first verification result is verification passed, sending a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; and receiving a second verification result sent by the server and logging in to the server when the second verification result is verification passed, where the second verification result is obtained by the server verifying the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for performing the steps of, before sending the target account signature identity and the target account signature identity credential to the server, sending a target account-based authentication request to the trusted credential issuing authority to cause the trusted credential issuing authority to generate a target account identity credential corresponding to the target account, wherein the authentication request includes identity information of the target account, and receiving the target account signature identity credential sent by the trusted credential issuing authority.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for performing the steps of determining a target account public key and a target account private key of the target account, sending the target account public key to the blockchain distributed identity management system to generate a target account identity corresponding to the target account public key, and receiving the target account identity sent by the blockchain distributed identity management system, before sending the target account-based login request to the server.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for obtaining the server public key in at least one of the following ways: receiving the server public key sent by the server, and receiving the server public key sent by the blockchain distributed identity management system.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for the following steps: receiving a login request sent by a target client; responding to the login request by sending a server signature identity to the target client, so that the target client verifies the server signature identity according to the server public key to obtain a first verification result, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; when the first verification result is verification passed, receiving a target account signature identity and a target account signature identity credential sent by the target client, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; verifying the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result; and sending the second verification result to the target client.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for determining a server public key and a server private key of the server prior to receiving the login request sent by the target client, inputting the server public key to the blockchain distributed identity management system to generate a server identity corresponding to the server public key, and receiving the server identity sent by the blockchain distributed identity management system.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for obtaining the target account public key in at least one of the following ways: receiving the target account public key sent by the target client, and receiving the target account public key sent by the blockchain distributed identity management system.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for the following steps: the target client sends a login request based on a target account to the server; the server receives and responds to the login request sent by the target client and sends a server signature identity to the target client, where the server signature identity is a signature identity obtained by signing the server identity with the server private key; the target client receives the server signature identity sent by the server and verifies it according to the server public key to obtain a first verification result; when the first verification result is verification passed, the target client sends a target account signature identity and a target account signature identity credential to the server, where the target account signature identity is a signature identity obtained by signing the target account identity with the target account private key, and the target account signature identity credential is a signature identity credential obtained by signing the target account identity credential with the trusted credential issuing authority private key; the server receives the target account signature identity and the target account signature identity credential sent by the target client and verifies the target account signature identity according to the target account public key and the target account signature identity credential according to the trusted credential issuing authority public key to obtain a second verification result; the server sends the second verification result to the target client; and the target client receives the second verification result and logs in to the server when the second verification result is verification passed.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for the following steps: receiving a target account public key, a server public key and a trusted credential issuing authority public key; generating a target account identity corresponding to the target account public key according to the target account public key, generating a server identity corresponding to the server public key according to the server public key, and generating a target account identity credential corresponding to the trusted credential issuing authority public key according to the trusted credential issuing authority public key; and sending the target account identity to the target client, the server identity to the server, and the target account identity credential to the trusted credential issuing authority, so that the target client signs the target account identity with the target account private key to obtain a target account signature identity, the server signs the server identity with the server private key to obtain a server signature identity, and the trusted credential issuing authority signs the target account identity credential with the trusted credential issuing authority private key to obtain a target account signature identity credential.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for determining a first Key-Value correspondence, a second Key-Value correspondence and a third Key-Value correspondence, where the first Key-Value correspondence stores the correspondence between a target account public key and the target account identity corresponding to that public key, the second Key-Value correspondence stores the correspondence between a server public key and the server identity corresponding to that public key, and the third Key-Value correspondence stores the correspondence between a trusted credential issuing authority public key and the target account identity credential corresponding to that public key.
Optionally, in this embodiment, the computer readable storage medium is configured to store program code for determining the third Key-Value correspondence as follows: obtaining the valid time of the target account identity credential corresponding to the trusted credential issuing authority public key, and determining the third Key-Value correspondence from the correspondence between the trusted credential issuing authority public key and the target account identity credential corresponding to it together with that credential's valid time.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. On this understanding, the technical solution of the present invention, in essence or in part, or all or part of it, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium that can store program code.
The foregoing is merely a preferred embodiment of the present invention. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present invention, and such modifications and adaptations are intended to fall within the scope of the present invention.

Claims (17)

1. A login verification method, comprising: sending a login request based on a target account to a server; receiving a server signed identity identifier sent by the server, wherein the server signed identity identifier is a signed identity identifier obtained by the server signing a server identity identifier with a server private key; verifying the server signed identity identifier according to a server public key to obtain a first verification result; when the first verification result is that verification passed, sending a target account signed identity identifier and a target account signed identity credential to the server, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; and receiving a second verification result sent by the server, and when the second verification result is that verification passed, logging in to the server, wherein the second verification result is obtained by the server verifying the target account signed identity identifier according to a target account public key and verifying the target account signed identity credential according to a public key of the trusted credential issuing authority.

