Identity credential management method and apparatus, electronic device, and readable storage medium
By generating authorization files and automatically requesting identity credentials during trusted communication application upgrades, the problem of inefficient identity credential acquisition after upgrades is solved, achieving seamless intelligent credential management and improving user experience.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- WEIWEI SHANGHAI NETWORK TECH CO LTD
- Filing Date
- 2023-03-28
- Publication Date
- 2026-07-07
AI Technical Summary
After a trusted communication application is upgraded or updated, the method of manually obtaining identity credentials by users becomes inefficient, resulting in the loss of identity credentials or the need to obtain them again.
When the target application requests an upgrade, an authorization file is generated and the upgrade is performed based on the upgrade data. The upgraded application is controlled to request identity credentials from the application backend. The authorization file is generated by signing information such as timestamp, user identifier, and certificate identifier, thereby achieving intelligent acquisition of identity credentials.
It improves the efficiency of identity credential acquisition, eliminating the need for manual operation by users and enhancing the user experience.
Smart Images

Figure CN116361765B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of communication technology, and in particular to an identity credential management method, apparatus, electronic device, and readable storage medium. Background Technology
[0002] Trusted Communication is a secure communication service based on user terminal cryptographic tokens. It is a security service product that leverages smart terminal computing and domestically developed cryptographic algorithms to achieve end-to-end trusted authentication and display during communication. Enterprises and employees, after being verified and issued digital certificates by a CA (Certificate Authority), initiate calls carrying trusted identities using smart terminals. The data is transmitted end-to-end in encrypted form to the called party. Simultaneously with the ringing of the called terminal, the verified caller's trusted identity information is displayed. Throughout the authentication, transmission, and display process, the caller's identity is ensured to be legally valid and tamper-proof.
[0003] In this application, the user's identity credentials (i.e., digital certificate) private key is stored in the cryptographic module and cannot be retrieved. Furthermore, the identity credentials and the package name of the trusted communication application (i.e., the trusted communication product) generally correspond uniquely. However, when the trusted communication application is upgraded or updated, new installation packages may be installed, or the cryptographic module may be switched, resulting in the loss of identity credentials. Therefore, the upgraded trusted communication application needs to re-acquire identity credentials before trusted communication can be maintained.
[0004] Currently, the way trusted communication applications re-obtain identity credentials after upgrades and updates is for users to manually obtain an activation code, perform three-factor authentication, and re-obtain identity credentials. However, this method of manually re-obtaining identity credentials is not intelligent and is inefficient. Summary of the Invention
[0005] To address all or part of the aforementioned technical problems, this application provides an identity credential management method, apparatus, electronic device, and readable storage medium.
[0006] In a first aspect, embodiments of this application provide an identity credential management method, including:
[0007] When a target application requests an upgrade, the upgrade information corresponding to the target application is obtained, wherein the upgrade information includes upgrade data and upgrade method;
[0008] Control the target application to generate a corresponding license file based on the upgrade method;
[0009] After generating the authorization file, the target application is upgraded based on the upgrade data;
[0010] The upgraded target application requests the corresponding identity credentials from the corresponding application backend based on the authorization file.
[0011] In one possible implementation, if the upgrade method involves switching a cryptographic module, the step of controlling the target application to generate a corresponding authorization file based on the upgrade method includes:
[0012] The target application is controlled to obtain timestamp information, user identifier, certificate identifier and original application information corresponding to the target application, and based on the private key corresponding to the user identifier, the timestamp information, user identifier, certificate identifier and original application information are signed to obtain the corresponding signature value;
[0013] The authorization file is generated based on the timestamp information, the user identifier, the certificate identifier, the original application information, and the signature value.
[0014] In one possible implementation, if the upgrade method involves switching a password module, the upgraded target application requests the corresponding identity credentials from the corresponding application backend based on the authorization file, including:
[0015] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0016] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0017] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0018] In one possible implementation, if the upgrade method involves installing a new installation package, controlling the target application to generate a corresponding license file based on the upgrade method includes:
[0019] The target application is controlled to obtain timestamp information, user identifier, and updated application information corresponding to the newly installed package, and based on the private key corresponding to the user identifier, the timestamp information, the user identifier, and the updated application information are signed to obtain the corresponding signature value;
[0020] The authorization file is generated based on the timestamp information, the user identifier, and the signature value.
