CN101291220B - System, device and method for identity security authentication - Google Patents
- Publication number: CN101291220B (application CN2007101004921A)
- Authority: CN (China)
- Prior art keywords: user, identity authentication, identity, authentication center, user identity
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
- Landscapes: Telephonic Communication Services (AREA); Storage Device Security (AREA)
Description
Technical field
The invention relates to identity authentication technology in networks, and in particular to a system, device and method for identity security authentication.
Background art
With the spread of telecommunication networks and Internet applications, more and more users receive services over the network. Receiving a service over a network requires identity authentication. Most service-providing networks currently identify users by user name and password, which requires users to enter their user name and password frequently. This form of identity authentication has drawbacks. On the one hand, as users take up more services from different networks, they must enter a different password for each network's authentication, which burdens them with unnecessary tedium and memorization. On the other hand, entering user names and passwords frequently over the network correspondingly increases the chance that a password is maliciously cracked, that is, the chance that the user's private information leaks.
To overcome these defects, techniques for managing user identities in the network have been proposed. Identity management is the secure management of identities, of the authentication of entities that provide services to users, and of the information related to authenticating those entities within a given scope. An entity that provides services to users may be anything uniquely identifiable in the network: a thing, person, animal, device, object, group, organization or information object. Such an entity may hold several identities in different application scopes. The scope of an authentication process may be a single organization defined in the network or may span several such organizations.
Because identity-related information changes over time during network authentication, it must be managed. Some information about service-providing entities is informal and changes frequently; some is formal and specific. For example, users, politically defined organizational roles and financial accounts are usually stable. Identity attributes are typically stored securely in tokens, directories, access devices or database management systems in the network.
The tasks of identity authentication management are to consolidate, manage and exchange, within security and information domains, the information about entities that provide services to users. Establishing an identity authentication management framework in the network lets a service provider (SP, Service Provider) deliver reliable, trustworthy and secure services to users through authorization, authentication, access control mechanisms and policy management.
At present, the user identity authentication management architecture established in the network is shown in Figure 1 and comprises: an open identity server (OpenID Server), a uniform resource locator (URL, Uniform Resource Locator) site, a user agent (User Agent) and a user-side (Consumer) authentication management module. The User Agent sits on the user side of the network; the OpenID Server, the URL site and the Consumer authentication management module sit on the network side. The OpenID Server stores the URL corresponding to each user, optionally in encrypted form. The whole identity authentication process is the process of confirming that a user owns a URL. The specific flow is:
Step 1: The User Agent identifies its own Identity URL to the URL site, that is, the User Agent adds the address of the OpenID Server to the web page set up at the URL site.
Step 2: The User Agent submits a claimed Identity (Claimed Identity) to the Consumer authentication management module, carrying the Identity URL and the claimed Identity server. Before authentication it is called the claimed Identity because it may be a false identity asserted by the User Agent.
Step 3: To verify the claimed Identity submitted by the User Agent, the Consumer authentication management module fetches the User Agent's Identity URL from the claimed Identity server carried in the claimed Identity, that is, from the URL site.
Step 4: After the Consumer authentication management module confirms that the fetched Identity URL matches the Identity URL carried in the claimed Identity, it establishes an association with the OpenID Server and obtains a shared key (this association step is optional), and the two exchange the user's Identity URL and the user's URL. Because the user's URL may be stored encrypted in the OpenID Server, the key can be used to decrypt and obtain the user's URL.
Step 5: The Consumer authentication management module asks the User Agent to confirm its identity, carrying the OpenID Server to which the User Agent is to be redirected and the user's URL.
Step 6: The User Agent logs in to the OpenID Server through a cookie or another authentication mechanism, entering the user's URL at login.
Step 7: After authenticating the User Agent, the OpenID Server sends a response to the User Agent carrying the information needed to redirect back to the Consumer authentication management module.
When the OpenID Server authenticates the User Agent, it compares the user's URL it has stored (decrypting it first if stored encrypted) with the URL the User Agent entered at login; if they match, authentication passes.
Step 8: The User Agent forwards the response message to the Consumer authentication management module.
This completes the identity authentication of the User Agent. The User Agent can now request services in the network and the network side can process them. In the architecture of Figure 1, the OpenID Server and the URL site may be on the same server or completely separate.
Because the architecture of Figure 1 authenticates a user's identity by URL, it applies only to the Internet and not to mobile networks. It also offers a single means of user identity authentication: only a URL can be used.
The architecture of Figure 1 cannot meet the need to protect the privacy of user identities during authentication. On the network side, the stored user identity information is protected by encrypting it, but this brings low efficiency and complex key management, and the resulting protection is not strong. Moreover, authentication still uses the user's real URL, which lowers the security of user identity authentication.
Summary of the invention
An embodiment of the present invention provides an identity security authentication system that not only improves the security of user identity authentication but also effectively protects the privacy of user identity information.
An embodiment of the present invention also provides an identity security authentication device that not only improves the security of user identity authentication but also effectively protects the privacy of user identity information.
An embodiment of the present invention provides a method for identity security authentication that not only improves the security of identity authentication but also effectively protects the privacy of user identity information.
To these ends, the technical solution of the embodiments of the present invention is realized as follows:
A system for identity security authentication comprises an identity authentication center, a user identity authentication center and a service processing unit, wherein:
the identity authentication center is configured to assign a user identity authentication center identifier to the user identity authentication center and to assign an identifier to the service processing unit; the user identity authentication center is configured to register the user, assign a user virtual identity identifier that uniquely identifies the user, and send that user virtual identity identifier and the user identity authentication center identifier to the user;
the service processing unit is configured to receive a service request, authenticate the user according to the virtual identity identifier and the user identity authentication center identifier carried in the request, and process the request.
A method for identity security authentication: an identity authentication center assigns a user identity authentication center identifier to a user identity authentication center and assigns an identifier to a service processing unit. The method further comprises: the user identity authentication center registers the user and, after assigning a user virtual identity identifier that uniquely identifies the user, sends that user virtual identity identifier and the user identity authentication center identifier to the user; the service processing unit receives the service request sent by the user and processes it according to the user identity authentication center identifier and the user virtual identity identifier carried in the request.
A device for controlling user identity authentication comprises a user identity authentication center unit, a service processing control unit and an identity authentication management unit, wherein:
the user identity authentication center unit is configured to assign identifiers to user identity authentication centers, manage and authenticate them, and set their interaction policies;
the service processing control unit is configured to assign identifiers to entities that provide service processing, manage and authenticate them, and set their interaction policies;
the identity authentication management unit is configured to control the interaction between the user identity authentication center unit and the service processing control unit.
As the above solution shows, the embodiments of the present invention set up in the network user identity authentication centers that authenticate a user for different service types, and an identity authentication center that controls and manages those user identity authentication centers and the service processing units that handle the different service types; service requests of different service types are authenticated against the corresponding user identity information. Because user identity information can thus be stored separately by service type, the privacy of user identity information is effectively protected. In addition, after a user registers, the user identity authentication center assigns the user a user virtual identity (UVID, User Virtual Identity) that uniquely identifies the user; the user sends service requests to the service processing unit directly with this UVID, and the service processing unit authenticates the request by the UVID before processing it. Because service requests for different service types carry the UVID, the embodiments not only improve the security of user identity authentication but also spare the user unnecessary tedium and memorization.
Description of the drawings
Figure 1 is a schematic diagram of the prior-art user identity authentication management architecture established in a network;
Figure 2 is a schematic diagram of the user identity authentication management architecture established in a network according to an embodiment of the present invention;
Figure 3 is a flowchart of a method for user identity authentication in a network according to an embodiment of the present invention;
Figure 4 is a flowchart of a method by which an SP processes a service request according to an embodiment of the present invention;
Figure 5 is a schematic diagram of a device for controlling user identity authentication according to an embodiment of the present invention.
Detailed description
To make the objects, technical solution and advantages of the present invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
The embodiments establish a user identity authentication management architecture in the network. The architecture manages a user's different user identity information separately by service type, effectively protecting its privacy, and authenticates with the assigned user virtual identity UVID before service processing, improving the efficiency and security of user identity authentication.
Figure 2 is a schematic diagram of the user identity authentication management architecture established in the network according to an embodiment. It comprises a user identity authentication center (UIAC, User Identity Authentication Center), an identity authentication center (IDAC, Identity Authentication Center) and a service processing unit, wherein:
the UIAC is configured to register the user, assign a UVID that uniquely identifies the user, and send the UVID and the UIAC identifier to the user;
the service processing unit is configured to receive a service processing request, authenticate the user according to the UVID and UIAC identifier carried in the request, and process the service request;
the IDAC is configured to manage the UIACs and assign UIAC identifiers, and to manage the service processing units and assign service processing unit identifiers.
In this embodiment the management architecture also includes the user, who registers with the UIAC, receives the UVID and UIAC identifier the UIAC sends, and sends the service processing unit a service request carrying the UVID and UIAC identifier.
In this embodiment there may be several UIACs, each storing the user identity information for a different service type of the user and each authenticating the user against the identity information for that service type.
The UIACs interact with one another directly. Once one UIAC has assigned the user a UVID at the user's first registration, other UIACs that later register the user's identity information for other service types do not assign a new UVID; instead, they learn through this interaction that a UVID has already been assigned and associate that UVID with the user identity information they store for their own service type.
In this embodiment the service processing unit is an SP; it may of course also comprise a network and/or devices in the network.
In this embodiment the identity information and permission level of a service processing unit may be stored in the IDAC and used either to authenticate the service processing unit directly or to be supplied to the corresponding UIAC.
The IDAC specifically comprises: a user identity authentication center unit (UIACU, User Identity Authentication Center Unit) that controls and manages at least one UIAC; a network identity unit (NIDU, Network Identity Unit) that controls and manages network identity information; a device identity unit (DIDU, Device Identity Unit) that manages and controls the identity information of devices in the network; a service provider identity unit (SPIDU, Service Provider Identity Unit) that manages and controls service provider identity information; and an identity authentication management unit (IDAMU, Identity Authentication Manage Unit) that controls the exchange of information between the IDAMU and each of the UIACU, NIDU, DIDU and SPIDU.
In this embodiment there may be several UIACUs, each controlling and managing a different UIAC. Likewise there may be several NIDUs; several DIDUs, each managing and controlling different devices that store different device identity information; and several SPIDUs, each managing and controlling SPs that store different SP identity information.
In this embodiment the IDAC may also comprise only the SPIDU.
In this embodiment the NIDU, DIDU and SPIDU may be referred to collectively as the service processing control unit; when the IDAC comprises only the SPIDU, the service processing control unit may comprise only the SPIDU.
Each functional module of Figure 2 is described in detail below.
The IDAC is the highest authentication authority in the network. It directly manages and controls every service processing unit and every UIAC; users interact with the IDAC through a UIAC.
The IDAC provides the following functions: it authenticates SP identities, network identities, device identities and UIAC identities; it stores and manages SP, network, device and UIAC identity information, either centrally or separately in the corresponding units, as identity information lists or directly in the corresponding units; and it exchanges the different kinds of identity information, for example sending the managed SP list to the UIAC, so that service processing units and UIACs can exchange information.
UIACs are generally divided by service type, so user identity information is stored in different UIACs by service type, and the UVID that uniquely identifies the user may likewise be stored in different UIACs. In other words, each UIAC stores only part of a user's identity information, which protects its privacy well. Each UIAC has an identifier, authenticated and assigned to it by the UIACU in the IDAC. A UIAC stores a list of the service processing units able to provide its service type, such as an SP list, obtained either from the IDAC or directly from the SPs. The UIAC authenticates a user's registration by an agreed authentication method, for example AKA or PKI, or it may choose the authentication method according to the security level required by the user's service type. After authentication passes, the UIAC assigns the user a unique UVID and a validity period, associated with the stored SP list. The validity period is generally set by the security level of the service type: the higher the security level, the shorter the UVID's validity period. A UIAC that provides the user with another type of service can obtain, from the UIAC that already authenticated the user, the UVID that UIAC assigned. When the user next registers with another UIAC, the identity information for that service type is stored in that UIAC after successful registration, and that UIAC does not assign a UVID again. When the UVID expires or the user's identity information changes, the user can apply to the current UIAC to renew the UVID or update the identity information. When a registered user needs to apply for a service, the user sends a service request carrying the UVID and UIAC identifier to the service processing unit that handles that service type, which processes the request.
In this embodiment the UIAC may comprise a user identity information acquisition module, which obtains user identity information, and a user identity information sending module, which sends user identity information to the corresponding service processing unit.
An SP is identified by an SP identifier (SPID), assigned by the SPIDU in the IDAC. An SP may store SP identity information and an SP list, classify SP identities by the service types the SP can provide and associate them with the UVID and UIAC identifier, and send the SP list to the corresponding UIAC. An SP that receives a service request can authenticate the UVID and UIAC identifier it carries and query and obtain the identity information of the user applying for the service. If the SP has a local database and a permission level that allows downloading user identity information (a level the SPIDU in the IDAC may assign according to the SP's grade), it can obtain user identity information directly from the UIAC, store it locally in encrypted form, and refresh it periodically. The UIAC may also be associated directly with the corresponding SP to ensure that the user identity information held by the SP is the user's latest.
The UIACU handles UIAC-related work such as authenticating UIACs, assigning UIAC identifiers and sending the list of service processing units to the UIAC. It resides in the IDAC and is the logical module through which the IDAC manages and controls UIACs.
The NIDU handles network-related work such as authenticating network identities and storing and managing network identity information; it is the logical module through which the IDAC manages and controls networks.
The DIDU handles work related to devices in the network, such as authenticating device identities and storing and managing device identity information; it is the logical module through which the IDAC manages and controls network devices.
The SPIDU handles work related to service provider units, such as authenticating SP identities and storing and managing SP identity information; it is the logical module through which the IDAC manages and controls service provider units.
The IDAMU controls the exchange of information among the UIACU, NIDU, DIDU and SPIDU; it is the logical module through which the IDAC manages them uniformly.
An embodiment also provides a method for user identity authentication in the network, shown in Figure 3, with the following steps:
Step 300: The UIAC receives the user's registration and authenticates the user.
The authentication method may be existing AKA or PKI, or the UIAC may obtain the service type the user is registering for and authenticate with the method corresponding to the configured security level of that service type.
In this step, when a user initiates registration for a service, authentication takes place at the UIAC that handles that service type, that is, the UIAC that stores the user identity information for that service type. This is not all of the user's identity information, which helps protect its privacy.
Step 301: After the user passes authentication, the UIAC determines whether the user has already been assigned a UVID; if so, go to step 302, otherwise go to step 303.
In this embodiment there are several ways to determine whether the user has already been assigned a UVID.
In the first, the UIAC accesses the UIAC that assigned the user a UVID and checks whether that user's identity information is associated with a UVID; if so, the user has already been assigned one.
In the second, when the user is assigned a UVID, the assigning UIAC determines through the IDAC which UIACs manage the other parts of the user's identity information and sends the UVID to them directly; those UIACs associate the received UVID with the part of the user's identity information they store, and can thus determine whether the user has been assigned a UVID.
Step 302: The UIAC returns a registration-passed message to the user carrying the previously assigned UVID and the UIAC identifier, then proceeds to step 304.
Step 303: The UIAC assigns the user a UVID, returns a registration-passed message to the user carrying the UVID and the UIAC identifier, then proceeds to step 304.
After assigning the UVID, the UIAC may send it directly to the UIACs that manage the other parts of the user's identity information.
Step 304: On receiving the registration-passed message, the user sends the service processing unit a service request carrying the UIAC identifier and the UVID; the service processing unit processes the request on receipt.
In this embodiment the UVID assigned to the user may also have a validity period. In step 301 the UIAC may further check whether that validity period has expired; if so, it goes directly to step 303, otherwise to step 302.
Taking an SP as the service processing unit as an example, the following describes in detail how the service processing unit handles a service request when it receives one.
Figure 4 is a flow chart of the method by which the SP processes a service request in an embodiment of the present invention. The specific steps are:
Step 401: The SP receives a service request sent by the user; the request contains the user's UVID and UIAC identifier.
Step 402: The SP authenticates the service request. After authentication passes, step 403 is executed.
There are two ways to perform the authentication:
In the first way, the SP has a local database and the permission level to download user identity information. In this case the SP stores the identity information of the served user corresponding to the UVID and UIAC identifier (obtained from the UIAC) and performs authentication directly; the authentication method may be an existing one.
In the second way, the SP does not store the user identity information corresponding to the UVID and UIAC identifier, so it sends a user identity information query request containing the SP identifier and the UVID to the UIAC identified by the UIAC identifier carried in the service request. The UIAC determines whether its stored list of service processing units contains an SP corresponding to that SP identifier and whether that SP has permission to obtain the user's identity information. If so, it sends the user's identity information to the SP (encryption may be used to protect the transmission of the user identity information), and the SP authenticates using the obtained user identity information; otherwise, it returns an authentication failure message to the SP and this authentication fails.
The two ways apply in different situations. When the SP receives a service request from the user, it determines whether it stores the user identity information corresponding to that UVID and UIAC. If so, it uses the first way. If not, there are three possibilities: the SP is processing this user's service request for the first time; the SP has no local database although it has permission to download user identity information; or the SP lacks the permission level to download user identity information. In all of these cases the second way can be used.
Step 403: The SP sends a user authentication success message to the user and executes the service request.
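The registration flow of steps 300 to 304 and the SP-side flow of steps 401 to 403, as an added Python simulation that is not part of the patent. The `UIAC` and `SP` classes, the `sp_list` permission table, the hex UVID and the dictionary-based local database are assumptions of this example; the check is the one the text describes, namely that a UIAC releases identity data only to a listed SP with permission, and that an expired UVID is reassigned.

```python
import secrets
import time
# Constructed simulation of Figures 3 and 4 (added example, not the patent's code).
# One UIAC per service type holds only that slice of identity data, assigns a UVID
# with a validity period and releases identity data only to listed, authorised SPs.
class UIAC:
    def __init__(self, uiac_id, uvid_ttl=3600):
        self.uiac_id = uiac_id
        self.uvid_ttl = uvid_ttl          # validity period of an assigned UVID, seconds
        self.identities = {}              # user -> identity slice for this service type
        self.uvids = {}                   # user -> (uvid, expiry timestamp)
        self.sp_list = {}                 # sp_id -> may download identity info (assumed)

    def register(self, user, credential_ok):
        """Steps 300-303: authenticate, then reuse or (re)assign the UVID."""
        if not credential_ok or user not in self.identities:
            return None
        uvid, expiry = self.uvids.get(user, (None, 0))
        if uvid is None or time.time() >= expiry:  # step 301 plus the expiry check
            uvid = secrets.token_hex(8)             # step 303: assign a new UVID
            self.uvids[user] = (uvid, time.time() + self.uvid_ttl)
        return {"uvid": uvid, "uiac_id": self.uiac_id}  # registration-passed message

    def query_identity(self, sp_id, uvid):
        """Second way of step 402: answer only a listed SP that has permission."""
        if not self.sp_list.get(sp_id, False):
            return None                             # authentication failure message
        for user, (u, expiry) in self.uvids.items():
            if u == uvid and time.time() < expiry:
                return self.identities[user]
        return None

class SP:
    def __init__(self, sp_id, uiacs, has_local_db=True):
        self.sp_id = sp_id
        self.uiacs = uiacs                          # uiac_id -> UIAC reachable by this SP
        self.cache = {} if has_local_db else None   # (uiac_id, uvid) -> identity

    def handle_request(self, uiac_id, uvid):
        """Steps 401-403: first way if cached locally, otherwise the second way."""
        key = (uiac_id, uvid)
        if self.cache is not None and key in self.cache:
            return True                             # first way: authenticate locally
        uiac = self.uiacs.get(uiac_id)
        identity = uiac.query_identity(self.sp_id, uvid) if uiac else None
        if identity is None:
            return False                            # step 402 failed
        if self.cache is not None:
            self.cache[key] = identity              # keep for later first-way handling
        return True                                 # step 403
```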
In the embodiment of the present invention, the user may also update the user identity information stored in the UIAC, i.e. send an update identity information request carrying the user's updated identity information to the UIAC. The UIAC updates the stored user identity information and, keyed by the user's UVID, sends the updated identity information to the IDAC so that the corresponding UIACU in the IDAC can manage it, or provides it directly to the service processing unit for authentication when processing service requests.
The embodiment of the present invention also provides a device for controlling user identity authentication. As shown in Figure 5, the device includes a UIACU, a service processing control unit and an IDAMU, wherein:
the UIACU is used to assign identifiers for the UIACU, manage and authenticate the UIACU, and set the interaction policies of the UIACU;
the service processing control unit is used to assign identifiers to entities that provide service processing, manage and authenticate those entities, and set their interaction policies;
the IDAMU is used to control the interaction between the user identity authentication center unit and the service processing control unit.
In this embodiment, the entity that provides service processing may be an SP, or a network or device that provides the service. Preferably, the entity that provides service processing is an SP.
In this embodiment, the service processing control unit may include only an SPIDU, or may include an SPIDU together with an NIDU and/or a DIDU, wherein:
the NIDU is used to control and manage network identity information, assign identifiers to networks and set information interaction policies for networks;
the DIDU, Device Identity Unit, is used to manage and control the identity information of devices in the network, assign identifiers to devices and set information interaction policies for devices;
the SPIDU, Service Provider Identity Unit, is used to manage and control SP identity information, assign identifiers to SPs and set information interaction policies for SPs;
the IDAMU, Identity Authentication Center Unit, is used to control the information interaction between each of the UIACU, NIDU, DIDU and SPIDU and the IDAMU.
In this embodiment, the NIDU, DIDU and SPIDU may be referred to as service processing control units, each handling a different kind of service processing unit. Of course, when the service processing unit includes only SPs, the service processing control unit correspondingly includes the SPIDU.
In this embodiment, the network may in practice be a network that provides business services, such as the Internet or a next-generation network, or a local area network, etc.
It can be seen from the above solutions that the system, method and device provided by the embodiments of the present invention bring the following technical effects:
The authentication method between the UIAC and the user can be negotiated, so the system shown in Figure 2 can be applied to various network environments, i.e. user identity information can be securely managed and protected in various network environments;
The UIAC assigns the user a UVID that uniquely identifies the user, so the user no longer needs to memorize multiple passwords for accessing different service processing units, avoiding unnecessary cumbersome procedures and memory difficulties for the user;
The user's identity information is stored in different UIACs according to service type, i.e. it is stored in a distributed manner, which more effectively guarantees the privacy of the user's identity information;
Users can conveniently manage their own identity information, for example updating it and setting access permissions for it.
The above is a description of specific embodiments of the present invention; in a specific implementation the method of the present invention may be adapted as appropriate to the specific needs of the situation. It is therefore understood that the specific embodiments of the present invention are exemplary only and are not intended to limit the scope of protection of the present invention.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101004921A CN101291220B (en) | 2007-04-16 | 2007-04-16 | System, device and method for identity security authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101291220A CN101291220A (en) | 2008-10-22 |
CN101291220B true CN101291220B (en) | 2010-08-18 |
Family ID: 40035321
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100818 |