Unified identity authentication method, device and system based on quantum secure middleware

By integrating a security chip into the mobile terminal and the identity authentication server, and using a quantum key management system to encrypt login requests in conjunction with JWT technology, the uniformity and security issues of identity authentication in mobile applications are solved. This achieves encrypted data transmission and resistance to replay attacks, ensuring the security of user credentials and data.

CN115567223B · Active · Publication Date: 2026-06-19 · CHINA TELECOM QUANTUM TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patent (China)
Current Assignee / Owner
CHINA TELECOM QUANTUM TECH CO LTD
Filing Date
2022-09-29
Publication Date
2026-06-19

Smart Images

  • Figure CN115567223B_ABST

Abstract

This invention discloses a unified identity authentication method, apparatus, and system based on quantum-secure middleware. The method includes: intercepting login request information submitted by a mobile terminal to an identity authentication server, and requesting an authentication key from a quantum key management system via a first security chip; encrypting the login request information using the authentication key to obtain login authentication information and forwarding it to the identity authentication server; receiving ciphertext information returned by the identity authentication server, the ciphertext information carrying a token and an AppTicketId; accessing an application server based on the ciphertext information; and receiving the App_Token returned by the application server to complete the unified identity authentication login. This invention, based on its integrated security chip, requests an authentication key from a quantum key management system, encrypts the login request using the authentication key, and sends it to the identity authentication server, thus solving the problem of encrypted data transmission during unified identity authentication; it also enables token distribution, achieving resistance to replay attacks.

Description

Technical Field

[0001] This invention relates to the field of security application technology, specifically to a unified identity authentication method, device, and system based on quantum secure middleware.

Background Technology

[0002] With the continuous development of internet and mobile technologies, numerous mobile applications exist in the high-security industry. Each mobile application employs different authentication methods and protocols, resulting in fragmented authentication systems and a lack of unified authentication functionality across multiple systems and accounts. Furthermore, the user authentication process in mobile applications presents numerous security vulnerabilities, leading to serious issues such as stolen authentication credentials and data tampering. Therefore, ensuring the security of user credentials, authentication protocols, and process data during mobile user authentication in open networks is of paramount importance.

[0003] Among related technologies, Chinese invention patent document CN106685998A describes an SSO authentication method based on a CAS unified authentication service middleware. The implementation steps are as follows: When a user logs in, the mobile application unified service middleware intercepts and stores the TGT returned by the request. When the user needs to call other system interfaces on the client side, the middleware is responsible for determining whether the user has already logged into this system. If not, it first uses the previous TGT to exchange for a Ticket for the corresponding system using CAS, and then uses the Ticket to exchange for a Session Cookie from the corresponding CAS client, thereby completing the authentication process for that system. Finally, it uses the Cookie to access the client service interface, achieving unified identity authentication login for multiple business systems. However, this solution has the following problem:

[0004] (1) The interaction protocol of the unified identity authentication process in this scheme transmits data mainly over HTTP or HTTPS. HTTP transmits in plaintext, so the identity authentication process data has no protection at all and is exposed to theft and tampering. HTTPS relies on traditional public key digital certificates, which must be applied for, imported into the server device, and then managed, increasing processing complexity. At the same time, the data encryption key is reused across sessions, so its security decreases the more often it is used.

[0005] (2) In this scheme, CAS client interaction and CAS authentication server interaction are used to distribute cookies and store them in a unified service middleware. The middleware carries cookies to access the application system, which poses a risk of cookie replay attack.

[0006] Among related technologies, Chinese invention patent document CN112865966A describes an identity authentication method based on quantum key encryption. The implementation steps are as follows: S1: The quantum key management server generates an encryption quantum key, the client obtains the identity authentication information, and the client's encryption module uses the encryption quantum key to encrypt the identity authentication information to obtain encrypted identity authentication information; S2: The identity authentication server receives the encrypted identity authentication information, and the quantum key management server generates a decryption quantum key; S3: The identity authentication server receives the decryption quantum key and uses the decryption quantum key to decrypt the encrypted identity authentication information to obtain decrypted identity authentication information; S4: The identity authentication server compares the decrypted identity authentication information with the information in the database module; S5: The client's decryption module decrypts the encrypted comparison information to obtain a comparison success message or a comparison failure message.

[0007] The proposed solution discloses the process by which a client or authentication server obtains a quantum key from a quantum key management server through an encryption module to perform data encryption. However, it does not address how the encryption module securely obtains the quantum key from the quantum key management server, how to ensure the integrity of data transmission between the client and the authentication server, how to resolve replay attacks during client-authenticator interactions, or how to ensure secure unified authentication between the client and the authentication server. These are all issues that urgently need to be addressed.

Summary of the Invention

[0008] The technical problem to be solved by this invention is how to achieve security in the unified identity authentication process of mobile terminals.

[0009] The present invention solves the above-mentioned technical problems through the following technical means:

[0010] On one hand, this invention proposes a unified identity authentication method based on quantum-secure middleware, applied to a mobile terminal. The mobile terminal integrates a first security chip and an application client. The first security chip stores a quantum key pre-loaded by a quantum key management system. The method includes:

[0011] The system intercepts the login request information submitted by the application client to the identity authentication server and requests the authentication key from the quantum key management system through the first security chip.

[0012] The login request information is encrypted using the authentication key to obtain login authentication information, which is then forwarded to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0013] Receive encrypted information returned by the identity authentication server, the encrypted information carrying a global token identifier Token and an application identity ticket AppTicketId;

[0014] Access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server;

[0015] Receive the application token identifier App_Token returned by the application server to complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0016] This invention intercepts login requests from the client when submitting them to the identity authentication server. Based on its integrated security chip, it requests an authentication key from the quantum key management system. The login request is then encrypted using this authentication key and sent to the identity authentication server. This solves the problem of encrypted data transmission during unified identity authentication, achieving one key per authentication process with no correlation between keys. Furthermore, the identity authentication server and application server integrate JWT technology to implement token distribution, replacing the cookie session mechanism and preventing replay attacks. This further ensures the security of user credentials and authentication protocol data during mobile user identity authentication in open networks.

[0017] Furthermore, the step of intercepting the login request information submitted by the application client to the identity authentication server and requesting the authentication key from the quantum key management system via the first security chip includes:

[0018] The system intercepts the login request information submitted by the application client to the identity authentication server, and parses the login request information to obtain the application identifier AppId and login authentication credential information.

[0019] Send a username validity verification request to the identity authentication server.

[0020] If the username is invalid, obtain the login failure response returned by the identity authentication server;

[0021] When the username is valid, receive the challenge random number sent by the identity authentication server;

[0022] The authentication key is requested from the quantum key management system through the first security chip.

[0023] Further, the step of requesting the authentication key from the quantum key management system through the first security chip includes:

[0024] A key request is initiated to the first security chip to obtain the key serial number Z, key B, and the first security chip identifier IDa from the first security chip;

[0025] Based on the application identifier AppId, a session identifier SessionId is created, and an authentication key acquisition request is initiated to the quantum key management system. The authentication key acquisition request carries the key sequence number Z and the request ciphertext. The request ciphertext is obtained by encrypting the first time-varying parameter, the first security chip identifier IDa and the session identifier SessionId using the key B.

[0026] The system receives a first authentication key response information returned by the quantum key management system. The first authentication key response information carries the key sequence number Z and the response ciphertext. The response ciphertext is obtained by encrypting the second time-varying parameter, the first security chip identifier IDa, the session identifier SessionId, and the authentication key AuthKey using the key B.

[0027] The response ciphertext is decrypted using the key B identified by the key sequence number Z to obtain the authentication key AuthKey, and the application identifier AppId, authentication key AuthKey, and session identifier SessionId are cached.
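The authentication key acquisition exchange of [0024] to [0027], as an added example that is not code from the patent or its assignee. It simulates the first security chip (pre-filled one-time keys B indexed by serial number Z), the quantum key management system (which records the IDa to Z correspondence, binds the request to that chip, and consumes each Z exactly once), and the mobile-side middleware that builds the request, checks the response binding, and caches (AppId, AuthKey, SessionId). The patent does not name its symmetric "encryption algorithm", so the `seal`/`unseal` envelope here (HMAC-SHA256 keystream plus tag) is an assumption of this example; the field names `t1`, `t2`, `IDa`, `SessionId`, `AuthKey` and the JSON encoding are likewise constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Stand-in for the patent's unspecified symmetric "encryption algorithm" (an assumption
# of this example): encrypt-then-MAC built from HMAC-SHA256, producing a 16-byte nonce,
# a keystream-XOR ciphertext and a 32-byte tag over nonce||ciphertext.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def time_varying_parameter() -> str:
    """Timestamp plus random salt, so no two requests carry the same parameter."""
    return f"{int(time.time())}-{secrets.token_hex(8)}"

class QuantumKeyManagementSystem:
    """Pre-fills one-time keys into chips and answers authentication key requests."""
    def __init__(self):
        self._filled = {}       # key serial number Z -> (chip identifier IDa, key B)
        self._consumed = set()  # serial numbers whose key B has already been used

    def prefill(self, chip_id: str, count: int) -> dict:
        keys = {}
        for _ in range(count):
            z, key_b = "Z-" + secrets.token_hex(4), secrets.token_bytes(32)
            self._filled[z] = (chip_id, key_b)   # record the IDa <-> Z correspondence
            keys[z] = key_b
        return keys

    def auth_key_request(self, z: str, request_ciphertext: bytes):
        """Returns (Z, response ciphertext); rejects unknown, reused or mis-bound serials."""
        if z not in self._filled or z in self._consumed:
            raise PermissionError("unknown or already consumed key serial number Z")
        chip_id, key_b = self._filled[z]
        req = json.loads(unseal(key_b, request_ciphertext))
        if req["IDa"] != chip_id:
            raise PermissionError("chip identifier IDa does not match serial number Z")
        self._consumed.add(z)   # one key per authentication: B is never reused
        auth_key = secrets.token_bytes(32)
        resp = {"t2": time_varying_parameter(), "IDa": chip_id,
                "SessionId": req["SessionId"], "AuthKey": auth_key.hex()}
        return z, seal(key_b, json.dumps(resp).encode())

class SecurityChip:
    """First security chip: hands out pre-filled (Z, B) pairs plus its identifier IDa."""
    def __init__(self, chip_id: str, keys: dict):
        self.chip_id, self._keys = chip_id, dict(keys)

    def key_request(self):
        z, key_b = self._keys.popitem()   # KeyError once the pre-filled keys are exhausted
        return z, key_b, self.chip_id

def acquire_auth_key(chip: SecurityChip, qkms: QuantumKeyManagementSystem, app_id: str) -> dict:
    """Mobile-side steps [0024]-[0027]; returns the cached (AppId, AuthKey, SessionId)."""
    z, key_b, id_a = chip.key_request()
    session_id = f"{app_id}-{secrets.token_hex(8)}"
    request = {"t1": time_varying_parameter(), "IDa": id_a, "SessionId": session_id}
    z_back, response_ct = qkms.auth_key_request(z, seal(key_b, json.dumps(request).encode()))
    resp = json.loads(unseal(key_b, response_ct))
    # Check the response is bound to this chip and this session before trusting AuthKey
    if z_back != z or resp["IDa"] != id_a or resp["SessionId"] != session_id:
        raise ValueError("authentication key response not bound to this chip/session")
    return {"AppId": app_id, "AuthKey": bytes.fromhex(resp["AuthKey"]), "SessionId": session_id}

def demo():
    """Two logins from one chip: two unrelated AuthKeys, each obtained under a fresh key B."""
    qkms = QuantumKeyManagementSystem()
    chip = SecurityChip("IDa-0001", qkms.prefill("IDa-0001", 2))
    return acquire_auth_key(chip, qkms, "app.example"), acquire_auth_key(chip, qkms, "app.example")

if __name__ == "__main__":
    first, second = demo()
    print("AuthKey 1:", first["AuthKey"].hex())
    print("AuthKey 2:", second["AuthKey"].hex())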

[0028] Further, the step of encrypting the login request information using the authentication key to obtain login authentication information and forwarding it to the identity authentication server includes:

[0029] The login request information is encrypted using the authentication key and encryption algorithm to obtain the login authentication information. The login authentication information includes ciphertext login information and MAC value login information. The ciphertext login information carries time-varying parameters, login authentication credentials, application identifier AppId, and challenge random number.

[0030] The login authentication information and the session identifier (SessionId) are forwarded to the identity authentication server.

[0031] Furthermore, after receiving the encrypted information returned by the identity authentication server, the method further includes:

[0032] The ciphertext information is decrypted using the authentication key, and the decrypted information is compared with the message authentication code.

[0033] When the encrypted information is successfully decrypted and the comparison results match, the step of accessing the application server is executed;

[0034] If the encrypted information fails to be decrypted or the comparison results are inconsistent, the login attempt is deemed unsuccessful.

[0035] Furthermore, the encrypted information carries a Token, AppTicketId, MAC value, and application identifier AppId. Accessing the application server based on the encrypted information includes:

[0036] Using the authentication key and encryption algorithm, the AppTicketId and the third time-varying parameter are calculated to obtain the AppTicketId ciphertext and the request information MacT value.

[0037] The encrypted AppTicketId, the MacT value of the request information, and the SessionId are forwarded to the application server to access the application server.

[0038] Furthermore, the method also includes: based on the App_Token, completing the call to the service interface of the application server, specifically:

[0039] Intercept access requests sent to the application server;

[0040] The App_Token is looked up by the application identifier AppId and attached to the intercepted request, yielding a new access request that carries the App_Token;

[0041] Send a new access request to the application server so that the application server can verify whether the App_Token is valid;

[0042] When the application server verifies the validity of the App_Token, the application content returned by the application server is obtained;

[0043] When the application server verifies that the App_Token is invalid, it requests an authentication key from the quantum key management system via the first security chip.

[0044] Furthermore, when the AppTokenId cannot be obtained through the App_Token, the method further includes:

[0045] The mobile terminal is then prompted to re-enter the login state.
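The App_Token handling of [0038] to [0045] and the validity period noted in the embodiments, as an added example that is not the patent's or its assignee's code. The patent states only that the identity authentication server and application server use JWT for token distribution; this example assumes an HS256 JWT whose `aud` claim binds the token to one AppId and whose `exp` claim carries the validity period, a mobile-side middleware that caches one App_Token per AppId and rewrites outgoing requests, and an application server that pins the algorithm, checks the signature, audience and expiry, and answers 401 when the token is invalid so the middleware can fall back to re-authentication. The class names, the `Authorization: Bearer` header and the signing key are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_app_token(signing_key: bytes, app_id: str, subject: str, ttl_seconds: int, now: int) -> str:
    """Application server side: an HS256 JWT bound to one AppId (aud) with a validity period (exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "application-server", "aud": app_id, "sub": subject,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

def verify_app_token(signing_key: bytes, token: str, app_id: str, now: int):
    """Returns the claims when algorithm, signature, audience and validity period all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        expected = hmac.new(signing_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None   # the server pins HS256; the alg field inside the token is never trusted
        claims = json.loads(_b64url_decode(body))
    except ValueError:    # covers bad base64, bad JSON and bad UTF-8
        return None
    if claims.get("aud") != app_id or now >= claims.get("exp", 0):
        return None       # issued for another application, or validity period exceeded
    return claims

class SecureMiddleware:
    """Mobile-side middleware: caches one App_Token per AppId and rewrites access requests."""
    def __init__(self):
        self._tokens = {}      # AppId -> App_Token
        self.relogin_count = 0

    def store_app_token(self, app_id: str, token: str):
        self._tokens[app_id] = token

    def intercept(self, app_id: str, request: dict) -> dict:
        new_request = dict(request)   # [0040]: new access request carrying the App_Token
        if app_id in self._tokens:
            new_request["Authorization"] = "Bearer " + self._tokens[app_id]
        return new_request

class ApplicationServer:
    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def handle(self, app_id: str, request: dict, now: int) -> dict:
        auth = request.get("Authorization", "")
        claims = None
        if auth.startswith("Bearer "):
            claims = verify_app_token(self._key, auth[len("Bearer "):], app_id, now)
        if claims is None:
            return {"status": 401, "error": "App_Token invalid or expired"}
        return {"status": 200, "content": f"application data for {claims['sub']}"}

def access_application(middleware, server, app_id, request, now) -> dict:
    """[0039]-[0043]: intercept, attach App_Token, send; an invalid token triggers re-authentication."""
    response = server.handle(app_id, middleware.intercept(app_id, request), now)
    if response["status"] == 401:
        middleware.relogin_count += 1   # stand-in for re-requesting an AuthKey via the security chip
    return response

def demo():
    key = b"application-server-hmac-key-0000"   # constructed 32-byte signing key
    server, middleware = ApplicationServer(key), SecureMiddleware()
    middleware.store_app_token("app.example", issue_app_token(key, "app.example", "alice", 600, 1000))
    request = {"path": "/api/profile"}
    return (access_application(middleware, server, "app.example", request, 1100),   # inside exp
            access_application(middleware, server, "app.example", request, 1700))   # past exp

if __name__ == "__main__":
    print(demo())
```

The long-term session of [0063] is just a larger `ttl_seconds`; the verification path is unchanged, which is the point of carrying the validity period inside the signed token rather than in a server-side cookie session.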

[0046] Furthermore, this invention proposes a unified identity authentication method based on quantum-secure middleware, applied to an identity authentication server. The identity authentication server integrates a second security chip, which stores a quantum key pre-filled by the quantum key management system. The method includes:

[0047] Receive username verification requests sent by mobile terminals;

[0048] When the username verification is valid, a challenge random number is sent to the mobile terminal so that the mobile terminal can calculate the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries time-varying parameters, login authentication credentials, application identifier AppId and challenge random number.

[0049] The system receives the login authentication information sent by the mobile terminal and requests an authentication key from the quantum key management system through the second security chip to decrypt the login authentication information.

[0050] When the plaintext verification of the login authentication information is successful, encrypted information is generated and returned to the mobile terminal. The encrypted information includes Token, AppTicketId, response information MACβ, and application identifier AppId.

[0051] The system receives an access request sent by the application server and returns response information to the application server when the access request is verified to be valid, so that the application server generates an App_Token based on the response information and returns it to the mobile terminal. The access request is generated by the mobile terminal based on the encrypted information.

[0052] Further, the step of requesting an authentication key from the quantum key management system via the second security chip to decrypt the login authentication information includes:

[0053] Based on the login authentication information, a key request is initiated to the second security chip to obtain the key sequence number Y, key C, and second security chip identifier IDβ returned by the second security chip;

[0054] An authentication key acquisition request is initiated to the quantum key management system, so that the quantum key management system acquires the authentication key AuthKey and generates a second authentication key response message. The second authentication key acquisition request includes a key sequence number Y and key encryption information, which carries a third time-varying parameter, a second security chip identifier IDβ, and a session identifier SessionId.

[0055] Receive the second authentication key response message returned by the quantum key management system, and decrypt the authentication key response information using the key sequence number Y to obtain the authentication key AuthKey;

[0056] The login authentication information is decrypted using the authentication key AuthKey to obtain the plaintext login authentication information, which includes the user login authentication credentials, the challenge random number, the application identifier AppId, and the login information MAC value.

[0057] Furthermore, the method also includes:

[0058] The login authentication information in plaintext is verified;

[0059] If the verification fails, a login authentication failure message is returned to the mobile terminal;

[0060] Upon successful verification, CAS and JWT technologies are combined to generate a token and an AppTicketId.

[0061] The ciphertext information is obtained by using the authentication key AuthKey in combination with the encryption algorithm to calculate the token, AppTicketId, and the third time-varying parameter.
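The challenge-response login of [0029] to [0034] on the mobile side and its verification on the identity authentication server in [0047] to [0059], as an added example that is not code from the patent or its assignee. The patent carries the login fields inside a ciphertext under AuthKey; this example leaves that confidentiality envelope out and shows the stage after decryption: the MAC value over the time-varying parameter, credentials, AppId and challenge random number, and the server-side checks that make a captured message useless when replayed (single-use challenge, freshness window, and a filter on already-accepted time-varying parameters). The canonical JSON encoding, the `t` field layout, the 60-second window and the plaintext user table are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

def compute_login_mac(auth_key: bytes, fields: dict) -> bytes:
    """Login information MAC value over a canonical encoding of the login fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(auth_key, canonical, hashlib.sha256).digest()

def build_login_authentication_info(auth_key, app_id, credentials, challenge, now) -> dict:
    """Mobile side [0029]: time-varying parameter, credentials, AppId and challenge, plus MAC."""
    fields = {"t": f"{now}-{secrets.token_hex(8)}", "credentials": credentials,
              "AppId": app_id, "challenge": challenge}
    return {"fields": fields, "mac": compute_login_mac(auth_key, fields)}

class IdentityAuthServer:
    def __init__(self, users: dict, freshness_window: int = 60):
        self._users = users            # username -> password (constructed; store hashes in practice)
        self._challenges = {}          # username -> outstanding challenge random number
        self._seen_params = set()      # accepted time-varying parameters (replay filter)
        self._window = freshness_window

    def verify_username(self, username: str):
        """[0047]-[0048]: None means login failure; otherwise a fresh challenge random number."""
        if username not in self._users:
            return None
        challenge = secrets.token_hex(16)
        self._challenges[username] = challenge
        return challenge

    def verify_login(self, auth_key: bytes, login_info: dict, now: int) -> bool:
        """[0056]-[0059] after decryption with AuthKey: MAC, challenge, freshness, replay, credentials."""
        fields = login_info["fields"]
        if not hmac.compare_digest(compute_login_mac(auth_key, fields), login_info["mac"]):
            return False                                   # MAC mismatch: tampered or wrong key
        username = fields["credentials"]["username"]
        expected_challenge = self._challenges.pop(username, None)   # challenge is single-use
        if expected_challenge is None or fields["challenge"] != expected_challenge:
            return False
        try:
            issued_at = int(fields["t"].split("-")[0])
        except ValueError:
            return False
        if abs(now - issued_at) > self._window or fields["t"] in self._seen_params:
            return False                                   # stale, or an already-accepted message
        self._seen_params.add(fields["t"])
        return hmac.compare_digest(fields["credentials"]["password"].encode(),
                                   self._users[username].encode())

def demo():
    auth_key = secrets.token_bytes(32)   # the AuthKey obtained from the QKMS (constructed here)
    server = IdentityAuthServer({"alice": "correct horse"})
    challenge = server.verify_username("alice")
    info = build_login_authentication_info(
        auth_key, "app.example", {"username": "alice", "password": "correct horse"}, challenge, 1000)
    first = server.verify_login(auth_key, info, 1000)
    replay = server.verify_login(auth_key, info, 1005)   # the same message again: rejected
    return first, replay

if __name__ == "__main__":
    print(demo())
```

Note the order of the checks: the MAC is verified before anything else is read, so a message whose MAC fails does not consume the outstanding challenge, while a message that passes the MAC but turns out stale does consume it and forces a fresh challenge.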

[0062] Furthermore, when the mobile terminal needs to maintain a login session for an extended period, the method further includes:

[0063] The validity period of the token and the App_Token is set to long-term.

[0064] Furthermore, this invention also proposes a unified identity authentication device based on quantum-secure middleware. The device is a mobile terminal, which integrates a secure middleware, a first secure chip, and an application client. The first secure chip stores a quantum key pre-filled by the quantum key management system. The secure middleware includes:

[0065] The authentication key acquisition module is used to intercept the login request information submitted by the application client to the identity authentication server, and request the authentication key from the quantum key management system through the first security chip;

[0066] The login request module is used to encrypt the login request information using the authentication key, obtain login authentication information, and forward it to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0067] The encrypted receiving module is used to receive encrypted information returned by the identity authentication server. The encrypted information carries a global token identifier Token and an application identity ticket AppTicketId.

[0068] An access module is used to access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server.

[0069] The authentication login module is used to receive the application token identifier App_Token returned by the application server and complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0070] Furthermore, this invention also proposes a unified identity authentication device based on quantum-secure middleware. The device is an identity authentication server, which integrates a second security chip storing a quantum key pre-loaded by the quantum key management system. The identity authentication server includes:

[0071] The username verification module is used to receive username validity verification requests sent by mobile terminals.

[0072] The random number sending module is used to send a challenge random number à to the mobile terminal when the username verification is valid, so that the mobile terminal can calculate the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries time-varying parameters, login authentication credentials, application identifier AppId and challenge random number à.

[0073] The login request receiving module is used to receive the login authentication information sent by the mobile terminal, and request the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information;

[0074] The ciphertext generation module is used to generate ciphertext information and return it to the mobile terminal when the plaintext verification of the login authentication information is successful. The ciphertext information includes Token, AppTicketId, response information MACβ, and application identifier AppId.

[0075] An access receiving module is used to receive access requests sent by the application server, and return response information to the application server when verifying the legality of the access request, so that the application server generates an App_Token based on the response information and returns it to the mobile terminal. The access request is generated by the mobile terminal based on the encrypted information.

[0076] Furthermore, this invention proposes a unified identity authentication system based on quantum-safe middleware. The system includes a mobile terminal, an application server, an identity authentication server, and a quantum key management system. The quantum key management system is connected to the mobile terminal and the identity authentication server, respectively. The mobile terminal is connected to the application server and the identity authentication server, respectively. The application server is connected to the identity authentication server.

[0077] The mobile terminal integrates a security middleware, a first security chip, and an application client. The first security chip stores a quantum key pre-loaded by the quantum key management system. The identity authentication server integrates a second security chip, which stores a quantum key pre-loaded by the quantum key management system. The security middleware includes:

[0078] The authentication key acquisition module is used to intercept the login request information submitted by the application client to the identity authentication server, and request the authentication key from the quantum key management system through the first security chip;

[0079] The login request module is used to encrypt the login request information using the authentication key, obtain login authentication information, and forward it to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0080] The encrypted receiving module is used to receive encrypted information returned by the identity authentication server. The encrypted information consists of a global token identifier Token and an application identity ticket AppTicketId.

[0081] An access module is used to access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server.

[0082] The authentication login module is used to receive the application token identifier App_Token returned by the application server and complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0083] The advantages of this invention are:

[0084] (1) When the client submits a login request to the identity authentication server, the present invention intercepts the login request and requests the authentication key from the quantum key management system based on its integrated security chip. The login request is then encrypted with the authentication key and sent to the identity authentication server, which solves the problem of data encryption transmission in the unified identity authentication process, realizes one key per authentication, and the keys are not related to each other. Furthermore, the identity authentication server and the application server can realize token distribution by integrating JWT technology, which replaces the cookie session mechanism and realizes anti-replay attack, further ensuring the security of user credentials and authentication protocol process data in the mobile terminal user identity authentication process in the open network.

[0085] (2) It solves the problem of unauthorized interception and unauthorized tampering of user authentication credential data and identity authentication server distribution data in the unified identity authentication process of mobile terminals; it also avoids the security threats that future quantum computers pose to public key cryptography algorithms based on the large-integer factorization problem.

[0086] Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

Attached Figure Description

[0087] Figure 1 is a flowchart of the unified identity authentication method based on quantum-secure middleware in the first embodiment of the present invention;

[0088] Figure 2 is a flowchart of the unified identity authentication method based on quantum-secure middleware in the second embodiment of the present invention;

[0089] Figure 3 is a schematic diagram of the structure of the unified identity authentication device based on quantum-secure middleware in the third embodiment of the present invention;

[0090] Figure 4 is a schematic diagram of the structure of the unified identity authentication device based on quantum-secure middleware in the fourth embodiment of the present invention;

[0091] Figure 5 is a schematic diagram of the structure of the unified identity authentication system based on quantum-secure middleware in the fifth embodiment of the present invention;

[0092] Figure 6 is a schematic diagram of the process by which a mobile terminal obtains an authentication key from a quantum key management system in the fifth embodiment of the present invention;

[0093] Figure 7 is a schematic diagram of the unified identity authentication process performed by the mobile terminal in the fifth embodiment of the present invention.

Detailed Implementation

[0094] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below in conjunction with the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0095] As shown in Figure 1, the first embodiment of the present invention proposes a unified identity authentication method based on quantum-secure middleware, applied to a mobile terminal. The mobile terminal integrates a first security chip and an application client. The first security chip stores a quantum key pre-filled by a quantum key management system. The method includes the following steps:

[0096] S101. Intercept the login request information submitted by the application client to the identity authentication server, and request the authentication key from the quantum key management system through the first security chip.

[0097] S102. Encrypt the login request information using the authentication key to obtain login authentication information and forward it to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0098] S103. Receive encrypted information returned by the identity authentication server, wherein the encrypted information carries a global token identifier Token and an application identity ticket AppTicketId.

[0099] S104. Access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server.

[0100] S105. Receive the application token identifier App_Token returned by the application server and complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0101] It should be noted that the Token represents a global token identifier, generated by the identity authentication server, and is mainly used to track whether the application needs to return to the login page.

[0102] AppTicketId: Represents an application identity ticket, generated by the identity authentication server. One application corresponds to one AppTicketId, which is mainly used to exchange for the application token identifier App_Token.

[0103] App_Token: Represents an application token identifier, generated by the application server. After the mobile terminal obtains it, subsequent requests to the application server will use this App_Token to request data, without needing to re-enter the username and password.

[0104] It should be understood that Token, AppTicketId, and App_Token all have a certain validity period. If the validity period is exceeded, they must be obtained and generated again.

[0105] In this embodiment, by intercepting the login request information submitted by the mobile terminal to the identity authentication server and requesting the authentication key from the quantum key management system through its integrated first security chip, the login request information is encrypted using the authentication key. This solves the problem of unauthorized interception and unauthorized tampering of user authentication credential data and identity authentication server-distributed data in the unified identity authentication process of the mobile terminal. Furthermore, the identity authentication server and application server implement token distribution to replace the cookie session mechanism, thereby achieving resistance to replay attacks. This also solves the problem of cookie replay attack risk when the mobile application server integrates the CAS client and the CAS authentication server to interact and distribute cookies and store them in the unified service middleware, and the middleware carries the cookies when accessing the application system.

[0106] In one embodiment, step S101, in which the mobile terminal obtains the authentication key from the quantum key management system, includes the following steps:

[0107] S111. Intercept the login request information submitted by the application client to the identity authentication server, and parse the login request information to obtain the application identifier AppId and login authentication credential information.

[0108] It should be noted that when a user enters authentication credentials on the mobile application's login screen, the request sent to the identity authentication server is intercepted by the security middleware, which parses out the application identifier AppId and the user authentication credential information.

[0109] It should be noted that user authentication credentials include, but are not limited to, username, password, verification code, and other information.

[0110] S112. Send a request to the identity authentication server to verify the validity of the username.

[0111] S113. If the username is invalid, obtain the login failure response returned by the identity authentication server.

[0112] S114. When the username is valid, receive the challenge random number sent by the identity authentication server.

[0113] It should be understood that, in this embodiment, before applying to the quantum key management system to obtain the authentication key, a request to verify the validity of the username is first sent to the identity authentication server. The identity authentication server verifies whether the username is valid; if invalid, a login failure status is sent to the application client; if valid, a challenge random number is received from the identity authentication server.

[0114] S115. Request the authentication key from the quantum key management system through the first security chip.

[0115] It should be noted that the quantum key management system pre-fills and stores the quantum key into the first security chip integrated in the mobile terminal, and records the correspondence between the stored first security chip identifier IDa and the filled quantum key.

[0116] By obtaining authentication keys from the quantum key management system, the problem of data encryption transmission in the unified identity authentication process is solved, realizing one key per authentication and no correlation between keys.

[0117] In one embodiment, step S115 specifically includes the following steps:

[0118] S1151. Initiate a key request to the first security chip to obtain the key sequence number Z, key B, and the first security chip identifier IDa from the first security chip.

[0119] S1152. Based on the application identifier AppId, create a session identifier SessionId and send an authentication key acquisition request to the quantum key management system. The authentication key acquisition request carries the key sequence number Z and the request ciphertext. The request ciphertext is obtained by encrypting the first time-varying parameter, the first security chip identifier IDa, and the session identifier SessionId using the key B.

[0120] It should be noted that the first time-varying parameter is a string of random numbers generated inside the first security chip. In practice, the mobile terminal requests it from the first security chip. This embodiment uses key B to encrypt the first time-varying parameter, the first security chip identifier IDa, and the session identifier SessionId to obtain the request ciphertext. This ensures that successive ciphertexts encrypted under key B differ from one another, which improves the confidentiality and unpredictability of the transmitted information.

[0121] It should be noted that the quantum key management system looks up the key B injected into the first security chip by the key sequence number Z and decrypts the request ciphertext. It then distributes the authentication key AuthKey based on the first security chip identifier IDa and the session identifier SessionId, and returns the first authentication key response message to the application terminal: the key sequence number Z, followed by the encryption under key B of (second time-varying parameter + first security chip identifier IDa + session identifier SessionId + authentication key AuthKey).

[0122] It should be noted that this second time-varying parameter is a string of truly random numbers generated by the quantum key management system calling its random number generator.

[0123] S1153. Receive the first authentication key response information returned by the quantum key management system. The first authentication key response information carries the key sequence number Z and the response ciphertext. The response ciphertext is obtained by encrypting the second time-varying parameter, the first security chip identifier IDa, the session identifier SessionId, and the authentication key AuthKey using the key B.

[0124] S1154. Use the key B corresponding to the key sequence number Z to decrypt the response ciphertext, obtain the authentication key AuthKey, and cache the application identifier AppId, the authentication key AuthKey and the session identifier SessionId.

[0125] It should be noted that the mobile terminal obtains the first authentication key response message, and uses the key sequence number Z and the corresponding key B to decrypt the first authentication key response message, obtain the authentication key AuthKey, and cache the relationship data of the application identifier AppId, the authentication key AuthKey, and the session identifier SessionId.

[0126] In one embodiment, step S102, encrypting the login request information using the authentication key to obtain login authentication information and forwarding it to the identity authentication server, includes the following steps:

[0127] S121. Using the authentication key and encryption algorithm, the login request information is encrypted to obtain the login authentication information. The login authentication information includes ciphertext login information and MAC value login information. The ciphertext login information carries time-varying parameters, login authentication credentials, application identifier AppId, and challenge random number.

[0128] S122. Forward the login authentication information and the session identifier SessionId to the identity authentication server.

[0129] It should be noted that the mobile terminal uses the authentication key AuthKey together with the SM4 and HMAC-SM3 algorithms to process the login request information and compute the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries the time-varying parameter, the login authentication credentials, the application identifier AppId and the challenge random number; the login information ciphertext, the login information MAC value and the session identifier SessionId are forwarded to the identity authentication server.

[0130] The authentication server receives the encrypted login information and its MAC value, and initiates a key request to its integrated second security chip. The second security chip returns a key sequence number Y, a key C, and a second security chip identifier IDβ. The second security chip stores a quantum key pre-loaded by the quantum key management system, and the quantum key management system records the correspondence between the second security chip identifier IDβ and the loaded quantum key. The authentication server requests the authentication key from the quantum key management system through the second security chip, receives the second authentication key response message returned by the quantum key management system, and decrypts it using the key C corresponding to the key sequence number Y to obtain the authentication key AuthKey. The authentication server then decrypts the login authentication information using the authentication key AuthKey to obtain the user's login authentication credentials, the challenge random number α, the application identifier AppId, and the login information MAC value.

[0131] In one embodiment, the identity authentication server verifies the user's login authentication credentials, challenge random number, and login information MAC value data. Upon successful verification, the identity authentication server generates a Token and an AppTicketId based on integrated CAS and JWT technologies. Then, it combines the authentication key AuthKey obtained from the quantum key management system with the SM4 algorithm to encrypt the time-varying parameters, Token, and AppTicketId to obtain the response encrypted information. Furthermore, it uses the HMAC-SM3 algorithm combined with the authentication key to calculate the time-varying parameters, Token, and AppTicketId to obtain the MACβ value. Simultaneously, it returns ciphertext information to the application client, which includes the response encrypted information, the MACβ value, and the application identifier AppId.

[0132] In one embodiment, the steps of the identity authentication server verifying the validity of the user login authentication credentials, the challenge random number, and the login information MAC value data include:

[0133] The identity authentication server uses the HMAC-SM3 algorithm to recompute the message authentication code MACα over the received data, compares it with the received MAC value, and at the same time verifies that the challenge random number and the user login authentication credentials are valid.

[0134] If the verification fails, the security middleware is notified of the login failure, and the security middleware then returns the failure information to the mobile application.

[0135] If the verification is successful, the identity authentication server uses CAS and JWT technologies to generate a Token and an AppTicketId.

[0136] It should be noted that this embodiment uses the HMAC-SM3 algorithm on the relevant information to obtain the string MACα. This operation is irreversible: the information that was processed cannot be recovered from the string.

[0137] In one embodiment, step S103, receiving the encrypted information returned by the identity authentication server, includes the following steps:

[0138] S131. Decrypt the ciphertext information using the authentication key, recompute the message authentication code over the decrypted information, and compare it with the received message authentication code.

[0139] S132. When the encrypted information is successfully decrypted and the comparison results are consistent, execute the step of accessing the application server.

[0140] S133. If the encrypted information fails to be decrypted or the comparison results are inconsistent, the login is determined to have failed.

[0141] It should be noted that the client sends the MAC value of the data to the identity authentication server. The identity authentication server performs the same computation to obtain MACα and verifies MAC against MACα. After successful verification, the identity authentication server generates a Token and an AppTicketId, calculates MACβ over the response data, and sends it to the client. The client decrypts the data, computes MACβ' over it, and verifies that MACβ and MACβ' are consistent. The integrity of the exchanged data is ensured through this verification.

[0142] Furthermore, when the mobile terminal receives the encrypted information returned by the identity authentication server, it uses the authentication key AuthKey obtained from the quantum key management system to decrypt the encrypted information, obtains the Token and AppTicketId, uses the HMAC-SM3 algorithm to calculate the message authentication code MACβ', and then checks whether MACβ and MACβ' are consistent.

[0143] If the encrypted information is successfully decrypted and the comparison information matches, proceed to step S104.

[0144] If the encrypted information fails to be decrypted or the comparison information is inconsistent, the login failure status will be returned.

[0145] It should be noted that this embodiment uses the HMAC-SM3 algorithm on the relevant information to obtain the string MACβ'. This operation is irreversible: the information that was processed cannot be recovered from the string.
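The two procedures described above, the AuthKey fetch through the pre-filled chip key (S1151 to S1154) and the challenge-based login with MAC verification on both sides (S121 to S122, [0130] to [0133], S131 to S133), are shown below as one runnable exchange. This is an added illustrative example written for this page, not code from the patent or its assignee. It assumes standard-library stand-ins for SM4 (a SHA-256 keystream) and HMAC-SM3 (HMAC-SHA256), a JSON message layout, constructed chip key pools and user table, and an encrypt-then-MAC layout in which the MAC covers the ciphertext; the patent does not state whether the MAC is computed over plaintext or ciphertext. The CAS/JWT Token and AppTicketId are random placeholders here.

```python
"""Added example, not the patent's own code: the AuthKey fetch (S1151-S1154) and the challenge/response
login (S121-S122, [0130]-[0133], S131-S133) run end to end in one process. Assumptions: SM4 and
HMAC-SM3 are replaced by stdlib stand-ins (SHA-256 keystream, HMAC-SHA256); JSON message layout,
chip key pools and the user table are constructed for the example."""
import hashlib, hmac, json, os

def enc(key, tvp, data):
    """Stand-in for SM4: XOR with a SHA-256 keystream derived from (key, time-varying parameter).
    Symmetric, so it also decrypts; a (key, tvp) pair must never be reused."""
    stream = b"".join(hashlib.sha256(key + tvp + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, fields):
    """Encrypt-then-MAC: fresh tvp || ciphertext, MAC (HMAC stands in for HMAC-SM3) over both."""
    tvp = os.urandom(16)
    ct = enc(key, tvp, json.dumps(fields, sort_keys=True).encode())
    return {"tvp": tvp, "ct": ct, "mac": hmac.new(key, tvp + ct, hashlib.sha256).digest()}

def unseal(key, msg):
    """Recompute the MAC and compare in constant time before decrypting; None on failure."""
    expect = hmac.new(key, msg["tvp"] + msg["ct"], hashlib.sha256).digest()
    return json.loads(enc(key, msg["tvp"], msg["ct"])) if hmac.compare_digest(expect, msg["mac"]) else None

class SecurityChip:
    """Pre-filled by the QKMS ([0115]); each key request hands out the next (sequence number, key, chip id)."""
    def __init__(self, chip_id, keys):
        self.chip_id, self.keys = chip_id, dict(keys)
    def key_request(self):
        seq = min(self.keys)
        return seq, self.keys.pop(seq), self.chip_id

class QKMS:
    """Holds the same pre-filled keys indexed by sequence number; issues one AuthKey per SessionId."""
    def __init__(self, pool):
        self.pool, self.issued = dict(pool), {}      # seq -> (chip id, key); SessionId -> AuthKey
    def auth_key(self, seq, request):
        chip_id, key = self.pool.pop(seq)            # one pre-filled key per request
        f = unseal(key, request)
        if f is None or f["chip"] != chip_id:        # decrypted IDa must match the record held for Z
            raise ValueError("key request rejected")
        authkey = self.issued.setdefault(f["sid"], os.urandom(32))   # fresh and uncorrelated per session
        return seal(key, {"chip": chip_id, "sid": f["sid"], "authkey": authkey.hex()})

def fetch_authkey(qkms, chip, sid):
    """S1151-S1154 on the mobile side; S231-S234 on the server side are the same with Y / key C."""
    seq, key, chip_id = chip.key_request()
    f = unseal(key, qkms.auth_key(seq, seal(key, {"chip": chip_id, "sid": sid})))
    if f is None or f["chip"] != chip_id or f["sid"] != sid:     # echo check binds the reply to this request
        raise ValueError("key response rejected")
    return bytes.fromhex(f["authkey"])

class AuthServer:
    def __init__(self, qkms, chip, users):
        self.qkms, self.chip, self.users = qkms, chip, users      # users: name -> password digest
        self.challenges, self.authkeys = {}, {}                   # one-time challenges; SessionId -> AuthKey
    def check_username(self, user):
        """S112-S114: unknown user -> failure, otherwise a one-time challenge random number."""
        if user not in self.users:
            return None
        self.challenges[user] = os.urandom(16).hex()
        return self.challenges[user]
    def login(self, sid, msg):
        """[0130]-[0133]: AuthKey via the second chip, then MAC, challenge and credential checks."""
        if sid not in self.authkeys:
            self.authkeys[sid] = fetch_authkey(self.qkms, self.chip, sid)
        f = unseal(self.authkeys[sid], msg)
        if f is None or f.get("challenge") is None:
            return None
        if self.challenges.pop(f.get("user"), None) != f["challenge"]:
            return None                                           # challenge consumed: a replay stops here
        digest = hashlib.sha256(f["password"].encode()).digest()  # stand-in for a real password hash
        if not hmac.compare_digest(self.users[f["user"]], digest):
            return None
        token, ticket = os.urandom(16).hex(), os.urandom(16).hex()  # stand-ins for the CAS/JWT Token, AppTicketId
        return seal(self.authkeys[sid], {"app": f["app"], "token": token, "ticket": ticket})

def mobile_login(qkms, chip, server, app_id, user, password):
    """Security middleware flow; returns (Token, AppTicketId), or None on any failure."""
    challenge = server.check_username(user)
    if challenge is None:
        return None
    sid = f"{app_id}-{os.urandom(4).hex()}"                       # SessionId derived from AppId (S1152)
    authkey = fetch_authkey(qkms, chip, sid)
    msg = seal(authkey, {"app": app_id, "user": user, "password": password, "challenge": challenge})
    resp = server.login(sid, msg)
    f = unseal(authkey, resp) if resp else None                   # S131: decrypt, recompute MACβ', compare
    return (f["token"], f["ticket"]) if f and f["app"] == app_id else None

def demo():
    """Genuine login, replay of its captured message, wrong password -> (True, True, True)."""
    pool_a, pool_b = {1: os.urandom(32), 2: os.urandom(32)}, {7: os.urandom(32), 8: os.urandom(32)}
    qkms = QKMS({**{z: ("IDa", k) for z, k in pool_a.items()}, **{y: ("IDb", k) for y, k in pool_b.items()}})
    chip_a, chip_b = SecurityChip("IDa", pool_a), SecurityChip("IDb", pool_b)   # constructed key pools
    server = AuthServer(qkms, chip_b, {"alice": hashlib.sha256(b"correct horse").digest()})
    captured, real_login = [], server.login                     # an on-path observer copies the login message
    server.login = lambda sid, msg: captured.append((sid, msg)) or real_login(sid, msg)
    first = mobile_login(qkms, chip_a, server, "app-1", "alice", "correct horse")
    replay = real_login(*captured[0])                           # same ciphertext submitted again
    wrong = mobile_login(qkms, chip_a, server, "app-1", "alice", "wrong")
    return first is not None, replay is None, wrong is None
```

Calling demo() runs a genuine login, then replays the captured login ciphertext, and finally tries a wrong password. The replay fails because the challenge random number was consumed by the first login, and the wrong password fails at the credential check, even though both messages carry a valid MAC under the session's AuthKey. Each key request pops one pre-filled key from the chip and from the QKMS, so a sequence number is never used twice.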

[0146] In one embodiment, in step S104, the mobile terminal accesses the application server based on the encrypted information, specifically as follows:

[0147] The mobile terminal uses the authentication key AuthKey in combination with the national cryptographic SM4 algorithm and HMAC-SM3 algorithm to calculate the request ciphertext information and the request information MacT value based on the third time-varying parameter and AppTicketId respectively; and forwards the request ciphertext information, MacT value and session identifier SessionId information to access the application server.

[0148] It should be noted that the third time-varying parameter is a string of random numbers generated within the second security chip.

[0149] The application server forwards the encrypted request information, MacT value, and SessionId information to the identity authentication server. The identity authentication server verifies the validity of this information and, if the verification is valid, responds with user information to the application server. The application server then generates an App_Token based on the user information and JWT technology and sends it to the mobile terminal.

[0150] This way, the mobile terminal will have the three pieces of information: AppId, Token, and App_Token, confirming that the mobile terminal login was successful.

[0151] In one embodiment, after step S105, the method further includes the following steps:

[0152] S106. Based on the App_Token, complete the call to the service interface of the application server.

[0153] Furthermore, the process of calling the service interface on the application server side is as follows:

[0154] S161. Intercept the access request when sending it to the application server;

[0155] S162. Query the App_Token according to the application identifier AppId to build a new access request that carries the App_Token;

[0156] S163. Send the new access request to the application server so that the application server can verify whether the App_Token is valid;

[0157] S164. When the application server verifies that the App_Token is valid, obtain the application content returned by the application server;

[0158] S165. When the application server determines that the App_Token is invalid, execute step S101.

[0159] It should be noted that when the App_Token is invalid, a 401 or 403 error is returned to indicate this. The mobile terminal then obtains a new authentication key from the quantum key management system through the first security chip, obtains a new AppTicketId from the identity authentication server using that authentication key, the stored Token, the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm, and finally obtains a new App_Token from the application server.

[0160] In one embodiment, when the AppTicketId cannot be obtained with the stored Token, the method further includes:

[0161] Prompting the mobile terminal to re-enter the login state.

[0162] It should be noted that when the stored Token has expired, the AppTicketId cannot be obtained with it. In this case, a response is sent to the mobile terminal to re-enter the login state.
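The renewal logic of S161 to S165 and [0159] to [0162], together with the validity periods of [0104], as an added runnable example that is not the patent's code. It uses HS256 JWTs built from the Python standard library for the Token, AppTicketId and App_Token, an in-memory identity server and application server, and a caller-supplied clock. Two simplifications are assumptions: the encrypted AppTicketId exchange of [0147] to [0149] is reduced to a direct call from the application server to the identity server, and the AppTicketId is made single-use, which the text ("exchange for") suggests but does not spell out.

```python
"""Added example, not the patent's own code: HS256 JWTs for the Token, AppTicketId and App_Token with
validity periods ([0101]-[0104]), and the interceptor of S161-S165 / [0159]-[0162] that attaches the
App_Token, renews it on 401 with the stored Token, and asks for a fresh login when the Token itself
has expired. Assumptions: in-memory servers, a caller-supplied clock, and a direct call from the
application server to the identity server in place of the encrypted AppTicketId exchange."""
import base64, hashlib, hmac, json

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(key, claims):
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def jwt_verify(key, token, now):
    """Claims if the token is well formed, HS256-signed with key and not past exp; otherwise None."""
    if not isinstance(token, str) or token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "HS256":          # never honour the header's alg choice
        return None
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64u_dec(sig)):
        return None
    claims = json.loads(b64u_dec(body))
    return claims if claims.get("exp", 0) > now else None

class IdentityServer:
    """Issues the global Token ([0101]) and a per-application AppTicketId ([0102]) exchangeable once."""
    def __init__(self, key, token_ttl=3600, ticket_ttl=60):
        self.key, self.token_ttl, self.ticket_ttl, self.tickets = key, token_ttl, ticket_ttl, set()
    def issue_token(self, user, now):
        return jwt_sign(self.key, {"sub": user, "exp": now + self.token_ttl})
    def issue_ticket(self, token, app_id, now):
        """Needs a valid Token; None once the Token has expired, which forces a full re-login ([0162])."""
        claims = jwt_verify(self.key, token, now)
        if claims is None:
            return None
        ticket = jwt_sign(self.key, {"sub": claims["sub"], "app": app_id, "exp": now + self.ticket_ttl})
        self.tickets.add(ticket)
        return ticket
    def exchange_ticket(self, ticket, now):
        """Called by the application server ([0149]); a ticket is accepted exactly once."""
        claims = jwt_verify(self.key, ticket, now)
        if claims is None or ticket not in self.tickets:
            return None
        self.tickets.discard(ticket)
        return {"user": claims["sub"], "app": claims["app"]}

class AppServer:
    def __init__(self, ids, app_id, key, ttl=300):
        self.ids, self.app_id, self.key, self.ttl = ids, app_id, key, ttl
    def issue_app_token(self, ticket, now):
        info = self.ids.exchange_ticket(ticket, now)
        if info is None or info["app"] != self.app_id:               # ticket minted for another AppId
            return None
        return jwt_sign(self.key, {"sub": info["user"], "aud": self.app_id, "exp": now + self.ttl})
    def service(self, app_token, now):
        claims = jwt_verify(self.key, app_token, now)
        if claims is None or claims.get("aud") != self.app_id:
            return 401, None                                         # [0159]: App_Token invalid
        return 200, f"data for {claims['sub']}"

class Middleware:
    """S161-S165: attach App_Token; on 401 renew it with the stored Token; re-login when that fails too."""
    def __init__(self, ids, app):
        self.ids, self.app, self.token, self.app_token = ids, app, None, None
    def login(self, user, now):
        self.token = self.ids.issue_token(user, now)                  # stands in for the S101-S103 login
        return self.renew_app_token(now)
    def renew_app_token(self, now):
        ticket = self.ids.issue_ticket(self.token, self.app.app_id, now)
        self.app_token = self.app.issue_app_token(ticket, now) if ticket else None
        return self.app_token is not None
    def call(self, now):
        status, body = self.app.service(self.app_token, now)
        if status == 401 and self.renew_app_token(now):              # S165: App_Token invalid, try renewal
            status, body = self.app.service(self.app_token, now)
        return body if status == 200 else "RELOGIN"                 # [0161]: the Token has expired as well
```

Middleware.call returns the service body on 200, renews the App_Token transparently after the first 401, and returns "RELOGIN" only when the stored Token can no longer be used to obtain an AppTicketId, which corresponds to the prompt in [0161]. jwt_verify pins the algorithm to HS256 instead of trusting the header and checks the signature before it reads exp, so an expired or foreign token never influences control flow before it is authenticated.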

[0163] In addition, as shown in Figure 2, the second embodiment of the present invention also proposes a unified identity authentication method based on quantum-secure middleware, applied to an identity authentication server. The identity authentication server integrates a second security chip, which stores a quantum key pre-filled by the quantum key management system. The method includes the following steps:

[0164] S201. Receive a username validity verification request sent by the mobile terminal.

[0165] It should be noted that the mobile terminal sends a username verification request to the identity authentication server, and the identity authentication server verifies whether the username is valid; if it is invalid, the server responds to the mobile terminal with a login failure status; if it is valid, the server executes step S202.

[0166] S202. When the username verification is valid, a challenge random number is sent to the mobile terminal so that the mobile terminal can calculate the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries time-varying parameters, login authentication credentials, application identifier AppId and challenge random number.

[0167] It should be noted that the mobile terminal receives the challenge random number sent by the identity authentication server. The mobile terminal uses the authentication key AuthKey obtained from the quantum key management system together with the SM4 and HMAC-SM3 algorithms to process the login request information and compute the login authentication information. The login authentication information includes the login information ciphertext and the login information MAC value. The login information ciphertext carries the time-varying parameter, the login authentication credentials, the application identifier AppId and the challenge random number (α); the login information ciphertext, the login information MAC value and the session identifier SessionId are forwarded to the identity authentication server.

[0168] S203. Receive the login authentication information sent by the mobile terminal, and request the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information.

[0169] S204. When the plaintext verification of the login authentication information is successful, generate encrypted information and return it to the mobile terminal. The encrypted information includes Token, AppTicketId, response information MACβ, and application identifier AppId.

[0170] S205. Receive an access request sent by the application server, and return response information to the application server when verifying the validity of the access request, so that the application server generates an App_Token based on the response information and returns it to the mobile terminal. The access request is generated by the mobile terminal based on the encrypted information.

[0171] In this embodiment, the identity authentication server receives the login authentication information sent by the mobile terminal and requests the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information. The identity authentication server and the application server integrate JWT technology to implement a token distribution mechanism, replacing the cookie session mechanism and achieving resistance to replay attacks. By using CAS and JWT technology in combination on the identity authentication server to complete business application management, user identity authentication and authorization, token maintenance, and using the key filled in the security chip to interact with the quantum key management system to obtain the authentication key, the security of user credentials and authentication protocol process data in the mobile terminal user identity authentication process in the open network is guaranteed.

[0172] In one embodiment, step S203 includes the following steps:

[0173] S231. Based on the login authentication information, initiate a key request to the second security chip to obtain the key sequence number Y, key C and second security chip identifier IDβ returned by the second security chip.

[0174] S232. Initiate an authentication key acquisition request to the quantum key management system, so that the quantum key management system can acquire the authentication key AuthKey and generate a second authentication key response message. The authentication key acquisition request includes a key sequence number Y and key encryption information. The key encryption information carries a time-varying parameter, a second security chip identifier IDβ, and a session identifier SessionId.

[0175] S233. Receive the second authentication key response message returned by the quantum key management system, and decrypt it using the key C corresponding to the key sequence number Y to obtain the authentication key AuthKey.

[0176] S234. Use the authentication key AuthKey to decrypt the login authentication information to obtain plaintext login authentication information, which includes user login authentication credentials, challenge random number, application identifier AppId, and login information MAC value.

[0177] It should be noted that the identity authentication server obtains the second authentication key response message, decrypts it using the key C corresponding to the key sequence number Y, and obtains the plaintext authentication key AuthKey; it then decrypts the login authentication information using the authentication key AuthKey together with the national cryptographic SM4 algorithm, and obtains the user login authentication credentials, the challenge random number α, the application identifier AppId, and the login information MAC value.

[0178] In one embodiment, the method further includes the following steps:

[0179] The login authentication information in plaintext is verified;

[0180] If the verification fails, a login authentication failure message is returned to the mobile terminal;

[0181] Upon successful verification, CAS and JWT technologies are combined to generate a token and an AppTicketId.

[0182] The authentication key AuthKey is used in conjunction with an encryption algorithm to perform calculations on the token, AppTicketId, and time-varying parameters to obtain the ciphertext information.

[0183] It should be noted that the identity authentication server uses the HMAC-SM3 algorithm to calculate MACα and verifies in one pass that the received MAC value matches MACα and that the challenge random number α and the user login authentication credentials are valid. If the verification fails, a failure message is returned to the mobile application. If the verification succeeds, the identity authentication server uses CAS and JWT technologies to generate a Token and an AppTicketId. At the same time, using the authentication key AuthKey together with the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm, the server calculates the response ciphertext and the response information MACβ over the time-varying parameter, the Token, and the AppTicketId. The server then sends the ciphertext, MACβ, and the application identifier AppId to the mobile terminal together.

[0184] Furthermore, when the mobile terminal receives the encrypted information, it uses the authentication key AuthKey in conjunction with the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm to calculate the encrypted request information and the MacT value of the request information based on the time-varying parameters and AppTicketId. It then forwards the encrypted request information, the MacT value, and the session identifier SessionId information to access the application server; the application server then forwards the information to the identity authentication server to verify its legitimacy.

[0185] The authentication server obtains the authentication key AuthKey based on the session identifier SessionId, decrypts the encrypted information, obtains the AppTicketId and MacT values, and performs a validity check. If the verification fails, a login failure message is returned to the mobile terminal. If the verification is successful, the server responds with user information to the application server, enabling the application server to generate an App_Token for the mobile terminal based on the user information and JWT technology. The mobile terminal then possesses the three pieces of information AppId, Token, and App_Token, and has logged in successfully.

[0186] In one embodiment, when the mobile terminal needs to maintain a login session for an extended period, the method further includes:

[0187] The validity periods of the Token and the App_Token are set to long-term values.

[0188] It should be understood that the validity period in this embodiment can be set according to the actual situation, and is not specifically limited here.

[0189] As shown in Figure 3, the third embodiment of the present invention proposes a unified identity authentication device based on quantum-secure middleware. The device is a mobile terminal 10, which integrates a secure middleware 11, a first security chip 12, and an application client 13. The first security chip 12 stores a quantum key pre-filled by the quantum key management system. The secure middleware 11 includes:

[0190] The authentication key acquisition module 111 is used to intercept the login request information submitted by the application client 13 to the identity authentication server, and request the authentication key from the quantum key management system through the first security chip;

[0191] The login request module 112 is used to encrypt the login request information using the authentication key, obtain login authentication information, and forward it to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0192] The encrypted receiving module 113 is used to receive encrypted information returned by the identity authentication server, wherein the encrypted information carries a token and an AppTicketId;

[0193] Access module 114 is used to access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server.

[0194] The authentication login module 115 is used to receive the App_Token returned by the application server and complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0195] In one embodiment, the authentication key acquisition module 111 specifically includes:

[0196] The parsing unit is used to intercept the login request information submitted by the application client to the identity authentication server, and parse the login request information to obtain the application identifier AppId and login authentication credential information;

[0197] The username verification request unit is used to send a username validity verification request to the identity authentication server.

[0198] The receiving unit is used to obtain the login failure response returned by the identity authentication server when the username is invalid;

[0199] The receiving unit is also used to receive a challenge random number sent by the identity authentication server when the username is valid;

[0200] A key request unit is used to request the authentication key from the quantum key management system through the first security chip.

[0201] In one embodiment, the key request unit is specifically used to perform the following steps:

[0202] A key request is initiated to the first security chip to obtain the key sequence number Z, key B, and the first security chip identifier IDa from the first security chip;

[0203] Based on the application identifier AppId, a session identifier SessionId is created, and an authentication key acquisition request is initiated to the quantum key management system. The authentication key acquisition request carries the key sequence number Z and the request ciphertext, which is obtained by encrypting the time-varying parameter, chip IDa and session identifier SessionId using the key B.

[0204] The system receives a first authentication key response information returned by the quantum key management system. The first authentication key response information carries the key sequence number Z and the response ciphertext. The response ciphertext is obtained by encrypting the time-varying parameters, chip IDa, session identifier SessionId and authentication key AuthKey using the key B.

[0205] The response ciphertext is decrypted using the key B corresponding to the key sequence number Z to obtain the authentication key AuthKey, and the application identifier AppId, authentication key AuthKey, and session identifier SessionId are cached.

[0206] In one embodiment, the login request module 112 is specifically used for:

[0207] The login request information is encrypted using the authentication key and encryption algorithm to obtain the login authentication information. The login authentication information includes ciphertext login information and MAC value login information. The ciphertext login information carries time-varying parameters, login authentication credentials, application identifier AppId, and challenge random number.

[0208] The login authentication information and the session identifier (SessionId) are forwarded to the identity authentication server.

[0209] In one embodiment, the security middleware further includes a decryption verification module, used for:

[0210] The ciphertext information is decrypted using the authentication key, and the decrypted information is compared with the message authentication code.

[0211] When the encrypted information is successfully decrypted and the comparison results match, the step of accessing the application server is executed;

[0212] If the encrypted information fails to be decrypted or the comparison results are inconsistent, the login attempt is deemed unsuccessful.

[0213] In one embodiment, the access module is specifically used for:

[0214] Using the authentication key and encryption algorithm, the AppTicketId and time-varying parameters are calculated to obtain the AppTicketId ciphertext and the request information MacT value.

[0215] The encrypted AppTicketId, the MacT value of the request information, and the SessionId are forwarded to the application server to access the application server.

[0216] This embodiment utilizes symmetric key technology implemented with secure middleware, combined with national cryptographic algorithms and a quantum key management system, to achieve data confidentiality and integrity protection for the unified identity authentication process in mobile applications. Furthermore, based on the symmetric key technology implemented with secure middleware, the identity authentication server and application server integrate JWT technology to implement a token distribution mechanism, replacing the cookie session mechanism and achieving a method to resist replay attacks.

[0217] It should be noted that other embodiments or implementation methods of the unified identity authentication device based on quantum-secure middleware described in this invention can refer to the first embodiment of the above method, and will not be repeated here.

[0218] In addition, as shown in Figure 4, the fourth embodiment of the present invention proposes a unified identity authentication device based on quantum-secure middleware. The device is an identity authentication server 20, which integrates a second security chip 21. The second security chip 21 stores a quantum key pre-filled by the quantum key management system. The identity authentication server 20 includes:

[0219] Username verification module 22 is used to receive username validity verification requests sent by mobile terminals;

[0220] The random number sending module 23 is used to send a challenge random number α to the mobile terminal when the username verification is valid, so that the mobile terminal can calculate the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries the time-varying parameter, the login authentication credentials, the application identifier AppId and the challenge random number α.

[0221] The login request receiving module 24 is used to receive the login authentication information sent by the mobile terminal, and request the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information;

[0222] The ciphertext generation module 25 is used to generate ciphertext information and return it to the mobile terminal when the plaintext verification of the login authentication information is successful. The ciphertext information includes Token, AppTicketId, response information MACβ, and application identifier AppId.

[0223] Access receiving module 26 is used to receive access requests sent by the application server, and return response information to the application server when verifying the legality of the access request, so that the application server generates an App_Token based on the response information and returns it to the mobile terminal. The access request is generated by the mobile terminal based on the encrypted information.

[0224] In one embodiment, the login request receiving module 24 is specifically used for:

[0225] Based on the login authentication information, a key request is initiated to the second security chip to obtain the key sequence number Y, key C, and second security chip identifier IDβ returned by the second security chip;

[0226] An authentication key acquisition request is initiated to the quantum key management system, so that the quantum key management system acquires the authentication key AuthKey and generates a second authentication key response message. The authentication key acquisition request includes a key sequence number Y and key encryption information, which carries a time-varying parameter, a second security chip identifier IDβ, and a session identifier SessionId.

[0227] Receive the second authentication key response message returned by the quantum key management system, and decrypt it using the key C that corresponds to the key sequence number Y to obtain the authentication key AuthKey;

[0228] The login authentication information is decrypted using the authentication key AuthKey to obtain the plaintext login authentication information, which includes the user login authentication credentials, the challenge random number, the application identifier AppId, and the login information MAC value.

[0229] In one embodiment, the identity authentication server further includes: a verification module, used for:

[0230] The login authentication information in plaintext is verified;

[0231] If the verification fails, a login authentication failure message is returned to the mobile terminal;

[0232] Upon successful verification, CAS and JWT technologies are combined to generate a token and an AppTicketId.

[0233] The ciphertext generation module is used to perform calculations on the token, AppTicketId, and the third time-varying parameter using the authentication key AuthKey in combination with the encryption algorithm when the verification module outputs a successful verification result, in order to obtain the ciphertext information.

[0234] In one embodiment, the identity authentication server further includes:

[0235] The expiration setting module is used to set the validity period of the token and the App_Token to a long-term period when the mobile terminal needs to maintain a login session for a long time.

[0236] This embodiment utilizes symmetric key technology implemented with secure middleware, combined with national cryptographic algorithms and a quantum key management system, to achieve data confidentiality and integrity protection for the unified identity authentication process in mobile applications. Furthermore, based on the symmetric key technology implemented with secure middleware, the identity authentication server and application server integrate JWT technology to implement a token distribution mechanism, replacing the cookie session mechanism and achieving a method to resist replay attacks.

[0237] It should be noted that other embodiments or implementation methods of the unified identity authentication device based on quantum-secure middleware described in this invention can refer to the second embodiment of the above method, and will not be repeated here.

[0238] In addition, as shown in Figure 3 and Figure 5, the fifth embodiment of the present invention also proposes a unified identity authentication system based on quantum-secure middleware. The system includes a mobile terminal 10, an application server 30, an identity authentication server 20, and a quantum key management system 40. The quantum key management system 40 is connected to the mobile terminal 10 and to the identity authentication server 20. The mobile terminal 10 is connected to the application server 30 and to the identity authentication server 20. The application server 30 is connected to the identity authentication server 20.

[0239] The mobile terminal 10 integrates a security middleware 11, a first security chip 12, and an application client 13. The first security chip 12 stores a quantum key pre-filled by the quantum key management system. The identity authentication server 20 integrates a second security chip 21, which stores a quantum key pre-filled by the quantum key management system. The security middleware 11 includes:

[0240] The authentication key acquisition module 111 is used to intercept the login request information submitted by the application client 13 to the identity authentication server, and request the authentication key from the quantum key management system through the first security chip;

[0241] The login request module 112 is used to encrypt the login request information using the authentication key, obtain login authentication information, and forward it to the identity authentication server, so that the identity authentication server can obtain the authentication key from the key management system and decrypt the login authentication information.

[0242] The encrypted receiving module 113 is used to receive encrypted information returned by the identity authentication server, wherein the encrypted information is composed of a token and an AppTicketId.

[0243] Access module 114 is used to access the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server, and the identity authentication server returns response information to the application server.

[0244] The authentication login module 115 is used to receive the App_Token returned by the application server and complete the unified identity authentication login. The App_Token is generated by the application server based on the response information.

[0245] Specifically, in this embodiment, the security chip integrated in the mobile terminal and in the identity authentication server is certified by the State Commercial Cryptography Administration, possesses security protection capabilities, and has its ID information written in at initialization, enabling it to interface with the quantum key management system so that keys can be filled into the security chip. The security chip can specifically be a SIM card or a USB key (USBKey); this embodiment does not impose any specific limitation.

[0246] The security middleware is located between the security chip and the mobile terminal, and realizes functions such as symmetric key management, cryptographic algorithm management (HMAC-SM3, SM4 and other algorithms), identity authentication management, and data storage.

[0247] The identity authentication server uses a combination of CAS and JWT technologies to complete functions such as business application management, user identity authentication and authorization, token maintenance, and obtaining authentication keys by interacting with the quantum key management system using keys filled in the security chip.

[0248] The quantum key management system is used to complete the key filling of the security chip. After the terminal integrates the security chip, the security middleware uses the key filled into the security chip to interact with the quantum key management system in order to obtain authentication keys, authenticate the security chip, and perform other functions.

[0249] The application client is an APP application installed on a mobile device, and the application server integrates JWT technology as a provider of mobile terminal service capabilities.

[0250] Furthermore, during the initialization of the quantum key management, the quantum key is filled and stored in the security chip integrated into the mobile terminal and the identity authentication server, and the correspondence between the stored security chip and the key is recorded.

[0251] In one embodiment, as shown in Figure 4, the identity authentication server 20 includes:

[0252] Username verification module 22 is used to receive username validity verification requests sent by mobile terminals;

[0253] The random number sending module 23 is used to send a challenge random number α to the mobile terminal when the username verification is valid, so that the mobile terminal can calculate the login authentication information. The login authentication information includes the login information MAC value and the login information ciphertext. The login information ciphertext carries the time-varying parameter, the login authentication credentials, the application identifier AppId and the challenge random number α.

[0254] The login request receiving module 24 is used to receive the login authentication information sent by the mobile terminal, and request the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information;

[0255] The ciphertext generation module 25 is used to generate ciphertext information and return it to the mobile terminal when the plaintext verification of the login authentication information is successful. The ciphertext information includes Token, AppTicketId, response information MACβ, and application identifier AppId.

[0256] Access receiving module 26 is used to receive access requests sent by the application server, and return response information to the application server when verifying the legality of the access request, so that the application server generates an App_Token based on the response information and returns it to the mobile terminal. The access request is generated by the mobile terminal based on the encrypted information.

[0257] Furthermore, the workflow of the unified identity authentication system based on quantum-secure middleware in this embodiment is as follows:

[0258] (1) When the mobile terminal enters the login interface, the user enters the user authentication credentials. The security middleware receives this request and parses out the AppId and user authentication credentials information.

[0259] (2) The security middleware sends a username verification request to the identity authentication server. The identity authentication server verifies whether the username is valid. If it is invalid, it responds to the security middleware with a login failure status; the security middleware receives the login failure status and returns it to the mobile terminal. If it is valid, the security middleware receives the username validity status and the challenge random number α, and proceeds to step (3).

[0260] (3) After receiving the valid status, the security middleware proceeds with the process of obtaining the authentication key, as shown in the flowchart of Figure 6;

[0261] 3-1) The security middleware sends a key request to the security chip (SIM card), and the security chip returns the key serial number Z, key B, and chip IDa;

[0262] 3-2) The security middleware generates a session identifier (SessionId). At the same time, it initiates a request to the quantum key management system to obtain the authentication key. The authentication key request message consists of the key sequence number Z in the clear plus (time-varying parameter + chip IDa + session identifier SessionId) encrypted with key B.

[0263] 3-3) The quantum key management system obtains the corresponding key B injected into the security chip based on the key sequence number Z, decrypts the ciphertext of the authentication key information, and distributes the ciphertext of the authentication key AuthKey based on the decrypted information.

[0264] 3-4) The security middleware obtains the ciphertext of the authentication key AuthKey, decrypts the response message using key B (the key corresponding to sequence number Z), obtains the plaintext authentication key AuthKey, and caches the application identifier AppId, the authentication key AuthKey, the session identifier SessionId and the challenge random number α.

[0265] (4) After the authentication key AuthKey has been obtained through the Figure 6 flow, unified identity authentication based on the security middleware is performed as shown in Figure 7.

[0266] 4-1) The security middleware uses the authentication key AuthKey in combination with the SM4 and HMAC-SM3 algorithms to process the login request information, calculates the login information ciphertext over (time-varying parameter + login authentication credentials + application identifier AppId + challenge random number α) and the login information MAC value, and forwards the login information ciphertext, the login information MAC value, and the session identifier SessionId to the identity authentication server.

[0267] 4-2) The identity authentication server receives the information and sends a key request to its security chip (USBKey). The security chip returns the key sequence number Y, the key C, and the second security chip identifier IDβ.

[0268] 4-3) The identity authentication server initiates a request to the quantum key management system to obtain the authentication key, and the authentication key request information is: key sequence number Y + key C encrypted (time-varying parameter + second security chip identifier IDβ + session identifier SessionId).

[0269] 4-4) The quantum key management system obtains the corresponding key C injected into the security chip based on the key sequence number Y and decrypts the request information. Based on the decrypted information, it distributes the AuthKey ciphertext; this is the same AuthKey that was distributed to the security middleware in step 3-3).

[0270] 4-5) The identity authentication server obtains the encrypted authentication key AuthKey and decrypts the response message using key C, which corresponds to the key sequence number Y from step 4-2), to obtain the plaintext authentication key AuthKey. The server then decrypts the login information ciphertext (step S16) using the authentication key AuthKey and the national cryptographic SM4 algorithm to obtain the user login authentication credentials, the challenge random number α, the application identifier AppId, and the login information MAC value.

[0271] 4-6) The identity authentication server uses the HMAC-SM3 algorithm to calculate MACα over the decrypted login information, and verifies together whether the received MAC value equals MACα and whether the challenge random number α and the user login authentication credentials are valid.

[0272] If the verification fails, the security middleware is notified of the login failure, and the security middleware then returns the failure information to the mobile application.

[0273] If the verification is successful, the identity authentication server uses CAS and JWT technologies to generate a Token and an AppTicketId. At the same time, using the authentication key AuthKey combined with the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm, it calculates the response ciphertext and the response information MACβ over (time-varying parameter + Token + AppTicketId). The ciphertext information, MACβ, and the application identifier AppId are then sent together to the security middleware.

[0274] 4-7) The security middleware receives the information, uses the AuthKey obtained in step 3-4) to decrypt the response message, obtains the Token and AppTicketId, recomputes the MAC over the response with the HMAC-SM3 algorithm as MACβ', and compares whether MACβ and MACβ' are consistent.

[0275] If the response decrypts successfully and the MAC values match, proceed to step 4-8).

[0276] If the decryption response fails or the MAC value does not match, a login failure is returned to the client.

[0277] 4-8) At this point, the security middleware uses the authentication key AuthKey in conjunction with the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm to calculate the ciphertext request information and the MacT value of the request information based on (time-varying parameters + AppTicketId). It then forwards the ciphertext request information, the MacT value, and the session identifier SessionId information to the application server; the application server forwards the information to the identity authentication server to verify its validity.

[0278] 4-9) The identity authentication server obtains the AuthKey based on the SessionId, decrypts the information, obtains the AppTicketId and the MacT value, and performs a validity check.

[0279] If the verification fails, a failure message is responded. The security middleware obtains the failure message and returns a login failure message to the mobile terminal.

[0280] If the verification is successful, the identity authentication server sends the user information to the application server. The application server then uses the user information and JWT technology to generate an App_Token and sends it to the security middleware. The security middleware now holds the AppId, Token, and App_Token, and returns the App_Token to the mobile client, completing the login on the mobile device.
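The exchange of steps 3-1) to 4-7) above, condensed into one runnable program. This is an added example written for this page, not code from the patent or from CHINA TELECOM QUANTUM TECH CO LTD. Assumptions: AES-256-GCM stands in for the SM4 ciphertext plus HMAC-SM3 MAC (the GCM tag plays the MAC's role, so no separate MAC field is carried); messages are '|'-separated strings rather than the patent's message formats; chip identifiers, sequence numbers, keys and the user table are constructed test data; and both ends of each exchange run in one process, so the QKMS half and the requester half of FetchAuthKey sit in the same function. The names Chip, QKMS, AuthServer, FetchAuthKey, ClientLogin, VerifyLogin and NewDemo are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Chip is a security chip pre-filled by the QKMS: chip identifier, key sequence number, filled key.
type Chip struct{ ID, Seq string; Key []byte }
// QKMS: filled chips by sequence number, AuthKey per SessionId, replay cache of accepted (chip ID, TVP).
type QKMS struct{ filled map[string]Chip; auth map[string][]byte; seen map[string]bool }
// AuthServer: its own filled chip, the user table (constructed data) and the challenge issued per username.
type AuthServer struct{ Chip Chip; Q *QKMS; users, pending map[string]string }

func randHex(n int) string { b := make([]byte, n); rand.Read(b); return hex.EncodeToString(b) }
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// seal/open: AES-256-GCM stands in for SM4 plus HMAC-SM3; the GCM tag plays the role of the separate MAC.
func seal(key []byte, msg string) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, []byte(msg), nil)
}

func open(key, ct []byte) (string, error) {
	if len(key) != 32 || len(ct) < 12 {
		return "", errors.New("unknown key or short ciphertext")
	}
	pt, err := gcm(key).Open(nil, ct[:12], ct[12:], nil)
	return string(pt), err
}

// FetchAuthKey is steps 3-1..3-4 on the terminal (IDa, Z, key B) and 4-2..4-5 on the server (IDβ, Y, key C):
// request = Seq in clear + Enc_Key(TVP|ChipID|SessionId), response = Enc_Key(TVP|ChipID|SessionId|AuthKey).
func (q *QKMS) FetchAuthKey(c Chip, sid string, now int64) ([]byte, error) {
	ct := seal(c.Key, fmt.Sprintf("%d|%s|%s", now, c.ID, sid))
	rec := q.filled[c.Seq] // QKMS side from here: the sequence number selects the key filled into that chip
	pt, err := open(rec.Key, ct)
	f := strings.Split(pt, "|")
	if err != nil || len(f) != 3 || f[1] != rec.ID || q.seen[f[1]+f[0]] {
		return nil, errors.New("bad tag, chip mismatch or replayed key request")
	}
	q.seen[f[1]+f[0]] = true // (chip ID, TVP) accepted once; a real QKMS also bounds TVP to a time window
	ak, ok := q.auth[f[2]]
	if !ok { // the first party to ask creates the AuthKey; its peer later receives the same one
		ak = []byte(randHex(16))
		q.auth[f[2]] = ak
	}
	rpt, err := open(c.Key, seal(rec.Key, pt+"|"+string(ak))) // requester side: decrypt with own key
	r := strings.Split(rpt, "|")
	if err != nil || len(r) != 4 || r[1] != c.ID || r[2] != sid {
		return nil, errors.New("key response missing or not bound to this chip and session")
	}
	return []byte(r[3]), nil
}

// Challenge is step (2): a fresh challenge random number for a known username, "" otherwise.
func (s *AuthServer) Challenge(user string) string {
	if _, ok := s.users[user]; ok {
		s.pending[user] = randHex(16)
	}
	return s.pending[user]
}

// ClientLogin is step 4-1: Enc_AuthKey(TVP|user|secret|AppId|challenge) with its tag.
func ClientLogin(ak []byte, user, secret, appID, challenge string, now int64) []byte {
	return seal(ak, fmt.Sprintf("%d|%s|%s|%s|%s", now, user, secret, appID, challenge))
}

// VerifyLogin is steps 4-2..4-6: same AuthKey via the QKMS, tag check, single-use challenge,
// credential check, then Enc_AuthKey(TVP|Token|AppTicketId) back to the middleware.
func (s *AuthServer) VerifyLogin(sid string, ct []byte, now int64) ([]byte, error) {
	ak, err := s.Q.FetchAuthKey(s.Chip, sid, now)
	if err != nil {
		return nil, err
	}
	pt, err := open(ak, ct)
	f := strings.Split(pt, "|")
	if err != nil || len(f) != 5 || f[4] == "" || s.pending[f[1]] != f[4] {
		return nil, errors.New("bad tag or challenge mismatch: tampered, replayed or out-of-order login")
	}
	delete(s.pending, f[1]) // a challenge answers exactly one login attempt
	if s.users[f[1]] != f[2] {
		return nil, errors.New("invalid credentials")
	}
	return seal(ak, fmt.Sprintf("%d|tok-%s|ticket-%s", now, randHex(8), randHex(8))), nil
}

// NewDemo wires one QKMS, the terminal chip (IDa, Z) and a server holding chip (IDβ, Y); all keys constructed.
func NewDemo() (*QKMS, Chip, *AuthServer) {
	term, srv := Chip{"IDa", "Z", []byte(randHex(16))}, Chip{"IDb", "Y", []byte(randHex(16))}
	q := &QKMS{map[string]Chip{"Z": term, "Y": srv}, map[string][]byte{}, map[string]bool{}}
	return q, term, &AuthServer{srv, q, map[string]string{"alice": "s3cret"}, map[string]string{}}
}
```

What to look for: the QKMS never sees an AuthKey request in the clear; it recovers the filled key from the sequence number alone and binds the AuthKey to the SessionId, so the terminal (chip IDa, sequence number Z) and the server (chip IDβ, sequence number Y) end up with the same AuthKey without exchanging it directly. The (chip ID, time-varying parameter) replay cache rejects a re-sent key request, and the single-use challenge α makes a re-sent login ciphertext fail in VerifyLogin even though its tag still verifies. A production QKMS would additionally bound the time-varying parameter to a clock window so that the cache cannot grow without limit.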

[0281] (5) Make API calls to the application server.

[0282] 5-1) When a mobile terminal accesses the service interface of the application server, the security middleware intercepts the request, queries the App_Token based on the AppId, and forwards the request to the application server synchronously with the App_Token.

[0283] 5-2) The application server interface verifies the App_Token to be valid, and then returns the content to the mobile terminal.

[0284] 5-3) When the App_Token verification fails, a 401 or 403 error is returned, indicating that the App_Token is invalid. In this case, the security middleware does not return this error to the mobile terminal; instead it repeats the Figure 6 process to obtain a new authentication key, uses that authentication key, the stored Token, the national cryptographic SM4 algorithm and the HMAC-SM3 algorithm to obtain an AppTicketId from the identity authentication server, and then proceeds through steps 4-7) and 4-8) to obtain a new App_Token.

[0285] 5-4) In step 5-3), it is also possible that no AppTicketId can be obtained for the App_Token, for example when the stored Token has expired. In this case, the security middleware responds to the client that it must re-enter the login state and executes step (1).

[0286] 5-5) When mobile terminals need to maintain login sessions for a long time, the validity periods of the Token and the App_Token can be set to a long time on the identity authentication server. This reduces the problem of App_Token expiry after distribution.
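Step (5) as a runnable model of the token lifecycle: HS256 JWTs for the global Token and the App_Token, a single-use AppTicketId table on the identity server, and a middleware that refreshes the App_Token on 401/403 and asks for a re-login only when the Token itself has expired. This is an added example, not the patent's code. Assumptions: the refresh hop to the identity server, which the patent seals under AuthKey with SM4 and HMAC-SM3 (step 5-3), is modelled as a direct call and the AuthKey exchange is out of scope here; tokens are signed with HS256 under constructed keys; AppTicketIds come from a counter rather than a random source; the App_Token lifetime of 300 s and Token lifetime of 3600 s are chosen for the demo. All type and function names (Claims, IdentityServer, AppServer, Middleware, MintJWT, VerifyJWT, NewTokenDemo) are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
// Claims is the minimal JWT payload used here: subject, audience (AppId, or "cas" for the global Token), expiry.
type Claims struct{ Sub string `json:"sub"`; Aud string `json:"aud"`; Exp int64 `json:"exp"` }
// IdentityServer signs the global Token and remembers the AppTicketIds it issued (AppTicketId -> subject).
type IdentityServer struct{ key []byte; tickets map[string]string; n int }
// AppServer mints App_Token from a redeemed AppTicketId and serves API calls under it; TTL is its lifetime (5-5).
type AppServer struct{ ID string; key []byte; IdP *IdentityServer; TTL int64 }
// Middleware keeps the global Token and the App_Token per AppId that it attaches to intercepted calls (5-1).
type Middleware struct{ Token string; AppToken map[string]string }

func sign(key []byte, s string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(s)); return m.Sum(nil) }

// MintJWT builds an HS256 token header.payload.signature over the claims.
func MintJWT(key []byte, c Claims) string {
	p, _ := json.Marshal(c)
	signing := hdr + "." + b64.EncodeToString(p)
	return signing + "." + b64.EncodeToString(sign(key, signing))
}

// VerifyJWT pins the header to HS256 (no alg:none, no key confusion), then checks signature, audience and expiry.
func VerifyJWT(key []byte, tok, aud string, now int64) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != hdr {
		return Claims{}, errors.New("malformed token or unsupported header")
	}
	sig, _ := b64.DecodeString(parts[2])
	if !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	pl, _ := b64.DecodeString(parts[1])
	if err := json.Unmarshal(pl, &c); err != nil || c.Aud != aud || now >= c.Exp {
		return Claims{}, errors.New("bad claims, wrong audience or expired")
	}
	return c, nil
}

// Ticket is the refresh hop of step 5-3: a valid global Token yields a fresh AppTicketId (AuthKey sealing omitted).
func (i *IdentityServer) Ticket(token string, now int64) (string, error) {
	c, err := VerifyJWT(i.key, token, "cas", now)
	if err != nil {
		return "", err
	}
	i.n++
	i.tickets[fmt.Sprint("ticket-", i.n)] = c.Sub
	return fmt.Sprint("ticket-", i.n), nil
}

// Login is step 4-9: the AppTicketId is checked with the identity server, redeemed exactly once, then turned into App_Token.
func (a *AppServer) Login(ticket string, now int64) (string, error) {
	sub, ok := a.IdP.tickets[ticket]
	delete(a.IdP.tickets, ticket)
	if !ok {
		return "", errors.New("invalid or already used AppTicketId")
	}
	return MintJWT(a.key, Claims{sub, a.ID, now + a.TTL}), nil
}

// API is steps 5-2/5-3: 200 with content for a valid App_Token, otherwise 401.
func (a *AppServer) API(appToken string, now int64) (int, string) {
	if c, err := VerifyJWT(a.key, appToken, a.ID, now); err == nil {
		return 200, "content for " + c.Sub
	}
	return 401, ""
}

// Call attaches App_Token to an intercepted request and, on 401/403, refreshes it once through Token ->
// AppTicketId -> App_Token (5-3); when the stored Token no longer yields a ticket it asks for a re-login (5-4).
func (m *Middleware) Call(app *AppServer, now int64) (int, string) {
	if code, body := app.API(m.AppToken[app.ID], now); code != 401 && code != 403 {
		return code, body
	}
	ticket, err := app.IdP.Ticket(m.Token, now)
	if err != nil {
		return 401, "RELOGIN"
	}
	m.AppToken[app.ID], _ = app.Login(ticket, now) // a ticket minted just now redeems successfully
	return app.API(m.AppToken[app.ID], now)
}

// NewTokenDemo wires an identity server, an app server (300 s App_Token) and a middleware holding a 3600 s Token; all constructed.
func NewTokenDemo(now int64) (*Middleware, *AppServer) {
	idp := &IdentityServer{[]byte("cas-signing-key-constructed"), map[string]string{}, 0}
	app := &AppServer{"app-1", []byte("app-1-key-constructed"), idp, 300}
	return &Middleware{MintJWT(idp.key, Claims{"alice", "cas", now + 3600}), map[string]string{}}, app
}
```

VerifyJWT pins the encoded header to exactly the HS256 header it mints, which rejects alg:none and algorithm-confusion tokens, and it checks the audience so that the global Token (aud "cas") cannot be replayed to an application server as an App_Token. On 5-5: lengthening the validity periods does reduce refresh traffic, but it also lengthens the time a stolen App_Token stays usable, since a JWT carries its own expiry and nothing else in this flow revokes it; the single-use AppTicketId limits only the ticket, not the tokens minted from it.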

[0287] This invention utilizes symmetric key technology implemented with secure middleware, combined with national cryptographic algorithms and a quantum key management system, to achieve data confidentiality and integrity protection for the unified identity authentication process in mobile applications. Furthermore, based on the symmetric key technology implemented with secure middleware, the identity authentication server and application server integrate JWT technology to implement a token distribution mechanism, replacing the cookie session mechanism and achieving a method to resist replay attacks.

[0288] This addresses the growing impact of increasingly severe cyberattacks on the security of the unified identity authentication process: it prevents unauthorized interception and alteration of the user authentication credential data and of the server-side distributed data during unified identity authentication on the mobile terminal. It also mitigates the security threats posed by future quantum computers and quantum algorithms: public-key algorithms that rest on the large-integer factorization problem could be broken, whereas the quantum-distributed symmetric keys used here do not depend on factorization, and encrypted transmission using quantum-secure cryptography is theoretically secure and reliable.

[0289] It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein can be considered a sequenced list of executable instructions for implementing logical functions, and can be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution system, apparatus, or device (such as a computer-based system, a system including a processor, or another system that can fetch and execute instructions from an instruction execution system, apparatus, or device). For the purposes of this specification, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transmit a program for use by, or in conjunction with, an instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (electronic device), a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), fiber optic devices, and portable compact disc read-only memory (CDROM). Alternatively, the computer-readable medium may be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium, then edited, interpreted, or otherwise processed as necessary, and stored in a computer memory.

[0290] It should be understood that various parts of the present invention can be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.

[0291] In the description of this specification, references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0292] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this invention, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.

[0293] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims

1. A unified identity authentication method based on quantum-secure middleware, characterized in that the method is applied to a mobile terminal that integrates a first security chip and an application client, the first security chip storing quantum keys pre-filled by a quantum key management system, and the mobile terminal further integrating a security middleware that performs the following steps: intercepting the login request information submitted by the application client to the identity authentication server and requesting the authentication key from the quantum key management system through the first security chip, which includes parsing the login request information to obtain the application identifier AppId and the login authentication credential information, initiating a key request to the first security chip to obtain the key sequence number Z, key B and the first security chip identifier IDa returned by the first security chip, creating a session identifier SessionId based on the application identifier AppId, and initiating an authentication key acquisition request to the quantum key management system, the authentication key acquisition request carrying the key sequence number Z and a request ciphertext obtained by encrypting the time-varying parameter, the first security chip identifier IDa and the session identifier SessionId with key B; receiving the first authentication key response information returned by the quantum key management system, the first authentication key response information carrying the key sequence number Z and a response ciphertext obtained by encrypting the first time-varying parameter, the first security chip identifier IDa, the session identifier SessionId and the authentication key AuthKey with key B;
decrypting the key ciphertext using the key B corresponding to the key sequence number Z to obtain the authentication key AuthKey, and caching the application identifier AppId, the authentication key AuthKey and the session identifier SessionId; encrypting the login request information using the authentication key to obtain login authentication information and forwarding it to the identity authentication server, so that the identity authentication server obtains the authentication key from the key management system and decrypts the login authentication information; receiving encrypted information returned by the identity authentication server, the encrypted information carrying a global token identifier Token and an application identity ticket AppTicketId; accessing the application server based on the encrypted information, so that the application server initiates an authentication request to the identity authentication server and the identity authentication server returns response information to the application server; and receiving the application token identifier App_Token returned by the application server to complete the unified identity authentication login, the App_Token being generated by the application server based on the response information.

2. The unified identity authentication method based on quantum-secure middleware according to claim 1, wherein intercepting the login request information submitted by the application client to the identity authentication server and requesting the authentication key from the quantum key management system through the first security chip includes: intercepting the login request information submitted by the application client to the identity authentication server, and parsing the login request information to obtain the application identifier AppId and the login authentication credential information; sending a username validity verification request to the identity authentication server; if the username is invalid, obtaining the login failure response returned by the identity authentication server; when the username is valid, receiving the challenge random number sent by the identity authentication server; and requesting the authentication key from the quantum key management system through the first security chip.

3. The unified identity authentication method based on quantum-secure middleware according to claim 1, wherein encrypting the login request information using the authentication key to obtain login authentication information and forwarding it to the identity authentication server includes: encrypting the login request information using the authentication key and the encryption algorithm to obtain the login authentication information, the login authentication information including the login information ciphertext and the login information MAC value, and the login information ciphertext carrying the time-varying parameter, the login authentication credentials, the application identifier AppId and the challenge random number; and forwarding the login authentication information and the session identifier SessionId to the identity authentication server.

4. The unified identity authentication method based on quantum-secure middleware according to claim 1, wherein after receiving the encrypted information returned by the identity authentication server, the method further includes: decrypting the encrypted information using the authentication key and comparing the decrypted information against the message authentication code; when the encrypted information is decrypted successfully and the comparison matches, executing the step of accessing the application server; and if the encrypted information fails to decrypt or the comparison is inconsistent, treating the login as unsuccessful.

5. The unified identity authentication method based on quantum-secure middleware according to claim 4, characterized in that the encrypted information carries the Token, the AppTicketId, a MAC value and the application identifier AppId, and accessing the application server based on the encrypted information includes: using the authentication key and the encryption algorithm to compute, over the AppTicketId and the third time-varying parameter, the AppTicketId ciphertext and the request information MacT value; and forwarding the AppTicketId ciphertext, the request information MacT value and the SessionId to the application server to access the application server.

6. The quantum secure middleware based unified identity authentication method of claim 5, wherein, The method further includes: based on the App_Token, completing the call to the service interface of the application server, specifically: Intercept access requests sent to the application server; The App_Token is queried based on the application identifier AppId to obtain a new access request, and the new access request carries the App_Token; Send a new access request to the application server so that the application server can verify whether the App_Token is valid; When the application server verifies the validity of the App_Token, the application content returned by the application server is obtained; When the application server verifies that the App_Token is invalid, it requests an authentication key from the quantum key management system via the first security chip.

7. The unified identity authentication method based on quantum-secure middleware according to claim 6, wherein, when the AppTicketId cannot be obtained through the App_Token, the method further includes: prompting the mobile terminal to re-enter the login state.

8. A unified identity authentication method based on quantum secure middleware, characterized in that the method is applied to an identity authentication server which integrates a second security chip, the second security chip storing a quantum key pre-loaded by a quantum key management system, and the method includes: receiving a username verification request sent by a mobile terminal; when the username verification is valid, sending a challenge random number à to the mobile terminal so that the mobile terminal calculates login authentication information, the login authentication information including a login information MAC value and a login information ciphertext, the login information ciphertext carrying a time-varying parameter, login authentication credentials, the application identifier AppId, and the challenge random number à; receiving the login authentication information sent by the mobile terminal and requesting an authentication key from the quantum key management system via the second security chip to decrypt the login authentication information, which includes: initiating a key request to the second security chip based on the login authentication information to obtain the key sequence number Y, key C, and second security chip identifier ID ß returned by the second security chip; initiating an authentication key acquisition request to the quantum key management system so that the quantum key management system acquires the authentication key AuthKey and generates a second authentication key response message, the authentication key acquisition request including the key sequence number Y and key encryption information, the key encryption information carrying a time-varying parameter, the second security chip identifier ID ß, and a session identifier SessionId; receiving the second authentication key response message returned by the quantum key management system and decrypting the second authentication key response message using the key sequence number Y to obtain the authentication key AuthKey; and using the authentication key AuthKey to decrypt the login authentication information to obtain plaintext login authentication information, which includes the user login authentication credentials, the challenge random number à, the application identifier AppId, and the login information MAC value; when the plaintext verification of the login authentication information is successful, generating ciphertext information and returning it to the mobile terminal, the ciphertext information including a global token identifier Token, an application identity ticket AppTicketId, a response information MAC value, and an application identifier AppId; and receiving an access request sent by the application server and returning response information to the application server when the access request is verified as valid, so that the application server generates an application token identifier App_Token based on the response information and returns it to the mobile terminal, the access request being generated by the mobile terminal based on the ciphertext information.

9. The quantum secure middleware based unified identity authentication method according to claim 8, wherein the method further includes: verifying the plaintext login authentication information; if the verification fails, returning a login authentication failure message to the mobile terminal; upon successful verification, generating a Token and an AppTicketId using a combination of CAS and JWT technologies; and using the authentication key AuthKey in conjunction with the encryption algorithm to calculate over the Token, the AppTicketId, and the third time-varying parameter to obtain the ciphertext information.

10. The quantum secure middleware based unified identity authentication method according to claim 8, wherein, when the mobile terminal needs to maintain a login session for an extended period, the method further includes: setting the validity period of the Token and the App_Token to long-term.

11. A unified identity authentication device based on quantum secure middleware, characterized in that the device is a mobile terminal which integrates a security middleware, a first security chip, and an application client, the first security chip storing quantum keys pre-filled by the quantum key management system, and the security middleware includes: an authentication key acquisition module, used to intercept the login request information submitted by the application client to the identity authentication server and request the authentication key from the quantum key management system through the first security chip; a login request module, used to encrypt the login request information using the authentication key to obtain login authentication information and forward it to the identity authentication server, so that the identity authentication server obtains the authentication key from the quantum key management system and decrypts the login authentication information; a ciphertext receiving module, used to receive the ciphertext information returned by the identity authentication server, the ciphertext information carrying a global token identifier Token and an application identity ticket AppTicketId; an access module, used to access the application server based on the ciphertext information, so that the application server initiates an authentication request to the identity authentication server and the identity authentication server returns response information to the application server; and an authentication login module, used to receive the application token identifier App_Token returned by the application server and complete the unified identity authentication login, the App_Token being generated by the application server based on the response information. The authentication key acquisition module includes: a parsing unit, used to parse the login request information to obtain the application identifier AppId and the login authentication credential information; and a key request unit, configured to: initiate a key request to the first security chip to obtain a key sequence number Z, a key B, and a first security chip identifier ITa from the first security chip; create a session identifier SessionId based on the application identifier AppId and initiate an authentication key acquisition request to the quantum key management system, the authentication key acquisition request carrying the key sequence number Z and a request ciphertext, the request ciphertext being obtained by encrypting a time-varying parameter, the first security chip identifier ITa, and the session identifier SessionId using the key B; receive first authentication key response information returned by the quantum key management system, the first authentication key response information carrying the key sequence number Z and a response ciphertext, the response ciphertext being obtained by encrypting a first time-varying parameter, the first security chip identifier ITa, the session identifier SessionId, and the authentication key AuthKey using the key B; decrypt the response ciphertext using the key sequence number Z to obtain the authentication key AuthKey; and cache the application identifier AppId, the authentication key AuthKey, and the session identifier SessionId.

12. A unified identity authentication device based on quantum secure middleware, characterized in that the device is an identity authentication server which integrates a second security chip, the second security chip storing a quantum key pre-loaded by a quantum key management system, and the identity authentication server includes: a username verification module, used to receive username validity verification requests sent by mobile terminals; a random number sending module, used to send a challenge random number à to the mobile terminal when the username verification is valid, so that the mobile terminal calculates the login authentication information, the login authentication information including a login information MAC value and a login information ciphertext, the login information ciphertext carrying a time-varying parameter, login authentication credentials, the application identifier AppId, and the challenge random number à; a login request receiving module, used to receive the login authentication information sent by the mobile terminal and request the authentication key from the quantum key management system through the second security chip to decrypt the login authentication information; a ciphertext generation module, used to generate ciphertext information and return it to the mobile terminal when the plaintext verification of the login authentication information is successful, the ciphertext information including a global token identifier Token, an application identity ticket AppTicketId, a response information MAC value, and an application identifier AppId; and an access receiving module, used to receive an access request sent by the application server and return response information to the application server when the access request is verified as legitimate, so that the application server generates an application token identifier App_Token based on the response information and returns it to the mobile terminal, the access request being generated by the mobile terminal based on the ciphertext information. The login request receiving module is specifically used to: initiate a key request to the second security chip based on the login authentication information to obtain the key sequence number Y, key C, and second security chip identifier ID ß returned by the second security chip; initiate an authentication key acquisition request to the quantum key management system so that the quantum key management system acquires the authentication key AuthKey and generates a second authentication key response message, the authentication key acquisition request including the key sequence number Y and key encryption information, the key encryption information carrying a time-varying parameter, the second security chip identifier ID ß, and the session identifier SessionId; receive the second authentication key response message returned by the quantum key management system and decrypt it using the key sequence number Y to obtain the authentication key AuthKey; and decrypt the login authentication information using the authentication key AuthKey to obtain the plaintext login authentication information, which includes the user login authentication credentials, the challenge random number à, the application identifier AppId, and the login information MAC value.
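
The authentication key acquisition exchange that claims 8, 11 and 12 describe (chip hands out a key sequence number and a pre-filled key, the request and response ciphertexts are bound to the chip identifier and the SessionId, and the middleware decrypts the response to cache AuthKey) is modelled below as an added example; it is not the patent's or the applicant's code. The claims do not name the encryption algorithm, so a stdlib SHA-256 keystream with an HMAC tag stands in for it, and the 30-second freshness window for the time-varying parameter, the one-time use of each sequence number, and all identifiers are assumptions.

```python
import hashlib, hmac, json, os, time

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): SHA-256 counter keystream XORed over data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: nonce | ciphertext | HMAC-SHA256 tag over nonce+ciphertext."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")      # tampered blob or wrong pre-filled key
    return json.loads(keystream_xor(key, nonce, ct))

# Constructed pre-filled quantum keys: chip and QKMS hold identical copies indexed
# by key sequence number (claim 11's Z and key B); CHIP_ID plays the role of ITa.
CHIP_ID = "ITa-demo"
PREFILLED = {1: os.urandom(32), 2: os.urandom(32)}
FRESHNESS_SECONDS = 30   # assumed acceptance window for the time-varying parameter

class QuantumKMS:
    def __init__(self, chip_keys: dict):
        self.keys, self.issued = {CHIP_ID: chip_keys}, {}
    def auth_key_request(self, chip_id: str, seq: int, request_ct: bytes) -> bytes:
        key_b = self.keys[chip_id].pop(seq)      # one-time use: a replayed Z finds no key
        req = unseal(key_b, request_ct)
        if req["chip_id"] != chip_id or abs(time.time() - req["tvp"]) > FRESHNESS_SECONDS:
            raise ValueError("stale or mis-bound request")
        auth_key = os.urandom(32)                # AuthKey issued for this SessionId
        self.issued[req["session_id"]] = auth_key
        return seal(key_b, {"tvp": time.time(), "chip_id": chip_id,
                            "session_id": req["session_id"], "auth_key": auth_key.hex()})

def middleware_acquire_auth_key(kms: QuantumKMS, app_id: str, chip_keys: dict):
    """Security middleware side: the chip yields (Z, B, ITa); SessionId derives from AppId."""
    seq, key_b = min(chip_keys), chip_keys.pop(min(chip_keys))
    session_id = f"{app_id}-{os.urandom(4).hex()}"
    req_ct = seal(key_b, {"tvp": time.time(), "chip_id": CHIP_ID, "session_id": session_id})
    resp = unseal(key_b, kms.auth_key_request(CHIP_ID, seq, req_ct))
    if resp["chip_id"] != CHIP_ID or resp["session_id"] != session_id:
        raise ValueError("response not bound to this chip and session")
    return session_id, bytes.fromhex(resp["auth_key"])  # cached with AppId by the middleware
```

Because the QKMS pops the pre-filled key by sequence number before decrypting, a captured request replayed with the same Z cannot obtain a second AuthKey, which is the property the claims rely on when they tie each acquisition to a fresh key and a time-varying parameter.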

13. A unified identity authentication system based on quantum secure middleware, characterized in that the system includes a mobile terminal, an application server, an identity authentication server, and a quantum key management system; the quantum key management system is connected to the mobile terminal and to the identity authentication server, respectively; the mobile terminal is connected to the application server and to the identity authentication server, respectively; and the application server is connected to the identity authentication server. The mobile terminal integrates a security middleware, a first security chip, and an application client, the first security chip storing a quantum key pre-filled by the quantum key management system; the identity authentication server integrates a second security chip, which stores a quantum key pre-filled by the quantum key management system. The security middleware is used to execute the unified identity authentication method based on quantum secure middleware according to any one of claims 1 to 7, and includes: an authentication key acquisition module, used to intercept the login request information submitted by the application client to the identity authentication server and request the authentication key from the quantum key management system through the first security chip; a login request module, used to encrypt the login request information using the authentication key to obtain login authentication information and forward it to the identity authentication server, so that the identity authentication server obtains the authentication key from the quantum key management system and decrypts the login authentication information; a ciphertext receiving module, used to receive the ciphertext information returned by the identity authentication server, the ciphertext information carrying a global token identifier Token and an application identity ticket AppTicketId; an access module, used to access the application server based on the ciphertext information, so that the application server initiates an authentication request to the identity authentication server and the identity authentication server returns response information to the application server; and an authentication login module, used to receive the application token identifier App_Token returned by the application server and complete the unified identity authentication login, the App_Token being generated by the application server based on the response information.