[0021] In one possible implementation, if the upgrade method involves installing a new installation package, the step of upgrading the target application based on the upgrade data further includes:
[0022] Determine the module type corresponding to the password module of the target application, and determine the corresponding user data based on the module type;
[0023] The target application is controlled to send the user data and the file content of the authorization file to the application backend, so that the application backend can verify the file content and store the user data after the verification is successful.
[0024] In one possible implementation, the module type includes a standalone cryptographic module, and the target application after the control upgrade requests corresponding identity credentials from the corresponding application backend based on the authorization file, including:
[0025] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0026] After the upgraded target application receives the user data returned by the application backend based on the file content, it establishes a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
[0027] In one possible implementation, the module type includes an integrated cryptographic module, wherein the target application after the control upgrade requests corresponding identity credentials from the corresponding application backend based on the authorization file, including:
[0028] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0029] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0030] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0031] Secondly, embodiments of this application provide an identity credential management device, comprising:
[0032] The acquisition module is used to acquire upgrade information corresponding to the target application when the target application requests an upgrade, wherein the upgrade information includes upgrade data and upgrade method;
[0033] The first control module is used to control the target application to generate a corresponding license file based on the upgrade method;
[0034] An upgrade module is used to upgrade the target application based on the upgrade data after the authorization file is generated;
[0035] The second control module is used to control the upgraded target application and request the corresponding identity credentials from the corresponding application backend based on the authorization file.
[0036] In one possible implementation, if the upgrade method involves switching a cryptographic module, the first control module is specifically used for:
[0037] The target application is controlled to obtain timestamp information, user identifier, certificate identifier and original application information corresponding to the target application, and based on the private key corresponding to the user identifier, the timestamp information, user identifier, certificate identifier and original application information are signed to obtain the corresponding signature value;
[0038] The authorization file is generated based on the timestamp information, the user identifier, the certificate identifier, the original application information, and the signature value.
[0039] In one possible implementation, if the upgrade method involves switching a cryptographic module, the second control module is specifically used for:
[0040] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0041] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0042] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0043] In one possible implementation, if the upgrade method involves installing a new installation package, the first control module is further configured to:
[0044] The target application is controlled to obtain timestamp information, user identifier, and updated application information corresponding to the newly installed package, and based on the private key corresponding to the user identifier, the timestamp information, the user identifier, and the updated application information are signed to obtain the corresponding signature value;
[0045] The authorization file is generated based on the timestamp information, the user identifier, and the signature value.
[0046] In one possible implementation, if the upgrade method involves installing a new installation package, the device further includes a third control module, specifically used for:
[0047] Determine the module type corresponding to the password module of the target application, and determine the corresponding user data based on the module type;
[0048] The target application is controlled to send the user data and the file content of the authorization file to the application backend, so that the application backend can verify the file content and store the user data after the verification is successful.
[0049] In one possible implementation, the module type includes an independent cryptographic module, and the second control module is further configured to:
[0050] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0051] After the upgraded target application receives the user data returned by the application backend based on the file content, it establishes a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
[0052] In one possible implementation, the module type includes an integrated cryptographic module, and the second control module is further configured to:
[0053] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0054] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0055] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0056] Thirdly, an electronic device is provided, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus;
[0057] Memory, used to store computer programs;
[0058] When a processor executes a program stored in memory, it implements any of the steps described in the first aspect.
[0059] Fourthly, a computer-readable storage medium is provided, characterized in that the computer-readable storage medium stores a computer program, which, when executed by a processor, implements the steps of any of the methods described in the first aspect.
[0060] Fifthly, a computer program product containing instructions is provided, which, when run on a computer, causes the computer to execute any of the aforementioned identity credential management methods.
[0061] Beneficial effects of the embodiments in this application:
[0062] This application provides an identity credential management method, apparatus, electronic device, and readable storage medium. In this embodiment, when a target application requests an upgrade, firstly, upgrade information corresponding to the target application is obtained. This upgrade information includes upgrade data and an upgrade method. Then, the target application is controlled to generate a corresponding authorization file based on the upgrade method. After generating the authorization file, the target application is upgraded based on the upgrade data. Finally, the upgraded target application is controlled to request the corresponding identity credential from the corresponding application backend based on the authorization file. This solution enables the upgraded target application to request the corresponding identity credential from the application backend based on the authorization file generated by the target application before the upgrade. Therefore, intelligent acquisition of identity credentials after application updates and upgrades is achieved, thereby improving the efficiency of identity credential acquisition. Furthermore, the process of acquiring identity credentials using this solution requires no manual user operation; therefore, the entire process is imperceptible to the user, thus improving the user experience.
