CN118157988A - Cross-network identity authentication method and system - Google Patents
Publication number: CN118157988A (application CN202410558020.4A)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls
- H04L9/3239: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using non-keyed cryptographic hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
- H04L9/40: Network security protocols
Abstract
The invention provides a cross-network identity authentication method and system. The method comprises the following steps: S1, data extraction; S2, data desensitization; S3, data obfuscation; S4, cross-network transmission; S5, access authentication; S6, identity authentication. The method generates an irreversible message digest by extracting and desensitizing the personnel basic data held on the internal network, and transmits that digest across the network boundary to the external network, where it supports a personnel identity authentication mechanism. Identity authentication services can thus be provided safely and reliably to different external-network applications while the personnel basic data stays in the internal network and the internal and external networks remain physically isolated.
Description
Technical Field
The invention relates to a cross-network identity authentication method and system, in particular to a cross-network identity authentication method and system based on data abstraction and desensitization.
Background
To prevent data leakage and ensure data security, personnel basic information (such as names, license numbers, personnel types, levels and family information) is generally stored separately on an intranet, is subject to strict access restrictions, and is physically isolated from the extranet. Daily office, business and social applications typically run on the internet or on a local area network (the "extranet"), and user identity must be verified when users register for or log in to these applications so that only authorized users gain access. Under security and data-protection regulations, intranet personnel information cannot be exported directly to the extranet for such use.
In view of the foregoing, a cross-network identity authentication method based on data abstraction and desensitization is needed to solve these problems.
Disclosure of Invention
The invention aims to provide a cross-network identity authentication method for realizing identity authentication between an intranet and an extranet.
In order to achieve the above object, the present invention provides a cross-network identity authentication method, including:
S1, data extraction: according to the application's identity authentication requirement, data is extracted from the personnel basic data to obtain the extracted data;
S2, data desensitization: a message digest is generated from the extracted data, the application identifier and a salt value, which completes the desensitization; the salt value is calculated from the application identifier, which is the unique identifier of an application within a given network domain;
S3, data obfuscation: obfuscation data is obtained at random and mixed at random into the message digests to form the transmission data; the obfuscation data is drawn at random from new message digests, which are generated from the application identifier, the extracted data, the salt value and the current timestamp;
S4, cross-network transmission: the transmission data, consisting of the message digests and the obfuscation data, is exported across the network boundary to an identity authentication database by unidirectional transmission equipment;
S5, access authentication: an identity authentication request is sent for access authentication, the validity of the access is verified, and the request of an authorized application is forwarded for identity authentication;
S6, identity authentication: the user identity information in the identity authentication request is desensitized to obtain an identity message digest, which is compared with the transmission data in the identity authentication database to authenticate the user; the identity message digest is generated from the application identifier, the user identity information and the salt value; the user identity information consists of the same data items, taken from the identity authentication request, as the extracted data.
As a further improvement of the present invention, when data is extracted in S1, data items are extracted according to a minimum principle;
in S6, the data items contained in the user identity information are the same as the extracted data items.
As a further improvement of the present invention, in S2 the message digest is generated as follows:
Message digest = application identifier + one-way hash algorithm(extracted data + salt);
Salt = (application identifier + N) × random number;
where N is a positive integer and + denotes string concatenation.
As a further improvement of the present invention, the new message digest is generated as follows:
New message digest = application identifier + one-way hash algorithm(extracted data + salt + current timestamp);
Salt = (application identifier + N) × random number;
where N is a positive integer and + denotes string concatenation.
As a further improvement of the present invention, in S3 the amount of obfuscation data is not less than one third of the number of new message digests.
As a further development of the invention, the application identifier is a base-36 string of length 4, and the application identifiers of each network domain are incremented at fixed intervals.
As a further improvement of the present invention, the cross-network identity authentication method further includes data abstraction before step S2: according to the data types that limit application access rights, the levels of the different data types are abstracted and mapped to the application access rights.
In order to achieve the above object, the present invention further provides a cross-network identity authentication system that can execute the cross-network identity authentication method, comprising:
a data making system for processing personnel basic data;
an identity authentication system that provides identity authentication services to different applications;
the data making system and the identity authentication system are physically isolated in separate network domains, and data is transferred between them only through a unidirectional transmission device.
As a further improvement of the invention, the data making system comprises a data desensitization unit, a digest encryption unit, a personnel basic database and an identity authentication identification unit.
As a further development of the invention, the personnel basic database stores the full set of personnel basic information.
As a further improvement of the invention, the data desensitization unit extracts data from the personnel basic database according to the application's identity authentication requirement, performs data abstraction according to the agreed rules, then calls the digest encryption service to desensitize the related data, generates the message digests and stores them in the identity identification database.
As a further improvement of the invention, the digest encryption unit computes the digest with an irreversible one-way hash algorithm such as SM3 or SHA-256.
As a further improvement of the present invention, the identity authentication system includes an access authentication service unit, an application service unit and a data service unit. The access authentication service unit deploys the access authentication service and authorizes and verifies the applications that access the identity authentication service; the application service unit performs the identity authentication service, the data maintenance service, the digest encryption service and the like; the data service unit connects to the identity authentication identification database and stores the exported desensitized personnel identity digests and other attribute information.
As a further improvement of the invention, the identity authentication system further comprises a security protection unit configured to perform vulnerability scanning, attack detection, security auditing and antivirus protection; it comprises a firewall, a WEB application firewall, a database firewall and other devices that can be connected in series to other areas, so as to monitor and protect the devices and traffic in the identity authentication system.
The beneficial effects of the invention are as follows:
according to the cross-network identity authentication method, an irreversible message digest is generated by extracting and desensitizing the intranet personnel basic data and is transferred across the network boundary to the personnel identity authentication mechanism, so that identity authentication services are provided safely and reliably to different extranet applications while the personnel basic data remains in the intranet and the intranet and extranet stay physically isolated; the information risk arising from analysis or continuous tracking of the transmitted data is also effectively reduced.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a cross-network identity authentication method of the present invention;
FIG. 2 is a schematic diagram of a cross-network identity authentication system of the present invention;
FIG. 3 is a flow chart of the cross-network authentication system of FIG. 2 when handling a personnel authentication request.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
In this case, in order to avoid obscuring the present invention due to unnecessary details, only the structures and/or processing steps closely related to the aspects of the present invention are shown in the drawings, and other details not greatly related to the present invention are omitted.
In addition, it should be further noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Referring to FIG. 1, the cross-network identity authentication method provided by the present invention includes:
S1, data extraction: according to the application's identity authentication requirement, data is extracted from the personnel basic data to obtain the extracted data;
S2, data desensitization: a message digest is generated from the extracted data, the application identifier and a salt value, which completes the desensitization; the salt value is calculated from the application identifier, which is the unique identifier of an application within a given network domain;
S3, data obfuscation: obfuscation data is obtained at random and mixed at random into the message digests to form the transmission data; the obfuscation data is drawn at random from new message digests, which are generated from the application identifier, the extracted data, the salt value and the current timestamp;
S4, cross-network transmission: the transmission data, consisting of the message digests and the obfuscation data, is exported across the network boundary to an identity authentication database by unidirectional transmission equipment;
S5, access authentication: an identity authentication request is sent for access authentication, the validity of the access is verified, and the request of an authorized application is forwarded for identity authentication;
S6, identity authentication: the user identity information in the identity authentication request is desensitized to obtain an identity message digest, which is compared with the transmission data in the identity authentication database to authenticate the user; the identity message digest is generated from the application identifier, the user identity information and the salt value; the user identity information consists of the same data items, taken from the identity authentication request, as the extracted data.
The following description will be made in detail for S1 to S6.
S1 is specifically as follows: according to the application's identity authentication requirement, data items are extracted from the intranet personnel basic data (i.e. the personnel identity information) according to a minimum principle; preferably, the extracted data, i.e. the personnel identity information, can be configured as required by specifying which fields are extracted. In a preferred embodiment of the present invention, when an application grants access only to a certain group and assigns access rights by personnel category and level, only the three fields "personnel identification", "personnel category" and "level" are extracted, where "personnel identification" defines the access group and "personnel category" and "level" define the access rights.
S2 is specifically as follows: the extracted data, the application identifier and the salt value are taken as input, and a one-way hash algorithm is applied to desensitize the data and generate a message digest.
In the present invention, message digest = application identifier + SM3(extracted data + salt value). The application identifier is a unique mark generated randomly by the system; adding it to the desensitization process ensures that the same person holds a different identity identifier in each application, so that the user's behaviour data in different applications cannot be gathered, analysed and tracked, which effectively reduces the risk of privacy leakage. SM3 is only an exemplary one-way hash algorithm; other algorithms such as SHA-256 may be used instead.
Meanwhile, to reduce the risk of collisions against a database, a salt transformation is applied to the selected data during desensitization before the irreversible message digest is calculated.
For example, the application identifier may be a base-36 string of length 4, restricted to a sub-interval of values such as 100000 (255s in base 36) to 1600000 (yakg in base 36). This interval is allocated to different network domains, and the application identifiers of each network domain are incremented at a fixed interval, for example 25, so that 150 network domains can be supported with no more than 500 applications per domain. For example, the application identifiers allocated by the first network domain, in ascending order, are 100000 (255s in base 36), 100025 (256h in base 36), …. The application identifiers are allocated by an administrator according to these rules and stored in the intranet to ensure safety.
Further, the salt value takes the application identifier as input and is generated by the algorithm below, which ensures that the salt used to compute the message digest of each application is unique. The random number can be restricted to a fixed range, for example a value in 1-100, and the salt value is calculated as follows:
Salt = (application identifier + N) × random number
where N is a positive integer that can be chosen according to the string-generation requirement, for example 7000. The extracted data and the salt value are concatenated into a string, the string is hashed with a cryptographic algorithm such as SM3, and the application identifier is concatenated with the resulting hash value to obtain the message digest. In this embodiment the calculation of the message digest may be expressed as follows:
Message digest = application identifier + SM3(extracted data + salt value)
Adding the unique salt value in the desensitization process ensures that the same person keeps a different identity mark in each application, so that the behaviour data of one user across applications cannot be gathered, analysed and tracked, which effectively reduces the risk of privacy leakage.
S3 is specifically as follows: randomly generated obfuscation data is mixed into the message digests produced by data desensitization to obtain the transmission data, which further improves security.
The obfuscation data is generated with the same message digest calculation as in S2, in a quantity not less than one third of the number of message digests; the application identifier and salt value needed for the obfuscation data are calculated exactly as in S2, while the extracted data needed for the obfuscation data is produced by a second transformation of the extracted data together with a timestamp.
Illustratively, new message digest data is used to generate the obfuscation data: not less than one third of the new message digests are taken from the generated set as obfuscation data. The new message digest data is calculated as follows:
New message digest = application identifier + SM3(extracted data + salt + current timestamp)
The application identifier and the salt value are calculated as in step S2; the extracted data, the salt value and the current timestamp are concatenated into a string, the string is hashed with a cryptographic algorithm such as SM3, and the hash is concatenated with the application identifier to form a new message digest. One third of the new message digests are then drawn at random as obfuscation data.
After the obfuscation data is obtained, it is mixed at random into the message digests obtained in step S2 to obtain the transmission data. Any mixing method known in the art can be used, as long as it mixes the real message digests with the obfuscation data.
In this example the number of new message digests equals the number of message digests. The obfuscation data serves mainly to generate false message digests that are mixed with the real ones and exported as transmission data to the identity authentication database across the network boundary, so that the real number of personnel in each transmission is protected.
The algorithm ensures that the new message digests generated for the same person as obfuscation differ on every run, and it masks the amount of change when personnel change. For example, there are 90 people initially and 120 digests after mixing (90 fixed message digests for the real people and 30 randomly generated, i.e. mixed-in, digests); after some time 30 of the people have changed (departures and new recruits), and the new message digests generated differ by 60 from the previous export. With such an arrangement the number of message digests for changed persons may differ each time data is exported to the external network, and the number of message digests for fixed persons may change too, so it is not easy to perceive or infer how many real persons there are, which prevents the risk of the data being exploited through analysis.
In a preferred embodiment of the present invention, the data obfuscation of step S3 (mixing obfuscation data into the message digests) further includes obtaining several sets of obfuscation data, performing the mixing operation on the message digests to obtain several different sets of transmission data, and matching each set of transmission data to its application identifier. Any mixing operation commonly used in the art may be adopted and is not described further here.
The identity message digests generated for the same person differ between applications. Personnel identity message digests are typically generated in batches per application, and the obfuscation data is generated at the same time. The transmission data comprises the identity message digests and the obfuscation data mixed together.
S4 is specifically as follows: the transmission data is transferred to the identity authentication database across the network boundary by unidirectional transmission equipment (optical disc, network gate, optical gate and the like). When exporting across the network, the application identifier contained in each message digest identifies which application in which network domain the transmission data belongs to; for example, the first four characters of a message digest, i.e. the application identifier, identify the application in its network domain to which that group of message digests corresponds.
S5 is specifically as follows: the application builds an identity authentication request carrying its application identifier and the user identity information and sends it for access authentication; the validity of the access is verified, and the request of an authorized application is forwarded for identity authentication.
Access authentication of the identity authentication request is generally performed by dedicated software (an API gateway) or hardware (an access authentication server): it first determines whether the request's source IP address is legitimate, and then whether the requesting application has been authorized by the identity authentication system.
Illustratively, the access authentication procedure is as follows: when an application system applies to use the identity authentication service, an administrator allocates it a unique application identifier and an access key, and the application system must provide an interface address for receiving the access key so that rotated access keys can be pushed to it periodically. The application identifier is generally bound to the application system's permissions, and the access authentication service can use it to judge whether the interface requested by the application is permitted.
When the application interacts with the identity authentication system, it sends a request carrying the access key, the application identifier and the user identity information to the access authentication service (generally implemented with API gateway software or dedicated hardware); once access authentication passes, the access authentication service forwards the request to the corresponding identity authentication service interface for identity verification or query. In a more specific embodiment, authentication is judged by the application identifier, and only identifiers issued in advance pass; further, when an application identifier is issued, the IP address of the application server can be recorded, so that only requests carrying that application identifier from that IP address pass authentication; the key is used to protect the transmission data and is used for encryption and decryption.
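The gateway-side check described in S5, written here as an added example in Python (not code from the patent): source address, issued application identifier, current key version and access key are verified before a request is forwarded. It assumes an administrator registry keyed by application identifier, an AccessKey header carrying the key the page mentions, and a freshness window on the Ts header, none of which the page specifies.

```python
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"
FIRST_ID, LAST_ID, STEP = 100000, 1600000, 25   # identifier interval and spacing from the page
MAX_CLOCK_SKEW_MS = 5 * 60 * 1000               # assumption: the page shows Ts but gives no window


@dataclass(frozen=True)
class IssuedApp:
    """What the administrator records when issuing an application identifier."""
    app_id: str
    key_version: str
    access_key: str
    allowed_ips: Set[ipaddress.IPv4Address]


# Constructed registry for this example; a real gateway loads it from the
# administrator's store and receives rotated keys through the push interface.
REGISTRY: Dict[str, IssuedApp] = {
    "255s": IssuedApp("255s", "v_1.0", "constructed-key-255s",
                      {ipaddress.ip_address("10.1.2.3")}),
}


def is_issued_form(app_id: str) -> bool:
    """True if app_id is a 4-character base-36 string inside the allocated
    interval and on the fixed 25-step grid the administrator uses."""
    if len(app_id) != 4 or any(c not in BASE36 for c in app_id):
        return False
    value = int(app_id, 36)
    return FIRST_ID <= value <= LAST_ID and (value - FIRST_ID) % STEP == 0


def access_authenticate(source_ip: str, headers: Dict[str, str],
                        registry: Dict[str, IssuedApp],
                        now_ms: Optional[int] = None) -> Tuple[bool, str]:
    """Gateway decision for one request: (forward?, reason).

    Checks follow the page's order: source IP first, then application
    authorization.  The AccessKey header name is an assumption; the page's
    header example lists only KeyVersion, AppId and Ts.
    """
    app_id = headers.get("AppId", "")
    if not is_issued_form(app_id):
        return False, "malformed application identifier"
    app = registry.get(app_id)
    if app is None:
        return False, "application identifier not issued"
    try:
        if ipaddress.ip_address(source_ip) not in app.allowed_ips:
            return False, "source address not registered for this application"
    except ValueError:
        return False, "unparseable source address"
    if headers.get("KeyVersion") != app.key_version:
        return False, "key version is not the current one"
    # constant-time comparison so the check does not leak key bytes via timing
    presented = headers.get("AccessKey", "").encode("utf-8")
    if not hmac.compare_digest(presented, app.access_key.encode("utf-8")):
        return False, "access key mismatch"
    try:
        ts = int(headers.get("Ts", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    now = time.time_ns() // 1_000_000 if now_ms is None else now_ms
    if abs(now - ts) > MAX_CLOCK_SKEW_MS:
        return False, "timestamp outside the accepted window"
    return True, "forward to identity authentication service"


if __name__ == "__main__":
    hdrs = {"AppId": "255s", "KeyVersion": "v_1.0",
            "AccessKey": "constructed-key-255s", "Ts": "1667537805211"}
    print(access_authenticate("10.1.2.3", hdrs, REGISTRY, now_ms=1667537806211))
    print(access_authenticate("10.9.9.9", hdrs, REGISTRY, now_ms=1667537806211))
```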
S6 is specifically as follows: desensitizing the user identity information in the identity authentication request, obtaining an identity message abstract corresponding to the identity authentication request, comparing the identity message abstract with the information abstract in the identity authentication database, and authenticating the user.
The user identity information desensitization can be performed according to the method S2, the configuration of the encryption and decryption server needs to be consistent with that used in the step S2, in a real application scene, 2 identical encryption and decryption servers are generally used and are respectively placed in a data making system and an identity authentication system for application program call, the same personnel data are ensured to generate the same desensitized data, and developers and operation and maintenance personnel are invisible to desensitization algorithms, salt values and the like, so that the safety is further ensured.
Illustratively, the identity message digest is calculated as follows: the identity authentication service firstly obtains the application identifier and the identity information in the application request, and calculates an identity message digest according to the algorithm in S2, namely, message digest=application identifier+sm3 (extraction data+salt value), wherein the identity information at this time is the extraction data and can be expressed as:
identity message digest = application identity + SM3 (identity information + salt value)
Comparing the calculated identity message abstract with the message abstract which is stored in the database and transited from the intranet, if the identity is the same, indicating that the identity is legal, and returning true by the identity authentication service; otherwise, the identity is not existed, and the identity authentication service returns false.
If the application is to acquire personnel attribute information corresponding to the identity, such as personnel gender, age, department, access right and the like, during the data production process, personnel attribute information can be extracted and the mapping relation is saved while personnel message abstract is generated, and then the personnel attribute information is synchronously transmitted to the identity authentication database through unidirectional transmission equipment. The application sends the request with the application identification, the user identity information and the fields of the required query attribute to the access authentication service, and after the request passes, the access authentication service forwards the request to the identity authentication service. The identity authentication service calculates an identity message abstract of the person in the request, then compares the identity message abstract, acquires attribute information of the person according to the requirement field, and returns the attribute information to the application.
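The flow described above, from salted digest generation in the intranet through access authentication, identity authentication and attribute lookup in the extranet, as an added worked example in Python. This is not code from the patent: the application identifier `A0Z9`, the salt parameters `N = 7` and a fixed "random number" of 3, the registered server address, the personnel records and the field order `name|id` are all constructed assumptions, and SHA-256 (which the page names alongside SM3) stands in for SM3 because it ships with `hashlib`. The claims write the salt as `(application identifier + N) × random number`; the `×` is read here as string repetition, which is an interpretation, not something the page states.

```python
import hashlib
import ipaddress

# --- constructed deployment parameters (assumptions, not values from the patent) ---
APP_ID = "A0Z9"       # a 4-character base-36 application identifier (constructed)
SALT_N = 7            # the positive integer N in "salt = (application identifier + N) x random number"
SALT_FACTOR = 3       # the "random number" of that formula; fixed per deployment and shared by both
                      # encryption/decryption servers so that both sides derive the same salt
HASH_NAME = "sha256"  # the page names SM3 and SHA-256; SHA-256 is used because hashlib ships it


def make_salt(app_id: str, n: int = SALT_N, factor: int = SALT_FACTOR) -> str:
    """salt = (application identifier + N) x random number.
    '+' is string concatenation (as in the claims); 'x' is read here as string
    repetition, which is an assumption about the patent's notation."""
    return (app_id + str(n)) * factor


def message_digest(app_id: str, extraction_data: str, salt: str) -> str:
    """message digest = application identifier + H(extraction data + salt)."""
    h = hashlib.new(HASH_NAME)
    h.update((extraction_data + salt).encode("utf-8"))
    return app_id + h.hexdigest()


def extraction_data(name: str, id_number: str) -> str:
    """The minimal data items (X0, X1) joined in a fixed order; both sides must agree on it."""
    return name + "|" + id_number


# --- intranet side: data making system ---------------------------------------
# Constructed personnel records: (name, identification number, access right after abstraction).
SAMPLE_RECORDS = [
    ("Zhang San", "ID-0001", "C1"),
    ("Li Si", "ID-0002", "C2"),
]


def build_identity_db(records, app_id: str, salt: str) -> dict:
    """Produce what is exported across the one-way device: digest -> attribute dictionary.
    Plaintext names and ID numbers never leave the intranet."""
    db = {}
    for name, id_number, rights in records:
        db[message_digest(app_id, extraction_data(name, id_number), salt)] = {"access_rights": rights}
    return db


# --- extranet side: identity authentication system ---------------------------
class AccessAuthService:
    """S5: only pre-issued application identifiers, sent from their registered server IPs, pass."""

    def __init__(self, registered: dict):
        # app_id -> set of allowed source addresses (registered when the identifier was issued)
        self.registered = {k: {ipaddress.ip_address(a) for a in v} for k, v in registered.items()}

    def check(self, app_id: str, client_ip: str) -> bool:
        allowed = self.registered.get(app_id)
        if allowed is None:
            return False
        return ipaddress.ip_address(client_ip) in allowed


class IdentityAuthService:
    """S6: recompute the digest from the request and compare it with the transferred table."""

    def __init__(self, identity_db: dict, salt: str):
        self.db = identity_db
        self.salt = salt  # must equal the salt configured on the intranet encryption server

    def _digest(self, app_id: str, name: str, id_number: str) -> str:
        return message_digest(app_id, extraction_data(name, id_number), self.salt)

    def authenticate(self, app_id: str, name: str, id_number: str) -> bool:
        return self._digest(app_id, name, id_number) in self.db

    def query_attribute(self, app_id: str, name: str, id_number: str, field: str):
        attrs = self.db.get(self._digest(app_id, name, id_number))
        return None if attrs is None else attrs.get(field)


def handle_request(access: AccessAuthService, identity: IdentityAuthService,
                   client_ip: str, header: dict, body: dict) -> dict:
    """Gateway flow: access authentication first, then identity authentication and attribute lookup."""
    app_id = header["AppId"]
    if not access.check(app_id, client_ip):
        return {"access": False, "authenticated": False, "attribute": None}
    person = body["data"][0]
    ok = identity.authenticate(app_id, person["X0"], person["X1"])
    attr = identity.query_attribute(app_id, person["X0"], person["X1"], person["X2"]) if ok else None
    return {"access": True, "authenticated": ok, "attribute": attr}


def demo() -> dict:
    salt = make_salt(APP_ID)
    db = build_identity_db(SAMPLE_RECORDS, APP_ID, salt)      # intranet: exported across the one-way device
    access = AccessAuthService({APP_ID: {"10.0.0.5"}})        # extranet: constructed registration
    identity = IdentityAuthService(db, salt)                   # extranet: same salt configuration
    header = {"KeyVersion": "v_1.0", "AppId": APP_ID, "Ts": 1667537805211}
    body = {"data": [{"X0": "Zhang San", "X1": "ID-0001", "X2": "access_rights"}]}
    return handle_request(access, identity, "10.0.0.5", header, body)


if __name__ == "__main__":
    print(demo())  # {'access': True, 'authenticated': True, 'attribute': 'C1'}
```

The point the example makes concrete is that the extranet database holds only `app_id + hash` keys and attribute values; a request from an unregistered address or an unknown identifier is rejected before any digest is computed, and a wrong identity number simply fails to hit the table.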
As a concrete instance, such as querying the access rights of Zhang San, pseudocode for the request content an application sends to the identity authentication service is as follows:
```jsonc
// Example request header (header portion)
{
  "KeyVersion": "v_1.0",   // version number
  "AppId": "255 s",        // application identifier
  "Ts": 1667537805211      // timestamp
}
// Example request content (body portion)
{
  "data": [
    {
      "X0": "Zhang San",                 // person name
      "X1": "1101082020091012311561",    // personnel identification number
      "X2": "access rights"              // required query attribute
    }
  ]
}
```
Table 1: Example of an attribute lookup table in the identity authentication database
In the identity authentication database the attribute query table looks, for example, like Table 1: each message digest maps to the concrete attribute values of the fields related to that user identity, i.e. the attribute information is typically stored as a dictionary.
Further, once the user's identity information has been authenticated, the user's attribute information (such as the rights information produced by data abstraction) can be looked up through the matched identity, so that identity and attributes can be checked together conveniently.
Illustratively, in a scenario where personnel rights must be obtained, for example to decide whether a person may enter or leave certain premises, the data making system derives different entry and exit rights from personnel category and level, and these rights are stored in the identity authentication database as attributes alongside the identity message digests via the cross-network transmission, as shown in Table 1. After the user's identity information passes authentication, staff decide whether the user may enter or leave according to the user rights returned by the identity authentication system.
Further, the invention also comprises a data abstraction step carried out before step S2, in which the extracted data is abstracted according to agreed rules. Specifically, data abstraction means: according to the data types that limit the application access rights, the levels of the different data types are abstracted, and each combination of data-type levels is mapped to an application access right.
Illustratively, in a preferred embodiment of the invention, as shown in Table 1, assume that application access rights are defined by personnel category and level: personnel with category A1 and level B2, or with category A2 and level B4, have right C1; personnel with category A1 and level B3, or with category A2 and level B5, have right C2. The abstraction logic is shown in Table 1. After data abstraction, the right replaces the two information items personnel category and level as a newly generated information item. This step can be skipped if identity authentication does not need such information.
Table 1: Personnel rights abstraction logic table
It should be noted that the data abstraction step is optional: if identity authentication does not need such information, the step can be skipped; that is, whether to perform data abstraction is chosen according to the user's actual situation.
Referring to fig. 2, the invention further provides a cross-network identity authentication system, which can execute the cross-network identity authentication method, and the cross-network identity authentication system comprises:
the data making system is used for processing basic data of personnel;
the identity authentication system provides identity authentication services for different applications;
The data making system and the identity authentication system are physically isolated in different network domains, and data is transferred between them through a unidirectional transmission device.
The data making system is located in the intranet and performs data extraction, abstraction, desensitization and confusion to produce the message digests; the identity authentication system is located in the extranet (the Internet or a local area network) and provides identity authentication services to the different applications.
Further, the data making system comprises a data desensitization unit, a digest encryption unit, a personnel basic database and an identity authentication identification unit.
In the invention, the data desensitization unit extracts data from the personnel basic database according to the application's identity authentication requirements, performs data abstraction according to the agreed rules, then calls the digest encryption service to desensitize the relevant data, generating message digests that are stored in the identity authentication identification database.
In this embodiment, the digest encryption unit generally uses an irreversible one-way hash algorithm such as SM3 or SHA-256 to compute the digest data; the hash algorithm can be implemented in software or by dedicated hardware encryption equipment.
The personnel basic database stores the full personnel basic information, and the identity authentication identification unit stores the message digests generated by data desensitization.
In a preferred embodiment of the invention, the data making system further includes a data maintenance unit configured to export the message digests and other attribute information (such as the rights produced by abstraction) from the identity authentication identification database into a data file, and to sign that data file to prevent tampering.
Furthermore, the data making system is also used to make the user's attribute information available once the user's identity information has been authenticated, so that the attribute information can be queried conveniently.
The identity authentication system comprises an access authentication service unit, an application service unit and a data service unit. The access authentication service unit is configured to deploy the access authentication service and to authorize and verify applications that access the identity authentication service.
The access authentication service unit is configured to: after an application requests access to the authentication service, authorize and verify that application, so that only authorized applications can call the identity authentication service. The application service unit is configured to run the identity authentication service, the data maintenance service, the digest encryption service and the like; when running the identity authentication service, the application service unit receives the application's identity authentication request, calls the digest encryption service to desensitize the personnel identity information in the request, then compares the desensitized information with the digest information in the identity authentication identification database and returns the identity authentication result.
In a preferred embodiment of the invention, the identity authentication system further includes a security protection unit configured to perform vulnerability scanning, attack detection, security auditing and antivirus protection; it includes a firewall, a web application firewall, a database firewall and other devices that can be placed in series in front of the other zones, so as to monitor and protect the devices and traffic of the identity authentication system.
Preferably, the identity authentication system also comprises a data service unit configured to connect to the identity authentication identification database, which stores the exported desensitized personnel identity digests and other attribute information.
Referring to fig. 3, when the cross-network identity authentication system of the invention performs cross-network identity authentication according to the method, the application may first choose to perform a preliminary authentication of the user information with a third-party identity authentication system, for example the trusted identity authentication platform (CTID) of the First Research Institute of the Ministry of Public Security or the electronic identity (eID) authentication platform of the Third Research Institute of the Ministry of Public Security, to verify the user's public identity; this effectively reduces the number of illegal requests and improves the security of the system's own identity authentication. After passing the third-party identity authentication, the application sends a request containing the application identifier and the user identity information to the access authentication service, which verifies whether the request is legitimate according to the application identifier and forwards the user identity information of legitimate requests to the identity authentication service. The identity authentication service calls the data encryption service to desensitize the user identity information into a message digest, compares that digest with the data in the identity authentication identification database, and returns whether identity authentication passed, or other attribute information (such as rights produced by abstraction).
In summary, the cross-network identity authentication method of the invention produces irreversible message digests by extracting and desensitizing the personnel basic data held in the intranet, and these irreversible digests are transferred from the intranet to the identity authentication system, so that identity authentication services can be provided safely and reliably to the different applications of the extranet while the personnel basic data remains stored in the intranet and the intranet and extranet stay physically isolated.
The above embodiments only illustrate the technical solution of the invention and do not limit it; although the invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications and equivalent substitutions may be made without departing from the spirit and scope of its technical solution.
Claims (10)
1. The cross-network identity authentication method is characterized by comprising the following steps of:
S1, data extraction: according to the application's identity authentication requirements, extract data from the personnel basic data to obtain the extracted data;
S2, data desensitization: generate a message digest from the extracted data, the application identifier and the salt value to complete the data desensitization; the salt value is computed from the application identifier; the application identifier is the unique identifier of an application within a given network domain;
S3, data confusion: randomly obtain confusion data, randomly mix the confusion data with the message digests, and form the transmission data from the mixture; the confusion data is randomly drawn from new message digests; a new message digest is generated from the application identifier, the extracted data, the salt value and the current timestamp;
S4, cross-network transmission: export the transmission data across the network boundary into the identity authentication database using unidirectional transmission equipment; the transmission data comprises the confusion data and the message digests;
S5, access authentication: send the identity authentication request for access authentication, verify the validity of the access, and forward the identity authentication request of an authorized application for identity authentication;
S6, identity authentication: desensitize the user identity information in the identity authentication request to obtain the identity message digest corresponding to that request, compare the identity message digest with the transmission data in the identity authentication database, and authenticate the user; the identity message digest is generated from the application identifier, the user identity information and the salt value; the user identity information is the information of the same data items, taken from the identity authentication request, as the extracted data.
2. The cross-network identity authentication method according to claim 1, wherein during data extraction in S1 the data items are extracted according to the principle of minimum necessity;
in S6, the data items contained in the user identity information are the same as the extracted data items.
3. The cross-network identity authentication method according to claim 1, wherein in S2, a message digest is generated by:
Message digest = application identifier + one-way hash algorithm(extracted data + salt);
Salt = (application identifier + N) × random number;
where N is a positive integer and + denotes string concatenation.
4. The cross-network identity authentication method according to claim 1, wherein the generation mode of the new message digest is as follows:
New message digest = application identifier + one-way hash algorithm(extracted data + salt + current timestamp);
Salt = (application identifier + N) × random number;
where N is a positive integer and + denotes string concatenation.
5. The cross-network identity authentication method according to claim 1, wherein in S3, the amount of confusion data is not less than one third of the amount of new message digests.
6. The cross-network identity authentication method according to claim 1, wherein the application identifier is a base-36 string of length 4, and the application identifiers of successive network domains are incremented at a fixed interval.
7. The cross-network identity authentication method according to claim 1, characterized in that it further comprises: data abstraction carried out before step S2; the data abstraction is specifically: according to the data types that limit the application access rights, the levels of the different data types are abstracted, and each combination of data-type levels is mapped to an application access right.
8. A cross-network identity authentication system, characterized in that it can perform the cross-network identity authentication method according to any one of claims 1 to 7, the cross-network identity authentication system comprising:
the data making system is used for processing basic data of personnel;
the identity authentication system provides identity authentication services for different applications;
The data making system and the identity authentication system are physically isolated in different network domains, and data is transferred between them through a unidirectional transmission device.
9. The cross-network identity authentication system of claim 8, wherein the data production system comprises a data desensitization unit, a digest encryption unit, a personnel base database, and an identity authentication identification unit.
10. The cross-network identity authentication system of claim 8, further comprising an access authentication service unit, an application service unit, and a data service unit, the access authentication service unit configured to deploy an access authentication service, and to authorize and verify applications accessing the identity authentication service; the application service unit is configured to perform an identity authentication service, a data maintenance service, a digest encryption service, and the like; the data service unit is configured to be connected to the identity authentication identification database and store the derived desensitized personnel identity information abstract and other attribute information.
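The data confusion step of S3 as defined in claims 1, 4 and 5 above (new message digests bound to the current timestamp, at least one third as many decoys as real digests, random doping into the transmission data), as an added worked example in Python that is not code from the patent. It also shows why the decoys are harmless to S6: a live query never includes a timestamp, so a decoy digest can never match a recomputed identity digest. The application identifier, salt parameters, personnel strings, timestamp string and random seed are constructed assumptions; SHA-256 stands in for SM3 as both are named on the page, and the salt formula's `×` is read as string repetition, which is an interpretation.

```python
import hashlib
import math
import random
from typing import List, Sequence, Set

HASH_NAME = "sha256"  # SM3 in the patent; SHA-256 (also named on the page) ships with hashlib


def make_salt(app_id: str, n: int, factor: int) -> str:
    """salt = (application identifier + N) x random number; 'x' read as string repetition (assumption)."""
    return (app_id + str(n)) * factor


def digest(app_id: str, extracted: str, salt: str, timestamp: str = "") -> str:
    """Claim 3 when timestamp is empty (real digest); claim 4 when it is set (new message digest)."""
    h = hashlib.new(HASH_NAME)
    h.update((extracted + salt + timestamp).encode("utf-8"))
    return app_id + h.hexdigest()


def make_confusion_data(app_id: str, extracted_items: Sequence[str], salt: str,
                        rng: random.Random, timestamp: str) -> List[str]:
    """S3, first half: build new message digests bound to the current timestamp and randomly
    draw at least one third as many of them as there are real digests (claim 5)."""
    new_digests = [digest(app_id, item, salt, timestamp) for item in extracted_items]
    if not new_digests:
        return []
    count = math.ceil(len(new_digests) / 3)
    return rng.sample(new_digests, count)


def build_transmission_data(real: Sequence[str], confusion: Sequence[str],
                            rng: random.Random) -> List[str]:
    """S3, second half: dope the confusion data into the real digests at random positions.
    The result is what crosses the unidirectional device in S4."""
    mixed = list(real) + list(confusion)
    rng.shuffle(mixed)
    return mixed


def confusion_ratio_ok(real_count: int, confusion_count: int) -> bool:
    """Claim 5: the amount of confusion data is not less than one third of the digests."""
    return confusion_count * 3 >= real_count


def verify(transmission_data: Set[str], app_id: str, user_identity: str, salt: str) -> bool:
    """S6 on the extranet: recompute without a timestamp and look it up. Decoys are never hit
    because no live query carries the timestamp that was folded into them."""
    return digest(app_id, user_identity, salt) in transmission_data


def demo() -> dict:
    """Run the intranet side end to end on constructed data and return the pieces."""
    app_id, salt = "A0Z9", make_salt("A0Z9", 7, 3)
    people = [f"Person-{i}|ID-{i:04d}" for i in range(6)]   # constructed extraction data
    rng = random.Random(42)                                   # seeded so the run is reproducible
    real = [digest(app_id, p, salt) for p in people]
    confusion = make_confusion_data(app_id, people, salt, rng, "1667537805211")
    transmission = build_transmission_data(real, confusion, rng)
    return {"real": real, "confusion": confusion, "transmission": transmission}


if __name__ == "__main__":
    out = demo()
    print(len(out["real"]), len(out["confusion"]), len(out["transmission"]))  # 6 2 8
```

A practical consequence worth noting: because decoys are unverifiable by design, the extranet table cannot tell a decoy from a real digest either, so any integrity check on the exported file (the signed data file of the data maintenance unit) has to cover the whole mixture rather than the real digests alone.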
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410558020.4A CN118157988B (en) | 2024-05-08 | 2024-05-08 | Cross-network identity authentication method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410558020.4A CN118157988B (en) | 2024-05-08 | 2024-05-08 | Cross-network identity authentication method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118157988A true CN118157988A (en) | 2024-06-07 |
| CN118157988B CN118157988B (en) | 2024-07-09 |
Family
ID=91300999
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410558020.4A Active CN118157988B (en) | 2024-05-08 | 2024-05-08 | Cross-network identity authentication method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118157988B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119135366A (en) * | 2024-07-17 | 2024-12-13 | 中央军委后勤保障部信息中心 | Method, device, electronic device and storage medium for multi-subject cross-network trust transmission |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030093681A1 (en) * | 2001-10-15 | 2003-05-15 | Wettstein Gregory H. | Digital identity creation and coalescence for service authorization |
| CN108768970A (en) * | 2018-05-15 | 2018-11-06 | 腾讯科技(北京)有限公司 | A kind of binding method of smart machine, identity authentication platform and storage medium |
| CN112383401A (en) * | 2020-11-10 | 2021-02-19 | 中国科学院大学 | User name generation method and system for providing identity authentication service |
| CN112733107A (en) * | 2021-04-02 | 2021-04-30 | 腾讯科技(深圳)有限公司 | Information verification method, related device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118157988B (en) | 2024-07-09 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||