US 12,445,301 B2
Identity authentication method and apparatus
Xiaolong Lai, Shaanxi (CN); Jun Cao, Shaanxi (CN); Manxia Tie, Shaanxi (CN); Qin Li, Shaanxi (CN); Xiaorong Zhao, Shaanxi (CN); Bianling Zhang, Shaanxi (CN); and Zhenhai Huang, Shaanxi (CN)
Assigned to CHINA IWNCOMM CO., LTD., Shaanxi (CN)
Appl. No. 18/269,653
Filed by CHINA IWNCOMM CO., LTD., Shaanxi (CN)
PCT Filed Dec. 21, 2021, PCT No. PCT/CN2021/140040
§ 371(c)(1), (2) Date Jun. 26, 2023,
PCT Pub. No. WO2022/135387, PCT Pub. Date Jun. 30, 2022.
Claims priority of application No. 202011569232.0 (CN), filed on Dec. 26, 2020.
Prior Publication US 2024/0323028 A1, Sep. 26, 2024
Int. Cl. H04L 9/32 (2006.01); H04L 9/40 (2022.01)
CPC H04L 9/3247 (2013.01) [H04L 63/0823 (2013.01); H04L 63/10 (2013.01)] 20 Claims
OG exemplary drawing
 
1. An identity authentication method, comprising:
obtaining, by an authentication access controller, an identity ciphertext message sent by a request device, wherein the identity ciphertext message comprises an identity information ciphertext of the request device, and the identity information ciphertext is generated by encrypting to-be-encrypted data comprising a digital certificate of the request device using a message encryption key;
decrypting, by the authentication access controller, the identity information ciphertext of the request device using the message encryption key, to obtain the digital certificate of the request device;
sending, by the authentication access controller, a first authentication request message to a first authentication server trusted by the authentication access controller, wherein the first authentication request message comprises the digital certificate of the request device and a digital certificate of the authentication access controller;
receiving, by the authentication access controller, a first authentication response message sent by the first authentication server, wherein the first authentication response message comprises first authentication result information, a first digital signature, second authentication result information and a second digital signature, the first authentication result information comprises a first verification result of the digital certificate of the authentication access controller, the first digital signature is a digital signature generated by a second authentication server trusted by the request device through calculating to-be-signed data comprising the first authentication result information, the second authentication result information comprises a second verification result of the digital certificate of the request device, and the second digital signature is a digital signature generated by the first authentication server through calculating to-be-signed data comprising the second authentication result information;
verifying, by the authentication access controller, the second digital signature using a public key of the first authentication server; determining, by the authentication access controller, an identity authentication result of the request device according to the second verification result in the second authentication result information when the verification passes; and sending, by the authentication access controller, a third authentication response message to the request device when determining that the identity authentication result of the request device is legal; or
verifying, by the authentication access controller, the second digital signature using the public key of the first authentication server; and sending, by the authentication access controller, the third authentication response message to the request device and determining the identity authentication result of the request device according to the second verification result in the second authentication result information when the verification passes; or
verifying, by the authentication access controller, the second digital signature using the public key of the first authentication server; determining, by the authentication access controller, the identity authentication result of the request device according to the second verification result in the second authentication result information when the verification of the second digital signature passes; and sending, by the authentication access controller, the third authentication response message to the request device;
wherein the third authentication response message comprises an identity authentication result information ciphertext, the identity authentication result information ciphertext is generated by encrypting to-be-encrypted data comprising the first authentication result information and the first digital signature using the message encryption key;
decrypting, by the request device, the identity authentication result information ciphertext using the message encryption key to obtain the first authentication result information and the first digital signature after receiving the third authentication response message; verifying, by the request device, the first digital signature using a public key of the second authentication server; and determining, by the request device, an identity authentication result of the authentication access controller according to the first verification result in the first authentication result information when the verification passes.
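To make the four-party flow of claim 1 concrete, here is an added, self-contained simulation; it is example code written for this page, not the patent's or the assignee's implementation, and it follows the first of the three alternative branches (the third authentication response is sent only when the request device is found legal). Everything below the comment header is an assumption made for the example: the request device (REQ) and the authentication access controller (AAC) share the message encryption key `MEK`; the first authentication server `AS1` is trusted by the AAC and the second authentication server `AS2` by the REQ; digital signatures are modelled with HMAC-SHA256 under per-server keys (`AS1_KEY`, `AS2_KEY`), certificates are JSON objects signed by one CA key both servers accept, and "encrypting with the message encryption key" is modelled as an HMAC-derived keystream plus an integrity tag. The names `run_protocol`, `as1_handle_first_request`, `as2_verify_aac_cert`, `issue_cert` and `cert_is_valid` are not from the patent.

```python
"""Added example: simulating the claim-1 message flow between REQ, AAC,
AS1 (trusted by the AAC) and AS2 (trusted by the REQ)."""
import hashlib
import hmac
import json
import os

# Constructed stand-ins, not the patent's primitives: signatures are HMAC-SHA256
# under a per-signer key (so verification needs the same key), certificates are
# dicts signed by one CA key both servers trust, and the "message encryption
# key" protects messages with an HMAC-derived keystream plus an integrity tag.
CA_KEY, AS1_KEY, AS2_KEY, MEK = (os.urandom(32) for _ in range(4))

def canon(obj) -> bytes:
    """Canonical bytes so signer and verifier hash the same encoding."""
    return json.dumps(obj, sort_keys=True).encode()

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def issue_cert(subject: str) -> dict:
    body = {"subject": subject, "issuer": "CA"}
    return {"body": body, "sig": sign(CA_KEY, canon(body)).hex()}

def cert_is_valid(cert: dict) -> bool:
    return verify(CA_KEY, canon(cert["body"]), bytes.fromhex(cert["sig"]))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + sign(key, nonce + ct)      # tag binds nonce and ciphertext

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not verify(key, nonce + ct, tag):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def as2_verify_aac_cert(aac_cert: dict):
    """AS2 (trusted by REQ): first authentication result + first signature."""
    result1 = {"subject": "AAC", "verification": cert_is_valid(aac_cert)}
    return result1, sign(AS2_KEY, canon(result1))

def as1_handle_first_request(req_cert: dict, aac_cert: dict) -> dict:
    """AS1 (trusted by AAC): builds the first authentication response."""
    result1, sig1 = as2_verify_aac_cert(aac_cert)            # obtained from AS2
    result2 = {"subject": "REQ", "verification": cert_is_valid(req_cert)}
    return {"result1": result1, "sig1": sig1,
            "result2": result2, "sig2": sign(AS1_KEY, canon(result2))}

def run_protocol(req_cert_ok=True, aac_cert_ok=True, tamper_sig2=False) -> dict:
    """Run one exchange; returns what each party verified and decided."""
    outcome = {"sig2_verified": None, "req_legal": None,
               "third_sent": False, "sig1_verified": None, "aac_legal": None}
    req_cert, aac_cert = issue_cert("REQ"), issue_cert("AAC")
    if not req_cert_ok:
        req_cert["body"]["subject"] = "REQ-forged"   # breaks the CA signature
    if not aac_cert_ok:
        aac_cert["body"]["subject"] = "AAC-forged"

    # REQ -> AAC: identity ciphertext message (certificate under MEK)
    identity_ct = encrypt(MEK, canon(req_cert))
    # AAC decrypts, then AAC -> AS1: first authentication request (both certs)
    req_cert_at_aac = json.loads(decrypt(MEK, identity_ct))
    resp = as1_handle_first_request(req_cert_at_aac, aac_cert)
    if tamper_sig2:
        resp["sig2"] = bytes(32)                     # simulated in-transit damage
    # AAC verifies the second signature with AS1's key before trusting result2
    outcome["sig2_verified"] = verify(AS1_KEY, canon(resp["result2"]), resp["sig2"])
    if not outcome["sig2_verified"]:
        return outcome
    outcome["req_legal"] = resp["result2"]["verification"]
    if not outcome["req_legal"]:
        return outcome                               # branch 1: send only if legal
    # AAC -> REQ: third authentication response (result1 + sig1 under MEK)
    third = encrypt(MEK, canon({"result1": resp["result1"], "sig1": resp["sig1"].hex()}))
    outcome["third_sent"] = True
    # REQ decrypts, verifies the first signature with AS2's key, decides on AAC
    payload = json.loads(decrypt(MEK, third))
    outcome["sig1_verified"] = verify(AS2_KEY, canon(payload["result1"]),
                                      bytes.fromhex(payload["sig1"]))
    if outcome["sig1_verified"]:
        outcome["aac_legal"] = payload["result1"]["verification"]
    return outcome
```

The point the simulation makes visible is the split of trust in the claim: the AAC only needs the key of the server it trusts (AS1) and never checks the first signature, while the REQ only needs the key of its own server (AS2) and receives the first result and first signature pre-verified by no one but AS2, carried opaquely through the AAC inside the encrypted third message. Calling `run_protocol(tamper_sig2=True)` shows the AAC stopping before it determines anything about the request device, and `run_protocol(aac_cert_ok=False)` shows the REQ still receiving a valid first signature but concluding the AAC is not legal.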