[0063] Of course, implementing any product or method of this application does not necessarily require achieving all of the advantages described above at the same time. Attached Figure Description
[0064] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0065] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0066] Figure 1 A flowchart illustrating an identity credential management method provided in this application embodiment;
[0067] Figure 2 An example of the format of an authorization document provided for an embodiment of this application;
[0068] Figure 3 An example of the format of an authorization document provided for an embodiment of this application;
[0069] Figure 4 A flowchart illustrating another identity credential management method provided in this application embodiment;
[0070] Figure 5 A flowchart illustrating another identity credential management method provided in this application embodiment;
[0071] Figure 6 A flowchart illustrating another identity credential management method provided in this application embodiment;
[0072] Figure 7 This is a schematic diagram of the structure of an identity credential management device provided in an embodiment of this application;
[0073] Figure 8 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation
[0074] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0075] The identity credential management method provided in this application will be explained and described below with reference to the accompanying drawings and specific embodiments. The embodiments do not constitute a limitation on the embodiments of this application.
[0076] See Figure 1 This is a flowchart illustrating an embodiment of an identity credential management method provided in this application. Figure 1 As shown, the process may include the following steps:
[0077] S101, when the target application requests an upgrade, obtain the upgrade information corresponding to the target application, wherein the upgrade information includes upgrade data and upgrade method.
[0078] The target application refers to a trusted communication application.
[0079] Upgrade information includes upgrade data and upgrade method. Upgrade data refers to the data used to update the target application. Upgrade method refers to the way the target application is upgraded, such as an upgrade method involving switching the password module or an upgrade method involving a change in the application's package name.
[0080] In this embodiment of the application, the target application sends an upgrade request to the OTA (Over-The-Air technology) interface of the application backend. After parsing and verifying the upgrade request, the application backend returns the corresponding upgrade information to the target application, namely, the upgrade data and the upgrade method.
[0081] S102, control the target application to generate a corresponding license file based on the upgrade method.
[0082] In this application embodiment, the generated authorization files differ depending on the upgrade method.
[0083] As one possible implementation, if the upgrade method involves switching a cryptographic module, the specific implementation of controlling the target application to generate the corresponding authorization file based on the upgrade method may include: controlling the target application to obtain timestamp information, user identifier, certificate identifier, and the original application information corresponding to the target application; and signing the timestamp information, user identifier, certificate identifier, and original application information based on the private key corresponding to the user identifier to obtain the corresponding signature value; and generating the authorization file based on the timestamp information, user identifier, certificate identifier, original application information, and signature value.
[0084] The original application information refers to information that identifies the target application before the upgrade, such as the application package name, application signature value, and application key keywords. Here, the private key corresponding to the user identifier is the private key associated with the user identifier's identity credentials.
[0085] Figure 2 The image shown is an example of the format of an authorization file generated using this method.
[0086] Where k1 = timestamp, k2 = userid (i.e., user identifier), k3 = app package name (i.e., target application package name) + app signature value (i.e., target application signature value) + appkey (i.e., application key key of the target application) + certid (certificate identifier), k4 = signature(k1+k2+k3, private key of userid), which uses the private key corresponding to userid to sign k1+k2+k3 to obtain the signature value k4.
[0087] As another possible implementation, if the upgrade method involves installing a new installation package, the specific implementation of controlling the target application to generate the corresponding authorization file based on the upgrade method may include: controlling the target application to obtain timestamp information, user identifier, and update application information corresponding to the new installation package, and signing the timestamp information, user identifier, and update application information based on the private key corresponding to the user identifier to obtain the corresponding signature value, and generating the authorization file based on the timestamp information, user identifier, and signature value.
[0088] Among them, updated application information refers to information that can mark the target application after the upgrade, such as the application package name, application signature value, application key keywords, etc.
[0089] Figure 3 The image shown is an example of the format of an authorization file generated using this method.
[0090] Where, k1 = timestamp; k2 = userid (i.e., user identifier); k3 = signature[k1 + k2 + new app package name (i.e., the package name of the upgraded target application) + new app signature value (i.e., the signature value of the upgraded target application) + new appkey (i.e., the application key keyword of the upgraded target application), private key corresponding to userid].