2. The method according to claim 1, wherein before sending the target account signed identity identifier and the target account signed identity credential to the server, the method further comprises: sending an authentication request based on the target account to the trusted credential issuing authority, so that the trusted credential issuing authority generates the target account identity credential corresponding to the target account, wherein the authentication request includes identity information of the target account; and receiving the target account signed identity credential sent by the trusted credential issuing authority.

3. The method according to claim 1, wherein before sending the login request based on the target account to the server, the method further comprises: determining the target account public key and the target account private key of the target account; sending the target account public key to a blockchain distributed identity management system to generate the target account identity identifier corresponding to the target account public key; and receiving the target account identity identifier sent by the blockchain distributed identity management system.

4. The method according to claim 3, wherein the server public key is obtained in at least one of the following ways: receiving the server public key sent by the server; receiving the server public key sent by the blockchain distributed identity management system.

5. A login verification method, comprising: receiving a login request sent by a target client; in response to the login request, sending a server signed identity identifier to the target client, so that the target client verifies the server signed identity identifier according to a server public key to obtain a first verification result, wherein the server signed identity identifier is a signed identity identifier obtained by signing a server identity identifier with a server private key; when the first verification result is that verification passed, receiving a target account signed identity identifier and a target account signed identity credential sent by the target client, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; verifying the target account signed identity identifier according to a target account public key and verifying the target account signed identity credential according to a public key of the trusted credential issuing authority to obtain a second verification result; and sending the second verification result to the target client.

6. The method according to claim 5, wherein before receiving the login request sent by the target client, the method further comprises: determining the server public key and the server private key of the server; inputting the server public key into a blockchain distributed identity management system to generate the server identity identifier corresponding to the server public key; and receiving the server identity identifier sent by the blockchain distributed identity management system.

7. The method according to claim 6, wherein the target account public key is obtained in at least one of the following ways: receiving the target account public key sent by the target client; receiving the target account public key sent by the blockchain distributed identity management system.

8. A login verification method, comprising: a target client sending a login request based on a target account to a server; the server receiving and responding to the login request sent by the target client by sending a server signed identity identifier to the target client, wherein the server signed identity identifier is a signed identity identifier obtained by signing a server identity identifier with a server private key; the target client receiving the server signed identity identifier sent by the server and verifying the server signed identity identifier according to a server public key to obtain a first verification result; when the first verification result is that verification passed, the target client sending a target account signed identity identifier and a target account signed identity credential to the server, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; the server receiving the target account signed identity identifier and the target account signed identity credential sent by the target client, and verifying the target account signed identity identifier according to a target account public key and verifying the target account signed identity credential according to a public key of the trusted credential issuing authority to obtain a second verification result; the server sending the second verification result to the target client; and the target client receiving the second verification result sent by the server, and when the second verification result is that verification passed, the target client logging in to the server.

9. A login verification method, comprising: receiving a target account public key, a server public key and a public key of a trusted credential issuing authority; generating, according to the target account public key, a target account identity identifier corresponding to the target account public key, generating, according to the server public key, a server identity identifier corresponding to the server public key, and generating, according to the public key of the trusted credential issuing authority, a target account identity credential corresponding to the public key of the trusted credential issuing authority; and sending the target account identity identifier to a target client, sending the server identity identifier to a server, and sending the target account identity credential to the trusted credential issuing authority, so that the target client encrypts the target account identity identifier with a target client private key to obtain a target account signed identity identifier, the trusted credential issuing authority signs the target account identity identifier with a private key of the trusted credential issuing authority to obtain a target account signed identity credential, and the server signs the server identity identifier with a server private key to obtain a server signed identity identifier.

10. The method according to claim 9, further comprising: determining a first key-value correspondence, a second key-value correspondence and a third key-value correspondence, wherein the first key-value correspondence stores the correspondence between the target account public key and the target account identity identifier corresponding to the target account public key, the second key-value correspondence stores the correspondence between the server public key and the server identity identifier corresponding to the server public key, and the third key-value correspondence stores the correspondence between the public key of the trusted credential issuing authority and the target account identity credential corresponding to the public key of the trusted credential issuing authority.

11. The method according to claim 10, wherein determining the third key-value correspondence comprises: obtaining a validity period of the target account identity credential corresponding to the public key of the trusted credential issuing authority; and determining the third key-value correspondence according to the correspondence between the public key of the trusted credential issuing authority and the target account identity credential corresponding to that public key, together with the validity period of that target account identity credential.

