Method, device, and system for identity authentication
First Claim
1. An identity authentication method, comprising:
1) transmitting, by a first authenticator, a first identity authentication message to a second authenticator, wherein the first identity authentication message comprises a first time-varying parameter which is generated by the first authenticator;
2) transmitting, by the second authenticator, a second identity authentication message to an authentication server, wherein the second identity authentication message comprises an identification of a security domain in which the second authenticator is located, wherein the security domain is a logical partition with a boundary in which the second authenticator and at least one entity share certain public authentication information which is a public key, the second authenticator and the at least one entity in the security domain each has own private authentication information which is used to generate the identity authentication information for authenticating the entity by other authentication device, and the private authentication information is a private key or an anonymous signature secret key;
3) verifying, by the authentication server, after having received the second identity authentication message, legality of the security domain in which the second authenticator is located according to the second identity authentication message, to generate a verification result for the security domain in which the second authenticator is located;
4) returning, by the authentication server, a third identity authentication message to the second authenticator, wherein the third identity authentication message comprises the verification result for the security domain in which the second authenticator is located and the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authenticator is located;
5) transmitting, by the second authenticator, after having received the third identity authentication message, a fourth identity authentication message to the first authenticator, wherein the fourth identity authentication message comprises the identification of the security domain in which the second authenticator is located, the verification result for the security domain in which the second authenticator is located, the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authenticator is located and the identity authentication information of the second authenticator for the information including an identifier of the first authenticator and the first time-varying parameter; and
6) verifying, by the first authenticator, after having received the fourth identity authentication message, the fourth identity authentication message including verifying the first time-varying parameter in the fourth identity authentication message, and determining legality of an identity of the second authenticator according to the verification result, wherein the step 6) comprises steps of:
6.1) verifying, by the first authenticator, whether the identity authentication information of the authentication server is valid; proceeding to step 6.2) in a case that the identity authentication information of the authentication server is valid; or otherwise, determining that the second authenticator is illegal;
6.2) proceeding to step 6.3) in a case that the security domain in which the second authenticator is located is determined by the first authenticator to be legal according to the verification result for the security domain in which the second authenticator is located; or otherwise determining that the second authenticator is illegal; and
6.3) acquiring, by the first authenticator, the public authentication information of the security domain in which the second authenticator is located, verifying whether the identity authentication information of the second authenticator is valid according to the public authentication information, and checking whether the identifier of the first authenticator is the same as the identifier of the first authenticator included in the identity authentication information of the second authenticator; determining that the second authenticator is legal, in a case that the identity authentication information of the second authenticator is valid and the identifier of the first authenticator is the same as the identifier of the first authenticator included in the identity authentication information of the second authenticator; or otherwise, determining that the second authenticator is illegal.
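The four-message flow of claim 1 and the first authenticator's checks 6.1 to 6.3, as an added simulation that is not the patent's own code. HMAC tags stand in for the signatures (the patent's private-key or anonymous-signature authentication information), and all keys, identifiers and domain names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed key material (added example, not the patent's code). In the claimed
# scheme the server and each domain member hold private keys or anonymous-signature
# keys and verifiers hold the matching public information; symmetric HMAC keys stand
# in for both so the example runs offline.
SERVER_KEY = b"constructed-server-key"
DOMAIN_PUBLIC_INFO = {"domain-X": b"constructed-domain-X-key"}  # per security domain
SERVER_KNOWN_DOMAINS = {"domain-X"}  # domains the server will report as legal


def auth_info(key: bytes, *fields: str) -> str:
    """Stand-in for 'identity authentication information' over the given fields."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def auth_info_ok(key: bytes, info: str, *fields: str) -> bool:
    return hmac.compare_digest(info, auth_info(key, *fields))


class FirstAuthenticator:
    def __init__(self, ident: str):
        self.id, self.nonce = ident, None

    def message1(self) -> dict:
        self.nonce = secrets.token_hex(16)  # first time-varying parameter
        return {"nonce": self.nonce}

    def verify_message4(self, m4: dict) -> bool:
        if m4["nonce"] != self.nonce:  # step 6: time-varying parameter must be ours
            return False
        if not auth_info_ok(SERVER_KEY, m4["server_info"], m4["domain"], m4["result"]):
            return False  # 6.1: server's authentication information is invalid
        if m4["result"] != "legal":
            return False  # 6.2: server judged the second authenticator's domain illegal
        pub = DOMAIN_PUBLIC_INFO.get(m4["domain"])
        if pub is None or not auth_info_ok(pub, m4["b_info"], m4["signed_id"], m4["nonce"]):
            return False  # 6.3: second authenticator's authentication information invalid
        return m4["signed_id"] == self.id  # 6.3: identifier of the first authenticator matches


class SecondAuthenticator:
    def __init__(self, domain: str, key: bytes):
        self.domain, self.key = domain, key

    def message2(self, m1: dict) -> dict:
        return {"domain": self.domain, "nonce": m1["nonce"]}

    def message4(self, m1: dict, m3: dict, peer_id: str) -> dict:
        return {"domain": self.domain, "nonce": m1["nonce"], "result": m3["result"],
                "server_info": m3["server_info"], "signed_id": peer_id,
                "b_info": auth_info(self.key, peer_id, m1["nonce"])}


class AuthenticationServer:
    def message3(self, m2: dict) -> dict:
        result = "legal" if m2["domain"] in SERVER_KNOWN_DOMAINS else "illegal"
        return {"result": result, "nonce": m2["nonce"],
                "server_info": auth_info(SERVER_KEY, m2["domain"], result)}


def run(domain="domain-X", b_key=b"constructed-domain-X-key", tamper_id=False, replay=False):
    """One protocol run; returns the first authenticator's legality decision about B."""
    a = FirstAuthenticator("A")
    b = SecondAuthenticator(domain, b_key)
    m1 = a.message1()
    m3 = AuthenticationServer().message3(b.message2(m1))
    m4 = b.message4(m1, m3, "C" if tamper_id else "A")  # tamper: bind a different verifier id
    if replay:
        m4["nonce"] = "stale-nonce"  # a replayed message4 carries an old time-varying parameter
    return a.verify_message4(m4)


if __name__ == "__main__":
    print(run(), run(tamper_id=True), run(replay=True), run(domain="domain-Y"))
```

Each failing run exercises a different check: the wrong identifier is caught by the identifier comparison in 6.3, a stale nonce by the time-varying parameter check, an unknown domain by 6.2, and a key outside the domain by the authentication-information check in 6.3.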
Abstract
The present invention relates to the field of identity authentication. Provided are a method, device, and system for identity authentication, solving the technical problem that existing identity authentication technologies are incapable of protecting personal privacy, and that authentication technologies involving personal privacy must provide a traceability feature. The method for identity authentication mainly comprises: a first authenticator transmitting a first identity authentication message to a second authenticator; the second authenticator transmitting a second identity authentication message to an authentication server; the authentication server verifying the validity of the security domain in which the second authenticator is located on the basis of the second identity authentication message; the authentication server returning a third identity authentication message to the second authenticator; and, when the third identity authentication message is received by the second authenticator, the second authenticator transmitting a fourth identity authentication message to the first authenticator.
18 Claims
14. A first authentication device, comprising:
a transmitting unit configured to transmit a first identity authentication message, the first identity authentication message comprising a first time-varying parameter which is generated by the first authentication device, to a second authentication device in a security domain which is a logical partition with a boundary in which the second authentication device and at least one entity share certain public authentication information which is a public key, wherein the second authentication device and the at least one entity in the security domain each has own private authentication information which is used to generate the identity authentication information for authenticating the entity by other authentication device, and wherein the transmitting unit comprises a transmitter, and the private authentication information is a private key or an anonymous signature secret key;
a receiving unit configured to receive a fourth identity authentication message comprising the first time-varying parameter returned from the second authentication device, wherein the receiving unit comprises a receiver, and wherein the fourth identity authentication message further comprises the identification of the security domain in which the second authentication device is located, the verification result for the security domain in which the second authentication device is located, the identity authentication information of an authentication server for the information including the verification result for the security domain in which the second authentication device is located and the identity authentication information of the second authentication device for the information including an identifier of the first authentication device; and
a verification unit configured to verify the fourth identity authentication message comprising verification of the first time-varying parameter and determine the legality of the identity of the second authentication device according to the verification result, wherein the verification unit comprises a processor and a memory, and the verification unit is implemented when instructions stored in the memory are performed by the processor, and wherein the processor is configured to:
6.1) verify whether the identity authentication information of the authentication server is valid; proceed to step 6.2) in a case that the identity authentication information of the authentication server is valid; or otherwise, determine that the second authentication device is illegal;
6.2) proceed to step 6.3) in a case that the security domain in which the second authentication device is located is determined by the first authentication device to be legal according to the verification result for the security domain in which the second authentication device is located; or otherwise determine that the second authentication device is illegal; and
6.3) acquire the public authentication information of the security domain in which the second authentication device is located, verify whether the identity authentication information of the second authentication device is valid according to the public authentication information, and check whether the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; determine that the second authentication device is legal, in a case that the identity authentication information of the second authentication device is valid and the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; or otherwise, determine that the second authentication device is illegal.
16. A second authentication device, comprising:
a transmitting unit configured to transmit a second identity authentication message comprising a first time-varying parameter to an authentication server, wherein the second identity authentication message comprises an identification of a security domain in which the second authentication device is located, wherein the transmitting unit comprises a transmitter, the security domain is a logical partition with a boundary in which the second authentication device and at least one entity share certain public authentication information which is a public key, and the second authentication device and the at least one entity in the security domain each has own private authentication information which is used to generate the identity authentication information for authenticating the entity by other authentication device, and the private authentication information is a private key or an anonymous signature secret key;
a receiving unit configured to: receive a first identity authentication message sent by a first authentication device, wherein the first identity authentication message comprises the first time-varying parameter, wherein the first time-varying parameter is generated by the first authentication device; and receive a third identity authentication message comprising the first time-varying parameter returned from the authentication server, wherein the receiving unit comprises a receiver, and wherein the third identity authentication message comprises a verification result for the security domain in which the second authentication device is located and the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authentication device is located;
wherein after the receiving unit has received the third identity authentication message returned from the authentication server, the transmitting unit transmits a fourth identity authentication message comprising the first time-varying parameter to the first authentication device, the fourth identity authentication message comprises the identification of the security domain in which the second authentication device is located, the verification result for the security domain in which the second authentication device is located, the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authentication device is located and the identity authentication information of the second authentication device for the information including an identifier of the first authentication device and the first time-varying parameter, and wherein the fourth identity authentication message is verified and a legality of the second authentication device is determined by the first authentication device by the following steps of:
6.1) verifying whether the identity authentication information of the authentication server is valid; proceeding to step 6.2) in a case that the identity authentication information of the authentication server is valid; or otherwise, determining that the second authentication device is illegal;
6.2) proceeding to step 6.3) in a case that the security domain in which the second authentication device is located is determined by the first authentication device to be legal according to the verification result for the security domain in which the second authentication device is located; or otherwise determining that the second authentication device is illegal; and
6.3) acquiring the public authentication information of the security domain in which the second authentication device is located, verifying whether the identity authentication information of the second authentication device is valid according to the public authentication information, and checking whether the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; determining that the second authentication device is legal, in a case that the identity authentication information of the second authentication device is valid and the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; or otherwise, determining that the second authentication device is illegal.
18. An authentication server, comprising:
a receiving unit configured to receive a second identity authentication message comprising a first time-varying parameter sent by a second authentication device, wherein the receiving unit comprises a receiver, wherein the first time-varying parameter is generated by a first authentication device, and wherein the second identity authentication message comprises an identification of a security domain in which the second authentication device is located;
a verification unit configured to verify the legality of the security domain in which the second authentication device is located according to the second identity authentication message, to generate the verification result for the security domain in which the second authentication device is located, wherein the verification unit comprises a processor and a memory, the verification unit is implemented when instructions stored in the memory are performed by the processor, and the security domain is a logical partition with a boundary in which the second authentication device and at least one entity share certain public authentication information which is a public key, and the second authentication device and the at least one entity in the security domain each has own private authentication information which is used to generate the identity authentication information for authenticating the entity by other authentication device, and the private authentication information is a private key or an anonymous signature secret key; and
a transmitting unit configured to return a third identity authentication message comprising the first time-varying parameter to the second authentication device, wherein the third identity authentication message comprises the verification result for the security domain in which the second authentication device is located and the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authentication device is located, wherein the transmitting unit comprises a transmitter, wherein after the second authentication device has received the third identity authentication message returned from the authentication server, the second authentication device transmits a fourth identity authentication message comprising the first time-varying parameter to the first authentication device, and wherein the fourth identity authentication message is verified and a legality of the second authentication device is determined by the first authentication device by the following steps of:
6.1) verifying whether the identity authentication information of the authentication server is valid; proceeding to step 6.2) in a case that the identity authentication information of the authentication server is valid; or otherwise, determining that the second authentication device is illegal;
6.2) proceeding to step 6.3) in a case that the security domain in which the second authentication device is located is determined by the first authentication device to be legal according to the verification result for the security domain in which the second authentication device is located; or otherwise determining that the second authentication device is illegal; and
6.3) acquiring the public authentication information of the security domain in which the second authentication device is located, verifying whether the identity authentication information of the second authentication device is valid according to the public authentication information, and checking whether the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; determining that the second authentication device is legal, in a case that the identity authentication information of the second authentication device is valid and the identifier of the first authentication device is the same as the identifier of the first authentication device included in the identity authentication information of the second authentication device; or otherwise, determining that the second authentication device is illegal;
wherein the fourth identity authentication message comprises the identification of the security domain in which the second authentication device is located, the verification result for the security domain in which the second authentication device is located, the identity authentication information of the authentication server for the information including the verification result for the security domain in which the second authentication device is located and the identity authentication information of the second authentication device for the information including an identifier of the first authentication device and the first time-varying parameter.