[0091] In another embodiment, the authorization file is stored in the target application's private directory, thereby preventing other applications from obtaining the authorization file and improving file usage security.
[0092] In practical applications, expiration conditions for license files can be set. For example, an expiration duration can be set, starting when the license file is generated, and deleting the license file when the expiration duration is reached; alternatively, an expiration count can be set, deleting the license file when the number of uses reaches the expiration count. This improves the security of file usage.
[0093] S103, after generating the authorization file, upgrade the target application based on the upgrade data.
[0094] S104, the upgraded target application requests the corresponding identity credentials from the corresponding application backend based on the authorization file.
[0095] The following provides a unified explanation of S103 and S104:
[0096] In this embodiment, after generating the authorization file, the target application can be upgraded based on the upgrade data to obtain the upgraded target application. Then, the upgraded target application can be controlled to request the corresponding identity credentials (i.e., digital certificates) from the corresponding application backend based on the authorization file. Thus, the intelligent acquisition of the corresponding identity credentials after upgrading the target application is realized.
[0097] Here, the process of requesting identity credentials from the application backend varies depending on the upgrade method. As for how to specifically control the upgraded target application and request the corresponding identity credentials from the corresponding application backend based on the authorization file, this will be explained in detail in the following embodiments, and will not be elaborated here.
[0098] In this embodiment, when a target application requests an upgrade, firstly, upgrade information corresponding to the target application is obtained. This upgrade information includes upgrade data and an upgrade method. Then, the target application is controlled to generate a corresponding authorization file based on the upgrade method. After generating the authorization file, the target application is upgraded based on the upgrade data. Finally, the upgraded target application is controlled to request the corresponding identity credential from the corresponding application backend based on the authorization file. This solution enables the upgraded target application to request the corresponding identity credential from the application backend based on the authorization file generated by the target application before the upgrade. Therefore, intelligent acquisition of identity credentials after application updates and upgrades is achieved, thereby improving the efficiency of identity credential acquisition. Furthermore, the process of acquiring identity credentials using this solution requires no manual user operation; therefore, the entire process is imperceptible to the user, thus improving the user experience.
[0099] See Figure 4 This is a flowchart illustrating another embodiment of an identity credential management method provided in this application. Figure 4 The process shown above Figure 1 Based on the illustrated process, this section describes how, if the upgrade method involves switching password modules, the upgraded target application is controlled to request the corresponding identity credentials from the corresponding application backend based on the authorization file. For example... Figure 4 As shown, the process may include the following steps:
[0100] S401, the upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0101] S402, after the upgraded target application receives the user data returned by the application backend based on the file content, the upgraded target application is controlled to generate a corresponding key pair based on the user data, and generate a corresponding identity credential request based on the key pair.
[0102] S403, the upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0103] The following provides a unified explanation of S401-S403:
[0104] User data refers to data used to tag a target application.
[0105] In this embodiment, the upgraded target application reads the file content from the authorization file and sends a data request generated based on that file content to the application backend. The request calls a user information retrieval interface through the file content to obtain the corresponding user data, which is then returned to the upgraded target application. Next, the upgraded target application generates a corresponding key pair based on the user data and generates a corresponding identity credential request p10 based on the key pair. p10 and the user data are then sent to the application backend, which downloads the corresponding identity credential based on p10 and the user data, and returns the identity credential to the target application.
[0106] In practical applications, after receiving a data request, the application backend can validate the parameters (i.e., file content) in the request. Simultaneously, it assembles the parameters according to the same rules as the authorization file and verifies the signature value in the file content using the user's identity credentials. Upon successful verification, the user data is returned. Furthermore, when returning the user data, the application backend can also simultaneously return a signature value obtained by signing the user data using the backend system's private key. After the upgraded target application receives the user data, verifies this signature value, and then executes the step of requesting identity credentials based on the user data.
[0107] In another embodiment, when the target application, after control upgrade, sends p10 and user data to the application backend, it can also carry a signature value signed using the private key in the key pair. After the application backend verifies the signature based on the signature value, it downloads the corresponding identity credential according to p10 and user data, and returns the identity credential to the target application. This improves the security of data transmission.
[0108] For ease of understanding, the following provides the complete process for requesting identity credentials when the upgrade method involves switching password modules:
[0109] S1. The target application sends an upgrade request to the application backend OTA upgrade interface.
[0110] S2. The application backend determines the upgrade data and upgrade method by parsing and verifying the upgrade request.