12. A login verification device, comprising: a first sending module, configured to send a login request based on a target account to a server; a first receiving module, configured to receive a server signed identity identifier sent by the server, wherein the server signed identity identifier is a signed identity identifier obtained by the server signing a server identity identifier with a server private key; a first verification module, configured to verify the server signed identity identifier according to a server public key to obtain a first verification result; a second sending module, configured to send a target account signed identity identifier and a target account signed identity credential to the server when the first verification result is that verification passed, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; and a first login module, configured to receive a second verification result sent by the server and to log in to the server when the second verification result is that verification passed, wherein the second verification result is obtained by the server verifying the target account signed identity identifier according to a target account public key and verifying the target account signed identity credential according to a public key of the trusted credential issuing authority.

13. A login verification device, comprising: a second receiving module, configured to receive a login request sent by a target client; a third sending module, configured to send, in response to the login request, a server signed identity identifier to the target client, so that the target client verifies the server signed identity identifier according to a server public key to obtain a first verification result, wherein the server signed identity identifier is a signed identity identifier obtained by signing a server identity identifier with a server private key; a third receiving module, configured to receive a target account signed identity identifier and a target account signed identity credential sent by the target client when the first verification result is that verification passed, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; a second verification module, configured to verify the target account signed identity identifier according to a target account public key and to verify the target account signed identity credential according to a public key of the trusted credential issuing authority to obtain a second verification result; and a fourth sending module, configured to send the second verification result to the target client.

14. A login verification device, comprising: a fifth sending module, configured for a target client to send a login request based on a target account to a server; a sixth sending module, configured for the server to receive and respond to the login request sent by the target client by sending a server signed identity identifier to the target client, wherein the server signed identity identifier is a signed identity identifier obtained by signing a server identity identifier with a server private key; a third verification module, configured for the target client to receive the server signed identity identifier sent by the server and to verify the server signed identity identifier according to a server public key to obtain a first verification result; a seventh sending module, configured for the target client to send a target account signed identity identifier and a target account signed identity credential to the server when the first verification result is that verification passed, wherein the target account signed identity identifier is a signed identity identifier obtained by signing a target account identity identifier with a target account private key, and the target account signed identity credential is a signed identity credential obtained by signing a target account identity credential with a private key of a trusted credential issuing authority; a fourth verification module, configured for the server to receive the target account signed identity identifier and the target account signed identity credential sent by the target client, and to verify the target account signed identity identifier according to a target account public key and the target account signed identity credential according to a public key of the trusted credential issuing authority to obtain a second verification result; an eighth sending module, configured for the server to send the second verification result to the target client; and a second login module, configured for the target client to receive the second verification result sent by the server and, when the second verification result is that verification passed, to log in to the server.

15. A login verification device, comprising: a fourth receiving module, configured to receive a target account public key, a server public key and a public key of a trusted credential issuing authority; a generating module, configured to generate, according to the target account public key, a target account identity identifier corresponding to the target account public key, to generate, according to the server public key, a server identity identifier corresponding to the server public key, and to generate, according to the public key of the trusted credential issuing authority, a target account identity credential corresponding to the public key of the trusted credential issuing authority; and a ninth sending module, configured to send the target account identity identifier to a target client, to send the server identity identifier to a server, and to send the target account identity credential to the trusted credential issuing authority, so that the target client encrypts the target account identity identifier with a target client private key to obtain a target account signed identity identifier, the trusted credential issuing authority signs the target account identity identifier with a private key of the trusted credential issuing authority to obtain a target account signed identity credential, and the server signs the server identity identifier with a server private key to obtain a server signed identity identifier.

16. An electronic device, comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to execute the instructions to implement the login verification method according to any one of claims 1 to 11.

17. A computer-readable storage medium, wherein, when instructions in the computer-readable storage medium are executed by a processor of an electronic device, the electronic device is enabled to perform the login verification method according to any one of claims 1 to 11.
CN202310652289.4A 2023-06-02 2023-06-02 Login verification method, device, electronic device and computer-readable storage medium Pending CN119071007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310652289.4A CN119071007A (en) 2023-06-02 2023-06-02 Login verification method, device, electronic device and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310652289.4A CN119071007A (en) 2023-06-02 2023-06-02 Login verification method, device, electronic device and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN119071007A true CN119071007A (en) 2024-12-03

Family

ID=93645643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310652289.4A Pending CN119071007A (en) 2023-06-02 2023-06-02 Login verification method, device, electronic device and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN119071007A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination