CN110545274A - Method, device and system for a UMA service based on person-ID integration - Google Patents
- Publication number: CN110545274A
- Application number: CN201910811610.2A
- Authority
- CN
- China
- Prior art keywords
- resource
- user
- authorization
- server
- identity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method, device and system for a UMA service based on person-ID integration (matching a live face photo of the user against the photo on the user's registered identity document). When a resource applicant accesses a resource, the authorization server first decides, by person-ID comparison of the face photo uploaded by the applicant against the pre-stored registration data, whether the applicant is a registered user. If so, it obtains the access credentials the applicant presents, as required by the resource's authorization policy, and checks whether they satisfy that policy; if they do, the result is "authorized", and if the applicant is not a registered user or the credentials do not satisfy the policy, the result is "not authorized". The authorization server then uses its private key to issue to the applicant's client an access token carrying the authorization result. The client presents the token to the resource server, which verifies the signature with the public key; if the signature is valid and the token says authorized, the resource server sends the resource to the applicant. Because the scheme confirms both that the user holds a genuine identity document and that this person is the registered user, the token is not easy to forge or tamper with, and the security of authorization is effectively ensured.
Description
Technical Field
The invention relates to the technical field of the Internet and mobile communications, in particular to a method, device and system for a UMA service based on person-ID integration, i.e. matching a live face photo of the user against the photo on the user's identity document.
Background
OAuth is a security protocol used to protect a large and growing number of Web APIs worldwide. It is a delegation protocol that solves cross-system authorization, replacing the password-sharing anti-pattern with a mechanism of higher usability and security. It is used to connect websites to one another and also to connect native and mobile applications to cloud services. It serves as the security layer in standard protocols across many fields, from healthcare to identity management and from energy to social networking, and has become the dominant security mechanism on the Web today. OAuth is not itself an authentication framework, but authentication can be layered on top of it.
UMA (User-Managed Access) is a protocol built on OAuth 2.0 that gives resource owners richer control over access to their resources through an authorization server. The clients that access a resource may be operated by the resource owner or by other users. UMA builds on the core function of OAuth 2.0, delegation of access by the user, and extends it to authorization of one user by another.
Face recognition is a biometric identification technique based on a person's facial features: the face image is preprocessed, feature values are extracted, and identity is confirmed by comparing feature values. The technique is mature and widely deployed.
Identity-document OCR (Optical Character Recognition) determines character shapes on a document image by detecting dark and light patterns and then translates those shapes into computer characters by character recognition. It can extract the name, identity card number, portrait photo and other fields from an identity document.
Patent application No. 201510493553.X discloses a biometric-based OAuth service comprising the following steps: the user registers on an OAuth system service platform; the platform exposes the OAuth service externally; the user accesses a third-party application and chooses to authorize it through the OAuth platform; the platform determines the target smart terminal that will provide the authorization and routes the user's authorization request to that terminal; on the terminal the user chooses whether to approve, in which case biometric information is collected on the terminal, or declines or does nothing, in which case authorization is refused; the system determines from the collected biometric information whether it belongs to the registered user, and the platform returns the corresponding authorization result to the third-party application.
The authorization flow of that patent has several shortcomings:
(1) It cannot authorize other users
The third-party application can only be authorized through the system service platform, and the resource owner can only be the user himself; when a resource requires authorization from a different user, that scheme cannot meet the requirement.
(2) It places high demands on the security of the smart terminal
Because biometric capture and comparison are performed on the smart terminal, the terminal must store and transmit biometric feature data securely, yet the Android terminals that hold the larger market share have weak protection: they are easily rooted and easily have malicious applications installed.
(3) It cannot confirm the user's legal identity
It can only guarantee that the person registering and the person later using the service are the same person, not that this person is a legitimate, verified individual; in many scenarios, such as hotels, schools, banks and companies, exactly that must be established.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a method, device and system for a UMA service based on person-ID integration. It solves the problems that the existing biometric OAuth service cannot verify the real identity of the registrant, cannot authorize other users and places high demands on the security of the smart terminal, and it has a wider range of application.
To this end the invention adopts the following technical scheme. A UMA service method based on person-ID integration is characterized in that it comprises the following steps:
an authorization server providing the UMA service receives the registration of a resource server and allocates to it a resource server ID number and a corresponding public key;
the authorization server receives the resource server's registration of a resource and allocates a unique resource identifier to it, and the resource owner configures an authorization policy through the authorization server;
when a resource applicant accesses a resource, the authorization server decides, by person-ID comparison of the face photo uploaded by the applicant against the pre-stored user registration information, whether the applicant is the registered user; if so, it obtains the access credentials the applicant presents, as required by the resource's authorization policy, and checks whether they satisfy it; if they do, the applicant is authorized, and if the applicant is not the registered user or the credentials do not satisfy the policy, the applicant is not authorized; the authorization server uses its private key to issue to the applicant's client an access token carrying the authorization result; the client presents the token to the resource server, which verifies the signature with the public key; if the signature is valid, the token says authorized and the resource access count is correct, the resource server sends the resource to the applicant.
The UMA service method based on person-ID integration is characterized in that the user registration information comprises conventional registration information and a registered identity-document photo. The conventional registration information comprises user name, password, gender, native place and contact details. The registered identity-document photo is captured with the camera and checked for genuineness and validity; if the document is genuine and valid, the authorization server encrypts and stores the conventional user information and the identity-document photo and associates the two.
The UMA service method based on person-ID integration is characterized in that checking whether the identity-document photo is genuine and valid comprises the following steps:
1) the authorization server providing the UMA service receives the identity-document photo the user took with the camera;
2) the authorization server parses the photo, sends the name, identity card number and portrait data to the database of the public security department to query the authenticity of the identity card, and the database returns a verification result;
3) if verification succeeds, the authorization server keeps the identity-card photo in its database; if it fails, the user is told that identity-card verification failed and the photo is deleted.
The UMA service method based on person-ID integration is characterized in that deciding by person-ID comparison whether the applicant is the registered user comprises:
1) the authorization server receives the user's face photo;
2) it extracts the face feature values from that photo, retrieves the feature values of the portrait on the identity document stored in the database, compares the similarity of the two, and when the similarity reaches a set threshold the person and the document are deemed to belong to the same individual.
The UMA service method based on person-ID integration is characterized in that the access token comprises user information and signature information; the user information comprises the user ID, the requested resource identifier, the resource operation permission, the resource access count and whether the user is authorized, and the signature information is generated by hashing the user information and encrypting the hash with the authorization server's private key.
An authorization server for a UMA service based on person-ID integration is characterized in that it comprises:
a resource server registration module, which receives the registration of a resource server and allocates to it a resource server ID number and a corresponding public key;
a resource registration module, which receives the resource server's registration of a resource and allocates a unique resource identifier to it, the resource owner configuring an authorization policy through the authorization server;
a person-ID verification and resource acquisition module, which, when a resource applicant accesses a resource, decides by person-ID comparison of the face photo uploaded by the applicant against the pre-stored user registration information whether the applicant is the registered user; if so, it obtains the access credentials the applicant presents, as required by the resource's authorization policy, and checks whether they satisfy it; if they do, the applicant is authorized, and if the applicant is not the registered user or the credentials do not satisfy the policy, the applicant is not authorized; the authorization server uses its private key to issue to the applicant's client an access token carrying the authorization result; the client presents the token to the resource server, which verifies the signature with the public key, and if the signature is valid, the token says authorized and the resource access count is correct, the resource server sends the resource to the applicant.
The authorization server for the UMA service based on person-ID integration is characterized in that deciding by person-ID comparison whether the applicant is the registered user comprises:
1) the authorization server receives the user's face photo;
2) it extracts the face feature values from that photo, retrieves the feature values of the portrait on the identity document stored in the database, compares the similarity of the two, and when the similarity reaches a set threshold the person and the document are deemed to belong to the same individual.
A UMA service system based on person-ID integration is characterized in that it comprises a resource server, an authorization server and terminal devices;
the resource server stores the resources uploaded by the resource owner;
the authorization server provides services meeting the UMA protocol and is responsible for user registration, user verification, registration of the resource server and its resources, and generation of access tokens;
the terminal device captures the identity-document photo and the face photo and receives push notifications from the UMA service.
The UMA service system based on person-ID integration is characterized in that the resources comprise visible resources such as documents, or authorization certificates.
The UMA service system based on person-ID integration is characterized in that the terminal and the authorization server communicate securely over HTTPS.
The invention achieves the following beneficial effects. It uses the identity document to verify the real identity of the registrant, then uses face recognition and OCR to confirm that the person and the document belong to the same individual, and uses COTS devices to capture the identity-document photo and the face photo, which raises the security and convenience of the authorization service without adding hardware cost. The requirement on the COTS device is low, the only one being a front-facing camera, which is standard on current smart terminals, so the range of usable authorization devices is wide. The method applies not only to a user authorizing third-party applications but also to a user authorizing other users, so the usage scenarios are broader.
Person-ID integration guarantees that the user is a legitimate, verified individual and is the registered user. The authorization credential is an access token carrying signature information, generated by the authorization server after the person-ID check passes; the token carries no identity-document information about the user, only the user ID. The resource server verifies the signature with the public key it obtained when registering with the authorization server, which establishes the token's validity and further proves that the user was authorized. A signed token is not easy to forge or tamper with, so the security of authorization is effectively ensured.
Drawings
FIG. 1 is a flowchart of the UMA service method based on person-ID integration in an embodiment of the invention;
FIG. 2 is a flowchart of user registration in an embodiment of the invention;
FIG. 3 is a flowchart of identity-document photo verification in an embodiment of the invention;
FIG. 4 is a flowchart of the person-ID comparison in an embodiment of the invention.
Detailed Description
The invention is further described below with reference to the drawings. The following examples only illustrate the technical solution more clearly and do not limit the scope of protection.
Example 1:
A UMA service system based on person-ID integration comprises a resource server, an authorization server and terminal devices.
The resource server stores the resources uploaded by the resource owner; the resources comprise visible resources such as documents, or authorization certificates.
The authorization server provides services meeting the UMA protocol and is responsible for user registration, user verification, registration of the resource server and its resources, and generation of access tokens.
The terminal device is a COTS device (Commercial Off-The-Shelf: a commercially available software or hardware product with interfaces defined by open standards, which saves cost and time; a mobile phone or tablet is a COTS device). It runs an APP that captures the identity-document photo and the face photo and receives push notifications from the UMA service (when a user accesses a resource that requires the owner's confirmation, a notification is pushed to the APP to remind the owner to confirm). The terminal and the authorization server communicate securely over HTTPS.
The parties in the UMA service are the resource server, the resource owner, the client and the resource applicant. The applicant and the owner may be the same person; when they are different, the scheme amounts to one user authorizing another. The owner allows other users and third-party clients to access a resource by configuring an authorization policy, and the applicant and client obtain the resource by presenting to the authorization server applicant or client information that satisfies the owner's policy.
Example 2:
A method for a UMA service based on person-ID integration comprises the following steps.
Step 1. The user performs conventional information registration and identity-document photo registration on the authorization server providing the UMA service, and the authorization server encrypts and stores the registration information.
Conventional information registration covers user name/password, gender, native place, contact details and so on, and automatically generates a unique user ID for the user. The user name and password serve as the login credential of the UMA service and can also serve as user authentication where only a low security level is required.
Identity-document photo registration captures the identity-document photo with the COTS device camera and verifies that it is genuine and valid, mainly checking that the name and identity card number are consistent and that the portrait on the card is genuine. If the card is confirmed genuine and valid, the authorization server encrypts and stores the conventional user information and the identity-card photo and associates the two; if the photo is invalid, the user is told that identity-card verification failed and may choose to photograph the card again.
Checking whether the identity-document photo is genuine and valid comprises the following steps:
1) the authorization server providing the UMA service receives the identity-document photo the user took with the camera; the user must first judge whether the photo is clear and retake it if not;
2) the authorization server (which must itself hold the authorization of the public security department) parses the photo, sends the name, identity card number and portrait data to the public security department's database to query the authenticity of the identity card, and the database returns a verification result;
3) if verification succeeds, the authorization server keeps the identity-card photo in its database; if it fails, the user is told that identity-card verification failed, the photo is deleted, and the user may choose to photograph the card again.
Step 2. The authorization server receives the registration of the resource server and allocates to it a resource server ID number and a corresponding public key (with which the resource server can verify access tokens).
Step 3. The authorization server receives the resource server's registration of a resource and allocates a unique resource identifier to it; the resource owner configures an authorization policy through the authorization server.
Different resources may be configured with different authorization policies. Resource applicants and their clients (browsers or native applications) must provide access credentials that satisfy the policy; for example, if the policy requires a bound terminal, the terminal's MAC address is one of the access credentials. A resource with no authorization policy configured is deemed inaccessible.
The authorization policy includes, but is not limited to, the following items:
1) whether, after the person-ID check passes, the resource owner must confirm again, and by which means (account password, face recognition, etc.);
2) whether an authorized terminal is bound, i.e. whether the terminal that collects the face photo must be a specific terminal or may be any terminal;
3) the date range within which the resource can be accessed;
4) the specific users allowed to access it;
5) a limit on the number of times the resource can be accessed.
Step 4. When a resource applicant needs to access a resource, the authorization server decides, by person-ID comparison of the face photo uploaded by the applicant, whether the applicant is the registered user; if so, it obtains the access credentials the applicant presents, as required by the resource's authorization policy, and checks whether they satisfy it; if they do, the applicant is authorized, and if the applicant is not the registered user or the credentials do not satisfy the policy, the applicant is not authorized. The authorization server uses its private key to issue to the applicant's client an access token carrying the authorization result. The client presents the token to the resource server, which verifies the token signature with the public key; if the signature is valid, it checks whether the user is authorized and whether the resource access count is correct, and if both hold it fetches the resource for the accessible resource identifier and returns it to the applicant.
Examples of access credentials: if the resource owner must confirm again, the authorization server reminds the owner to confirm the authorization by an application push notification (received by the terminal APP); if a bound terminal is required, the MAC address of the terminal used to collect the face photo must be provided.
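The following Go program is an added example, not code from the patent: it models how the authorization server could evaluate the five policy items of step 3 against the access credentials presented in step 4. The Policy and Credentials fields, the MAC-address normalization, the deny-by-default handling of a resource with no policy, and the sample policy data are this editor's assumptions drawn from the description above; the person-ID comparison is assumed to have already succeeded before Evaluate runs.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Policy holds one resource's authorization policy with the five items the
// page lists. Zero values mean "not restricted"; a resource with no Policy at
// all is denied (the page: such a resource "is deemed inaccessible").
type Policy struct {
	RequireOwnerConfirm bool      // owner must approve the push notification
	BoundTerminalMAC    string    // "" = the face photo may come from any terminal
	NotBefore, NotAfter time.Time // accessible date range; zero = unbounded
	AllowedUsers        []string  // nil = any registered user
	MaxAccesses         int       // 0 = unlimited
}

// Credentials is what the applicant's client presents (person-ID check already passed).
type Credentials struct {
	UserID         string
	TerminalMAC    string // MAC of the terminal that collected the face photo
	OwnerConfirmed bool   // true once the owner approved on the terminal APP
	AccessesSoFar  int    // authorization server's count for this user/resource
	Now            time.Time
}

// normMAC makes "AA-BB-CC-DD-EE-FF" and "aa:bb:cc:dd:ee:ff" compare equal
// (assumed normalization; the page only says the MAC is one credential).
func normMAC(m string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(m), "-", ":"))
}

// Evaluate returns (authorized, reason); the first failing policy item is
// reported so the client can tell which credential was missing.
func Evaluate(policies map[string]*Policy, resourceID string, c Credentials) (bool, string) {
	p := policies[resourceID]
	if p == nil {
		return false, "no authorization policy configured; resource inaccessible"
	}
	if p.RequireOwnerConfirm && !c.OwnerConfirmed {
		return false, "resource owner has not confirmed"
	}
	if p.BoundTerminalMAC != "" && normMAC(p.BoundTerminalMAC) != normMAC(c.TerminalMAC) {
		return false, "face photo was not collected on the bound terminal"
	}
	if !p.NotBefore.IsZero() && c.Now.Before(p.NotBefore) {
		return false, "before the accessible date range"
	}
	if !p.NotAfter.IsZero() && c.Now.After(p.NotAfter) {
		return false, "after the accessible date range"
	}
	if len(p.AllowedUsers) > 0 {
		found := false
		for _, u := range p.AllowedUsers {
			if u == c.UserID {
				found = true
				break
			}
		}
		if !found {
			return false, "user is not among the permitted users"
		}
	}
	if p.MaxAccesses > 0 && c.AccessesSoFar >= p.MaxAccesses {
		return false, "access-count limit reached"
	}
	return true, ""
}

// SamplePolicies is constructed demonstration data, not from the patent.
func SamplePolicies() map[string]*Policy {
	return map[string]*Policy{
		"res-contract-001": {
			RequireOwnerConfirm: true,
			BoundTerminalMAC:    "AA-BB-CC-DD-EE-FF",
			NotBefore:           time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC),
			NotAfter:            time.Date(2019, 9, 30, 23, 59, 59, 0, time.UTC),
			AllowedUsers:        []string{"user-1001", "user-1002"},
			MaxAccesses:         3,
		},
	}
}

func main() {
	creds := Credentials{UserID: "user-1002", TerminalMAC: "aa:bb:cc:dd:ee:ff", OwnerConfirmed: true,
		AccessesSoFar: 2, Now: time.Date(2019, 9, 15, 12, 0, 0, 0, time.UTC)}
	ok, why := Evaluate(SamplePolicies(), "res-contract-001", creds)
	fmt.Println(ok, why) // true
	creds.AccessesSoFar = 3
	ok, why = Evaluate(SamplePolicies(), "res-contract-001", creds)
	fmt.Println(ok, why) // false access-count limit reached
}
```

The checks are ordered cheapest-first and each one short-circuits, so a client is only ever told about the first unmet requirement; the access count is compared against the authorization server's own record, not a value the client supplies.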
The access token comprises user information and signature information. The user information comprises the user ID, the requested resource identifier, the resource operation permission, the resource access count (both the resource server and the authorization server keep a record of this count; each authorized access increments the record by 1, and the field is used to prevent replay attacks) and whether the user is authorized; the signature information is produced by hashing the user information and encrypting the hash with the authorization server's private key, i.e. a digital signature.
The resource applicant uses a client (a browser or a native application) to log in to the resource server with an account and password and attempts to access a selected resource of the resource server without yet holding an authorization. From this initial request the authorization server learns which resource the client is trying to access, hence who the corresponding resource owner is and which access credentials it needs (according to the configured policy). If the user agrees to authorize, the user takes a face photo with a camera-equipped COTS device and uploads it to the authorization server; if not, the user cancels or does nothing.
The person-ID verification service in the authorization server uses face recognition and document OCR to extract and compare the feature values of the uploaded face photo and of the portrait on the identity card; this is the person-ID comparison, shown in FIG. 4, which comprises the following steps:
1) the authorization server receives the user's face photo; the user must first judge whether the photo is clear and retake it if not;
2) it extracts the face feature values from that photo, retrieves the feature values of the portrait on the identity document stored in the database, compares the similarity of the two, and when the similarity reaches a set threshold the person and the document are deemed to belong to the same individual.
The authorization server signs the access token with its private key and issues it to the user's client, and the resource server establishes the token's legitimacy by verifying the signature information with the public key obtained when it registered with the authorization server.
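As an added example (not the patent's own code), the following Go program models the token issuance and verification of step 4 together with the access-count check the page says prevents replay. It assumes SHA-256 over a JSON encoding of the user information with an RSA PKCS#1 v1.5 signature standing in for the page's "hash, then encrypt with the private key"; the JSON field names, the per-user/per-resource counter key and the rule that each authorized token must carry the next count value are assumptions, and the resource server ID allocation of step 2 is omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenBody is the token's "user information"; it carries no identity-document data.
type TokenBody struct {
	UserID     string `json:"user_id"`
	ResourceID string `json:"resource_id"`
	Operation  string `json:"op"`
	AccessSeq  int    `json:"access_seq"` // access count checked by the resource server
	Authorized bool   `json:"authorized"`
}

type AccessToken struct {
	Body      TokenBody `json:"body"`
	Signature []byte    `json:"sig"` // assumed: RSA PKCS#1 v1.5 over SHA-256(JSON body)
}

var (
	ErrBadSignature  = errors.New("access token: signature invalid")
	ErrNotAuthorized = errors.New("access token: not authorized")
	ErrReplay        = errors.New("access token: access count mismatch (replayed or stale)")
)

// digest hashes the user information; struct field order is fixed, so issuer and verifier hash identical bytes.
func digest(b TokenBody) []byte {
	raw, _ := json.Marshal(b) // cannot fail for string/int/bool fields
	d := sha256.Sum256(raw)
	return d[:]
}

// AuthServer signs tokens with its private key and counts authorized accesses.
type AuthServer struct {
	priv   *rsa.PrivateKey
	counts map[string]int // key: userID|resourceID
}

func NewAuthServer() *AuthServer {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // entropy source failure; not recoverable here
	}
	return &AuthServer{priv: k, counts: map[string]int{}}
}

// RegisterResourceServer models step 2: the resource server obtains the public key it verifies tokens with.
func (a *AuthServer) RegisterResourceServer() *rsa.PublicKey { return &a.priv.PublicKey }

// Issue signs a token carrying the authorization result; only an authorized grant advances the access count.
func (a *AuthServer) Issue(userID, resourceID, op string, authorized bool) (AccessToken, error) {
	body := TokenBody{UserID: userID, ResourceID: resourceID, Operation: op, Authorized: authorized}
	if authorized {
		a.counts[userID+"|"+resourceID]++
		body.AccessSeq = a.counts[userID+"|"+resourceID]
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, digest(body))
	if err != nil {
		return AccessToken{}, err
	}
	return AccessToken{Body: body, Signature: sig}, nil
}

// ResourceServer verifies with the registered public key, then checks the result and the access count.
type ResourceServer struct {
	authPub *rsa.PublicKey
	counts  map[string]int
}

func NewResourceServer(pub *rsa.PublicKey) *ResourceServer {
	return &ResourceServer{authPub: pub, counts: map[string]int{}}
}

// Verify returns nil only when the resource may be sent to the applicant.
func (r *ResourceServer) Verify(t AccessToken) error {
	if rsa.VerifyPKCS1v15(r.authPub, crypto.SHA256, digest(t.Body), t.Signature) != nil {
		return ErrBadSignature
	}
	if !t.Body.Authorized {
		return ErrNotAuthorized
	}
	key := t.Body.UserID + "|" + t.Body.ResourceID
	if t.Body.AccessSeq != r.counts[key]+1 { // a token must carry the next count
		return ErrReplay
	}
	r.counts[key]++
	return nil
}

func main() {
	as := NewAuthServer()
	rs := NewResourceServer(as.RegisterResourceServer())
	tok, _ := as.Issue("user-1002", "res-contract-001", "read", true)
	fmt.Println("first use:", rs.Verify(tok)) // <nil>
	fmt.Println("replayed: ", rs.Verify(tok)) // access count mismatch
}
```

The signature is checked before anything in the body is trusted, so flipping the authorized flag of a denied token fails at the first step; presenting the same authorized token twice fails at the count check because the resource server's own record has already moved on.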
Example 3:
As shown in FIG. 1, a method for a UMA service based on person-certificate integration comprises the following steps:
Step 1, a user registers on an authorization server providing the UMA service; as shown in FIG. 2, the registration comprises:
Conventional information registration, which mainly comprises a user name/password, gender, native place, contact details and the like; the server automatically generates a unique ID number for the user. The user name and password serve as the login credential for the UMA service and can also serve as user authentication where the security-level requirement is low (see FIG. 2);
Identity document photo registration: the identity document photo is captured with the camera of a COTS device and checked for authenticity and validity, mainly whether the name and number on the identity card are consistent and whether the portrait on the card is genuine. If the identity card is confirmed to be real and valid, the authorization server encrypts and stores the user information and the identity card photo and associates the two; if the identity card photo is invalid, the user is told that identity card verification failed and may choose to retake the photo.
As shown in FIG. 3, checking whether the identity document photo is authentic and valid comprises the following steps:
1) The user requests the registration service as required by the authorization server providing the UMA service, and the authorization server waits to receive the user's identity document;
2) The user photographs the identity document with a camera;
3) The user checks whether the identity document photo is clear and retakes it if it is not;
4) After confirming that the photo is clear, the user submits it to the authorization server;
6) The authorization server (which has obtained authorization from the public security department) parses the identity document photo, sends the name, identity card number and portrait data to the public security department and queries the authenticity of the identity card; the public security department returns the verification result;
7) If identity card verification succeeds, the authorization server keeps the identity card photo in its database; if it fails, the user is told that identity card verification failed, the photo is deleted, and the user may choose to photograph the identity card again.
Step 2, the resource server registers with the authorization server providing the UMA service and obtains the resource server ID number allocated by the authorization server together with the corresponding public key (with which the access token can be verified).
Step 3, the resource server registers the resource with the authorization server to obtain a resource identifier; the resource owner configures an authorization policy through the authorization server.
The authorization server assigns a unique identifier to the resource and returns it to the resource server along with a URL. The resource server directs the resource owner to that URL, where the resource owner can interactively manage the authorization policy associated with the resource set.
Different resources require different authorization policies. Applicants and their clients (browsers or native applications) must present access credentials that satisfy the authorization policy. A resource for which no authorization policy is configured is treated as inaccessible. For example, if the authorization policy requires the person to be authenticated, the applicant must take a face portrait, and the face portrait data serves as the claim; if the authorization policy requires a bound terminal, the MAC address of the terminal must match the MAC address of the bound terminal.
Some possible authorization policy options are listed below:
1) whether the resource owner must confirm again, and the confirmation mode (account password, face recognition or the like);
2) whether an authorized terminal is bound, i.e. whether the terminal that takes the face photo is bound or any terminal may be used;
3) the date range within which the resource can be accessed;
4) restriction to particular users;
5) a limit on the number of times the resource can be accessed.
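To make the policy options above concrete, the following Go program is an added example, not code from the patent or from any implementation of it, of how an authorization server could evaluate a configured policy against one access attempt. The Policy and AccessRequest fields, the ConfirmMode values, the MAC normalisation and the sample values are assumptions, since the patent defines no policy schema; the "no policy means inaccessible" rule and the five checks follow the text above.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ConfirmMode is the resource owner's re-confirmation mode (option 1).
type ConfirmMode int

const (
	ConfirmNone     ConfirmMode = iota // no owner re-confirmation required
	ConfirmPassword                    // owner confirms with account password
	ConfirmFace                        // owner confirms with face recognition
)

// Policy models the five listed options. Field names are assumptions.
type Policy struct {
	OwnerConfirm     ConfirmMode
	BoundTerminalMAC string          // option 2: empty means any terminal may be used
	NotBefore        time.Time       // option 3: zero value means no lower bound
	NotAfter         time.Time       // option 3: zero value means no upper bound
	AllowedUsers     map[string]bool // option 4: nil means any registered user
	MaxAccesses      int             // option 5: 0 means unlimited
}

// AccessRequest is what the authorization server knows about one attempt.
type AccessRequest struct {
	UserID        string
	TerminalMAC   string    // MAC of the terminal that took the portrait photo
	At            time.Time // time of the request
	PriorAccesses int       // accesses already granted under this policy
	PersonMatched bool      // result of the person-certificate comparison
}

// Decision records the outcome and every reason for denial.
type Decision struct {
	Authorized   bool
	OwnerConfirm ConfirmMode // when authorized: mode in which the owner must still confirm
	Reasons      []string
}

// normMAC makes "AA-BB-CC-DD-EE-FF" and "aa:bb:cc:dd:ee:ff" compare equal.
func normMAC(m string) string {
	return strings.ReplaceAll(strings.ToLower(strings.TrimSpace(m)), "-", ":")
}

// Evaluate applies the policy to a request. A resource with no configured
// policy is inaccessible, as the description states.
func Evaluate(p *Policy, r AccessRequest) Decision {
	d := Decision{}
	if p == nil {
		d.Reasons = append(d.Reasons, "no authorization policy configured for resource")
		return d
	}
	if !r.PersonMatched {
		d.Reasons = append(d.Reasons, "person-certificate comparison failed")
	}
	if p.BoundTerminalMAC != "" && normMAC(p.BoundTerminalMAC) != normMAC(r.TerminalMAC) {
		d.Reasons = append(d.Reasons, "request did not come from the bound terminal")
	}
	if !p.NotBefore.IsZero() && r.At.Before(p.NotBefore) {
		d.Reasons = append(d.Reasons, "resource not yet accessible")
	}
	if !p.NotAfter.IsZero() && r.At.After(p.NotAfter) {
		d.Reasons = append(d.Reasons, "resource access window has expired")
	}
	if p.AllowedUsers != nil && !p.AllowedUsers[r.UserID] {
		d.Reasons = append(d.Reasons, "user is not among the permitted users")
	}
	if p.MaxAccesses > 0 && r.PriorAccesses >= p.MaxAccesses {
		d.Reasons = append(d.Reasons, "access count limit reached")
	}
	d.Authorized = len(d.Reasons) == 0
	if d.Authorized {
		d.OwnerConfirm = p.OwnerConfirm
	}
	return d
}

// SampleWindow, SamplePolicy and SampleRequest are constructed sample data.
var SampleWindow = time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC)

func SamplePolicy() *Policy {
	return &Policy{
		OwnerConfirm:     ConfirmFace,
		BoundTerminalMAC: "AA-BB-CC-DD-EE-FF",
		NotAfter:         SampleWindow,
		AllowedUsers:     map[string]bool{"user-0001": true},
		MaxAccesses:      3,
	}
}

func SampleRequest() AccessRequest {
	return AccessRequest{UserID: "user-0001", TerminalMAC: "aa:bb:cc:dd:ee:ff",
		At: SampleWindow.Add(-time.Hour), PriorAccesses: 2, PersonMatched: true}
}

func main() {
	fmt.Printf("%+v\n", Evaluate(SamplePolicy(), SampleRequest()))
	req := SampleRequest()
	req.TerminalMAC = "11:22:33:44:55:66"
	fmt.Printf("%+v\n", Evaluate(SamplePolicy(), req))
}
```

Every failed check is recorded rather than returning at the first one, so the authorization server can tell the client which credential is missing without revealing the rest of the policy; the owner-confirmation mode is reported only on an otherwise authorized decision, matching the flow in which the owner is reminded after the comparison succeeds.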
Step 4, the resource applicant accesses the resource with a client. The authorization server obtains the portrait photo taken by the user on the terminal and performs person-certificate comparison on it; if the applicant is the registered user, the server further obtains the user's access credential according to the resource authorization policy, and if the credential meets the requirement, the access is authorized. The authorization server signs an access token containing the authorization result with its private key and issues it to the client; the client sends the access token to the resource server; the resource server verifies the access token with the public key and checks whether its signature is correct; if the check passes, the resource server checks whether the user is authorized and whether the access count is correct; if both hold, it obtains the resource corresponding to the accessible resource identifier and returns it to the resource applicant.
The resource applicant uses a client (a browser or a native application) to log in to the resource server with an account password and attempts, without yet holding an authorization, to access a selected resource on the resource server. From the initial request the resource server knows which resource the client is trying to access, and therefore which access credentials the resource owner and the authorization server require (according to the configured policy). If the user agrees to seek authorization, the user takes a portrait photo with a COTS device that has a camera and uploads it to the authorization server; if the user does not agree, the user cancels or takes no action.
The person-certificate verification service in the authorization server uses face recognition and certificate OCR to extract the feature values of the portrait photo and of the portrait on the identity card and compares them; this is called person-certificate comparison for short. As shown in FIG. 4, the person-certificate comparison comprises the following steps:
1) The user requests the face recognition service as required by the authorization server of the UMA service, and the authorization server waits to receive the user's portrait photo;
2) The desktop browser or mobile APP requests camera permission, which the user must click to grant;
3) The user takes a portrait photo with the camera;
4) The user checks whether the photo is clear and retakes it if it is not;
5) After confirming that the photo is clear, the user submits it to the authorization server;
6) The person-certificate verification service in the authorization server extracts the feature value of the user's portrait, then retrieves the feature value of the portrait on the identity document stored in the database, compares the similarity of the two, and considers the person and the document to belong to the same person when the similarity reaches a certain threshold.
The authorization server judges from the comparison result whether the applicant is the registered user. If so, it checks the configured policy to decide whether confirmation by the resource owner is required; if it is, the system reminds the resource owner to confirm the authorization by pushing an application message (received by the terminal APP), using the confirmation mode set in the policy.
The resource server verifies the access token with the public key obtained in step 2 and checks whether the token's signature is correct; if the check passes, it checks whether the user is authorized; if so, it obtains the accessible resource identifier and the corresponding resource and returns the resource to the client.
Example 4:
An apparatus for a UMA service based on person-certificate integration comprises:
a user registration module, with which the user performs conventional information registration and identity document photo registration on an authorization server providing the UMA service; the authorization server encrypts and stores the user registration information;
a resource server registration module, with which the authorization server receives the registration of a resource server and allocates a resource server ID number and a corresponding public key to it;
a resource registration module, with which the authorization server receives the registration of a resource by the resource server and allocates a unique resource identifier to the resource; the resource owner configures an authorization policy through the authorization server;
a person-certificate verification and resource acquisition module, which, when a resource applicant accesses a resource, judges by person-certificate comparison of the portrait photo uploaded by the applicant whether the applicant is the registered user; if so, it obtains the access credential provided by the applicant according to the resource authorization policy and judges whether the credential meets the requirement; if it does, the applicant is authorized, and if the applicant is not the registered user or the credential does not meet the requirement, the applicant is not authorized. The authorization server signs an access token containing the authorization result with its private key and issues it to the resource applicant's client; the resource server verifies the access token's signature with the public key, and if the signature verifies and the token indicates authorization, the resource is sent to the resource applicant.
Judging by person-certificate comparison whether the applicant is the registered user specifically comprises:
1) the authorization server receives the user's portrait photo;
2) the server extracts the feature value of the user's portrait, retrieves the feature value of the portrait on the identity document stored in the database, and compares the similarity of the two; when the similarity reaches a certain threshold, the person and the identity document are considered to belong to the same person.
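The two comparison steps just listed, and the same steps in Examples 2 and 3 above, reduce to a similarity test between two feature values. The following Go program is an added example, not code from the patent; it assumes the feature values are fixed-length float vectors compared by cosine similarity, an assumed threshold of 0.80, and a constructed in-memory map standing in for the authorization server's database of registered identity-card features.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// FeatureVector is a face embedding. The patent names no model or vector
// length; the four-element vectors below are constructed sample data.
type FeatureVector []float64

// CosineSimilarity returns the cosine of the angle between two embeddings,
// in [-1, 1]; 1 means identical direction. Length mismatches and zero
// vectors are rejected instead of silently producing a score.
func CosineSimilarity(a, b FeatureVector) (float64, error) {
	if len(a) == 0 || len(a) != len(b) {
		return 0, errors.New("feature vectors must be non-empty and of equal length")
	}
	var dot, na, nb float64
	for i := range a {
		dot += a[i] * b[i]
		na += a[i] * a[i]
		nb += b[i] * b[i]
	}
	if na == 0 || nb == 0 {
		return 0, errors.New("zero feature vector cannot be compared")
	}
	return dot / (math.Sqrt(na) * math.Sqrt(nb)), nil
}

// MatchThreshold is an assumed operating point; the description only says
// "a certain threshold". Raising it lowers false accepts at the cost of more
// false rejects, so it must be calibrated on the deployed model.
const MatchThreshold = 0.80

// idCardFeatures stands in for the authorization server's database: user ID
// to the feature value extracted from the verified ID-card portrait. As the
// description notes, the server may keep only this value, not the raw photo.
var idCardFeatures = map[string]FeatureVector{
	"user-0001": {0.9, 0.1, 0.4, 0.0},
	"user-0002": {0.1, 0.8, 0.0, 0.6},
}

// VerifyRegisteredUser implements the two steps: fetch the stored ID-card
// feature value for the user, compare it with the feature value from the
// freshly taken portrait, and accept only at or above the threshold.
func VerifyRegisteredUser(userID string, live FeatureVector) (bool, float64, error) {
	stored, ok := idCardFeatures[userID]
	if !ok {
		return false, 0, fmt.Errorf("user %q has no verified identity document on file", userID)
	}
	sim, err := CosineSimilarity(live, stored)
	if err != nil {
		return false, 0, err
	}
	return sim >= MatchThreshold, sim, nil
}

func main() {
	// Constructed live portrait, close to user-0001's registered features.
	live := FeatureVector{0.85, 0.15, 0.45, 0.05}
	fmt.Println(VerifyRegisteredUser("user-0001", live)) // true, about 0.995
	fmt.Println(VerifyRegisteredUser("user-0002", live)) // false, about 0.24
}
```

The lookup is keyed by the user ID from the login step, so the comparison is always one-to-one against that user's own registered document rather than a search over all users; this is what lets the threshold be set for identity verification rather than identification.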
Throughout the process, neither the resource owner's nor the applicant's personal information is disclosed to the resource server or the client, and the two parties do not disclose sensitive personal information to each other. The applicant need only provide the minimum proof that satisfies the authorization policy set by the resource owner.
The authorization server handles user registration and identity verification and the registration of resource servers. The applicant never has to show an identity document to a third party in person: the applicant only takes a portrait photo and sends it to the authorization server, which attests to the identity. This avoids the identity misuse and abuse that follow from personal information being leaked to third parties in everyday life.
Building on the UMA framework and person-certificate integration, the scheme ensures the security of authorization, improves its convenience, and, because the authorizing device can vary, suits many scenarios.
The security of authorization is ensured by real-person proof, but real-person proof is not limited to face recognition. As fingerprints and other biometric characteristics are integrated into the identity card, any biometric information able to prove that the identity card and its holder are the same person falls within the scope of real-person proof.
After the identity card is successfully verified, either the identity card photo itself or only the feature value of its portrait may be retained, since some scenarios, such as banks, may still need to compare the identity card portrait with the real person manually.
The user can choose whether or not to bind a terminal, depending on the security-level requirement of the scenario; binding is recommended where the security level is higher.
The access token comprises user information and signature information. The user information comprises the user ID, the requested resource identifier, the resource operation authority, the resource access count, whether access is authorized, and the like; the signature information is produced by hashing the user information and then encrypting the hash. The resource server verifies the signature information with the public key it obtained when registering with the authorization server, which ensures the legitimacy of the access token. The invention is not limited to this method of generating and verifying the token; every method that securely ensures token transmission and verification falls within the scope of access token generation referred to herein.
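The access token structure just described, together with its issuance by the authorization server and its verification by the resource server in step 4 of Example 3, can be shown end to end. The Go program below is an added example, not the patent's code; it assumes Ed25519 as the signature scheme, SHA-256 as the HASH step, JSON as the serialization, and a TokenInfo field set matching the list above, all of which the patent leaves open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenInfo is the user information the description lists for the access
// token. Field names are assumptions; the patent names the items, not a format.
type TokenInfo struct {
	UserID       string `json:"user_id"`
	ResourceID   string `json:"resource_id"`
	Operation    string `json:"operation"`     // resource operation authority, e.g. "read"
	AccessesLeft int    `json:"accesses_left"` // resource access times still permitted
	Authorized   bool   `json:"authorized"`    // authorization result
}

// AccessToken carries the serialized user information and a signature over
// its hash. The resource server only ever holds the public key.
type AccessToken struct {
	Info      []byte `json:"info"`
	Signature []byte `json:"signature"`
}

// NewServerKeys generates the authorization server's key pair; the public
// half is what a resource server receives when it registers (step 2).
func NewServerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// EncodeInfo serializes the user information; JSON is an assumed choice.
func EncodeInfo(info TokenInfo) ([]byte, error) {
	return json.Marshal(info)
}

// IssueToken is the authorization server side: HASH the user information with
// SHA-256, then sign the digest with the private key. Ed25519 is an assumed
// scheme; the patent fixes neither the hash nor the signature algorithm.
func IssueToken(priv ed25519.PrivateKey, info TokenInfo) (AccessToken, error) {
	body, err := EncodeInfo(info)
	if err != nil {
		return AccessToken{}, err
	}
	digest := sha256.Sum256(body)
	return AccessToken{Info: body, Signature: ed25519.Sign(priv, digest[:])}, nil
}

// VerifyToken is the resource server side: check the signature with the
// registered public key first, and only then trust the contents and check
// the authorization result, the resource the token names, and the access count.
func VerifyToken(pub ed25519.PublicKey, tok AccessToken, resourceID string) (TokenInfo, error) {
	var info TokenInfo
	digest := sha256.Sum256(tok.Info)
	if !ed25519.Verify(pub, digest[:], tok.Signature) {
		return info, errors.New("access token signature check failed")
	}
	if err := json.Unmarshal(tok.Info, &info); err != nil {
		return info, fmt.Errorf("malformed token info: %w", err)
	}
	switch {
	case !info.Authorized:
		return info, errors.New("authorization server did not authorize this access")
	case info.ResourceID != resourceID:
		return info, errors.New("token was issued for a different resource")
	case info.AccessesLeft <= 0:
		return info, errors.New("resource access count exhausted")
	}
	return info, nil
}

func main() {
	pub, priv, err := NewServerKeys()
	if err != nil {
		panic(err)
	}
	tok, _ := IssueToken(priv, TokenInfo{UserID: "user-0001", ResourceID: "res-42",
		Operation: "read", AccessesLeft: 1, Authorized: true})
	_, err = VerifyToken(pub, tok, "res-42")
	fmt.Println("issued token:", err) // <nil>: accepted

	// Info bytes altered after issuance no longer match the signature.
	edited := tok
	edited.Info, _ = EncodeInfo(TokenInfo{UserID: "user-0001", ResourceID: "res-42",
		Operation: "write", AccessesLeft: 99, Authorized: true})
	_, err = VerifyToken(pub, edited, "res-42")
	fmt.Println("edited token:", err) // signature check failed
}
```

Checking the signature before parsing means nothing in the token is trusted until its origin is confirmed, and comparing the token's resource identifier with the resource actually requested stops a token issued for one resource from being presented for another; the access-count field is what the resource server consults for the "access times are correct" check in step 4.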
The authorization referred to in the invention is not limited to a user authorizing another user or a user authorizing a third-party application; every authorization that cannot be achieved by simply handing over login credentials falls within the authorization referred to in the invention.
The way the system reminds the resource owner to confirm authorization is not limited to application message push; every method that can notify the resource owner in time falls within the scope of the system reminder referred to herein.
The invention has the following beneficial effects:
(1) Safer and more convenient
The popularity of mobile terminals such as smartphones and tablets, and cameras being standard on them, provides a vast pool of terminal devices for face recognition services; almost everyone now carries at least one mobile terminal. Although many terminal devices have security problems, the invention does not need to store biometric information on the terminal and places low demands on the terminal's security, so the security and convenience of authorization can be increased without added hardware cost.
(2) High applicability
Compared with a conventional single account password or biometric identification, person-certificate authentication is more secure; it suits scenarios where the user's identity must be verified as well as general authorized login, and so has broader applicability.
(3) Strong extensibility
The resource owner can authorize other users and can also authorize third-party applications (when the applicant is a third-party application), which gives the system stronger extensibility.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as within the protection scope of the present invention.
Claims (10)
1. A UMA service method based on person-certificate integration, characterized in that the method comprises the following steps:
an authorization server providing the UMA service receives the registration of a resource server and allocates a resource server ID number and a corresponding public key to the resource server;
the authorization server receives the registration of a resource by the resource server and allocates a unique resource identifier to the resource, and the resource owner configures an authorization policy through the authorization server;
when a resource applicant accesses the resource, the authorization server judges, by person-certificate comparison of the portrait photo uploaded by the resource applicant against pre-stored user registration information, whether the resource applicant is a registered user; if so, it obtains the access credential provided by the applicant according to the resource authorization policy and judges whether the credential meets the requirement; if it does, the resource applicant is authorized, and if the applicant is not a registered user or the credential does not meet the requirement, the applicant is not authorized; the authorization server signs an access token containing the authorization result with its private key and issues it to the resource applicant's client; the resource server verifies the access token's signature with the public key, and if the signature verifies, the token indicates authorization and the resource access count is correct, the resource is sent to the resource applicant.
2. The UMA service method based on person-certificate integration according to claim 1, characterized in that: the user registration information comprises conventional registration information and a registered identity document photo; the conventional registration information comprises a user name, a password, gender, native place and contact details; the registered identity document photo is an identity document photo captured through a camera and checked for authenticity and validity, and if the identity document is authentic and valid, the authorization server encrypts and stores the conventional user information and the identity document photo and associates the two.
3. The UMA service method based on person-certificate integration according to claim 2, characterized in that checking whether the identity document photo is authentic and valid specifically comprises the following steps:
an authorization server providing the UMA service receives an identity document photo taken by the user with a camera;
the authorization server parses the identity document photo, sends the name, identity card number and portrait data to the database of the public security department and queries the authenticity of the identity card, and the database of the public security department returns the verification result;
if identity card verification succeeds, the authorization server keeps the identity card photo in its database; if it fails, the user is told that identity card verification failed and the identity card photo is deleted.
4. The UMA service method based on person-certificate integration according to claim 1, characterized in that judging by person-certificate comparison whether the applicant is the registered user specifically comprises:
1) the authorization server receives the user's portrait photo;
2) extracting the feature value of the user's portrait, retrieving the feature value of the portrait on the identity document stored in the database, and comparing the similarity of the two; when the similarity reaches a certain threshold, the person and the identity document are considered to belong to the same person.
5. The UMA service method based on person-certificate integration according to claim 1, characterized in that: the access token comprises user information and signature information, the user information comprises a user ID, a requested resource identifier, a resource operation authority, a resource access count and whether the user is authorized, and the signature information is data generated by encrypting the user information.
6. An authorization server for a UMA service based on person-certificate integration, characterized in that it comprises:
a resource server registration module for receiving the registration of a resource server and allocating a resource server ID number and a corresponding public key to the resource server;
a resource registration module for receiving the registration of a resource by the resource server and allocating a unique resource identifier to the resource, the resource owner configuring an authorization policy through the authorization server;
a person-certificate verification and resource acquisition module for judging, when a resource applicant accesses a resource, by person-certificate comparison of the portrait photo uploaded by the resource applicant against pre-stored user registration information, whether the applicant is the registered user; if so, obtaining the access credential provided by the applicant according to the resource authorization policy and judging whether it meets the requirement; if it does, the applicant is authorized, and if the applicant is not the registered user or the credential does not meet the requirement, the applicant is not authorized; the authorization server signs an access token containing the authorization result with its private key and issues it to the resource applicant's client; the resource server verifies the access token's signature with the public key, and if the signature verifies, the token indicates authorization and the resource access count is correct, the resource is sent to the resource applicant.
7. The authorization server for a UMA service based on person-certificate integration according to claim 6, characterized in that judging by person-certificate comparison whether the applicant is the registered user specifically comprises:
1) the authorization server receives the user's portrait photo;
2) extracting the feature value of the user's portrait, retrieving the feature value of the portrait on the identity document stored in the database, and comparing the similarity of the two; when the similarity reaches a certain threshold, the person and the identity document are considered to belong to the same person.
8. A UMA service system based on person-certificate integration, characterized by comprising a resource server, an authorization server according to claim 6 or 7, and a terminal device;
the resource server is used for storing the resources uploaded by the resource owner;
the authorization server is used for providing services that meet the requirements of the UMA protocol, namely user registration, user verification, registration of the resource server and its resources, and generation of access tokens;
the terminal device is used for capturing the identity document photo and the face portrait photo and for receiving UMA service push messages.
9. The system according to claim 8, characterized in that: the resource comprises a visible resource such as a document or an authorization certificate.
10. The system according to claim 8, characterized in that: the terminal and the authorization server communicate securely over HTTPS.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910811610.2A CN110545274A (en) | 2019-08-30 | 2019-08-30 | Method, device and system for UMA service based on people and evidence integration |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110545274A true CN110545274A (en) | 2019-12-06 |
Family
ID=68710990
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910811610.2A Pending CN110545274A (en) | 2019-08-30 | 2019-08-30 | Method, device and system for UMA service based on people and evidence integration |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110545274A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105453524A (en) * | 2013-05-13 | 2016-03-30 | 霍约什实验室Ip有限公司 | System and method for authorizing access to access-controlled environments |
CN104506562A (en) * | 2015-01-13 | 2015-04-08 | 东北大学 | Two-dimension code and face recognition fused conference identity authentication device and method |
US10021095B1 (en) * | 2015-05-29 | 2018-07-10 | Amdocs Development Limited | System, method, and computer program for two layer user authentication associated with connected home devices |
CN105577665A (en) * | 2015-12-24 | 2016-05-11 | 西安电子科技大学 | Identity and access control and management system and method in cloud environment |
US10164975B1 (en) * | 2016-03-30 | 2018-12-25 | Snap Inc. | Authentication via camera |
CN106603513A (en) * | 2016-11-30 | 2017-04-26 | 中国人民解放军理工大学 | Host identifier-based resource access control method and system |
Non-Patent Citations (1)
Title |
---|
沈桐等 (Shen Tong et al.): "User authentication and authorization system architecture based on OAuth2.0, OpenID Connect and UMA", 《软件》 (Software) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111538973A (en) * | 2020-03-26 | 2020-08-14 | 成都云巢智联科技有限公司 | Personal authorization access control system based on state cryptographic algorithm |
CN111726348A (en) * | 2020-06-16 | 2020-09-29 | 中国建设银行股份有限公司 | Service processing method, device and system |
CN112464194A (en) * | 2020-11-25 | 2021-03-09 | 数字广东网络建设有限公司 | Resource acquisition method and device, computer equipment and storage medium |
CN113917961A (en) * | 2021-09-22 | 2022-01-11 | 广西壮族自治区海洋环境监测中心站 | Intelligent laboratory management system and method |
CN113821783A (en) * | 2021-09-29 | 2021-12-21 | 北京云歌科技有限责任公司 | Multifunctional security authorization API Key implementation system and method |
CN113821783B (en) * | 2021-09-29 | 2022-04-08 | 北京云歌科技有限责任公司 | Multifunctional security authorization API Key implementation system and method |
CN115242488A (en) * | 2022-07-20 | 2022-10-25 | 广东瑞普科技股份有限公司 | Domestic network security operation and maintenance system and method |
CN117544378A (en) * | 2023-11-21 | 2024-02-09 | 广州方舟信息科技有限公司 | Authorization management method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12126715B2 (en) | | Methods and systems of providing verification of information using a centralized or distributed ledger |
CN110213246B (en) | | Wide-area multi-factor identity authentication system |
CN110545274A (en) | | Method, device and system for UMA service based on people and evidence integration |
US8955069B1 (en) | | Event-based biometric authentication using mobile device |
CN109120597B (en) | | Identity verification and login method and device and computer equipment |
CN110098932B (en) | | Electronic document signing method based on safe electronic notarization technology |
US8813185B2 (en) | | Ad-hoc user account creation |
CN105591744A (en) | | Network real-name authentication method and system |
US11288530B1 (en) | | Systems and methods for liveness-verified identity authentication |
CN109150547A (en) | | System and method for digital asset real-name registration based on block chain |
CN115842680A (en) | | Network identity authentication management method and system |
CN113239335A (en) | | Block chain personnel information management system and method based on BaaS |
CN110995661B (en) | | Network card platform |
KR101122655B1 (en) | | Method for user verification process with enhanced security by mobile communication system and mobile communication terminal for use therein |
CN115051812A (en) | | User identity dual-recognition method based on two-dimensional code and biological characteristics |
CN103428698A (en) | | Identity strong authentication method of mobile interconnection participants |
CN105743883B (en) | | Identity attribute acquisition method and device for a network application |
CN113259340B (en) | | Block chain data processing method and device and electronic equipment |
US20240305630A1 (en) | | Access control to a wireless communication network by authentication based on a biometric print of a user |
KR101235608B1 (en) | | Method and system on multi-factor certification using device identification information and multimedia identification information |
CN117061235A (en) | | Identity authentication method, system, equipment and computer readable storage medium |
CN116305280A (en) | | Personal data management method and system based on digital identity |
CN117014146A (en) | | Unified identity authentication method based on double factors |
IT201600115265A1 (en) | | Process and computer system for the identification and authentication of the digital identity of a subject in possession of a personal telecommunication device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191206 |