[0111] S3. The application backend returns upgrade data and upgrade method to the target application.
[0112] S4. When the returned upgrade method involves switching the password module, the target application first generates a private authorization file locally.
[0113] The authorization file includes: k1 = timestamp; k2 = userid; k3 = app package name + app signature value + appkey + certid; k4 = signature(k1 + k2 + k3, userid's private key), which uses the private key corresponding to idi to sign k1 + k2 + k3 to obtain the signature value k4.
[0114] S5. The client downloads and installs the upgrade package based on the upgrade data.
[0115] S6. After the upgrade package is installed, when the upgraded target application is opened, the target application reads the file content in the authorization file and requests the application backend to obtain user information based on the file content.
[0116] S7. After receiving the request, the application backend verifies the file content. At the same time, it assembles parameters according to the same rules as the file content and uses the user's identity credentials to verify the signature of k4.
[0117] S8. After the signature verification is successful, the application backend returns the signature value of the user data and the system private key to sign the user data.
[0118] S9. The upgraded target application receives user data, generates a key pair based on the user data, and then requests identity credentials from the application backend.
[0119] pass Figure 4 The illustrated process allows the upgraded target application to request corresponding identity credentials from the application backend based on the content of the authorization file. This enables the application to intelligently obtain identity credentials after an upgrade involving a password module switch, thereby improving the efficiency of credential acquisition.
[0120] See Figure 5 This is a flowchart illustrating another embodiment of an identity credential management method provided in this application. Figure 5 As shown, the process may include the following steps:
[0121] S501, determine the module type corresponding to the password module of the target application, and determine the corresponding user data based on the module type.
[0122] S502, control the target application to send the user data and the file content of the authorization file to the application backend, so that the application backend can verify the file content and store the user data after the verification is successful.
[0123] The following provides a unified explanation of S501 and S502:
[0124] There are two types of modules: standalone cryptographic modules and integrated cryptographic modules. Standalone cryptographic modules include Super SIM cards and mobile SEs; integrated cryptographic modules include Jida Zhengyuan SDK cryptographic modules.
[0125] It should be noted that with the standalone password module, the user's key will not be lost when installing a new installation package; only the mapping between the target application and the key needs to be synchronized. With the integrated password module, however, the key will be lost when installing a new installation package, and the user's identity credentials will need to be reissued and synchronized.
[0126] In this embodiment of the application, since the installation of a new installation package is involved, after the target application generates the authorization file, it needs to report the file content of the authorization file and the corresponding user data to the application backend. This is so that when the target application requests identity credentials after the upgrade, the application backend will feed back the user data to the target application.
[0127] Because the process of obtaining identity credentials differs depending on the module type, the reported user data also differs.
[0128] The independent cryptographic module typically reports user data including: user ID, identity credential ID, idi, ki, username, company name, department, and position. Here, idi refers to the identity identifier issued by the operating system to the i-th trusted user for service authentication; this ID is a randomly generated 128-bit data to protect user personal information. Ki refers to the symmetric key corresponding to the idi, securely transmitted by the operator to the i-th trusted user. The integrated cryptographic module typically reports user data including: user ID, the new app's package name, the new app's signature value, appkey, and a signature value of the preceding data using the private key corresponding to the user ID.
[0129] In this embodiment of the application, after determining the module type corresponding to the password module of the target application and determining the corresponding user data based on the module type, the target application is controlled to send the user data and the file content of the authorization file to the application backend. After receiving the user data and the file content, the application backend performs verification based on the file content and stores the user data after the verification is successful. When the target application requests identity credentials after subsequent upgrades, the stored user data is fed back to the target application.
[0130] pass Figure 5 The process shown allows you to control the target application to report corresponding user data to the application backend based on the corresponding module type, so that it can be fed back to the upgraded target application later.
[0131] See Figure 6 This is a flowchart illustrating another embodiment of an identity credential management method provided in this application. Figure 6 The process shown above Figure 5 Based on the illustrated process, this section describes how to control the upgraded target application to request the corresponding identity credentials from the corresponding application backend based on the authorization file if the upgrade method involves installing a new installation package and the module type is an independent password module. For example... Figure 6 As shown, the process may include the following steps:
[0132] S601, the upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0133] S602, after the upgraded target application receives the user data returned by the application backend based on the file content, a mapping relationship is established between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
[0134] The following provides a unified explanation of S601 and S602:
[0135] Because of the independent password module, the user's key will not be lost when installing a new installation package; only the mapping relationship between the upgraded target application and the key needs to be synchronized.
