
CN120281501A - A method for generating identity endorsement and a management system - Google Patents


Info

Publication number: CN120281501A
Authority: CN (China)
Prior art keywords: identity, endorsement, application, information, characterization
Legal status: Pending
Application number: CN202411793639.XA
Other languages: Chinese (zh)
Inventor: 阳振庭
Current Assignee: Individual
Original Assignee: Individual
Events: application filed by Individual; priority to CN202411793639.XA; publication of CN120281501A; legal status pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Collating Specific Patterns (AREA)
  • Document Processing Apparatus (AREA)

Abstract

The present invention discloses a method for generating an identity endorsement and a management system. The method for generating an identity endorsement includes: accepting an identity endorsement application; arranging the identity endorsement members into an endorsement member combination according to the application; signing the endorsement member combination with an asymmetric key algorithm and the notary private key to obtain a digital signature; and attaching that digital signature to the endorsement member combination to obtain the identity endorsement. The identity endorsement management system includes a front-end application program and a back-end service program: the front-end application program includes a user interface, endorsement encapsulation, endorsement recognition and other units, and the back-end service program includes an endorsement service center, secret processing, digital signature processing, feature recognition, data storage and other units. The method and system solve the problems of existing identity certificates, namely inconvenience in carrying and use, counterfeiting due to the difficulty of identification and the dispersion of information members, and leakage of private information, and prevent fake or fraudulently used certificates from causing social harm.

Description

Identity endorsement generation method and management system
This application is related to the Chinese patent application 'A method and system for generating identity endorsement', filed on December 26, 2017, with application number 201711443105.4.
Technical Field
The invention relates to the field of digital identity, in particular to a universal digital identity endorsement.
Background
The internet public key infrastructure (PKI) is a security system that provides network digital signature services and is responsible for asymmetric key and certificate management. The certificate authority (CA) is the core of PKI; a digital certificate is an electronic document issued by the CA for end-to-end user identification of the two communicating parties, and provides a means by which two pre-agreed parties on the Internet can authenticate and confirm each other. The core technology behind digital certificates is the asymmetric key algorithm, which uses a public key and a private key to encrypt and decrypt transmitted information and to verify digital signatures; the common asymmetric key algorithm is RSA (Ron Rivest, Adi Shamir, Len Adleman). Digital certificates are currently widely used for user identification between Internet communication parties, for example in HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) channels. The communicating parties must know and verify the counterpart's digital certificate in advance, and each party must apply for and keep its own certificate; carrying, storing and using an independent digital certificate is complicated, and there is a large risk of leaking the private key corresponding to the certificate. Digital certificates therefore cannot be used for the general identity authentication of the daily activities of social members: a digital certificate is an electronic document, its encrypted form is also an electronic document, and electronic documents are extremely inconvenient in practical use, especially for on-site (field) verification.
Traditional certificate bodies such as identity cards, employee cards, driving licences, graduation certificates and qualification certificates are the identification documents indispensable to the social activities of social members (organizations, natural persons and the like). The information contained in a traditional certificate body is completely transparent and includes important private information. Such certificates naturally have usability problems, such as inconvenience in carrying and use, and security defects: lacking simple and effective identification (distinguishing) means, they are difficult to identify, easy to counterfeit, easy to misuse, and leak private information. Traditional certificate bodies are generally fixed and valid for a long time and are universally accepted, and they lack effective dynamic control such as permission on demand, so they are very easy to misuse once lost or lent out. At the same time, each item of information in a traditional certificate body is discrete and isolated; in particular, the identity characterization of the certificate holder (such as a face image) is not associated with the identity identification (such as the certificate number), which greatly reduces the reliability of the certificate body, makes identification harder and more complicated, and makes counterfeiting and fraudulent use harder to prevent.
Although the development of electronic information technology and digital certificate technology provides a new possible means for user authentication of both parties of Internet communication, the professional nature and complicated use of digital certificates make them difficult to deploy and apply widely, and digital certificates applied to the Internet cannot be used for the general identification of social members. Traditional certificates are developing towards chip cards, but because chip card information can only be read by special equipment, they are not portable and are inconvenient to use; the cost of chip certificates and card readers makes chip certificates difficult to deploy and use for the whole population; and, limited by existing chip technology, chip certificates still have the defect that the holder's identity characterization (such as a face image) is unrelated to the identity identification (such as the certificate number), so they still have the problems of traditional paper certificates. In summary, the existing traditional certificate body is inconvenient to carry and use, and its security defects are easily exploited by lawbreakers; in particular, the fraudulent use and counterfeiting caused by secret information leakage and the difficulty of certificate identification seriously affect normal social order and cause great harm to social members and society.
The pattern recognition technology is to combine the computer with optical, acoustic, electronic sensor and mathematical statistics principles closely, and to use the inherent internal and external perception properties of things (such as fingerprint, face image, iris, eye pattern, handwriting, sound, etc.) to identify the identity. Further, the pattern recognition system samples and analyzes the object attributes, extracts the model features thereof and converts the model features into digital code features or feature vectors, and recognizes the features. For example, the fingerprint refers to the lines generated by the uneven skin on the front surface of the tail end of the finger, the lines are regularly arranged to form different patterns, the starting point, the ending point, the combining point and the bifurcation point of the lines are called as the minutiae features of the fingerprint, and the fingerprint identification refers to the identification by comparing the minutiae features of different fingerprints. Face recognition extracts feature vectors from face images, and performs recognition or authentication by comparing or classifying the feature vectors.
A two-dimensional code (2-dimensional code) extends the one-dimensional barcode with a second readable dimension; the information it contains can be read automatically by image input equipment or photoelectric scanning equipment. It records data symbol information with a specific geometric figure, distributed on a plane according to a certain rule as an alternating black-and-white pattern; in forming the code, the concept of the '0'/'1' bit stream that forms the internal logical basis of computers is used, and several geometric shapes corresponding to binary digits represent textual and numerical information. Common two-dimensional code standards include PDF417, QR Code, Code 49, Code 16K and Code One. Two-dimensional codes have large capacity, strong fault tolerance and easy reading, which makes data exchange through two-dimensional codes very simple and convenient.
Chinese patent 201710033091.2, 'A unified management method and system for identity endorsement', provides (realizes) a basic universal digital identity authentication and achieves a remarkable technical effect compared with traditional identity authentication. However, patent 201710033091.2 still does not solve two core problems of universal digital identity authentication: the identity information cannot be associated and integrated into a whole, and in particular the lack of association between the identity characterization (such as a face image) and the identity identification (such as a certificate number) leads to fraudulent use and leakage of private information. These have long been the key difficulties plaguing universal identity authentication. With the continuous development of information technology, identity impersonation is more and more difficult to prevent, and the harm of private information leakage is especially serious; next-generation universal identity authentication needs to be extremely reliable and to have privacy (private information) protection. The present invention is a further creation based on patent 201710033091.2 that solves these two core problems of identity authentication and meets the requirements of next-generation universal digital identity authentication.
In order to solve the inconvenience in carrying and use (especially off-line use) and the security defects of conventional identity certificates such as traditional certificate bodies, and to protect the legal rights and interests of social members from infringement, the invention provides a method and a system for a universal identity certificate for the daily activities of social members. It is simple and easy to use, closely associated, reliable and easy to identify, and further provides privacy (private information) protection and/or dynamic permission applicability protection; it is more convenient and safer (more reliable) than conventional identity certificates such as traditional certificate bodies, and prevents false or fraudulently used certificates from breeding social harm.
Disclosure of Invention
In view of the inconvenience in carrying and using existing identification such as traditional certificate bodies, and of the security defects such as counterfeiting and private information leakage that result from the difficulty of identification (differentiation) due to the lack of simple and effective identification means and from the inability to associate and integrate the dispersed members of the identification information, in particular the lack of association between the identity characterization and the identity identification, the invention uses a digital identity endorsement as the universal identification for the daily activities of social members. It is more convenient, easier to use and safer and more reliable than existing identification such as traditional certificate bodies, and meets the extremely reliable and convenient requirements of next-generation universal identification, thereby bringing great benefits to social members (the public) and society and preventing the harm of false or fraudulently used identification.
The above purpose is realized by the following technical scheme:
The embodiment of the invention provides a highly reliable (secure) and convenient digital identity endorsement. The identity endorsement is a section of byte stream (sequence) data that contains a plurality of information members integrated into a whole in a laid-out manner and is used to prove identity or authorization permission matters; the identity endorsement members can be conveniently processed and realized with a programming format such as Type-Length-Value (TLV). The digital identity endorsement is short and small: it can be directly packaged and used, and it can also be expanded and converted into a visible-character identity endorsement or, in groups, into a two-dimensional code identity endorsement. The short, integrated identity endorsement is very convenient to use and carry, is not limited to a particular carrier, and has wide applicability.
The identity endorsement at least comprises legal identity identification and a digital signature member, wherein the legal identity identification is the identity identification according to legal regulations of an identity endorsement body (abbreviated as endorsement owner), the legal identity identification comprises one or more of legal names, legal license numbers and the like, the legal names comprise organization names, natural (personal) names and the like, and the legal license numbers comprise personal identification numbers, personal passport numbers, organization codes, vehicle engine numbers, license numbers and the like.
The identity endorsement may further include one or more members of identity permission applicability details, operation control words, identity association (body link) characterizations, endorsement matter appendices, civil state conditions, and the like, the identity permission applicability details include one or more of identity permission applicability level, identity permission applicability time domain, identity permission applicability region, identity permission applicability object, and the like, the operation control words include, but are not limited to, one or more of version number, identity endorsement length, asymmetric key algorithm type, hash algorithm type, privacy member indication, and the like, the identity association characterizations refer to identifiable identity characterizations (e.g. face images, sounds, fingerprints, handwriting, and the like) of closely associated (link) signers in the identity endorsement, and the identity association characterizations further include identity association (body link) perception characterizations, identity association (body link) gene characterizations, identity association (body link) extension characterizations, and the like. The identity permission applicability level includes a primary (identity verification record), a secondary (business identity binding) and the like, and the rule of the identity permission applicability level is that the permission applicability level of the permission identity endorsement must not be lower than the used endorsement level of the authenticator (the default is the primary). The identity-related perception representation comprises (is divided into) fingerprints, face images, sounds, eye marks, irises, vein marks, handwriting, appearance and the like. 
The identity-related gene characterization (marking feature) comprises deoxyribonucleic acid (Deoxyribonucleic acid, abbreviated as DNA), blood type, element arrangement and composition structure and the like, and the identity-related extension characterization comprises (is divided into) a residence address, a registration address, an email address, a private (individual) digital certificate signature, a preset identity password, legal information, contact information, a trademark, a bank account number and the like. The above-mentioned time domain for the permission of the identity refers to a valid time range for which the permission of the identity endorsement is applicable. The above-mentioned region for which the identity license is applicable refers to the effective geographical range for which the identity endorsement license is applicable. The endorsement annex described above includes an identity endorsement note interpretation statement annex or an identity endorsement note interpretation statement annex abstract (digest). The identity license applicable object comprises a legal identity or extended characterization feature or identity endorsement of the destination or licensee to which the identity endorsement license is applicable.
The embodiments of the present invention use a user (member) designation that corresponds to a quorum member, including natural (personal) persons, organizations, etc. A social member may apply for an identity endorsement for itself or its legal affiliated entity, including vehicles, real estate, etc., i.e. an identity endorsement principal (abbreviated as endorsement owner) corresponds to or associates with the social member or legal affiliated entity of the social member.
The embodiment of the invention uses a key for uniformly notarizing (certifying) identity endorsements (the notary key for short). The notary key comprises a public and private key pair of a unified (preset) asymmetric key algorithm, and may further comprise a key of a unified symmetric key algorithm.
The embodiment of the invention provides a method for generating an identity endorsement, which comprises the steps of accepting an identity endorsement application, arranging identity endorsement members and signing the identity endorsement members to obtain the identity endorsement.
The method further comprises inputting an identity endorsement application before the identity endorsement application is accepted. The input identity endorsement application specific implementation includes, but is not limited to, a user inputting an identity endorsement application through a front-end Application (APP).
The input identity endorsement application comprises input identity endorsement application information and distribution processing identity endorsement application information. The identity endorsement application information comprises one or more of identity permission applicable rules, operation control words, endorsement item appendices, civil state indications and the like, and the operation control word information comprises one or more of identity association (body link) characterization types, legal identity identification types, asymmetric key algorithm types, hash algorithm types, privacy private member indications and the like.
The distributing and processing of the identity endorsement application information comprises the steps of checking the identity endorsement application information, constructing an identity endorsement application communication protocol message, filling the identity endorsement application information into the identity endorsement application communication protocol message, and sending the identity endorsement application communication protocol message. The specific implementation includes, but is not limited to, the front-end application program constructing an identity endorsement hypertext transfer protocol (HTTP) message, populating the identity endorsement application information into the identity endorsement application HTTP message, and sending the identity endorsement application HTTP message to the background service program via the internet.
The receiving of the identity endorsement application comprises receiving and generating an identity endorsement application communication protocol message, analyzing the identity endorsement application communication protocol message and extracting identity endorsement application information from the identity endorsement application communication protocol message. Specific implementations include, but are not limited to, a background service program receiving and parsing an identity endorsement application communication protocol message.
The step of arranging the identity endorsement members further comprises arranging the identity endorsement members according to the identity endorsement application, and arranging the identity endorsement members into an endorsement member combination. Specific implementations include, but are not limited to, the background service program arranging the identity endorsement members.
The step of compiling the identity endorsement member according to the identity endorsement application comprises selecting an option source of the identity endorsement member from the reserved identity information of the data storage unit or the identity endorsement application information according to the identity endorsement application, and compiling the option source to be the identity endorsement member.
Compiling an option source into an identity endorsement member comprises one or more of:
compressing the option source, and configuring the compression result of the option source as an identity endorsement member in TLV format;
mapping the option source to an internet address, and configuring the internet address as an identity endorsement member;
converting the option source, and configuring the conversion result of the option source as an identity endorsement member;
calculating the digest of the option source with a hash algorithm, and configuring the digest of the option source as an identity endorsement member;
extracting the feature vector (values) of the option source with a pattern recognition algorithm, and configuring the feature vector of the option source as an identity endorsement member;
padding (aligning) the option source, and configuring the padded result of the option source as an identity endorsement member;
and setting a default option source, and configuring the default option source as an identity endorsement member.
The above-mentioned extracting the feature vector (value) of the option source using the pattern recognition algorithm includes extracting one or more feature vectors of face images, fingerprints, eye prints, sounds, handwriting, appearance (look), and the like using the pattern recognition algorithm.
The pattern recognition algorithm includes, but is not limited to, one or more of an image analysis and processing algorithm, an image (shape) recognition algorithm, a voice recognition algorithm, a voiceprint recognition algorithm and the like. The image (shape) recognition algorithm comprises one or more of a deep learning algorithm, a machine learning algorithm, a model feature extraction algorithm, a model feature classification algorithm and the like, where the deep learning algorithm comprises a neural network algorithm, a convolutional neural network algorithm and the like, and the machine learning algorithm comprises a support vector machine, a naive Bayes classifier, a decision tree, k-nearest neighbours, k-means and the like.
The feature vector of the option source extracted by using the pattern recognition algorithm can be the identity perception characteristic feature pre-extracted and stored with the identity information, namely, the feature of the identity perception characteristic attribute pre-extracted by using the pattern recognition algorithm is configured to the identity endorsement member.
The above-described computing the digest of the option source using a hash algorithm includes computing a digest of the random value and the password using a hash algorithm.
The identity endorsement member comprises one or more of legal identity identification, permission applicable rules, operation control words, identity association characterization, endorsement item annex, civil state and the like, wherein,
The operation control word comprises one or more of a version number, an identity association characterization type, a legal identity identification type, an asymmetric key algorithm type, a hash algorithm type, a privacy member indication and the like;
the identity association characterization member comprises one or more of identity association perception characterization, identity association gene characterization, identity association expansion characterization and the like;
The civil condition includes, but is not limited to, one or more of credit worthiness, marital condition, financial condition, educational condition, health condition, legal condition, other party rating, red and black trail, etc.
The selecting the option source of the identity endorsement member from the saved identity information or the identity endorsement application information according to the identity endorsement application, and compiling the option source as the identity endorsement member specifically may include:
setting a default endorsement version number, and configuring the version number as a version number member;
Selecting operation control word information (source) from the identity endorsement application information, and converting configuration operation control word information into operation control word members;
Selecting identity permission application rule information from the identity endorsement application information, and converting the configuration identity permission application rule information into identity permission application rule members;
according to the identity endorsement application, a legal identity is selected from the reserved identity information, and the legal identity is configured as a legal identity member;
And selecting identity association characterization from the retained identity information according to the identity endorsement application, and configuring the identity association characterization as one or more of identity association characterization members and the like.
The step of selecting the identity association token from the retained identity information according to the identity endorsement application, and the step of configuring the identity association token as the identity association token member specifically may include:
According to the identity endorsement application, the identity association characteristic features extracted by using a pattern recognition algorithm are selected from the reserved identity information, and the identity association characteristic features are configured to be identity association characteristic members;
According to the identity endorsement application, selecting identity association characterization attributes from the reserved identity information, extracting the identity association characterization attributes by using a pattern recognition algorithm to obtain identity association characterization features, and configuring the identity association characterization features as identity association characterization members;
According to the identity endorsement application, selecting identity association characterization attributes from the reserved identity information, mapping the identity association characterization attributes to network addresses to obtain identity association characterization network addresses, and configuring the identity association characterization network addresses as identity association characterization members;
And selecting an identity password (an option source) from the identity endorsement application information, calculating the identity password by using a hash algorithm to obtain an identity password abstract, and configuring the identity password abstract as one or more of identity password members.
The above-mentioned step of selecting identity permission applicability rule information from the identity endorsement application information and converting it into an identity permission applicability rule member further includes, but is not limited to, one or more of: selecting identity permission applicability time domain information from the application information and converting it into an identity permission applicability time domain member; selecting identity permission applicability level information and converting it into an identity permission applicability level member; and selecting identity permission applicability object information and converting it into an identity permission applicability object member.
The step of selecting identity association characterization features from the retained identity information according to the identity endorsement application and configuring them as identity association characterization members further includes, but is not limited to, selecting face image features from the retained identity information according to the application and configuring them as an identity association face image member. The face image features are feature vectors previously extracted from a face image with an image (shape) recognition algorithm, and the image (shape) recognition algorithm includes, but is not limited to, a deep learning neural network algorithm.
The step of selecting identity association characterization attributes from the retained identity information according to the identity endorsement application, extracting identity association characterization features from them with a pattern recognition algorithm, and configuring the features as identity association characterization members further includes, but is not limited to, selecting a face image from the retained identity information according to the application, extracting face image features from the face image with an image (shape) recognition algorithm, and configuring the face image features as an identity association face image member. The image (shape) recognition algorithm includes, but is not limited to, a deep learning neural network algorithm, and the face image features include, but are not limited to, X-dimensional integer or decimal vectors.
The step of arranging the identity endorsement members into an endorsement member combination includes arranging and associating the identity endorsement members in a specified format or a default format to form the endorsement member combination, which is realized as a digital byte stream (sequence).
Arranging the identity endorsement members into an endorsement member combination may further include hiding (encrypting) identity endorsement members as described above.
Hiding an identity endorsement member includes encrypting the privacy identity endorsement member, or the endorsement member combination, with a symmetric or asymmetric key algorithm, or computing its digest with a hash algorithm and replacing the member with the digest. The privacy identity endorsement members include one or more of a legal name, a legal card number, and the like. Hiding identity endorsement members is an optional step depending on the implementation.
The step of signing the identity endorsement members to obtain the identity endorsement further includes computing a digital signature over the endorsement member combination with an asymmetric key algorithm and a public/private key pair, and attaching the digital signature to the endorsement member combination (as the digital signature member of the identity endorsement) to obtain the identity endorsement. The identity endorsement is therefore a digital byte stream (sequence) that integrates multiple identity endorsement members. The asymmetric key algorithm includes, but is not limited to, the Digital Signature Algorithm (DSA), elliptic curve cryptography algorithms, and the like.
The method may further include a step of packaging the identity endorsement after the step of signing the identity endorsement members to obtain the identity endorsement.
Packaging the identity endorsement further includes one or more of expanding the byte identity endorsement into a visible character identity endorsement, grouping the identity endorsement into a two-dimensional code identity endorsement, loading the identity endorsement into a file, and the like.
Packaging the identity endorsement may further include outputting the identity endorsement.
Outputting the identity endorsement includes one or more of displaying, printing, and recording and storing the identity endorsement. Specifically, this includes displaying a two-dimensional code identity endorsement or a visible character identity endorsement, printing a two-dimensional code identity endorsement or a visible character identity endorsement, and recording and storing a two-dimensional code identity endorsement, a visible character identity endorsement, or an identity endorsement file.
The embodiment of the invention also provides a user registration method that precedes the identity endorsement generation method and includes inputting a user registration application, accepting the user registration application, retaining user identity information, responding with the user registration result, and outputting the user registration result.
Inputting the user registration application includes inputting user registration information and dispatching the user registration application for processing, which includes checking the user registration information, constructing a user registration application communication protocol message, filling the user registration information into the message, and sending the message. The user registration information includes one or more of a user login password, a user identifier, identity information associated with the social member corresponding to the user, and the like; the identity information associated with the social member includes one or more of a perception characterization attribute or feature, a genetic characterization feature, an extension characterization feature, a legal identity identifier, civil status, and the like. Specific implementations include, but are not limited to, the user entering the registration information through a front-end application (APP), which dispatches the user registration application for processing.
Accepting the user registration application includes receiving the user registration application message sent by the user, parsing the message, extracting the user registration information, and sorting the user registration information. Sorting the user registration information includes performing one or more of format conversion, encryption, clipping, compression, and the like on the user information.
Retaining the user identity information includes mapping the user registration information to user identity information and storing it in the data storage unit.
Retaining the user identity information further includes extracting the perception characterization feature from the perception characterization attribute with a pattern recognition algorithm and then mapping the feature to the user identity information for storage in the data storage unit. Specifically, this includes, but is not limited to, extracting face features from a face image with an image (shape) recognition algorithm and storing the face features in the user identity information of the data storage unit.
Responding with the registration result includes constructing a user registration result communication protocol message, filling the user registration result into the message, and sending the message.
Outputting the registration result includes displaying the user registration result on the user interface.
User registration further includes a user auditing process, which audits the user identity information provided and retained during registration; the audit includes manual confirmation, service program assisted auditing, and the like.
The embodiment of the invention also provides an identity endorsement identification method that follows the identity endorsement generation method and includes inputting the identity endorsement, verifying the digital signature of the identity endorsement, identifying the signer associated with the identity endorsement, applying the identity permission applicability rules, and outputting the identification result.
Inputting the identity endorsement includes reading the identity endorsement with a camera, Bluetooth, a keyboard, or another device.
Verifying the digital signature of the identity endorsement includes verifying it with an asymmetric cryptographic algorithm and the notarization public key specified by, or defaulted from, the operation control word of the identity endorsement.
Identifying the signer associated with the identity endorsement includes checking whether the identity association characterization matches the signer; the specific confirmation is implemented by manual confirmation and/or program assisted confirmation. Program assisted confirmation includes perception characterization feature matching, password matching, and the like. Perception characterization feature matching includes, but is not limited to, capturing a face image of the signer, extracting face image features from it with an image (shape) recognition algorithm, and matching the extracted features against the identity association characterization feature carried by the identity endorsement. The image (shape) recognition algorithm includes, but is not limited to, a deep learning neural network algorithm.
Applying the identity permission applicability rules includes one or more of checking the identity permission applicability level, the applicability time domain, the applicability region, the applicability object, and the like; this step is optional depending on the implementation.
Outputting the identification result includes displaying or recording the result, where a successful result records the success and the identification time and a failed result shows the failure and its reason.
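The steps that follow signature verification, as an added example that is not part of the patent and not the applicant's code: the signer's stored face feature vector is matched against the live capture by cosine similarity against a threshold, and then the applicability level, time domain, region and object rules are applied in order, stopping at the first failure so that the result can record either the success time or the failure reason. The field names, the encoding of level, region and object as integers and strings, and the sample vectors are assumptions for this example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Permission holds the identity permission applicability rule members of an
// endorsement (field layout is an assumption for this example).
type Permission struct {
	Level     int       // applicability level granted by the endorsement
	NotBefore time.Time // applicability time domain start
	NotAfter  time.Time // applicability time domain end
	Regions   []string  // applicability regions; empty means any region
	Objects   []string  // parties allowed to accept it; empty means any party
}

// Context is what the identifying party knows at identification time.
type Context struct {
	Now           time.Time
	Region        string
	Object        string    // identifier of the party performing identification
	RequiredLevel int       // level this party demands
	Signer        []float64 // identity association face feature from the endorsement
	Captured      []float64 // feature extracted from the live face image
	Threshold     float64   // cosine similarity needed for a match
}

// Result is the identification result that is displayed or recorded.
type Result struct {
	Success bool
	Time    time.Time
	Reason  string // failure reason, empty on success
}

// cosine returns the cosine similarity of two equal-length feature vectors,
// or -1 when they cannot be compared.
func cosine(a, b []float64) float64 {
	if len(a) != len(b) || len(a) == 0 {
		return -1
	}
	var dot, na, nb float64
	for i := range a {
		dot += a[i] * b[i]
		na += a[i] * a[i]
		nb += b[i] * b[i]
	}
	if na == 0 || nb == 0 {
		return -1
	}
	return dot / (math.Sqrt(na) * math.Sqrt(nb))
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Identify matches the signer and applies each applicability rule in turn.
func Identify(p Permission, c Context) Result {
	fail := func(reason string) Result { return Result{Success: false, Time: c.Now, Reason: reason} }
	if sim := cosine(c.Signer, c.Captured); sim < c.Threshold {
		return fail(fmt.Sprintf("signer feature mismatch (similarity %.2f)", sim))
	}
	if c.Now.Before(p.NotBefore) || c.Now.After(p.NotAfter) {
		return fail("outside applicability time domain")
	}
	if p.Level < c.RequiredLevel {
		return fail(fmt.Sprintf("applicability level %d below required %d", p.Level, c.RequiredLevel))
	}
	if len(p.Regions) > 0 && !contains(p.Regions, c.Region) {
		return fail("region not permitted")
	}
	if len(p.Objects) > 0 && !contains(p.Objects, c.Object) {
		return fail("identifying object not permitted")
	}
	return Result{Success: true, Time: c.Now}
}

func main() {
	now := time.Date(2025, 1, 15, 12, 0, 0, 0, time.UTC) // constructed sample time
	p := Permission{Level: 2, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), Objects: []string{"gate-7"}}
	c := Context{Now: now, Object: "gate-7", RequiredLevel: 1, Threshold: 0.9,
		Signer: []float64{1, 0, 0.5}, Captured: []float64{0.9, 0.1, 0.5}} // constructed feature vectors
	fmt.Printf("%+v\n", Identify(p, c))
}
```

The order of checks matters operationally: the signer match comes first so that a stolen but otherwise valid endorsement is rejected before any permission is evaluated, and every failure path carries a reason that the output step can display or log.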
The embodiment of the invention also provides a secret uncovering method for identity endorsements that follows the identity endorsement generation method and includes inputting a secret uncovering application, accepting the secret uncovering application, verifying the digital signature of the identity endorsement, decrypting the encrypted (ciphertext) identity endorsement member, responding with the secret uncovering result, and outputting the secret uncovering result.
Inputting the secret uncovering application includes inputting the identity endorsement, which includes reading it with an optical device such as a camera, and submitting the secret uncovering application, which includes constructing a secret uncovering application message, filling the identity endorsement into the message, and sending the message.
Accepting the secret uncovering application includes receiving the secret uncovering application message and parsing it to obtain the identity endorsement.
Accepting the secret uncovering application further includes checking whether the user submitting the application has secret uncovering authority.
Verifying the digital signature of the identity endorsement includes verifying it with an asymmetric cryptographic algorithm and the notarization public key specified by, or defaulted from, the operation control word of the identity endorsement.
Decrypting the encrypted (ciphertext) identity endorsement member includes performing the decryption with a key algorithm and the notarization key to obtain the plaintext of the member.
Responding with the secret uncovering result includes the background system constructing a response message, filling the secret uncovering result into it, and sending it to the front-end APP.
Outputting the secret uncovering result includes receiving the result message, parsing it, extracting the secret uncovering result, and outputting the result information.
The embodiment of the invention also provides a system for generating identity endorsements, which includes a front-end application program and a background service program connected by a communication network, wherein
The front-end application includes a user interface unit and an endorsement packaging unit, wherein
The user interface unit is used to input application information for user registration, user login, identity endorsement, and the like, to dispatch the received application information for processing, and to output the processing results of those applications, and
The endorsement packaging unit is used to package the identity endorsement, specifically to expand or restore identity endorsement byte codes and to group or translate identity endorsement two-dimensional codes. Expanding or restoring byte codes includes expanding a byte identity endorsement into a visible character identity endorsement or restoring a visible character identity endorsement into a byte identity endorsement. Grouping or translating two-dimensional codes includes grouping a byte or visible character identity endorsement into a two-dimensional code identity endorsement or translating a two-dimensional code identity endorsement into a byte or visible character identity endorsement.
The background service program includes an endorsement service center unit, a crypto (encryption and decryption) processing unit, a digital signature processing unit, and a data storage unit, wherein
The endorsement service center unit is used to accept applications for user registration, user login, identity endorsement, and the like, to dispatch them for processing, and to respond with the processing results, wherein
Accepting an application includes receiving the user registration, user login, identity endorsement, or other application message sent by the user, parsing the message, and extracting the application information.
Dispatching a registration application for processing includes sorting the user registration information and retaining the user identity information; retaining the user identity information includes mapping the sorted registration information to user identity information and storing it in the data storage unit.
Dispatching a login application for processing includes managing the session state information of the user login and starting user connection state tracking.
Dispatching an identity endorsement application for processing includes arranging the identity endorsement members, notifying (calling) the crypto processing unit to hide identity endorsement members, and notifying (calling) the digital signature processing unit to sign the identity endorsement members. Arranging the identity endorsement members includes configuring the members according to the identity endorsement application and arranging them into an endorsement member combination.
The endorsement service center unit further manages the notarization keys used by the system, which include a key pair (private key and public key) of an asymmetric key algorithm and may also include a key of a symmetric key algorithm.
The crypto processing unit is used to encrypt or decrypt identity endorsement members, or to compute digests of identity endorsement members.
The digital signature processing unit is used to sign the identity endorsement members with an asymmetric key algorithm and a public/private key pair.
The data storage unit is used to store user identity information, which includes one or more of a user identifier, registration time, login password, applicable endorsement level, legal identity identifier, perception characterization features and/or attributes, genetic characterization (marker) features, extension characterization features, civil status, and the like.
The background service program may further include a feature recognition unit, which is mainly used to recognize features of perception characterization attributes with a pattern recognition algorithm.
The pattern recognition algorithm recognizes the features of the perception characterization attributes by extracting feature vectors from one or more attributes such as face images, fingerprints, voice, eye prints, irises, handwriting, and the like.
The system for generating identity endorsements further includes an identity endorsement identification system, which includes an endorsement identification unit. The endorsement identification unit is used to identify identity endorsements, which includes verifying the digital signature of the identity endorsement, identifying the signer associated with the identity endorsement, and applying the identity permission applicability rules.
The user interface unit of the system's front-end application program is further used to input identity endorsement identification information, to dispatch the identification information for processing, and to output the identification processing result.
The identity endorsement identification system includes the endorsement identification unit; in particular, the system's front-end application program may further include a feature (pattern) recognition unit, which is used to recognize features of perception characterization attributes with a pattern recognition algorithm.
The endorsement identification unit of the front-end application program further includes a preset asymmetric key algorithm notarization public key.
Inputting the identification information includes reading the identity endorsement with a camera, Bluetooth, a keyboard, or another device.
Inputting the identity endorsement identification information further includes a perception characterization attribute of the identity endorsement reader, including but not limited to a face image.
Dispatching the identity endorsement identification information for processing includes the user interface unit notifying (invoking) the endorsement identification unit to identify the identity endorsement.
Dispatching the identity endorsement identification information for processing may also include the user interface unit notifying (invoking) the feature (pattern) recognition unit to recognize the features of the perception characterization attribute with a pattern recognition algorithm.
The identity endorsement identification system includes the endorsement identification unit; in particular, the background service program of the identification system may also include the endorsement identification unit.
The system for generating identity endorsements further includes a secret uncovering system for identity endorsements, wherein
The user interface unit of the front-end application program is further used to input secret uncovering application information, to dispatch it for processing, and to output the secret uncovering application processing result.
The endorsement service center unit is further used to accept secret uncovering applications, to dispatch them for processing, and to respond with the processing results.
Accepting a secret uncovering application includes receiving the secret uncovering application message sent by the user, parsing the message, and extracting the application information such as the identity endorsement.
Accepting a secret uncovering application further includes checking whether the user submitting the application has secret uncovering authority.
The crypto processing unit is further configured to decrypt the encrypted (ciphertext) identity endorsement member with a key algorithm to obtain the plaintext of the member.
According to the technical scheme of the embodiment of the invention, the identity endorsement generation method and management system deploy new applications on existing mobile terminals, computers, and the Internet and make full use of widely available equipment. They address the shortcomings of traditional identity authentication, namely certificates that are inconvenient to carry and use, counterfeiting and leakage of private information caused by difficult authentication, scattered information members, and the like, and they resolve the conflict between protecting private information and providing identity authentication and traceability. The identity endorsement of the embodiment is short, can serve as an additional anti-counterfeiting function or anti-counterfeiting code on a traditional certificate, and can also replace the traditional certificate as a general-purpose identity credential. The invention thereby achieves integrated identity authentication that is simple to use, tightly associated with its holder, highly reliable, and easy to identify (distinguish), together with protection of private information and dynamic (sign-per-use) permission applicability.
Drawings
FIG. 1 is a diagram of an embodiment of the system application environment and functionality of the present invention;
FIG. 2 is a diagram of steps of a method for user registration according to the present invention;
FIG. 3 is a diagram illustrating steps of a method for generating an identity endorsement in accordance with an embodiment of the present invention;
FIG. 4 is a diagram of an embodiment of an authentication identity endorsement step of the present invention;
FIG. 5 is a diagram of the secret uncovering identity endorsement steps of an embodiment of the present invention;
Detailed Description
Embodiments of the present invention are described in detail and illustrated in the accompanying drawings.
First, a system for generating an identity endorsement, i.e. the application environment and the functional modules of the present invention, will be described with reference to fig. 1.
The system for generating or managing identity endorsements includes a front-end application program (APP) and a background service program (background system). The front-end APP host is a terminal such as a mobile phone or a personal computer, and the background system host is a computer server, a personal computer, or the like. The front-end APP includes at least the 1001 user interface unit and may further include the 1002 endorsement packaging unit or the 1003 endorsement identification unit. The background system includes the 1014 endorsement service center unit, the 1015 cryptology (encryption and decryption) processing unit, the 1016 digital signature processing unit, the 1017 data storage unit, and the 1018 feature recognition unit (pattern recognition unit); depending on the implementation, the 1002 unit may be located in the front-end APP or in the background system, so the background system may also include the 1002 unit. The front-end APP is generally integrated or deployed as a whole; specific implementations include a mobile terminal APP, a computer program, a web page program running in browser software, and the like. The background system is the management service center of the system, and each functional unit may be deployed separately or integrated; specific implementations include an Internet website back end, an application server program, a database program, and the like. The 1017 unit is typically deployed separately, as a database or a disk data file, for example. The front-end APP and the background system are connected over a communication network such as the Internet and communicate using a communication protocol such as the Hypertext Transfer Protocol (HTTP) or HTTPS.
The functional units of the background system communicate through local operating system call interfaces or protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP), according to the actual deployment. The front-end APP, the background system, and their functional units support one another and cooperatively generate and manage identity endorsements, forming the basic operating system and environment of the system.
The 1001 unit is responsible for receiving input information, dispatching the received input for processing, and outputting the processing result. Receiving input information includes receiving user input and network interface input, the latter including response or detection messages sent by the background. The user (or member) input includes a user registration application, a user login application, an identity endorsement generation application, a secret uncovering application, an identity endorsement identification application, a query of local identity endorsements, deletion of a local identity endorsement, and the like. Dispatching the received input of an identity endorsement generation application includes checking the input information, constructing a communication protocol message for the application, filling the input information into the message, sending the message, and the like. Outputting the processing result includes storing, printing, displaying, forwarding, or playing the result information. Specific implementations of user input include inputting two-dimensional codes through an optical device, reading information over Bluetooth or a wireless local area network (WIFI) connection, reading information from the Global Positioning System (GPS), entering information on a keyboard, reading information over a mobile network, reading information from a microphone, and the like. Forwarding information includes sending it to its destination over Bluetooth, WIFI, or a mobile network using a communication protocol, and playing information includes playing audio through a speaker.
The 1002 unit is configured to expand and restore byte codes, to group and translate two-dimensional codes, and to load identity endorsements. Expanding and restoring byte codes includes expanding a byte identity endorsement into a visible character identity endorsement or restoring a visible character identity endorsement into a byte identity endorsement; grouping and translating includes grouping an identity endorsement into a two-dimensional code or translating a two-dimensional code back into an identity endorsement. For example, expanding a byte identity endorsement into a visible character identity endorsement may use an expand/restore rule such as base64 encoding, and encoding an identity endorsement as a two-dimensional code or translating it back may use grouping standards such as PDF417 or QR Code. Loading includes processing the identity endorsement into a picture or a file of a specified format. Packaging the identity endorsement as a two-dimensional code or visible characters lifts the limitation of electronic documents: the endorsement can be printed on a physical object and read with a device such as a camera, which greatly facilitates daily use.
The 1003 unit is responsible for identifying identity endorsements. The 1001 unit starts the corresponding device to receive the identity endorsement, for example starting the camera to read a two-dimensional code identity endorsement, and then hands the identity endorsement to the 1003 unit for processing. Identifying an identity endorsement includes verifying its digital signature, identifying the signer associated with it (the identity endorsement principal), and applying its identity permission applicability rules. Verifying the digital signature is implemented by decrypting the digital signature member with the asymmetric key algorithm and the preset notarization public key to obtain the signature digest, computing a verification digest over all members except the digital signature with the hash algorithm, and treating the verification as successful (passed) if the signature digest and the verification digest agree. The asymmetric key algorithm includes, but is not limited to, the Digital Signature Algorithm (DSA) and elliptic curve cryptography (ECC) algorithms such as Ed25519 or the Chinese national standard SM2; the RSA algorithm is theoretically feasible but not recommended in practice. The hash algorithm includes, but is not limited to, Message Digest (MD) and Secure Hash Algorithm (SHA) algorithms. Depending on the implementation, the 1003 unit may be preset with a digital certificate of the system or with the system-wide asymmetric key algorithm notarization public key, which is a single public key published for all identity endorsements.
Unit 1014 accepts applications such as user registration, login, identity endorsement, and revealing (de-concealing) an identity endorsement, dispatches them for processing, and responds with the processing result. Accepting an application comprises receiving the application message sent by the user, parsing it and extracting the application information. Dispatching comprises calling the relevant units according to the application type. For example, processing a registration application includes collating the registration information and retaining the user identity information derived from it; dispatching it also includes recording session state after registration and starting session tracking (cookies, a keep-alive mechanism, a background session expiry mechanism and so on), and performing offline processing (closing keep-alive detection and clearing the cached session state) when the user connection is detected to have dropped. Unit 1014 is also responsible for managing (presetting) the system's unified notary keys, including symmetric algorithm keys and the key pairs (private and public keys) of asymmetric algorithms.
Unit 1015 encrypts or decrypts (cryptographically processes) identity endorsement members. Concealment can be implemented with a symmetric or an asymmetric algorithm, or by computing the digest of a private member (or of the private members of the member combination) with a hash algorithm and replacing the member's value with that digest. Symmetric algorithms include but are not limited to the Advanced Encryption Standard (AES), the Rivest Cipher (RC) family and ChaCha. Private members typically include the personal identity card number, passport number, organization code, vehicle engine number, name and so on. A symmetric algorithm uses the same key for encryption and decryption; an asymmetric algorithm encrypts with the public key and decrypts with the private key. Note that a plain, unsalted digest of a low-entropy field such as a name or an identity card number does not hide it from a verifier who can enumerate candidate values and compare digests; if the value must stay confidential rather than merely be committed to, encryption or a keyed or salted digest is required.
Unit 1016 digitally signs or verifies identity endorsements with an asymmetric algorithm. For example, it first computes a digest over the members of the laid-out identity endorsement (the endorsement member combination) to obtain the digest to be signed, then computes the digital signature value over that digest with the asymmetric signature algorithm and the private key, configures the signature value as the digital signature member, and lays that member out at the tail of the laid-out members. Verifying an identity endorsement includes verifying its digital signature with the asymmetric algorithm.
Unit 1017 is mainly used to store user identity information: user identifier, registration time, login password, endorsement level in use, legal identity, perceptual characterization features or attributes, genetic characterization (marker) features, extended characterization features, civil status and so on. The legal identity is the identity established under law for the endorsement principal; the perceptual, genetic and extended characterization features are identifiable characteristics of that principal. The data storage unit may be a database program or a custom data file, with user identity information stored as tables; for example, it may be implemented as an Oracle or MySQL database queried and updated through the Structured Query Language (SQL). User identity information held in the data storage unit is strictly confidential and must not be readable without authorization (login passwords in particular should be stored as salted password hashes rather than in the clear). Unit 1017 may additionally cache user login session state such as login time, login location, session identifier and user identifier.
Unit 1018 is mainly configured to extract, identify or classify feature vectors of perceptual characterization attributes with pattern recognition algorithms. These include but are not limited to image analysis and preprocessing (denoising, grayscale conversion and so on), image (shape) recognition, speech recognition and voiceprint recognition. Image (shape) recognition algorithms include deep learning, classical machine learning, model feature extraction and model feature classification. Speech and voiceprint recognition algorithms include neural network deep learning and statistical model methods, the latter specifically Hidden Markov Models (HMM) and Gaussian Mixture Models (GMM). The deep learning algorithms include Convolutional Neural Networks (CNN); the machine learning algorithms include Support Vector Machines (SVM) and AdaBoost; the feature extraction algorithms include Histogram of Oriented Gradients (HOG), Local Binary Patterns (LBP), Haar-like features, geometric feature methods, Local Feature Analysis (LFA) and Eigenfaces; and the feature classification algorithms include Bayesian networks, decision trees, K-nearest neighbours (K-NN) and K-means (the last being a clustering rather than a supervised classification method).
For example, face recognition based on deep learning feeds a face image into a pre-trained neural network, which outputs an X-dimensional feature vector (embedding) that represents that particular face; comparing two faces then reduces to comparing the Euclidean distance between their X-dimensional vectors against a threshold. Fingerprint recognition denoises the fingerprint image, extracts the ridge and valley lines, and then extracts minutiae such as ridge starting points, end points, merge points and bifurcations.
Through the system described above, user identity information, identity approval applicability rules and other information are laid out as identity endorsement members, and the members are combined, correlated and integrated into a single whole to generate an identity endorsement usable as a general-purpose identity credential. Social members registered as users use and manage their identity endorsements through the system. The identity endorsement provides dynamic (sign-at-use) applicability protection and, once private members have been concealed, privacy protection as well, in a compact, tightly bound, reliable and easily verified form; this is intended to prevent forgery and misuse by wrongdoers and to remedy the shortcomings of traditional and other existing identity credentials.
The following detailed description of the invention, along with the associated operations, is provided by way of example and in connection with the above system.
FIG. 2 depicts steps for a social member to register as a user in a system, including in particular:
Step S2001, input the registration application. The registration input is received, checked and dispatched. Unit 1001 of the front-end APP receives the registration information entered by the user: a login password, a user identifier, and the identity information of the social member corresponding to the user, namely perceptual characterization attributes or features, genetic characterization (marker) features, extended characterization features, legal identity and civil status. The received information is format-checked and range-checked, a registration application message is constructed according to the communication protocol and filled with the registration information, and the message is sent to the back-end system over HTTPS or a similar protocol. For example, a social member opens the registration web page of the system in a browser or opens the mobile application, types in the login password, user identifier, extended characterization features, legal identity, body shape, blood type and civil status, captures a face image with the camera or reads a fingerprint image with a fingerprint reader, and submits the registration application once the information has been entered.
Perceptual characterization includes face images, body shape, voice, fingerprints, handwriting and so on; genetic characterization includes blood type, DNA and so on; extended characterization includes addresses, telephone numbers, identity passwords, bank accounts and so on; legal identity includes the name of the social member corresponding to the user and the identity card number; and civil status includes marital status (married or unmarried), legal status (criminal record), educational status (highest qualification), physical condition and so on.
Step S2002, accept the registration application. The back-end unit 1014 receives the registration application message, parses it, extracts the registration information and collates it. Collation includes format conversion, encryption, cropping, compression and initialization of default values: for example, dates are converted to a standard format, private identity information (identity card number, bank account number and so on) is encrypted, addresses are compressed, images are cropped, converted and compressed, and defaults such as the registration time are initialized.
Step S2003, retain the user identity information. The registration information is mapped to user identity information and stored in the data storage unit: unit 1014 passes it to unit 1017, which stores it as user identity information and also initializes the user's credit status and similar fields. For example, unit 1014 maps the registration information to an SQL INSERT (or UPDATE) statement executed against the unit 1017 database; the statement should be parameterized so that registration input cannot alter the query. Retaining user identity information may further include extracting feature vectors from the perceptual characterization attributes with a pattern recognition algorithm and storing those vectors in the data storage unit, for example unit 1014 instructing unit 1018 to extract face features from the face image with an image (shape) recognition algorithm (such as a deep learning neural network) and then storing the features.
Step S2004, respond with the registration result. After unit 1014 has stored the registration information it returns the result to the front-end APP; at the same time it may start the audit timer and perform login processing, that is, record or cache the login session state (login time, user identifier, session identifier) and start keep-alive tracking of the user's connection state. If the user is detected to be offline, a logout message is received, or the session expiry timer fires, offline or logout processing is performed: the session is closed and the cached session state is cleared. Unit 1014 constructs a registration result message according to the communication protocol, fills in the result and sends it to the front-end APP.
Step S2005, output the registration result. After receiving the result returned by the back-end system, the front-end APP displays it to the user and performs login processing, that is, records the login session state used to construct subsequent protocol messages and starts keep-alive tracking of the connection. Unit 1001 receives the result message, parses it, extracts the result and shows it on the terminal user interface.
The above embodiment describes how a social member registers as a system user. Registration is a precondition for the subsequent user audit and for applying for identity endorsements, and the retained user identity information supports both.
After registration, the back-end system starts the user audit process according to the specific implementation. The audit examines the information the user provided and the system retained, in particular the identity information of the social member corresponding to the user, and is generally performed in the back end. It includes manual verification and service-program-assisted verification. Manual verification covers remote video review, information investigation, review of an individual's digital certificate signature, and on-site face-to-face verification, together with recording and retaining audit evidence such as video, images and audio. Service-program-assisted verification covers querying third parties (a government identity database, an academic credential database, a bank and so on) and remotely reading a perceptual characterization attribute for comparison; for example, the service program transfers a small secret amount to the bank account the user registered or sends a secret verification code to the registered mobile phone and checks the user's reply, or remotely captures a face image or audio, transmits it to the back end, and the back end compares or matches it against the retained attribute.
After the audit the user may further set the endorsement level in use (default: identity verification record) according to their audited identity information; the level is used to classify and manage the authentication approval applicability levels of identity endorsements. Once the audit is complete the user can apply for identity endorsements; the audit is the precondition for generating valid and reliable identity endorsements afterwards.
After the audit the back-end system may also pre-process the user identity information. For example, unit 1018 extracts feature vectors from the perceptual characterization attributes the user provided and stores them in the data storage unit: sample features or feature vectors covering the mouth, nose, eyes and face contour are extracted from the face image of the corresponding social member with an image (shape) recognition algorithm (such as a deep learning convolutional neural network), voice sample features are extracted from audio with a voiceprint recognition algorithm, and handwriting features are extracted from handwriting images with an image (shape) recognition algorithm.
Fig. 3 depicts the main steps of creating or generating an identity endorsement, namely the method of generating an identity endorsement, which specifically comprises:
Step S3001, input the identity endorsement application. The application input is received and checked, an identity endorsement application message is constructed according to the communication protocol and filled with the application information, and the message is sent to the back-end system. The user opens the front-end APP, logs in, enters the application information and submits the application; for example, unit 1001 fills the application information into an HTTPS POST request constructed from the session state and sends it to the back end. The application information may include one or more of the identity approval applicability details, operation control word, endorsement event appendix and civil status indication. The operation control word includes one or more of the identity association (principal binding) characterization type, legal identity type and so on. For example: the identity association characterization type is the face image perceptual feature type; the applicability time window is 1 January 2017 to 31 December 2018; the applicability level is level one or the default level; and the applicability region is the administrative region containing the geographic coordinates read from GPS. The civil status indication includes credit status and highest qualification.
Step S3002, lay out the identity endorsement members. First, the identity endorsement application is accepted: the application message is received, parsed and the application information extracted. Then the identity endorsement members are compiled from the application information. Compiling comprises selecting option sources for the members from the identity information retained in the data storage unit or from the application information (one or more of perceptual characterization attributes or features, genetic characterization (marker) features, extended characterization features, legal identity, civil status and so on) and turning each option source into a member in one or more of the following ways: compressing the option source and configuring the result as a member in TLV format; converting the option source and configuring the result as a member; computing a digest of the option source and configuring the digest as a member; extracting the feature vector of a perceptual characterization attribute and configuring the vector as a member; configuring a pre-extracted perceptual characterization feature vector as a member; padding (aligning) the option source and configuring the result as a member; or setting a default option source and configuring it as a member. Finally, the members are arranged into the endorsement member combination, that is, all completed members are arranged and integrated into a combination in a specified or default format. The combination is an ordered sequence of members in that format and corresponds to a byte stream (sequence); the compile-compress-integrate technique keeps the combination small and light, which is the premise for it to be widely (generally) applicable. The laid-out combination is handed to the next step for privacy or signature processing. Selecting option sources from the data storage unit comprises selecting them with SQL queries keyed on the user identifier, the identity association (principal binding) characterization type and the legal identity type. Setting default option sources includes setting the member values of the operation control items, such as the signature algorithm, hash algorithm and version number members of the operation control word. Laying out the members comprises arranging and integrating them all into the combination according to a format; a specific combination format is {version number}{identity approval applicability rule}{identity association characterization}{legal identity}.
Unit 1014 parses the identity endorsement application message received over HTTPS, extracts the application information, selects the member option sources from unit 1017, lays out the members from the selected option sources, and sends the endorsement to unit 1015 for privacy processing or to unit 1016 for signing. An identity endorsement member typically consists of a type, a length and a value (TLV); for short, lightweight members the type and length may be implicit in the endorsement format rather than present as explicit fields, provided the format fixes them unambiguously for both producer and verifier. The identity association characterization is an authenticatable characterization tightly bound to the signer of the endorsement (principal binding or correspondence). For example, it may be a face image perceptual feature: a set of features including the face contour, or an X-dimensional face feature vector such as a 64-dimensional vector of integers in the range -1 to 1 or -127 to 127, an 80-dimensional vector of integers in the range -127 to 127, or the 68 landmark coordinates of the face contour arranged as a vector array. These features are extracted from the face image in the user's identity information, either in advance or at the time of layout; in the latter case a face image option source is selected from the retained identity information and unit 1018 is called to extract the face features with a deep learning image recognition algorithm (such as a convolutional neural network).
Configuring the face image perceptual characterization as an endorsement member specifically means creating a TLV member whose type is set to face image perceptual characterization, whose length is set to the length of the feature vector array, and whose value is set to the X-dimensional feature vector. Legal identity includes the name and identity card number of an individual social member, or the name and organization code of an organizational social member.
Step S3003, conceal the private identity endorsement members. This step is optional: it is skipped if there is no private member requiring concealment or if the operation control word indicates that private members are not to be concealed. Depending on the implementation, concealment may be folded into the member layout step (S3002); it is presented as an independent step here for clarity. Concealment comprises encrypting the private members with a symmetric or asymmetric algorithm, or computing their digest with a hash algorithm and replacing the value with the digest. For example, unit 1015 encrypts the identity card number value of the legal identity's identity card number member with AES, so that the plaintext value is replaced by the ciphertext; or unit 1015 computes a SHA digest of the name value of the legal identity's name member and replaces the name value with the digest. Unit 1015 then returns the endorsement member combination to unit 1014, which sends it to unit 1016 for signing.
Step S3004, sign the endorsement member combination. The combination is signed with an asymmetric algorithm and the notary key pair to obtain a digital signature, which is configured as the digital signature member and laid out into the combination to obtain the identity endorsement. For example, the combination is hashed to obtain the digest to be signed, the digest is signed with the asymmetric signature algorithm and the private key to obtain the signature value, and the value is configured into the digital signature member and appended at the tail of the endorsement (or substituted into an existing digital signature member). Concretely, the digest may be computed with SHA3 and signed with Ed25519, giving a byte (native) identity endorsement in the format {version number: 1}{applicability rule: 1, 2017010120181231}{longitude and latitude}{face image feature vector}{name and identity card number}{digital signature}. The identity endorsement is thus a byte stream that integrates several members into a whole according to a specified format; the format and member combination, together with the published unified notary public key, identify or trace the prover of the identity credential. Unit 1016 signs the identity endorsement and returns it to unit 1014.
Step S3005, package the identity endorsement. Packaging comprises one or more of expanding the byte (native) endorsement into a visible-character (string) endorsement, encoding the endorsement as a two-dimensional code, and loading the endorsement into a file; the packaged endorsement is convenient to store, transmit and manage. The specifics depend on the implementation: for example, the byte endorsement is converted to a visible-character endorsement with base64; the byte or visible-character endorsement is encoded as a two-dimensional code according to the QR Code standard; the two-dimensional-code endorsement is stored in a Joint Photographic Experts Group (JPEG) or Portable Network Graphics (PNG) file; the visible-character endorsement is stored in a text (txt) or Portable Document Format (PDF) file; and the byte endorsement is stored in a raw byte (binary) file. Unit 1002 performs the packaging according to the control word, which indicates the endorsement format; if there is no explicit indication the default format is used. After packaging, unit 1002 returns the endorsement to unit 1014 or unit 1001.
Step S3006, output the identity endorsement. Unit 1001 receives the endorsement returned by unit 1002 or unit 1014 and outputs it. Output includes recording (storing) the endorsement on the local device, displaying it on the user interface, printing it onto a designated physical carrier, and transmitting it over the network to a designated destination, for example over the Common Internet File System (CIFS) or File Transfer Protocol (FTP), which should run inside an authenticated, encrypted channel since the endorsement carries identity data. Local storage uses a local file store or a local database. For example, unit 1001 displays the two-dimensional-code or visible-character endorsement on the user interface, prints it onto a designated carrier (such as paper), and saves the two-dimensional code, the visible-character endorsement or the endorsement file to a file system or database. Because the endorsement itself is short, the packaged endorsement is not tied to any particular carrier, and the byte (binary) endorsement can also be written directly into an IC (integrated circuit) chip.
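The following block is an added worked example, not code from the patent, that walks steps S3002 to S3005 and the authentication performed by unit 1003 in Python: identity endorsement members laid out as TLV, the name and identity card number concealed by SHA-256 digest replacement, a SHA3-256 digest of the member combination signed with Ed25519, the signature member appended at the tail, the byte stream base64-packaged as a visible-character endorsement, and authentication that verifies the signature over every member except the signature and then applies the time-window and region rule. The type codes, field layouts, region code, and the sample name, identity card number, face feature vector and validity window are constructed for illustration; the Ed25519 routine is a compact pure-Python transcription of RFC 8032 included only so that the block runs with the standard library alone, and a deployment would call a vetted library instead.

```python
import base64
import hashlib
import struct

# Ed25519: compact pure-Python transcription of RFC 8032 (illustrative; not constant-time, not hardened).
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, Q - 2, Q) % Q

def _xrecover(y):                      # x coordinate from y, choosing the even root
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    x = x * pow(2, (Q - 1) // 4, Q) % Q if (x * x - xx) % Q else x
    return Q - x if x & 1 else x
BASE = (_xrecover(4 * pow(5, Q - 2, Q) % Q), 4 * pow(5, Q - 2, Q) % Q)

def _add(p, r):                        # twisted Edwards point addition
    (x1, y1), (x2, y2) = p, r
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(p, e):                        # double-and-add scalar multiplication
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p, e = _add(p, p), e >> 1
    return r

def _enc(p):                           # 32 bytes: little-endian y with the parity of x in the top bit
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")
def _dec(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = _xrecover(y)
    x = Q - x if (x & 1) != (n >> 255) else x
    if (y * y - x * x - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return (x, y)

def _scalar(h):                        # clamp the first half of SHA-512(sk) into the secret scalar
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
def ed25519_publickey(sk):
    return _enc(_mul(BASE, _scalar(hashlib.sha512(sk).digest())))
def ed25519_sign(msg, sk, pk):
    h = hashlib.sha512(sk).digest()
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % L
    R = _enc(_mul(BASE, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little")
    return R + ((r + k * _scalar(h)) % L).to_bytes(32, "little")

def ed25519_verify(sig, msg, pk):
    S = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or len(pk) != 32 or S >= L:   # malformed, or non-canonical (malleable) S
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return _mul(BASE, S) == _add(R, _mul(A, k))

# Endorsement members as TLV (1-byte type, 2-byte big-endian length, value); type codes assumed here.
T_VERSION, T_RULE, T_REGION, T_FACE, T_NAME, T_IDNUM, T_SIG = 1, 2, 3, 4, 5, 6, 0x7F
def tlv(t, v):
    return struct.pack(">BH", t, len(v)) + v
def parse_tlv(blob):
    members, i = [], 0
    while i < len(blob):
        t, n = struct.unpack_from(">BH", blob, i)
        if i + 3 + n > len(blob):
            raise ValueError("truncated member")
        members.append((t, blob[i + 3:i + 3 + n]))
        i += 3 + n
    return members

def conceal(value):                    # S3003: a private value is replaced by its SHA-256 digest.
    return hashlib.sha256(value).digest()   # Enumerable for low-entropy fields: a commitment, not secrecy.

def generate(sk, pk, name, id_num, face_vec, valid_from, valid_to, region):
    # S3002-S3005: lay out members, conceal, sign SHA3-256 of the body, append the signature, base64.
    body = (tlv(T_VERSION, b"\x01")
            + tlv(T_RULE, struct.pack(">II", valid_from, valid_to))   # applicable time window, epoch seconds
            + tlv(T_REGION, region.encode())                          # applicable region code
            + tlv(T_FACE, bytes(x & 0xFF for x in face_vec))          # int8 face feature vector
            + tlv(T_NAME, conceal(name.encode()))
            + tlv(T_IDNUM, conceal(id_num.encode())))
    return base64.b64encode(body + tlv(T_SIG, ed25519_sign(hashlib.sha3_256(body).digest(), sk, pk))).decode()

def authenticate(endorsement, notary_pk, now, region):
    # Unit 1003: verify the signature over every member except the signature member, then the rule.
    raw = base64.b64decode(endorsement)
    members = parse_tlv(raw)
    sig_t, sig = members[-1] if members else (None, b"")
    body = raw[:len(raw) - 3 - len(sig)]
    if sig_t != T_SIG or not ed25519_verify(sig, hashlib.sha3_256(body).digest(), notary_pk):
        return False, "missing or bad signature"
    m = dict(members[:-1])
    start, end = struct.unpack(">II", m[T_RULE])
    if not (start <= now <= end and m[T_REGION].decode() == region):
        return False, "outside applicable time window or region"
    return True, "ok"
```

With a notary key derived from a 32-byte seed (bytes(range(32)) is a constructed seed, not a real key), generate() yields a base64 string that authenticate() accepts inside the window and region and rejects outside them, under a different notary public key, or after a single flipped character; because the concealed members are plain digests, a verifier who already knows a candidate name can confirm it by hashing, which is the caveat noted at step S3003.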
The above embodiment describes the process of generating an identity endorsement. Based on a publicly unified certificate key architecture, and by means of technologies such as pattern recognition algorithms, layout techniques, privacy algorithms and asymmetric key signature algorithms, information such as identity information and permission applicability rules is organically combined, mutually supporting and cooperating, to generate an integrated digital identity endorsement for universal identity proof. All members of the identity endorsement are closely bound into one whole, which greatly improves the convenience, reliability and ease of authentication of the identity endorsement, and the identity endorsement format and member combination use the publicly unified certificate key to identify or trace the prover of the identity credential. The identity endorsement also introduces permission applicability rules, realizing a dynamic permission applicability protection mechanism that limits the time range, geographical range and the like of the sign-as-you-use credential, thereby further preventing the easy misuse of a credential that its universality would otherwise allow. The identity endorsement introduces civil conditions to provide additional transparent information, further strengthening the identity proving capability. Because the identity endorsement no longer contains the plaintext private identity information once its private members have been encrypted, it not only realizes the dynamic (i.e. sign-as-you-use) permission applicability protection and the simple, easy-to-use, closely bound, highly reliable and easily identifiable integrated identity attestation, but further obtains private information protection on top of them.
The following describes the detailed steps of generating an identity endorsement containing an identity password, including in particular:
Step S3011, inputting an identity endorsement application. The user logs in to the system and then submits the application information of the identity endorsement. The input permission applicability level is level two, the identity association characterization type is face image and identity password, the permission applicability time domain is 1 January 2017 to 2 January 2017, and the legal identity identification type is an identity card.
Step S3012, compiling the identity endorsement members. According to the user identifier (the session identifier is extracted from the identity endorsement application message, and the user identifier is selected from the session state cache according to the session identifier), option sources such as the user name, identity card number, preset identity password and face image record are selected from the data storage unit. Compiling the face image identity association characterization includes mapping the face image to an externally accessible internet address of the face image (for example: www.xxx.com/yyyzzz = wwww & aaaa=hhhhh) and configuring that internet address (or hyperlink address) as the identity association characterization member. Compiling the identity password identity association characterization includes generating a random value (NONCE) using a random algorithm, concatenating the NONCE and the identity password to obtain a random password string, hashing the random password string with a hash algorithm to obtain the identity password digest, and then configuring the NONCE and the identity password digest as the identity password member of the identity association characterization. Compiling the legal identity identification includes configuring the name and identity card number as the legal identity identification member. Compiling the identity permission applicability rules includes setting the permission applicability level to 2 and the permission applicability time domain to 2017010120170102. Compiling the operation control word includes setting the version number to 1, the hash algorithm to 3 (representing SHA3), the asymmetric key algorithm to 2 (representing ECC25519), and so on.
The laid-out identity endorsement members are, for example: { version number: 1} { hash algorithm: 3} { asymmetric key algorithm: 2} { permission applicability level: 2} { permission applicability time domain: 2017010120170102} { internet address of face image, NONCE+identity password digest } { name, identity card number } { N-byte blank digital signature }.
Step S3013, encrypt the identity endorsement member. A legal identity member (e.g., name and ID card number) is encrypted using the AES algorithm and a notary key, e.g., the encrypted identity endorsement member is shown as { version number: 1} { hash algorithm: 3} { asymmetric key algorithm: 2} { permission applicability level: 2, permission applicability time domain: 2017010120170102} { Internet address of face image, NONCE+ID password digest } { name and ID card number ciphertext } { N-byte blank digital signature }.
Step S3014, signing the endorsement members. Using SHA3, ECC25519 and the publicly unified certificate key pair, a signature is calculated over the endorsement members { version number: 1} { hash algorithm: 3} { asymmetric key algorithm: 2} { permission applicability level: 2} { permission applicability time domain: 2017010120170102} { internet address of face image } { NONCE+identity password digest } { name and identity card number ciphertext } to obtain the digital signature value, and { N-byte blank digital signature } is replaced by the digital signature value to obtain the identity endorsement.
Step S3015, responding to the identity endorsement application. An identity endorsement application result communication protocol message is constructed, the identity endorsement is filled into it, and the identity endorsement application result message is sent to the front-end APP. The 1014 unit is responsible for constructing and sending the message. Depending on the implementation, the identity password digest may be set to a blank value before the identity endorsement is filled into the communication protocol message.
Step S3016, packaging the identity endorsement. The identity endorsement application result message is received from the network and parsed, the identity endorsement is extracted, expanded into a visible character identity endorsement, grouped into a two-dimensional code identity endorsement, and the identity endorsement two-dimensional code is loaded into a JPEG file. The 1001 unit is responsible for receiving the identity endorsement application result message and extracting the identity endorsement, and hands the identity endorsement to the 1002 unit for encapsulation.
Step S3017, output an identity endorsement. The identity endorsement JPEG file is stored.
The identity endorsement containing an identity password can be used as a reference for manual authentication, and at the same time the identity password must be entered during authentication. This prevents counterfeiting caused by authentication being skipped, and in particular prevents loss to the user caused by skipped authentication when bundled business is handled.
The following describes the detailed steps of generating an identity endorsement containing an endorsement item appendix, the specific implementation comprising:
In step S3021, an identity endorsement application is input. The user logs in to the system, enters the application information and submits it: the input permission applicability level is level one, the identity association characterization type is fingerprint, the permission applicability time domain is 1 January 2017 to 2 January 2017, and the legal identity identification type is an identity card. The endorsement item annex source is a summary of the agreement contract content, for example, a lease contract for house XXX in garden XXX signed with XXX from January 2017 to December 2018, and the endorsement item annex source includes a summary of the permitted item content. The operation control word also carries a tag indicating that the extension characterization contains an address and a telephone number.
In step S3022, the identity endorsement members are compiled. Option sources such as the user name, identity card number, fingerprint feature, address and telephone number are selected from the data storage unit according to the user identifier. Compiling the fingerprint identity association characterization includes configuring the fingerprint feature as the identity association fingerprint member. Compiling the endorsement item annex includes hashing the endorsement item annex source (i.e. the agreement contract content summary) with a hash algorithm (such as SHA3) to obtain the endorsement item digest and configuring the endorsement item digest as the endorsement item annex member. Compiling the address extension characterization includes compressing the address by replacing the address prefix with the administrative domain name, and configuring the compressed address as an extension characterization member.
In step S3023, the members are encrypted. The legal identity identification members (e.g., name and identification number) are encrypted using the ECC25519 algorithm. For example, if the identity card name member of the legal identity identification is in TLV format, the VALUE of the identity card name member (the name) is encrypted using the ECC25519 algorithm to obtain the ciphertext, and the VALUE of the identity card name member is replaced (updated) with that ciphertext.
In step S3024, the identity endorsement member is signed. Signature computation is performed on the identity endorsement member combinations using the ECC25519 and SHA3 algorithms to obtain digital signatures, and the digital signature is configured to the endorsement member combinations to obtain byte (native) identity endorsements.
In step S3025, the identity endorsement is packaged. The byte identity endorsement is expanded into a visible character identity endorsement, the visible character identity endorsement is grouped into a two-dimensional code type identity endorsement, and the identity endorsement two-dimensional code is loaded into a PNG file. The endorsement item annex source is grouped into an endorsement item annex two-dimensional code, and the endorsement item annex two-dimensional code is loaded into a PNG file.
In step S3026, an identity endorsement is output. And printing an identity endorsement two-dimensional code PNG file and an endorsement item annex two-dimensional code PNG file.
The identity endorsement with an endorsement item annex contains the description and declaration of the item, is easy to identify and impossible to impersonate, solves the past difficulty of identifying fingerprint presses and handwritten signatures, and at the same time realizes a dedicated sign-as-you-use credential (one credential, one use) instead of one universal credential, thereby thoroughly solving the problem of credential impersonation.
The following describes the detailed steps for generating vehicle and driver identity endorsements, the specific implementation comprising:
Step S3031, an identity endorsement application is input. The user logs in to the system, enters the application information and submits it: the input permission applicability level is level one, the identity association characterization type is the appearance (shape) feature type, the permission applicability time domain is 1 January 2017 to 31 December 2019, and the legal identity identification type is a driving license. The permission applicable object is the driver's identity endorsement. The civil conditions include vehicle health, vehicle credit and vehicle violations.
Step S3032, the identity endorsement members are compiled. Option sources such as the vehicle engine number, vehicle health condition, vehicle credit condition and vehicle violation condition are selected from the data storage unit according to the user identifier and the license plate number. Compiling the identity association characterization includes creating a path for accessing the image of the vehicle appearance (shape) corresponding to the license plate number in the database, formatting the path into an externally accessible internet address, and configuring the internet address as the identity association characterization member. Compiling the legal identity identification includes configuring the license plate number and the vehicle engine number as legal identity identification members. Compiling the permission applicable object includes restoring the driver's identity endorsement to byte form and then configuring the byte identity endorsement as the permission applicable object member. Compiling the civil conditions includes configuring them in TLV form, such as good vehicle health, good vehicle credit, no vehicle violation record, and the like, as the civil condition members.
Step S3033, the private identity members are encrypted. The legal identity identification member (e.g., the vehicle engine number) is encrypted using the ECC25519 algorithm. For example, if the identity member is in TLV format, the VALUE of the legal identity identification member (the vehicle engine number) is encrypted using the ECC25519 algorithm and the public key to obtain the ciphertext, and the VALUE of the legal identity identification member is updated (replaced) with that ciphertext.
Step S3034, signing the endorsement members. A signature is calculated over the endorsement member combination using the ECC25519 and SHA3 algorithms to obtain the digital signature, and the digital signature is configured into the endorsement member combination to obtain the identity endorsement. For example, the 1016 unit computes the signature digest using the SHA3 algorithm, signs the digest using the ECC25519 algorithm and the publicly unified certificate private key to obtain the digital signature, and lays out the digital signature member into the endorsement member combination to obtain the identity endorsement.
Step S3035, the identity endorsement is packaged. The byte identity endorsement is expanded into a visible character identity endorsement, the visible character identity endorsement is grouped into a two-dimensional code type identity endorsement, and the identity endorsement two-dimensional code is loaded into a PNG file.
Step S3036, the identity endorsement is output. And printing the identity endorsement two-dimensional code PNG file.
The identity endorsement comprises permission applicable object members, limits the application range of the identity endorsement, is bound with the physical appearance (shape), is easy to identify, and cannot be used falsely.
FIG. 4 depicts an embodiment of the authentication identity endorsement step, which includes:
In step S4001, an identity endorsement is entered. Methods of entering an identity endorsement include, but are not limited to, camera reading, Bluetooth reading, WiFi reading, keyboard entry, and the like. For example, a user starts the camera through the front-end APP, scans the identity endorsement two-dimensional code image, converts the two-dimensional code image into an identity endorsement, and restores it to a byte identity endorsement. After the 1001 unit scans the two-dimensional code image of the identity endorsement, the image is handed over to the 1002 unit to translate the two-dimensional code and/or restore the identity endorsement to a byte (native) identity endorsement.
Step S4002, verifying the digital signature of the identity endorsement. The digital signature of the identity endorsement is decrypted (verified) according to the asymmetric key algorithm using the notary public key to obtain the signature digest; the other members of the identity endorsement, excluding the digital signature, are hashed according to the hash algorithm to obtain the verification digest. If the verification digest is consistent with the signature digest, the signature verification succeeds; otherwise it fails (because the digital signature is invalid) and processing goes to step S4005. The specific asymmetric key algorithm and hash algorithm are determined by the operation control word of the identity endorsement; if the operation control word does not specify them, the system's default algorithm types are used. Verification of the digital signature uses the public key of the publicly unified asymmetric key algorithm, such as the publicly unified certificate public key preset in the 1003 unit of the front-end APP.
Step S4003, identifying the signer associated with the identity endorsement. This includes identifying whether the identity association (subject-linked) characterization matches the signer (whether the credential corresponds to its holder), by manual identification verification and/or program-assisted identification verification. Manual verification includes confirming whether the face image perception characterization matches the signer, whether the contact information matches the signer, whether the location address matches the address where the signer is located, and so on. Program-assisted verification includes perception characterization feature matching, password matching, and so on. For example, when the perception characterization feature is a fingerprint, the identifier inputs (or reads) the signer's fingerprint through a fingerprint device and matches it against the fingerprint feature of the identity association characterization member of the identity endorsement; if the fingerprint features are similar the authentication succeeds, otherwise it fails (because of identity mismatch) and processing goes to step S4005. When the perception characterization feature is a face image, the identifier may capture the face image of the signer (the natural person) on site through optical equipment such as a camera, or capture a digital or paper photo of the signer; the feature recognition unit extracts the face image feature points or feature vectors of the signer from the face image using an image recognition algorithm and matches them against the face image feature of the identity association characterization member. If they match, the authentication succeeds; otherwise it fails (because of identity mismatch) and processing goes to step S4005. As a specific implementation, the front-end APP further includes a feature recognition unit 1004, which holds a pre-trained convolutional neural network; the face image is input to the convolutional neural network to extract an X-dimensional feature vector, the Euclidean distance between the face image feature of the identity association characterization and the X-dimensional feature vector of the face image being identified is calculated, and if the Euclidean distance is smaller than a specified threshold the match succeeds, otherwise it fails.
Step S4004, checking the identity permission applicability rules, which includes one or more of checking the identity permission applicability level, the identity permission applicability time domain, the identity permission applicability region, the identity permission applicability object, and the like; this step is optional depending on the implementation. Checking the identity permission applicability time domain includes detecting whether the permission applicability time domain of the identity endorsement contains the authentication time; the permission validity period is typically implemented as a time range, such as 2016-12-01 to 2016-12-31. Checking the permission applicability level includes detecting whether the permission applicability level of the identity endorsement is lower than the level required for the permitted endorsement; if it is lower, the check fails (reason: the permission applicability level is invalid). Checking the permission applicability region includes detecting whether the current authentication geographic location is included in the permission applicability region; if it is not, the authentication fails (because the permission applicability region is invalid). For example, if the region is Beijing and the authentication location is not in Beijing, the authentication fails. Checking the permission applicability object includes detecting whether the authenticator is the authorized object of the identity endorsement or the destination object permitted for authentication.
Step S4005, outputting the authentication result. The front-end APP displays or records the identification result. The front-end APP1003 unit returns the authentication result to 1001 unit, and 1001 unit displays or records the authentication result, for example, records authentication success and authentication time or displays authentication failure and failure cause.
The identification method of the identity endorsement, through the cooperation of publicly unified signature verification, identification of the signer associated with the identity endorsement, checking of the permission applicability rules and the like, makes identity authentication and identification between the two communicating parties simple and reliable and provides dynamic permission-on-use protection. In particular, because the identity association characterization member used to identify the associated signer is closely bound with the other identity endorsement members into one whole, the integrated identity endorsement greatly improves the reliability and ease of authentication of identity verification and effectively prevents misuse of the identity endorsement. The identification method also performs reliable and accurate identity authentication without needing the private identity information, which resolves the conflict between privacy (private information) protection and identity authentication and effectively protects private identity information.
Fig. 5 illustrates an embodiment of the step of secret identity endorsement, which includes:
In step S5001, a secret uncovering identity endorsement application is input. A user logs in to the identity endorsement system through the front-end APP, inputs the identity endorsement and submits a secret uncovering identity endorsement application. For example, the user inputs a user identifier and login password through the 1001 unit of the front-end APP to log in to the identity endorsement system, starts the camera to scan the identity endorsement two-dimensional code image and converts it to obtain the byte (native) identity endorsement; an identity endorsement application message is then constructed according to the login session state (for example, an HTTPS POST message is created and the session identifier is filled into the POST message header), the identity endorsement obtained from the scan is filled into the message body (Body) of the application message, and finally the application message carrying the identity endorsement is sent to the background system.
Step S5002, accepting the secret uncovering identity endorsement application. The background system receives the secret uncovering identity endorsement application message containing the identity endorsement, parses it to obtain the session identifier and the identity endorsement, selects the logged-in user's identifier from the session state buffer according to the session identifier, and then checks according to the user identifier whether the applying user has secret uncovering authority for the identity endorsement; if the user does not have that authority, processing goes to step S5005 to respond with a secret uncovering failure (reason: no secret uncovering authority). The 1014 unit is responsible for receiving the secret uncovering identity endorsement application message and parsing it to obtain the session identifier and the identity endorsement, then selecting the user's secret uncovering authority from the data storage unit according to the user identifier; if the user does not have the authority, it responds with a secret uncovering failure result, and if the user has the authority, it invokes the 1016 unit to verify the digital signature of the identity endorsement.
Step S5003, verifying the digital signature of the identity endorsement. The background system verifies the digital signature of the identity endorsement using the asymmetric cryptographic algorithm specified by the operation control word of the identity endorsement (or the default asymmetric cryptographic algorithm) and the notary public key. The 1014 unit passes the identity endorsement and invokes or informs the 1016 unit to verify the digital signature; the 1016 unit verifies the digital signature and returns the verification result to the 1014 unit. If the verification fails, processing goes directly to step S5005 to respond with a secret uncovering failure (because the digital signature of the identity endorsement is invalid); otherwise, the 1015 unit is invoked to decrypt the identity endorsement.
In step S5004, the encrypted (ciphertext) identity endorsement member is decrypted. The background system uses a key algorithm and the unified key to decrypt the encrypted (ciphertext) identity endorsement member and obtain its plaintext; the key algorithm type is determined by the encryption algorithm type in the operation control word of the identity endorsement or by the default algorithm. For example, if the member was encrypted with a symmetric encryption algorithm it is decrypted with the symmetric key, and if it was encrypted with an asymmetric encryption algorithm it is decrypted with the private key of the asymmetric key pair. The 1014 unit passes the identity endorsement and the unified key (the symmetric key or the private key of the asymmetric key pair) and invokes or informs the 1015 unit to decrypt the encrypted (ciphertext) identity endorsement member; the 1015 unit returns the decrypted plaintext (value) of the member (e.g., name and identification card number) to the 1014 unit.
In step S5005, the secret uncovering identity endorsement result is returned. The background system builds the response message, fills the secret uncovering result into it, and sends it to the front-end APP. The 1015 unit is responsible for constructing the response message according to the received message type and the communication protocol requirements, filling in the secret uncovering result (secret uncovering failure and reason, or secret uncovering success and the plaintext of the encrypted (ciphertext) identity endorsement member), and sending the message to the front-end APP.
Step S5006, outputting the secret uncovering identity endorsement result. The front-end APP receives the secret uncovering identity endorsement result message from the network, parses it, extracts the secret uncovering result and outputs it, for example by printing, recording or displaying the plaintext of the secret information. The 1001 unit of the front-end APP is responsible for receiving the result message, parsing it and outputting the result; for example, the 1001 unit displays and/or records the plaintext of the encrypted members after secret uncovering, or the secret uncovering failure result, or displays the identity endorsement.
The secret uncovering method of the identity endorsement guarantees the legal authority of the identity endorsement as a general identity document and the due archival persistence of the identity document (credential), allows follow-up complaints (backtracking) after the identity endorsement has been used, and reasonably and effectively eliminates the conflict between private information (privacy) protection and the traceability of the identity document. The identity endorsement thus both protects the private identity information well and fully maintains the essential characteristics of everyday general identity evidence (credentials). The authority to uncover the secrets of an identity endorsement is strictly limited: only a user belonging to an organization that is publicly trusted and holds the specified qualification has that authority, generally a user corresponding to a trusted organization such as a government department or a court, thereby effectively protecting private information while maintaining the traceability of the identity evidence.
Although the foregoing is only a preferred embodiment of the present invention, the scope of the embodiment of the present invention is not limited thereto, and any changes or substitutions that are easily contemplated by those skilled in the art within the technical scope of the embodiment of the present invention should be covered by the scope of the embodiment of the present invention. Therefore, the protection scope of the embodiments of the present invention should be subject to the protection scope of the claims.

Claims (10)

1. A method of generating an identity endorsement, comprising the steps of:
Accepting an identity endorsement application;
Compiling identity endorsement members according to the identity endorsement application;
Layout identity endorsement members are endorsement member combinations;
And using an asymmetric key algorithm and a public certificate private key signature endorsement member to combine to obtain a digital signature, and configuring the digital signature to the endorsement member to combine to obtain an identity endorsement.
2. The method of claim 1, wherein prior to accepting the identity endorsement application, further comprising:
An identity endorsement application is entered, wherein entering the identity endorsement application comprises entering the identity endorsement application information and distributing the identity endorsement application information for processing.
3. The method of claim 1, wherein accepting an identity endorsement application comprises:
And receiving and generating an identity endorsement application message, analyzing the identity endorsement application message and extracting the identity endorsement application information from the identity endorsement application message.
4. The method of claim 1, wherein compiling the identity endorsement member based on the identity endorsement application comprises:
And selecting an option source of the identity endorsement member from the reserved identity information or the identity endorsement application information according to the identity endorsement application, and compiling the option source as the identity endorsement member.
5. The method of claim 4, wherein the programming option source is an identity endorsement member comprising:
calculating a digest of the random value and/or the password by using a hash algorithm, and configuring the digest as an identity endorsement member;
Extracting the characteristics of the perception characterization attribute by using a pattern recognition algorithm, and configuring the characteristics of the perception characterization attribute as identity endorsement members;
The mapping option source is an internet address, and the internet address is configured as one or more of the identity endorsement members.
6. The method of claims 1, 4 and 5, wherein the identity endorsement member comprises:
One or more of legal identity identification, identity permission applicable rules, identity association characterization, endorsement item annex and the like, wherein the legal identity identification comprises one or more of legal name, legal card number and the like without limitation,
The identity association characterization includes but is not limited to one or more of identity association sensing characterization, identity association gene characterization, identity association extension characterization and the like,
The identity permission applicability rule comprises one or more of an identity permission applicability level, an identity permission applicability time domain, an identity permission applicability region, an identity permission applicability object and the like.
7. A method according to claims 1, 4, 5, and 6 wherein said compiling an identity endorsement member according to the identity endorsement application includes, but is not limited to:
selecting identity permission application rule information from the identity endorsement application, and configuring the identity permission application rule information as an identity permission application rule member;
according to the identity endorsement application, a legal identity is selected from the reserved identity information, and the legal identity is configured as a legal identity member;
And selecting identity association characterization from the retained identity information according to the identity endorsement application, and configuring the identity association characterization as one or more of identity association characterization members and the like. The identity association characterization is selected from the retained identity information according to the identity endorsement application, and the configuration of the identity association characterization as the identity association characterization member further comprises:
According to the identity endorsement application, the identity association characterization feature pre-extracted by a pattern recognition algorithm is selected from the reserved identity information, and the identity association characterization feature is configured as an identity association characterization member;
According to the identity endorsement application, selecting identity association characterization attributes from the reserved identity information, extracting the identity association characterization attributes by using a pattern recognition algorithm to obtain identity association characterization features, and configuring the identity association characterization features as identity association characterization members;
And selecting identity association characterization attributes from the reserved identity information according to the identity endorsement application, mapping the identity association characterization attributes to network addresses, and configuring the network addresses to one or more of identity association characterization members.
8. The method of claim 1, wherein the layout identity endorsement member is an endorsement member combination and further comprising a privacy identity endorsement member. The secret identity endorsement member includes encrypting the secret identity endorsement member by using a key algorithm or calculating the digest of the secret identity endorsement member by using a hash algorithm and replacing and updating, and the secret identity endorsement member includes one or more of legal names, legal card numbers and the like.
9. The method of claim 1, wherein configuring the digital signature to be combined with the endorsement member to obtain the identity endorsement further comprises encapsulating the identity endorsement. The packaging identity endorsement comprises one or more of converting byte identity endorsement expansion into visible character identity endorsement, converting identity endorsement grouping into two-dimensional code type identity endorsement, loading and processing identity endorsement into file and the like.
10. The method according to claim 1 or 9, wherein said packaging identity endorsement is further followed by:
and outputting the identity endorsement. The output identity endorsement comprises one or more of displaying the identity endorsement, printing the identity endorsement, recording and storing the identity endorsement and the like.
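The following Go program is an added worked example and not code from the patent or its applicant. It runs claim 1 end to end (take the applied-for permission rules, compile the members, lay them out, sign, configure the signature, encapsulate as visible characters as in claim 9), then the verification a relying party performs, and finally the restricted uncovering step the description above reserves for qualified organizations. Everything concrete is an assumption the patent leaves open: JSON as the member layout, Ed25519 standing in for the asymmetric algorithm behind the public certificate, base64 as the visible-character encapsulation, and a salted SHA-256 digest, with the salt kept only in the issuer's retained record, as the privacy member of claim 8. All identifiers (`RetainedIdentity`, `issue`, `verify`, `uncover` and so on) and the sample name, card number and rules are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// RetainedIdentity is the issuer's retained identity information (claim 7). It never leaves the
// issuer; Salt is the random value (claim 5) the issuer binds to one endorsement.
type RetainedIdentity struct {
	LegalName, CardNumber string
	Salt                  []byte
}

// Endorsement is the member combination (claim 1) with the digital signature configured on it.
// Field order fixes the signed bytes; Signature is empty while those bytes are signed.
type Endorsement struct {
	LegalNameDigest      string `json:"legal_name_digest"`  // privacy member (claim 8)
	CardNumberDigest     string `json:"card_number_digest"` // privacy member (claim 8)
	Level, Region, Until string // identity permission applicability rules (claim 6)
	Signature            string `json:"signature,omitempty"`
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newIssuerKey stands in for the key pair behind the issuer's public certificate (assumption).
func newIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(mustRandom(ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// privacyDigest replaces a legal identifier by a salted SHA-256 digest. Unsalted, the digest of
// a name or card number is recovered by enumeration, which is why the salt is never a member.
func privacyDigest(salt []byte, value string) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), value...))
	return base64.StdEncoding.EncodeToString(h[:])
}

// issue compiles the members (rules from the application, digests from the retained record),
// signs them, configures the signature and encapsulates the bytes as visible characters (claims 1, 9).
func issue(priv ed25519.PrivateKey, id RetainedIdentity, e Endorsement) (string, error) {
	e.LegalNameDigest = privacyDigest(id.Salt, id.LegalName)
	e.CardNumberDigest = privacyDigest(id.Salt, id.CardNumber)
	e.Signature = ""
	payload, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	e.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload))
	raw, err := json.Marshal(e)
	return base64.StdEncoding.EncodeToString(raw), err
}

// verify decapsulates an endorsement and checks its signature against a public key the verifier
// already trusts (the issuer's certificate), never against a key carried inside the endorsement.
func verify(pub ed25519.PublicKey, encoded string) (Endorsement, bool) {
	var e Endorsement
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || json.Unmarshal(raw, &e) != nil {
		return Endorsement{}, false
	}
	sig, sigErr := base64.StdEncoding.DecodeString(e.Signature)
	e.Signature = ""
	payload, err := json.Marshal(e)
	if sigErr != nil || err != nil || !ed25519.Verify(pub, payload, sig) {
		return Endorsement{}, false
	}
	return e, true
}

// uncover is the step reserved for a qualified organisation: with the retained record it
// re-derives the digests and traces the endorsement to an identity that never appeared in it.
func uncover(e Endorsement, id RetainedIdentity) bool {
	return e.LegalNameDigest == privacyDigest(id.Salt, id.LegalName) &&
		e.CardNumberDigest == privacyDigest(id.Salt, id.CardNumber)
}

func main() {
	pub, priv := newIssuerKey()
	id := RetainedIdentity{"Zhang San", "110101199001011234", mustRandom(32)} // constructed sample
	enc, err := issue(priv, id, Endorsement{Level: "2", Region: "CN-11", Until: "2026-12-31"})
	if err != nil {
		panic(err)
	}
	e, ok := verify(pub, enc)
	fmt.Println(enc, "\nverifies:", ok, "uncovered:", uncover(e, id))
}
```

Two design points worth noting. Uncovering succeeds only for whoever holds the retained record with its salt, which is what technically confines the step to the qualified organization; with an unsalted digest the card-number member would be reversible by enumerating the number space, so the salt rather than the hash carries the privacy. `verify` takes the issuer's public key as a parameter on purpose: a key embedded in the endorsement would let anyone mint endorsements that verify against themselves. The encryption alternative of claim 8, under which the qualified organization decrypts the member directly instead of matching digests, is not shown.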
CN202411793639.XA 2017-01-13 2017-12-26 A method for generating identity endorsement and a management system Pending CN120281501A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411793639.XA CN120281501A (en) 2017-01-13 2017-12-26 A method for generating identity endorsement and a management system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201710032938 2017-01-13
CN201711443105.4A CN108304701A (en) 2017-01-13 2017-12-26 A method and system for generating an identity signature
CN202411793639.XA CN120281501A (en) 2017-01-13 2017-12-26 A method for generating identity endorsement and a management system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201711443105.4A Division CN108304701A (en) 2017-01-13 2017-12-26 A method and system for generating an identity signature

Publications (1)

Publication Number Publication Date
CN120281501A true CN120281501A (en) 2025-07-08

Family

ID=62867561

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202411793639.XA Pending CN120281501A (en) 2017-01-13 2017-12-26 A method for generating identity endorsement and a management system
CN201711443105.4A Pending CN108304701A (en) 2017-01-13 2017-12-26 A method and system for generating an identity signature

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201711443105.4A Pending CN108304701A (en) 2017-01-13 2017-12-26 A method and system for generating an identity signature

Country Status (1)

Country Link
CN (2) CN120281501A (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109582927B (en) * 2018-12-06 2023-07-04 公安部交通管理科学研究所 Text endorsement layout generation method, device and system of card type certificate
CN109598247B (en) * 2018-12-07 2022-09-06 黑龙江大学 Two-dimensional code identity authentication method based on vein image detail point and grain characteristics
JP7526655B2 (en) * 2020-12-10 2024-08-01 富士通株式会社 Information processing program, information processing method, information processing device, and information processing system
CN114398102B (en) * 2022-01-18 2023-08-08 杭州米络星科技(集团)有限公司 Application package generation method and device, compiling server and computer readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075316A (en) * 2007-06-25 2007-11-21 陆航程 Method for managing electronic ticket trade certification its carrier structure, system and terminal
US20120138679A1 (en) * 2010-12-01 2012-06-07 Yodo Inc. Secure two dimensional bar codes for authentication
CN103593618A (en) * 2013-10-28 2014-02-19 北京实数科技有限公司 Verification method and system for adoptability of electronic data evidence
CN105913358A (en) * 2016-03-31 2016-08-31 程卫中 Self-service service system for basic service of public security organization
CN106097223B (en) * 2016-06-15 2020-05-08 广州市华标科技发展有限公司 A certificate declaration management system and declaration management method

Also Published As

Publication number Publication date
CN108304701A (en) 2018-07-20

Similar Documents

Publication Publication Date Title
US11895239B1 (en) Biometric electronic signature tokens
US11671267B2 (en) System and method for verifying an identity of a user using a cryptographic challenge based on a cryptographic operation
KR102545407B1 (en) Distributed document and entity validation engine
KR101853610B1 (en) Digital signature authentication system based on biometric information and digital signature authentication method thereof
US7024562B1 (en) Method for carrying out secure digital signature and a system therefor
US7840034B2 (en) Method, system and program for authenticating a user by biometric information
US10320807B2 (en) Systems and methods relating to the authenticity and verification of photographic identity documents
KR100486062B1 (en) Biometric certificates
US20240214392A1 (en) Unified authentication system for decentralized identity platforms
CN106656511A (en) Method and system for uniformly managing identity endorsement
US11681787B1 (en) Ownership validation for cryptographic asset contracts using irreversibly transformed identity tokens
CN120281501A (en) A method for generating identity endorsement and a management system
KR20110113205A (en) How to safely create a virtual majority joint contract that can be physically represented
CN118133357B (en) Multi-source information fusion electronic signature generation and anti-counterfeiting method and system
CN117981272A (en) Decentralized zero-trust identity verification and authentication system and method
US8316454B2 (en) Method and system for protection of user information registrations applicable in electoral processes
WO2023239760A1 (en) Computer-implemented user identity verification method
KR102250732B1 (en) Method of registering and retrieving customer information
Singhal Security analysis of aadhaar authentication process and way forward
Mohamed et al. Protecting wireless data transmission in mobile application systems using digital watermarking technique
US12395354B1 (en) Multi-layered verification of digital appearances
RU2787577C2 (en) Signing device and signing method
EP4193283B1 (en) Method for generating a secure digital document stored on a mobile terminal and associated with a digital identity
US11764970B2 (en) Method of verifying partial data based on collective certificate
WO2024261467A1 (en) Recording a reference to a document

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination