
CN114422266A - IDaaS system based on dual verification mechanism - Google Patents

IDaaS system based on dual verification mechanism

Info

Publication number
CN114422266A
Authority
CN (China)
Prior art keywords
identity, encryption key, service providing, authentication, encrypted
Legal status
Pending (status as assumed by Google Patents, not a legal conclusion)
Application number
CN202210196762.8A
Other languages
Chinese (zh)
Inventors
周文明, 王志鹏
Current assignee
Shenzhen Zhongyue Technology Co ltd
Original assignee
Shenzhen Zhongyue Technology Co ltd
Application filed by Shenzhen Zhongyue Technology Co ltd
Priority to CN202210196762.8A
Publication of CN114422266A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an IDaaS system based on a dual verification mechanism. The system comprises a service requesting device, an identity authentication server, an identity management server and a service providing device. The service requesting device sends a first request carrying its own identity information to the identity authentication server, which authenticates that identity information; if the first identity authentication token it receives in return passes the authentication of the identity management server, the service requesting device receives a random encryption key sent by the identity management server. The service providing device receives the student privacy data encrypted with the random encryption key, sends a second request carrying its own identity information to the identity authentication server, receives the first identity authentication token, and, once the second request has been authenticated by the identity management server, receives the random decryption key and decrypts the encrypted data to recover the student privacy data. With the method and device, identity authentication attacks can be resisted and the security of the IDaaS system improved.

Description

An IDaaS System Based on a Dual Verification Mechanism

Technical field

The present application relates to the field of information security, and in particular to an IDaaS system based on a dual verification mechanism.

Background

The smart campus has become a new trend in campus informatization. However, building a smart campus management system raises many information security problems; in particular, forgery attacks, identity theft attacks and identity authentication attacks are frequently encountered during its construction.

Summary of the invention

In view of the above problems and the shortcomings of the prior art, the present application provides an IDaaS system based on a dual verification mechanism. By having both an authentication server and an identity management server verify the identity information of a communicating device, the system resists identity authentication attacks, identity theft attacks and the like, and so improves data security in the IDaaS system.

In a first aspect, the present application provides an IDaaS system based on a dual verification mechanism, the system comprising:

a service requesting device, an authentication server, an identity management server and a service providing device, connected to one another through a network; wherein

the service requesting device is configured to send a first request carrying the identity information of the service requesting device to the authentication server;

the authentication server is configured to verify the identity information of the service requesting device and, if the verification passes, to send a first authentication token encrypted with a first encryption key to the service requesting device; the first authentication token is used by the identity management server to verify that the service requesting device is an authorized device entitled to communicate with the identity management server;

the service requesting device is further configured to send the first request, the first authentication token encrypted with the first encryption key, and the obtained identity information of the service providing device to the identity management server;

the identity management server is configured to verify the first request and, if the verification passes, to send a second authentication token encrypted with a second encryption key, together with a random encryption key, to the service requesting device;

the service requesting device is further configured to send the student privacy data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key to the service providing device; the second authentication token is used for communication between the service requesting device and the service providing device; the service providing device is configured, in response to receiving the student privacy data and the second authentication token, to send a second request carrying the identity information of the service providing device to the authentication server;

the authentication server is further configured to verify the identity information of the service providing device and, if the verification passes, to send the first authentication token encrypted with the first encryption key to the service providing device;

the service providing device is further configured to send the second request carrying the identity information of the service providing device, together with the first authentication token encrypted with the first encryption key, to the identity management server;

the identity management server is further configured to verify the second request and, if the verification passes, to send a random decryption key and a second decryption key to the service providing device;

the service providing device is configured to use the random decryption key and the second decryption key to decrypt the student privacy data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key, so as to obtain the student privacy data; wherein the second encryption key and the second decryption key form a key pair, and the random encryption key and the random decryption key form a key pair.

In conjunction with the first aspect, in some optional embodiments,

the first request is used by the service requesting device to request the authentication server and the identity management server to provide verification tokens, so that the service requesting device can communicate with the service providing device;

the authentication server is specifically configured to verify the identity information of the service requesting device and, if the verification passes, to send the first authentication token encrypted with the first encryption key and an obtained first timestamp to the service requesting device; wherein the first encryption key is the encryption key shared between the authentication server and the identity management server; the first timestamp is the timestamp between the service requesting device and the authentication server, and indicates the point in time at which the authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key;

the service requesting device is further specifically configured to send the first request carrying its identity information, the first authentication token encrypted with the first encryption key, the identity information of the service providing device, and a second timestamp generated by the service requesting device to the identity management server; the second timestamp indicates the point in time at which the encrypted first authentication token and the identity information of the service providing device were obtained;

the identity management server is specifically configured to verify whether the first request was sent by a legitimate, authorized device and, if the verification passes, to send the second authentication token encrypted with the second encryption key, the random encryption key, a third timestamp and the identity information of the service providing device to the service requesting device; wherein the second encryption key is the encryption key between the service requesting device and the identity management server; the random encryption key is the encryption key between the service requesting device and the service providing device; and the third timestamp indicates the point in time at which the identity management server generated the second encryption key and the second authentication token;

the authentication server is specifically configured to verify the identity information of the service providing device and, if the verification passes, to send the first authentication token encrypted with the first encryption key, an obtained fourth timestamp and the user identity information of the service providing device to the service providing device; the fourth timestamp indicates the point in time at which the authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key;

the service providing device is further configured to send the second request carrying its identity information, the first authentication token encrypted with the first encryption key, the identity information of the service requesting device and an obtained fifth timestamp to the identity management server; the fifth timestamp indicates the point in time at which the encrypted first authentication token and the identity information of the service requesting device were obtained;

the identity management server is further specifically configured to verify the second request and, if the verification passes, to send the random decryption key, the second decryption key and a sixth timestamp to the service providing device; the sixth timestamp indicates the point in time at which the random decryption key and the second decryption key were generated;

the service providing device is specifically configured to use the random decryption key and the second decryption key to decrypt the student privacy data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key, thereby obtaining the student privacy data.

In conjunction with the first aspect, in some optional embodiments,

the service requesting device is specifically configured to:

send the first request Request1, carrying the identity information ID of the service requesting device, to the authentication server; or

the authentication server is specifically configured to:

verify the identity information ID_A of the service requesting device and, if the verification passes, send the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the obtained first timestamp T1 and the identity information ID_A of the service requesting device to the service requesting device.

In conjunction with the first aspect, in some optional embodiments,

the service requesting device is further specifically configured to:

send the first request Request1 carrying the identity information ID_A of the service requesting device, the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and the second timestamp T2 generated by the service requesting device to the identity management server; or

the identity management server is specifically configured to:

verify whether the first request Request1 was sent by a legitimate, authorized device and, if the verification passes, send the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T3, the identity information ID_A of the service requesting device and the identity information ID_B of the service providing device to the service requesting device.

In conjunction with the first aspect, in some optional embodiments,

the service requesting device is further specifically configured to:

send the student privacy data Msg encrypted with the random encryption key RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated on the basis of the SAML protocol;

the service providing device is specifically configured to:

in response to receiving the student privacy data Msg and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), send a second request Request2 carrying the identity information ID_B of the service providing device to the authentication server;

the authentication server is further specifically configured to:

verify the identity information ID_B of the service providing device and, if the verification passes, send the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the obtained fourth timestamp T4 and the user identity information ID_B of the service providing device to the service providing device;

the service providing device is further specifically configured to:

send the second request Request2 carrying the identity information ID_B of the service providing device, the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the identity information ID_A of the service requesting device and the obtained fifth timestamp T5 to the identity management server;

the identity management server is further specifically configured to:

verify the second request Request2 and, if the verification passes, send the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device; the second decryption key K-SAML(IDS-B) is generated on the basis of the SAML protocol;

the service providing device is further specifically configured to:

use the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to decrypt the student privacy data E_RK(A-B)(Msg) encrypted with the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), thereby obtaining the student privacy data Msg.
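The message sequence listed above, as an added worked example that is not part of the patent text or the assignee's code: a Python run-through in which the service requesting device A, the authentication server (AS), the identity management server (IDS) and the service providing device B exchange Request1, Token1, Token2, RK(A-B) and the encrypted Msg in the order given, with the AS performing the registry lookup (the first verification) and the IDS opening Token1 under k(AS-IDS) and binding it to the presenting device (the second verification). Everything the patent leaves unspecified is an assumption made here: the cipher is an HMAC-SHA256 encrypt-then-MAC construction standing in for the unnamed symmetric cipher, RK(A-B) is drawn with secrets.token_bytes instead of an elliptic-curve routine and is modelled as one symmetric key, tokens are JSON objects carrying the device identity and an issue time, a 60-second freshness window is applied to the timestamps, and the device identifiers are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

FRESHNESS_SECONDS = 60  # assumed window; the patent only says each timestamp marks a generation time


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # separate enc/mac keys from one shared key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stand-in for the patent's unspecified cipher): nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject anything whose tag does not verify before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("token or data failed the integrity check")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def _fresh(ts: float) -> bool:
    return abs(time.time() - ts) <= FRESHNESS_SECONDS


class AuthServer:
    """AS: first verification, a lookup of the identity in its local registry."""
    def __init__(self, k_as_ids: bytes, registered) -> None:
        self.k_as_ids, self.registry = k_as_ids, set(registered)

    def issue_token1(self, request: dict):
        if request["id"] not in self.registry:  # the "local database or memory" check
            raise PermissionError("identity not registered: " + request["id"])
        token1 = json.dumps({"dev": request["id"], "issued": time.time()}).encode()
        # Token1 is sealed under k(AS-IDS), so only the IDS can open it and confirm the sender.
        return encrypt(self.k_as_ids, token1), time.time(), request["id"]


class IdentityManager:
    """IDS: second verification, opening Token1 with k(AS-IDS) and binding it to the sender."""
    def __init__(self, k_as_ids: bytes, k_saml_ids_b: bytes) -> None:
        self.k_as_ids, self.k_saml_ids_b = k_as_ids, k_saml_ids_b
        self.session_keys = {}  # (ID_A, ID_B) -> RK(A-B); assumed: released to B exactly once

    def _check_token1(self, sealed_token1: bytes, claimed_id: str, ts: float) -> None:
        if not _fresh(ts):
            raise PermissionError("stale request timestamp")
        token = json.loads(decrypt(self.k_as_ids, sealed_token1))
        if token["dev"] != claimed_id or not _fresh(token["issued"]):
            raise PermissionError("Token1 does not vouch for " + claimed_id)

    def handle_request1(self, request1: dict, sealed_token1: bytes, id_b: str, t2: float):
        self._check_token1(sealed_token1, request1["id"], t2)
        rk = secrets.token_bytes(32)  # stand-in for the elliptic-curve generated RK(A-B)
        self.session_keys[(request1["id"], id_b)] = rk
        token2 = json.dumps({"from": request1["id"], "to": id_b, "issued": time.time()}).encode()
        return encrypt(self.k_saml_ids_b, token2), rk, time.time(), request1["id"], id_b

    def handle_request2(self, request2: dict, sealed_token1: bytes, id_a: str, t5: float):
        self._check_token1(sealed_token1, request2["id"], t5)
        rk = self.session_keys.pop((id_a, request2["id"]))
        return rk, self.k_saml_ids_b, time.time()


def run_protocol(msg: bytes, id_a: str = "classroom-camera-01", id_b: str = "data-processing-server",
                 registry=("classroom-camera-01", "data-processing-server")) -> bytes:
    """Drive all six steps with constructed identities and return Msg as recovered by B."""
    k_as_ids, k_saml_ids_b = secrets.token_bytes(32), secrets.token_bytes(32)
    AS, IDS = AuthServer(k_as_ids, registry), IdentityManager(k_as_ids, k_saml_ids_b)
    request1 = {"id": id_a}
    sealed_t1, t1, _ = AS.issue_token1(request1)                                    # step 1: A -> AS
    sealed_t2, rk_a, t3, _, _ = IDS.handle_request1(request1, sealed_t1, id_b, time.time())  # step 2: A -> IDS
    enc_msg = encrypt(rk_a, msg)                                                     # step 3: A -> B
    request2 = {"id": id_b}
    sealed_t1_b, t4, _ = AS.issue_token1(request2)                                  # step 4: B -> AS
    rk_b, k_saml_b, t6 = IDS.handle_request2(request2, sealed_t1_b, id_a, time.time())  # step 5: B -> IDS
    token2 = json.loads(decrypt(k_saml_b, sealed_t2))                                # step 6: B opens Token2, then Msg
    if token2["from"] != id_a or token2["to"] != id_b or not _fresh(token2["issued"]):
        raise PermissionError("Token2 does not bind " + id_a + " to " + id_b)
    return decrypt(rk_b, enc_msg)


def unregistered_device_is_rejected() -> bool:
    """The first verification stops a device the AS registry has never seen."""
    try:
        run_protocol(b"x", id_a="rogue-camera")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_protocol(b"constructed sample: attendance record for class 3B"), unregistered_device_is_rejected())
```

The two places worth reading closely are the PermissionError paths: the AS refuses an identity that is not in its registry, and the IDS refuses a Token1 that names a device other than the one presenting it, or one outside the freshness window. The patent describes the timestamps T1 to T6 only as marking generation times, so the freshness window, like the one-shot release of RK(A-B) to B, is an added check rather than something the text requires.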

In conjunction with the first aspect, in some optional embodiments,

the service requesting device, the authentication server and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment;

or,

the service requesting device and the authentication server are deployed in the fog computing environment, and the identity management server and the service providing device are deployed in the cloud computing environment.

In conjunction with the first aspect, in some optional embodiments,

the identity management server is further specifically configured to:

before sending the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T3, the identity information ID_A of the service requesting device and the identity information ID_B of the service providing device to the service requesting device,

generate the random encryption key E_RK(A-B) by means of an elliptic curve cryptographic algorithm.

In conjunction with the first aspect, in some optional embodiments,

the identity management server is further specifically configured to:

before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device,

generate the random decryption key RK(A-B) by means of an elliptic curve cryptographic algorithm.

In conjunction with the first aspect, in some optional embodiments,

the authentication server is specifically configured to:

verify whether the identity information of the service requesting device exists in the local database of the authentication server or in the memory of the authentication server, and if it does, determine that the identity information of the service requesting device has passed verification;

or,

the authentication server is specifically configured to:

verify whether the identity information of the service providing device exists in the local database of the authentication server or in the memory of the authentication server, and if it does, determine that the identity information of the service providing device has passed verification.

In conjunction with the first aspect, in some optional embodiments,

the identity management server is specifically configured to:

decrypt the first authentication token encrypted with the first encryption key and, on the basis of the first authentication token obtained, verify that the service requesting device is an authorized device entitled to communicate with the identity management server and that the first request was genuinely sent by the service requesting device;

or,

the identity management server is specifically configured to:

decrypt the first authentication token encrypted with the first encryption key and, on the basis of the first authentication token obtained, verify that the service providing device is an authorized device entitled to communicate with the identity management server and that the second request was genuinely sent by the service providing device.

The present application provides an IDaaS system based on a dual verification mechanism. The system comprises a service requesting device, an authentication server, an identity management server and a service providing device, connected to one another through a network. The service requesting device sends a first request carrying its identity information to the authentication server and obtains a first authentication token encrypted with a first encryption key together with the identity information of the service providing device; on the basis of the first authentication token it is verified by the identity management server and, if the verification passes, receives the random encryption key sent by the identity management server and a second authentication token encrypted with a second encryption key; it then sends the student privacy data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key to the service providing device. In response to receiving the encrypted student privacy data and the encrypted second authentication token, the service providing device sends a second request carrying its identity information to the authentication server; if its identity information passes verification, the service providing device receives from the authentication server the first authentication token encrypted with the first encryption key and, together with the second request, has the authenticity of the second request verified by the identity management server; if that verification passes, the service providing device receives the random decryption key and the second decryption key sent by the identity management server, with which it decrypts the encrypted student privacy data and the encrypted second authentication token and recovers the student privacy data. By having both an authentication server and an identity management server verify the identity information of a communicating device, the present application resists identity authentication attacks, identity theft attacks and the like, and improves information security in the IDaaS system.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic structural diagram of an IDaaS system based on a dual verification mechanism provided by the present application;

Fig. 2 is a schematic structural diagram of another IDaaS system based on a dual verification mechanism provided by the present application;

Fig. 3 is a schematic structural diagram of yet another IDaaS system based on a dual verification mechanism provided by the present application;

Fig. 4 is a schematic structural diagram of yet another IDaaS system based on a dual verification mechanism provided by the present application.

具体实施方式Detailed ways

The technical solutions in the present application will be described clearly and completely below with reference to the drawings in the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that those of ordinary skill in the art obtain from the embodiments in the present application without creative effort fall within the protection scope of the present application.

To improve the security of data in an IDaaS system and to resist forgery attacks, identity theft attacks and identity authentication attacks, the present application provides an IDaaS system based on a dual verification mechanism. Specifically, referring to Fig. 1, which is a structural flow chart of an IDaaS system based on a dual verification mechanism provided by the present application, as shown in Fig. 1 the system may include, but is not limited to:

a service requesting device, an authentication server (Authentication Server, AD), an identity management server (Identity Management Server, IDS) and a service providing device; the service requesting device, the authentication server, the identity management server and the service providing device are connected to one another through a communication network;

Optionally, the service requesting device, the authentication server and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment; or,

optionally, the service requesting device and the authentication server are deployed in a fog computing environment, and the identity management server and the service providing device are deployed in a cloud computing environment.

It should be noted that the service requesting device may include, but is not limited to: a classroom camera usable for collecting student private data, an AI smart box usable for collecting student private data, a video camera usable for collecting student private data, or another device usable for collecting student private data.

The service providing device may include, but is not limited to: a server usable for processing student private data.

It should be noted that the communication network may include, but is not limited to, the following modes:

Mode 1: a wired communication network (for example, network cable or optical fiber);

Mode 2: a wireless communication network (for example, WIFI6 or 5G);

Mode 3: a communication network combining the wired and wireless modes above.

The service requesting device may be configured to: send a first request carrying the identity information of the service requesting device to the authentication server; wherein

the identity information of the service requesting device may include, but is not limited to: the geographic location of the service requesting device and/or its device unique identification code;

wherein the device unique identification code may include, but is not limited to: the unique device identifier (Unique Device Identifier, UDID) of the service requesting device, an IMEI code (International Mobile Equipment Identity), a vendor identifier (IDFV), a universally unique identifier, a MAC address, an IP address or another unique identifier.

The authentication server may be configured to: verify the identity information of the service requesting device and, if the identity information passes verification, send a first authentication token encrypted with a first encryption key to the service requesting device; wherein the first authentication token may be used by the identity management server to authenticate the service requesting device as an authorized device that may legitimately communicate with the identity management server;

wherein the first encryption key may include, but is not limited to: the public key of an asymmetric encryption algorithm, or the key of a symmetric encryption algorithm.

It should be noted that the specific process by which the authentication server verifies the identity information of the service requesting device is as follows:

the authentication server may specifically be configured to: check whether the identity information exists in the local database or in the memory of the authentication server, and if it does, determine that the identity information of the service requesting device has passed verification.

It should be noted that the service requesting device may further be configured to: send the first request carrying the identity information of the service requesting device, the first authentication token encrypted with the first encryption key, and the obtained identity information of the service providing device to the identity management server; wherein the first request may be used by the service requesting device to ask the authentication server and the identity management server to provide verification tokens so that the service requesting device can communicate information such as student private data with the service providing device;

the identity management server may be configured to: verify the first request and, if the verification passes, send a second authentication token encrypted with a second encryption key and a random encryption key to the service requesting device;

specifically, the identity management server may be configured to: decrypt the second authentication token encrypted with the second encryption key in order to verify whether the first request was sent by a legitimate, authorized device, and if the verification passes, send the second authentication token encrypted with the second encryption key and the random encryption key to the service requesting device. The second authentication token is used for communication between the service requesting device and the service providing device;

the service requesting device may further be configured to: send the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key to the service providing device; wherein the student private data may include, but is not limited to: the student's face image, examination results, class results, attendance record, growth file, family background, and so on.

The service providing device may be configured to: in response to receiving the student private data and the second authentication token, send a second request carrying the identity information of the service providing device to the authentication server;

the authentication server is further configured to: check whether the identity information of the service providing device exists in the local database or in the memory of the authentication server, and if it does, determine that the identity information of the service providing device has passed verification; if the verification passes, send the first authentication token encrypted with the first encryption key to the service providing device;

the service providing device may further be configured to: send the second request carrying the identity information of the service providing device and the first authentication token encrypted with the first encryption key to the identity management server;

the identity management server is further configured to: decrypt, with a first decryption key, the first authentication token encrypted with the first encryption key in order to verify whether the second request was sent by a legitimate, authorized device, thereby verifying the second request, and if the verification passes, send a random decryption key and a second decryption key to the service providing device; wherein the second request may be used by the service requesting device to ask the authentication server and the identity management server to provide verification tokens so that student private data can be communicated between the service providing device and the service requesting device;

wherein the first decryption key and the first encryption key form a key pair, and the first decryption key may include, but is not limited to: the private key of an asymmetric encryption algorithm, or the key of a symmetric encryption algorithm.

The service providing device is configured to: use the random decryption key and the second decryption key to decrypt the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key, so as to obtain the student private data; wherein the second encryption key and the second decryption key form a key pair, and the random encryption key and the random decryption key form a key pair. It should be noted that the identity information of the service providing device may include, but is not limited to: the geographic location of the service providing device and/or its device unique identification code;

wherein the device unique identification code may include, but is not limited to: the unique device identifier (Unique Device Identifier, UDID) of the service providing device, an IMEI code (International Mobile Equipment Identity), a vendor identifier (IDFV), a universally unique identifier, a MAC address, an IP address or another unique identifier.

In the present application, after the service requesting device sends the first request carrying its identity information to the authentication server, it obtains the first authentication token encrypted with the first encryption key and the identity information of the service providing device, and uses the first authentication token to pass verification by the identity management server; if the verification passes, it receives the random encryption key sent by the identity management server and the second authentication token encrypted with the second encryption key, and sends the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key to the service providing device. It should be noted that the identity management server can decrypt the first authentication token encrypted with the first encryption key on the basis of a shared attribute.

In response to receiving the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key, the service providing device sends a second request carrying its identity information to the authentication device; if the identity information passes verification, the service providing device receives the first authentication token encrypted with the first encryption key sent by the authentication server together with the second request, so that the identity management server can verify the authenticity of the second request; if that verification passes, the service providing device receives the random decryption key and the second decryption key sent by the identity management server, with which it decrypts the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key and recovers the student private data.

To improve the security of data in an IDaaS system and to resist forgery attacks, identity theft attacks and identity authentication attacks, the present application provides another IDaaS system based on a dual verification mechanism. Specifically,

referring to Fig. 2, which is a schematic structural diagram of an IDaaS system based on a dual verification mechanism provided by the present application, as shown in Fig. 2 the system may include, but is not limited to:

a service requesting device, an authentication server, an identity management server and a service providing device; wherein the service requesting device, the authentication server, the identity management server and the service providing device are connected to one another through a communication network; for the specific description, refer to the embodiment of Fig. 1, which is not repeated here.

The service requesting device may be configured to: send a first request carrying the identity information of the service requesting device to the authentication server; wherein the first request may be used by the service requesting device to ask the authentication server and the identity management server to provide verification tokens so that the service requesting device can communicate with the service providing device;

it should be noted that the service requesting device may specifically be configured to:

send a first request Request1 carrying the identity information ID (Identity) of the service requesting device to the authentication server;

the authentication server may be configured to: verify the identity information of the service requesting device and, if the identity information passes verification, send the first authentication token encrypted with the first encryption key, an obtained first timestamp and the identity information of the service requesting device to the service requesting device; wherein the first encryption key is the encryption key between the authentication server and the identity management server, and the first timestamp is the timestamp between the service requesting device and the authentication server. The first timestamp may be generated by the authentication server using digital signature technology, or by another timestamp service center device. The first timestamp indicates the point in time at which the authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key.

For example, the authentication server may specifically be configured to:

verify the identity information ID_A of the service requesting device; if the identity information ID_A exists for the service requesting device, that is, ID_A passes verification, send the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the obtained first timestamp T1 and the identity information ID_A of the service requesting device to the service requesting device.

The service requesting device may further be configured to: send the first request carrying the identity information of the service requesting device, the first authentication token encrypted with the first encryption key, the identity information of the service providing device and an obtained second timestamp to the identity management server; here the first identity token may be used for communication between the service requesting device and the identity management server. The second timestamp may be generated by the service requesting device using digital signature technology, or by another timestamp service center device. The second timestamp indicates the point in time at which the first authentication token encrypted with the first encryption key and the identity information of the service providing device were obtained.

For example, the service requesting device may specifically be further configured to:

send the first request Request1 carrying the identity information ID_A of the service requesting device, the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and the obtained second timestamp T2 to the identity management server;

the identity management server may be configured to: verify whether the first request was sent by a legitimate, authorized device and, if the verification passes, send the second authentication token encrypted with the second encryption key, the random encryption key, a third timestamp, the identity information of the service requesting device and the identity information of the service providing device to the service requesting device; wherein the second encryption key is the encryption key between the service requesting device and the identity management server, the random encryption key is the encryption key between the service requesting device and the service providing device, and the second identity token is used for communication between the service requesting device and the service providing device. The third timestamp may be generated by the identity management server using digital signature technology, or by another timestamp service center device. The third timestamp indicates the point in time at which the identity management server generated the second encryption key and the second authentication token.

For example, the identity management server may specifically be configured to: verify whether the first request Request1 was sent by a legitimate, authorized device and, if Request1 passes verification, send the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T3, the identity information ID_A of the service requesting device and the identity information ID_B of the service providing device to the service requesting device.

The identity management server may further be configured to:

before sending the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T3, the identity information ID_A of the service requesting device and the identity information ID_B of the service providing device to the service requesting device,

generate the random encryption key E_RK(A-B) by elliptic curve cryptography (Elliptic Curve Cryptography, ECC).

It should be noted that the identity management server may further be configured to: before sending the second authentication token encrypted with the second encryption key, the random encryption key, the third timestamp, the identity information of the service requesting device and the identity information of the service providing device to the service requesting device,

also generate the random encryption key by elliptic curve cryptography.

The service requesting device may further be configured to: send the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key to the service providing device.

For example, the service requesting device may specifically be further configured to:

send the student private data Msg encrypted with the random encryption key RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated on the basis of the SAML protocol.

The service providing device may specifically be configured to: in response to receiving the student private data and the second authentication token, send a second request carrying the identity information of the service providing device to the authentication server.

For example, the service providing device is specifically configured to: in response to receiving the student private data Msg encrypted with the random key and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), send a second request Request2 carrying the identity information of the service providing device to the authentication server.

The authentication server may specifically be configured to: verify the identity information of the service providing device; if the database of the authentication server contains the identity information of the service providing device, the verification passes; if the verification passes, send the first authentication token encrypted with the first encryption key, a fourth timestamp generated by the authentication server and the user identity information of the service providing device to the service providing device; wherein the fourth timestamp may be generated by the authentication server using digital signature technology, or by another timestamp service center device. The fourth timestamp indicates the point in time at which the authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key.

For example, the authentication server may specifically be configured to: verify the identity information ID_B of the service providing device and, if the verification passes, send the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the fourth timestamp T4 generated by the authentication server and the user identity information ID_B of the service providing device to the service providing device.

The service providing device may specifically be further configured to: send the second request carrying the identity information of the service providing device, the first authentication token encrypted with the first encryption key, the identity information of the service requesting device and a fifth timestamp generated by the service providing device to the identity management server; wherein the fifth timestamp may be generated by the service providing device using digital signature technology, or by another timestamp service center device. The fifth timestamp indicates the point in time at which the first authentication token encrypted with the first encryption key and the identity information of the service requesting device were obtained.

For example, the service providing device is further configured to: send the second request Request2 carrying the identity information ID_B of the service providing device, the first authentication token E_k(AS-IDS)(Token1) encrypted with the first encryption key E_k(AS-IDS), the identity information ID_A of the service requesting device and the fifth timestamp T5 generated by the service providing device to the identity management server.

The identity management server may specifically be further configured to: decrypt the first authentication token encrypted with the first encryption key and, if it confirms from the first authentication token that the second request was sent by a legitimate, authorized service providing device, treat the verification as passed and send the random decryption key, the second decryption key, a sixth timestamp, the identity information of the service requesting device and the identity information of the service providing device to the service providing device. The sixth timestamp may be generated by the identity management server using digital signature technology, or by another timestamp service center device. The sixth timestamp indicates the point in time at which the random decryption key and the second decryption key were generated.

For example, the identity management server is specifically further configured to: verify the second request Request2 and, if the verification passes, send the random decryption key RK(A-B), the second decryption key K-SAML(IDS-B), the sixth timestamp T6, the identity information ID_A of the service requesting device and the identity information ID_B of the service providing device to the service providing device; the second decryption key K-SAML(IDS-B) is generated on the basis of the SAML protocol.

The identity management server is specifically further configured to:

before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device,

generate the random decryption key RK(A-B) by elliptic curve cryptography (ECC).

The service providing device may be configured to: use the random decryption key and the second decryption key to decrypt the student private data encrypted with the random encryption key and the second authentication token encrypted with the second encryption key, so as to obtain the student private data.

For example, the service providing device is specifically configured to: use the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to decrypt the student private data E_RK(A-B)(Msg) encrypted with the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token2) encrypted with the second encryption key E_K-SAML(IDS-B), and recover the student private data Msg.

It should be noted that, for definitions or descriptions not explained in detail in the embodiment of Fig. 2, reference may be made to the embodiment of Fig. 1.
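The two-stage exchange of the Fig. 1 and Fig. 2 embodiments, written out as an added Python model (illustration only, not code from this patent or its applicant). It shows why the design is a dual verification: device B cannot read Msg from what A sends it, because K-SAML(IDS-B) and RK(A-B) only reach B after B has itself passed the authentication server (Request2, Token1) and the identity management server (Request2 again). The cipher is a toy HMAC-based authenticated encryption standing in for the unspecified symmetric algorithm, RK(A-B) is drawn with os.urandom where the patent uses ECC, the 60-second freshness window for T1 to T6, the device identifiers cam-01 and srv-01, and the message field names are all assumptions of this example:

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 60  # assumed freshness window in seconds for T1..T6 (the patent fixes no value)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    # Toy authenticated encryption (HMAC keystream + HMAC tag). It stands in for the
    # unspecified symmetric cipher of the patent and is for illustration only.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or token rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _fresh(ts):
    if abs(time.time() - ts) > MAX_SKEW:
        raise ValueError("stale timestamp")


class AuthServer:
    """AS: holds the first encryption key K(AS-IDS) and a local database of device identities."""

    def __init__(self, k_as_ids, registered):
        self.k_as_ids, self.registered = k_as_ids, set(registered)

    def handle(self, request):  # Request1 from device A or Request2 from device B
        dev = request["id"]
        if dev not in self.registered:  # identity absent from the local database: fail
            raise ValueError(f"unknown device {dev}")
        token1 = b"Token1:" + dev.encode()
        # E_k(AS-IDS)(Token1), the timestamp (T1 or T4) and the identity go back to the device
        return {"enc_token1": encrypt(self.k_as_ids, token1), "ts": time.time(), "id": dev}


class IdentityServer:
    """IDS: shares K(AS-IDS) with AS, owns K-SAML(IDS-B) and issues the per-session RK(A-B)."""

    def __init__(self, k_as_ids, k_saml_ids_b):
        self.k_as_ids, self.k_saml_ids_b = k_as_ids, k_saml_ids_b
        self.sessions = {}  # (ID_A, ID_B) -> RK(A-B)

    def _check_token1(self, msg, expected_id):
        _fresh(msg["ts"])
        token1 = decrypt(self.k_as_ids, msg["enc_token1"])  # forged or altered token raises here
        if token1 != b"Token1:" + expected_id.encode():
            raise ValueError("Token1 does not belong to the requesting identity")

    def handle_request1(self, msg):  # from A: Request1, E(Token1), ID_B, T2
        self._check_token1(msg, msg["id_a"])
        rk = os.urandom(32)  # RK(A-B); the patent derives it with ECC, os.urandom is a stand-in
        self.sessions[(msg["id_a"], msg["id_b"])] = rk
        token2 = b"Token2:" + msg["id_a"].encode() + b":" + msg["id_b"].encode()
        return {"enc_token2": encrypt(self.k_saml_ids_b, token2), "rk": rk,
                "ts": time.time(), "id_a": msg["id_a"], "id_b": msg["id_b"]}

    def handle_request2(self, msg):  # from B: Request2, E(Token1), ID_A, T5
        self._check_token1(msg, msg["id_b"])
        rk = self.sessions.get((msg["id_a"], msg["id_b"]))
        if rk is None:  # B names a session that A never opened
            raise ValueError("no session for this (ID_A, ID_B) pair")
        return {"rk": rk, "k_saml": self.k_saml_ids_b, "ts": time.time()}


def run_exchange(msg, id_a="cam-01", id_b="srv-01", as_db=("cam-01", "srv-01"), tamper=False):
    """Drive one complete exchange and return the Msg recovered by device B."""
    k_as_ids, k_saml = os.urandom(32), os.urandom(32)
    auth, ids = AuthServer(k_as_ids, as_db), IdentityServer(k_as_ids, k_saml)
    # --- service requesting device A ---
    r1 = auth.handle({"id": id_a})  # Request1 -> AS
    if tamper:  # flip one ciphertext byte of E_k(AS-IDS)(Token1) on the way to IDS
        t = bytearray(r1["enc_token1"]); t[20] ^= 0x01; r1["enc_token1"] = bytes(t)
    r1_ids = ids.handle_request1({"id_a": id_a, "id_b": id_b,
                                  "enc_token1": r1["enc_token1"], "ts": time.time()})
    _fresh(r1_ids["ts"])  # A checks T3
    to_b = {"enc_msg": encrypt(r1_ids["rk"], msg), "enc_token2": r1_ids["enc_token2"]}
    # --- service providing device B ---
    r2 = auth.handle({"id": id_b})  # Request2 -> AS
    r2_ids = ids.handle_request2({"id_a": id_a, "id_b": id_b,
                                  "enc_token1": r2["enc_token1"], "ts": time.time()})
    token2 = decrypt(r2_ids["k_saml"], to_b["enc_token2"])  # K-SAML(IDS-B) arrives only now
    if token2 != b"Token2:" + id_a.encode() + b":" + id_b.encode():
        raise ValueError("Token2 does not name this session")
    return decrypt(r2_ids["rk"], to_b["enc_msg"])  # RK(A-B) recovers Msg


def forged_token_rejected():
    try:
        run_exchange(b"attendance:present", tamper=True)
    except ValueError:
        return True
    return False


def unregistered_device_rejected():
    try:
        run_exchange(b"attendance:present", id_a="rogue-cam", as_db=("srv-01",))
    except ValueError:
        return True
    return False
```

The session table in IdentityServer is what ties the two halves together: the random key handed to A under Request1 is released to B under Request2 only for the same (ID_A, ID_B) pair, so a device that passes the authentication server but was never named by A gets nothing. Checking Token2 against the session identities on B's side is a check the patent's Fig. 2 description implies but does not spell out; it closes the gap where a valid token from a different session could be replayed.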

参见图3,是本申请提供的又一种基于双重验证机制的IDaaS系统的结构示意图,该系统,可包括但不限于:服务请求设备、身份验证服务器、身份管理服务器及服务提供设备;其中,服务请求设备、身份验证服务器、身份管理服务器以及服务提供设备之间通过通信网络连接;Referring to FIG. 3, it is a schematic structural diagram of another IDaaS system based on a two-factor authentication mechanism provided by the present application. The system may include, but is not limited to: a service requesting device, an identity verification server, an identity management server, and a service providing device; wherein, The service requesting device, the authentication server, the identity management server and the service providing device are connected through a communication network;

应当说明的,服务请求设备、身份验证服务器以及身份管理服务器被部署在雾计算环境中,上述服务提供设备被部署在云计算环境中。It should be noted that the service requesting device, the authentication server, and the identity management server are deployed in a fog computing environment, and the above-mentioned service providing device is deployed in a cloud computing environment.

应当说明的,服务请求设备、身份验证服务器、身份管理服务器及服务提供设备的具体功能的实现,可参考图1-2实施例,此处不再赘述。It should be noted that, for the realization of the specific functions of the service requesting device, the identity verification server, the identity management server, and the service providing device, reference may be made to the embodiments in FIGS. 1-2 , which will not be repeated here.

Referring to FIG. 4, which is a schematic structural diagram of yet another IDaaS system based on a dual verification mechanism provided by this application, the system may include, but is not limited to: a service requesting device, an authentication server, an identity management server and a service providing device, connected to one another through a communication network.

It should be noted that the above service requesting device, authentication server and identity management server are deployed in a fog computing environment, and the above service providing device is deployed in a cloud computing environment.

It should be noted that for the implementation of the specific functions of the service requesting device, the authentication server, the identity management server and the service providing device, reference may be made to the embodiments of FIGS. 1-2, which are not repeated here.

Those of ordinary skill in the art will appreciate that the examples described in conjunction with the embodiments disclosed in this application can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled artisans may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of this application.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and systems described above may be found in the corresponding processes of the foregoing method embodiments, which are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed devices or systems may be implemented in other ways. Whether the functions of the system or device are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled artisans may implement the functions of the described devices in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of this application.

Claims (10)

1. An IDaaS system based on a dual authentication mechanism, comprising:
the system comprises service request equipment, an identity authentication server, an identity management server and service providing equipment; the service request equipment, the identity authentication server, the identity management server and the service providing equipment are connected through a network; wherein,
the service request device is configured to: sending a first request carrying identity information of the service request device to the identity authentication server;
the authentication server is configured to: verify the identity information of the service request device, and if the identity information passes the verification, send a first authentication token encrypted by a first encryption key to the service request device; the first authentication token is used by the identity management server to verify that the service request device is a legitimate authorized device that communicates with the identity management server;
the service request device is further configured to: sending the first request, the first authentication token encrypted by the first encryption key and the acquired identity information of the service providing equipment to the identity management server;
the identity management server is configured to: the first request is verified, and if the first request passes the verification, a second identity verification token and a random encryption key which are encrypted by a second encryption key are sent to the service request equipment;
the service request device is further configured to: send the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key to the service providing device; the second authentication token is used for the communication between the service request device and the service providing device; the service providing device is configured to: in response to receiving the student privacy data and the second authentication token, send a second request carrying identity information of the service providing device to the authentication server;
the authentication server is further configured to: verifying the identity information of the service providing equipment, and if the identity information passes the verification, sending the first identity verification token encrypted by the first encryption key to the service providing equipment;
the service providing device is further configured to: sending the second request carrying the identity information of the service providing equipment and the first identity authentication token encrypted by the first encryption key to the identity management server;
the identity management server is further configured to: verifying the second request, and if the second request passes the verification, sending the random decryption key and the second decryption key to the service providing equipment;
the service providing device is configured to: analyzing the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data; the second encryption key and the second decryption key are a pair of keys, and the random encryption key and the random decryption key are a pair of keys.
2. The dual authentication mechanism-based IDaaS system of claim 1,
the first request is to: the service request equipment requests the identity authentication server and the identity management server to provide authentication tokens so as to realize the communication between the service request equipment and the service providing equipment;
the authentication server is specifically configured to: verifying the identity information of the service request equipment, and if the identity information passes the verification, sending a first identity verification token encrypted by a first encryption key and the acquired first timestamp to the service request equipment; the first encryption key is an encryption key between the authentication server and the identity management server; the first timestamp is a timestamp between the service request device and the authentication server; the first timestamp is used to indicate a point in time at which the authentication server generated the first encryption key, the first authentication token, and encrypted the first authentication token with the first encryption key;
the service request device is further specifically configured to: sending the first request carrying the identity information of the service request device, the first authentication token encrypted by the first encryption key, the identity information of the service providing device and a second timestamp generated by the service request device to the identity management server; the second timestamp is used for indicating the acquisition time point of the first authentication token encrypted by the first encryption key and the identity information of the service providing equipment;
the identity management server is specifically configured to: verifying whether the first request is sent by a legal authorized device, and if the first request is passed through the verification, sending a second identity verification token, a random encryption key, a third timestamp and the identity information of the service providing device to the service request device, wherein the second identity verification token, the random encryption key and the third timestamp are encrypted by a second encryption key; wherein the second encryption key is an encryption key between the service request device and the identity management server; the random encryption key is an encryption key between the service request device and the service providing device; the third timestamp is used to indicate a point in time at which the identity management server generates the second encryption key and the second authentication token;
the authentication server is specifically configured to: verifying the identity information of the service providing equipment, and if the identity information passes the verification, sending the first identity verification token encrypted by the first encryption key, the obtained fourth timestamp and the user identity information of the service providing equipment to the service providing equipment; the fourth timestamp is used to indicate a point in time at which the authentication server generated the first encryption key, the first authentication token, and encrypted the first authentication token with the first encryption key;
the service providing device is further configured to: sending the second request carrying the identity information of the service providing device, the first authentication token encrypted by the first encryption key, the identity information of the service requesting device and the acquired fifth timestamp to the identity management server; the fifth timestamp is used for indicating the first authentication token encrypted by the first encryption key and the acquisition time point of the identity information of the service request device;
the identity management server is further specifically configured to: verifying the second request, and if the second request passes the verification, sending the random decryption key, the second decryption key and a sixth timestamp to the service providing equipment; the sixth timestamp is used for indicating a generation time point of the random decryption key and the second decryption key;
the service providing device is specifically configured to: and analyzing the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data.
3. The dual authentication mechanism-based IDaaS system of claim 2,
the service request device is specifically configured to:
sending a first Request_1 carrying the identity information ID of the service request device to the authentication server; or,
the identity authentication server is specifically configured to:
verifying the identity information ID_A of the service request device, and if the verification is passed, sending the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the obtained first timestamp T_1 and the identity information ID_A of the service request device to the service request device.
4. The dual authentication mechanism-based IDaaS system of claim 3,
the service request device is further specifically configured to:
sending the first Request_1 carrying the identity information ID_A of the service request device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and a second timestamp T_2 generated by the service request device to the identity management server; or,
the identity management server is specifically configured to:
verifying whether the first Request_1 is sent by a legitimate authorized device, and if the verification is passed, sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), a third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device.
5. The dual authentication mechanism-based IDaaS system of claim 4,
the service request device is further specifically configured to:
sending the student privacy data Msg encrypted by the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is specifically configured to:
in response to receiving the student privacy data Msg and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), sending a second Request_2 carrying the identity information ID_B of the service providing device to the authentication server;
the identity authentication server is specifically further configured to:
verifying the identity information ID_B of the service providing device, and if the verification is passed, sending the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the obtained fourth timestamp T_4 and the user identity information ID_B of the service providing device to the service providing device;
the service providing device is further specifically configured to:
sending the second Request_2 carrying the identity information ID_B of the service providing device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_A of the service request device and the obtained fifth timestamp T_5 to the identity management server;
the identity management server is further specifically configured to:
verifying the second Request_2, and if the verification is passed, sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device; the second decryption key K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is further specifically configured to:
parsing, with the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B), the student privacy data E_RK(A-B)(Msg) encrypted by the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), to obtain the student privacy data Msg.
6. The dual authentication mechanism-based IDaaS system of claim 5,
the service request device, the authentication server and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment;
or,
the service request device, the authentication server are deployed in the fog computing environment, and the identity management server and the service providing device are deployed in the cloud computing environment.
7. The dual authentication mechanism-based IDaaS system of claim 5,
the identity management server is further specifically configured to:
before sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device,
generating the random encryption key E_RK(A-B) by an elliptic curve cryptography algorithm.
8. The dual authentication mechanism-based IDaaS system of claim 5,
the identity management server is further specifically configured to:
before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device,
and generating the random decryption key RK (A-B) by an elliptic curve cryptography algorithm.
9. The dual authentication mechanism-based IDaaS system of claim 1,
the authentication server is specifically configured to:
verifying whether the identity information of the service request equipment exists in a local database of the identity verification server or a memory of the identity verification server, and if so, determining that the identity information of the service request equipment passes verification;
or,
the authentication server is specifically configured to:
and verifying whether the identity information of the service providing equipment exists in a local database of the identity verification server or a memory of the identity verification server, and if so, determining that the identity information of the service providing equipment passes verification.
10. The dual authentication mechanism-based IDaaS system of claim 1,
the identity management server is specifically configured to:
decrypting the first authentication token encrypted by the first encryption key, and verifying that the service request device is an authorized device which is legal to communicate with the identity management server and the first request is really sent by the service request device according to the obtained first authentication token;
or,
the identity management server is specifically configured to:
and decrypting the first authentication token encrypted by the first encryption key, and verifying that the service providing equipment is authorized equipment which is legally communicated with the identity management server and the second request is really sent by the service providing equipment according to the obtained first authentication token.
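The exchange in claims 1-2, with the checks of claims 9 and 10, as an added worked example that is not part of the patent and not the applicant's code. It simulates the ten-step flow between the service requesting device A, the authentication server AS, the identity management server IDS and the service providing device B, with the timestamps T_1..T_6 used for freshness checks. Everything not stated in the claims is an assumption: the page does not name a cipher, so E_k(...) is modelled by a stand-in stdlib encrypt-then-MAC scheme (SHA-256 keystream plus HMAC tag) rather than a real AEAD; the ECC-generated key pairs of claims 7-8 are modelled as shared symmetric keys; the "sub", "aud" and "iat" token fields, the 60-second freshness window and the method and field names are all invented for the illustration.

```python
"""Simulated message flow for the dual-verification exchange of claims 1-2.
A = service requesting device, B = service providing device,
AS = authentication server, IDS = identity management server.
Stand-in cipher (assumption, not from the patent): SHA-256 keystream XOR + HMAC tag.
The ECC-generated key pairs of claims 7-8 are modelled as shared symmetric keys."""
import hashlib, hmac, json, os, time

FRESHNESS_WINDOW = 60  # assumed: seconds a timestamp T_n may lag before it is rejected

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """E_key(obj): JSON-encode, XOR with a keystream, append an HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def fresh(ts, now):
    return 0 <= now - ts <= FRESHNESS_WINDOW

class AuthServer:  # AS: claims 1, 2 and 9
    def __init__(self, k_as_ids, registry):
        self.k = k_as_ids          # first encryption key k(AS-IDS), shared with IDS
        self.registry = registry   # claim 9: local database of registered device IDs

    def issue_token1(self, request, now):
        dev = request["id"]
        if dev not in self.registry:
            raise PermissionError(f"{dev} is not registered with AS")
        token1 = {"sub": dev, "iat": now}          # binds Token1 to the requester
        return {"E_k(AS-IDS)(Token1)": encrypt(self.k, token1), "T": now, "id": dev}

class IdentityServer:  # IDS: claims 1, 2 and 10
    def __init__(self, k_as_ids, k_saml):
        self.k_as_ids = k_as_ids
        self.k_saml = k_saml       # K-SAML(IDS-B), shared with B
        self.sessions = {}         # RK(A-B) issued per (A, B) pair

    def _check_token1(self, blob, claimed, now):
        token1 = decrypt(self.k_as_ids, blob)      # claim 10: decrypt, then verify the binding
        if token1["sub"] != claimed or not fresh(token1["iat"], now):
            raise PermissionError("Token1 does not vouch for this sender")

    def grant_to_requester(self, msg, now):       # claim 1 step 4, claim 2 (T_3)
        self._check_token1(msg["E_k(AS-IDS)(Token1)"], msg["id"], now)
        rk = os.urandom(32)
        self.sessions[(msg["id"], msg["peer"])] = rk
        token2 = {"sub": msg["id"], "aud": msg["peer"], "iat": now}
        return {"E_K-SAML(Token2)": encrypt(self.k_saml, token2), "RK": rk, "T3": now}

    def grant_to_provider(self, msg, now):        # claim 1 step 9, claim 2 (T_6)
        self._check_token1(msg["E_k(AS-IDS)(Token1)"], msg["id"], now)
        rk = self.sessions.get((msg["peer"], msg["id"]))
        if rk is None:
            raise PermissionError("no session key issued for that requester/provider pair")
        return {"RK": rk, "K-SAML": self.k_saml, "T6": now}

def run_exchange(msg, now=None):
    """Full A -> AS -> A -> IDS -> A -> B -> AS -> B -> IDS -> B flow; returns (Msg, Token2) as seen by B."""
    now = now if now is not None else int(time.time())
    k_as_ids, k_saml = os.urandom(32), os.urandom(32)
    AS, IDS = AuthServer(k_as_ids, {"A", "B"}), IdentityServer(k_as_ids, k_saml)
    r1 = AS.issue_token1({"id": "A"}, now)                                   # first Request
    r2 = IDS.grant_to_requester({"id": "A", "peer": "B", **r1}, now)         # forwards Token1
    to_b = {"E_RK(Msg)": encrypt(r2["RK"], msg), "E_K-SAML(Token2)": r2["E_K-SAML(Token2)"]}
    r3 = AS.issue_token1({"id": "B"}, now)                                   # second Request
    r4 = IDS.grant_to_provider({"id": "B", "peer": "A", **r3}, now)
    token2 = decrypt(r4["K-SAML"], to_b["E_K-SAML(Token2)"])
    if token2["aud"] != "B" or token2["sub"] != "A":
        raise PermissionError("Token2 is not for this A/B pair")
    return decrypt(r4["RK"], to_b["E_RK(Msg)"]), token2

def stale_token_rejected(delay=FRESHNESS_WINDOW + 1):
    """Failure mode: a Token1 replayed after the freshness window is refused by IDS."""
    k_as_ids = os.urandom(32)
    AS, IDS = AuthServer(k_as_ids, {"A"}), IdentityServer(k_as_ids, os.urandom(32))
    r1 = AS.issue_token1({"id": "A"}, 1_700_000_000)
    try:
        IDS.grant_to_requester({"id": "A", "peer": "B", **r1}, 1_700_000_000 + delay)
        return False
    except PermissionError:
        return True
```

Two points the claims leave implicit are made explicit here: Token1 carries the identity it was issued for, so IDS can check not only that the token decrypts under k(AS-IDS) but that the device presenting it is the one it vouches for (the "really sent by" condition of claim 10), and RK(A-B) is released to B only for the (A, B) pair it was minted for, which is what stops a third device that has obtained a valid Token1 from collecting another pair's session key. The freshness check on the timestamps is what gives the six T_n values of claim 2 a security role rather than a logging one.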
CN202210196762.8A 2022-02-28 2022-02-28 IDaaS system based on dual verification mechanism Pending CN114422266A (en)


Publications (1)

Publication Number Publication Date
CN114422266A true CN114422266A (en) 2022-04-29



Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2384040A1 (en) * 2010-04-29 2011-11-02 Research In Motion Limited Authentication server and method for granting tokens
WO2016141856A1 (en) * 2015-03-07 2016-09-15 华为技术有限公司 Verification method, apparatus and system for network application access
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device
CN106302502A (en) * 2016-04-03 2017-01-04 北京动石科技有限公司 A kind of secure access authentication method, user terminal and service end
US20170012949A1 (en) * 2006-04-25 2017-01-12 Stephen Laurence Boren Dynamic identity verification and authentication continuous, dynamic one-time-pad/one-time passwords and dynamic distributed key infrastructure for secure communications with a single key for any key-based network security controls
CN108702297A (en) * 2017-02-01 2018-10-23 陈大昭 Authentication server, authentication system and method
CN109492358A (en) * 2018-09-25 2019-03-19 国网浙江省电力有限公司信息通信分公司 A kind of open interface uniform authentication method
US20200065464A1 (en) * 2018-08-24 2020-02-27 Baskaran Dharmarajan Identification service based authorization
CN111212095A (en) * 2020-04-20 2020-05-29 国网电子商务有限公司 Authentication method, server, client and system for identity information
CN112448810A (en) * 2019-08-31 2021-03-05 华为技术有限公司 Authentication method and device
CN112788033A (en) * 2021-01-13 2021-05-11 京东方科技集团股份有限公司 Authentication method and authentication system
CN114070614A (en) * 2021-11-15 2022-02-18 中国工商银行股份有限公司 Identity authentication method, device, equipment, storage medium and computer program product


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
C. Rupa et al., "Enhancing the Access Privacy of IDaaS System Using SAML Protocol in Fog Computing", IEEE Access, 24 September 2020, pages 2-4 *
L. Li et al., "A Networking Identity Authentication Scheme Combining Fingerprint Coding and Identity Based Encryption", 2007 IEEE Intelligence and Security Informatics, New Brunswick *
贾英涛 (Jia Yingtao); 郑建德 (Zheng Jiande), "Design and Implementation of Two-Factor Authentication on the J2EE Platform", Journal of Xiamen University (Natural Science), no. 01 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116755842A (en) * 2023-08-15 2023-09-15 中移(苏州)软件技术有限公司 Identity authentication system deployment method, device, equipment and storage medium
CN116755842B (en) * 2023-08-15 2023-10-31 中移(苏州)软件技术有限公司 Identity verification system deployment method, device, equipment and storage medium
CN118118221A (en) * 2024-01-19 2024-05-31 中国华能集团有限公司北京招标分公司 Encryption and decryption service method and system based on identity management


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220429