[0136] Based on this, in this embodiment, the upgraded target application first sends a data request to the application backend. This data request carries the file content of an authorization file. The application backend verifies the file content and, upon successful verification, returns the user data reported by the target application before the upgrade to the upgraded target application. After receiving the user data returned by the application backend based on the file content, the upgraded target application can establish a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module. This enables the application to intelligently obtain identity credentials after an upgrade involving the installation of a new package, thereby improving the efficiency of identity credential acquisition.
[0137] In another embodiment of this application, the module type includes an integrated cryptographic module, and the specific implementation of the target application after control upgrade requesting the corresponding identity credentials from the corresponding application backend based on the authorization file may include:
[0138] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file. After the upgraded target application receives user data returned by the application backend based on the file content, the upgraded target application generates a corresponding key pair based on the user data and generates a corresponding identity credential request based on the key pair. The upgraded target application then sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0139] Because the integrated cryptographic module can cause key loss when installing a new installation package, this embodiment requires the user's identity credentials to be reissued and synchronized. The specific process is the same as S401-S403, and a detailed explanation can be found in the description of S401-S403.
[0140] In another embodiment of this application, the upgrade of the target application based on the upgrade data may further include the following steps: upon detecting a login operation to the upgraded target application, controlling the upgraded target application to execute a verification code login process, and sending the verification code corresponding to the verification code login process to the application backend, so that the application backend encrypts the user data based on the verification code when returning the user data to the upgraded target application. This improves the security of data transmission.
[0141] The login verification code can be set with expiration conditions, such as expiring after a single use, or expiring after a period of inactivity. This further ensures the security of the verification process.
[0142] For ease of understanding, the following provides the complete process for requesting identity credentials when the upgrade method involves installing a new installation package:
[0143] S1. The target application sends an upgrade request to the application backend OTA upgrade interface.
[0144] S2. The application backend determines the upgrade data and upgrade method by parsing and verifying the upgrade request.
[0145] S3. The application backend returns upgrade data and upgrade method to the target application.
[0146] S4. When the returned upgrade method involves switching the password module, the target application first generates a private authorization file locally.
[0147] The authorization file includes: k1 = timestamp; k2 = userid; k3 = signature(k1 + k2 + new app package name + new app signature value + new appkey, private key corresponding to userid).
[0148] S5. The target application reports user data to the application backend. The reported user data varies depending on the password module type.
[0149] The user data reported by the independent cryptographic module includes the following:
[0150] User ID, identity credential ID, idi, ki, username, company name, department, and position.
[0151] The user data reported by the integrated cryptographic module includes the following:
[0152] User ID, new app package name, new app signature value, appkey, and signature value of the preceding data using the private key corresponding to the user ID.
[0153] S6. The application backend verifies the contents of the authorization file, and if the verification is successful, stores the reported user data.
[0154] S7. The application backend returns a result indicating that the verification was successful and the reported user data has been stored.
[0155] S8. The client downloads and installs the upgrade package based on the upgrade data.
[0156] S9. After the upgrade package is installed, users will need to log in to the target application via SMS verification code.
[0157] S10. After the application backend verifies successful login, it will temporarily record the SMS verification code for use in step S13 to encrypt user data.
[0158] S11. Returns the result of successful login.
[0159] S12. If the upgraded target application detects that there are no identity credentials in the authorization file and locally, it will use the content of the authorization file to request the target data reported by the target application before the upgrade.
[0160] S13. The application backend verifies the content of the authorization file. After successful verification, it generates an encryption key for the SM4 encryption algorithm based on the SMS verification code in S10 (e.g., using the last 10 digits of the mobile phone number + 6 digits of the login verification code). After encrypting the user data with the key, the encrypted user data is returned to the target application.
[0161] S14. The upgraded target application decrypts the encrypted user data to obtain the user data. It determines whether it is an integrated cryptographic module or an independent cryptographic module through k2 in the authorization file. If it is an independent cryptographic module, it can map the upgraded target data and user credentials based on the user data. If it is an integrated cryptographic module, it proceeds to step S15.
[0162] S15. The upgraded target application generates a key pair based on the user data, and then requests identity credentials from the application backend.
[0163] This enables applications to intelligently retrieve identity credentials after an update involving the installation of a new package, thereby improving the efficiency of credential retrieval. Furthermore, this solution employs dual verification using both authorization files and login verification codes, further enhancing security.
[0164] Based on the same technical concept, embodiments of this application also provide an identity credential management device, such as... Figure 7 As shown, the device includes:
[0165] The acquisition module 701 is used to acquire upgrade information corresponding to the target application when the target application requests an upgrade, wherein the upgrade information includes upgrade data and upgrade method;
[0166] The first control module 702 is used to control the target application to generate a corresponding license file based on the upgrade method;
[0167] The upgrade module 703 is used to upgrade the target application based on the upgrade data after the authorization file is generated;
[0168] The second control module 704 is used to control the upgraded target application to request the corresponding identity credentials from the corresponding application backend based on the authorization file.
[0169] In one possible implementation, if the upgrade method involves switching a cryptographic module, the first control module is specifically used for:
[0170] The target application is controlled to obtain timestamp information, user identifier, certificate identifier and original application information corresponding to the target application, and based on the private key corresponding to the user identifier, the timestamp information, user identifier, certificate identifier and original application information are signed to obtain the corresponding signature value;
[0171] The authorization file is generated based on the timestamp information, the user identifier, the certificate identifier, the original application information, and the signature value.
[0172] In one possible implementation, if the upgrade method involves switching a cryptographic module, the second control module is specifically used for:
[0173] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0174] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0175] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0176] In one possible implementation, if the upgrade method involves installing a new installation package, the first control module is further configured to:
[0177] The target application is controlled to obtain timestamp information, user identifier, and updated application information corresponding to the newly installed package, and based on the private key corresponding to the user identifier, the timestamp information, the user identifier, and the updated application information are signed to obtain the corresponding signature value;
[0178] The authorization file is generated based on the timestamp information, the user identifier, and the signature value.
[0179] In one possible implementation, if the upgrade method involves installing a new installation package, the device further includes a third control module, specifically used for:
[0180] Determine the module type corresponding to the password module of the target application, and determine the corresponding user data based on the module type;
[0181] The target application is controlled to send the user data and the file content of the authorization file to the application backend, so that the application backend can verify the file content and store the user data after the verification is successful.
[0182] In one possible implementation, the module type includes an independent cryptographic module, and the second control module is further configured to:
[0183] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0184] After the upgraded target application receives the user data returned by the application backend based on the file content, it establishes a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
[0185] In one possible implementation, the module type includes an integrated cryptographic module, and the second control module is further configured to:
[0186] The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file;
[0187] After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair.
[0188] The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
[0189] In this embodiment, when a target application requests an upgrade, firstly, upgrade information corresponding to the target application is obtained. This upgrade information includes upgrade data and an upgrade method. Then, the target application is controlled to generate a corresponding authorization file based on the upgrade method. After generating the authorization file, the target application is upgraded based on the upgrade data. Finally, the upgraded target application is controlled to request the corresponding identity credential from the corresponding application backend based on the authorization file. This solution enables the upgraded target application to request the corresponding identity credential from the application backend based on the authorization file generated by the target application before the upgrade. Therefore, intelligent acquisition of identity credentials after application updates and upgrades is achieved, thereby improving the efficiency of identity credential acquisition. Furthermore, the process of acquiring identity credentials using this solution requires no manual user operation; therefore, the entire process is imperceptible to the user, thus improving the user experience.
[0190] Based on the same technical concept, embodiments of this application also provide an electronic device, such as... Figure 8 As shown, it includes a processor 111, a communication interface 112, a memory 113, and a communication bus 114, wherein the processor 111, the communication interface 112, and the memory 113 communicate with each other through the communication bus 114.
[0191] Memory 113 is used to store computer programs;
[0192] When processor 111 executes the program stored in memory 113, it performs the following steps:
[0193] When a target application requests an upgrade, the upgrade information corresponding to the target application is obtained, wherein the upgrade information includes upgrade data and upgrade method;
[0194] Control the target application to generate a corresponding license file based on the upgrade method;
[0195] After generating the authorization file, the target application is upgraded based on the upgrade data;
[0196] The upgraded target application requests the corresponding identity credentials from the corresponding application backend based on the authorization file.
[0197] The communication bus mentioned in the above electronic devices can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.
[0198] The communication interface is used for communication between the aforementioned electronic devices and other devices.
[0199] The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
[0200] The processors mentioned above can be general-purpose processors, including central processing units (CPUs), network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
[0201] In another embodiment provided in this application, a computer-readable storage medium is also provided, which stores a computer program that, when executed by a processor, implements the steps of any of the above-described identity credential management methods.
[0202] In another embodiment provided in this application, a computer program product containing instructions is also provided, which, when run on a computer, causes the computer to execute any of the identity credential management methods described in the above embodiments.
[0203] In the above embodiments, implementation can be achieved entirely or partially through software, hardware, firmware, or any combination thereof. When implemented using software, it can be implemented entirely or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)).
[0204] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0205] The above description is merely a specific embodiment of this application, enabling those skilled in the art to understand or implement this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features claimed herein.
Claims
1. A method for managing identity credentials, characterized in that, The method includes: When a target application requests an upgrade, the upgrade information corresponding to the target application is obtained, wherein the upgrade information includes upgrade data and upgrade method; Control the target application to generate a corresponding license file based on the upgrade method; After generating the authorization file, the target application is upgraded based on the upgrade data; The upgraded target application requests the corresponding identity credentials from the corresponding application backend based on the authorization file. Wherein, if the upgrade method involves switching the password module, the target application after the upgrade requests the corresponding identity credentials from the corresponding application backend based on the authorization file, including: The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file; After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair. The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application. If the target application's password module includes a separate password module, the upgraded target application, based on the authorization file, requests the corresponding identity credentials from the corresponding application backend, including: The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file; After the upgraded target application receives the user data returned by the application backend based on the file content, it establishes a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
2. The method according to claim 1, characterized in that, If the upgrade method involves switching a password module, the step of controlling the target application to generate a corresponding authorization file based on the upgrade method includes: The target application is controlled to obtain timestamp information, user identifier, certificate identifier and original application information corresponding to the target application, and based on the private key corresponding to the user identifier, the timestamp information, user identifier, certificate identifier and original application information are signed to obtain the corresponding signature value; The authorization file is generated based on the timestamp information, the user identifier, the certificate identifier, the original application information, and the signature value.
3. The method according to claim 1, characterized in that, If the upgrade method involves installing a new installation package, the step of controlling the target application to generate a corresponding license file based on the upgrade method includes: The target application is controlled to obtain timestamp information, user identifier, and updated application information corresponding to the newly installed package, and based on the private key corresponding to the user identifier, the timestamp information, the user identifier, and the updated application information are signed to obtain the corresponding signature value; The authorization file is generated based on the timestamp information, the user identifier, and the signature value.
4. The method according to claim 1, characterized in that, If the upgrade method involves installing a new installation package, the process further includes, before upgrading the target application based on the upgrade data: Determine the module type corresponding to the password module of the target application, and determine the corresponding user data based on the module type; The target application is controlled to send the user data and the file content of the authorization file to the application backend, so that the application backend can verify the file content and store the user data after the verification is successful.
5. The method according to claim 4, characterized in that, The module type includes an integrated cryptographic module. The target application after the control upgrade requests corresponding identity credentials from the corresponding application backend based on the authorization file, including: The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file; After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair. The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application.
6. An identity credential management device, characterized in that, The device includes: The acquisition module is used to acquire upgrade information corresponding to the target application when the target application requests an upgrade, wherein the upgrade information includes upgrade data and upgrade method; The first control module is used to control the target application to generate a corresponding license file based on the upgrade method; An upgrade module is used to upgrade the target application based on the upgrade data after the authorization file is generated; The second control module is used to control the upgraded target application and request the corresponding identity credentials from the corresponding application backend based on the authorization file. Wherein, if the upgrade method involves switching the password module, the second control module is specifically used for: The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file; After the upgraded target application receives user data returned by the application backend based on the file content, it controls the upgraded target application to generate a corresponding key pair based on the user data, and generates a corresponding identity credential request based on the key pair. The upgraded target application sends the identity credential request and the user data to the application backend, so that the application backend returns the corresponding identity credential to the upgraded target application. If the cryptographic module of the target application includes a separate cryptographic module, the second control module is further configured to: The upgraded target application sends a data request to the application backend, wherein the data request carries the file content of the authorization file; After the upgraded target application receives the user data returned by the application backend based on the file content, it establishes a mapping relationship between the upgraded target application and the identity credentials stored in the independent password module based on the user data.
7. An electronic device, characterized in that, It includes a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; Memory, used to store computer programs; A processor, when executing a program stored in memory, implements the steps of the method described in any one of claims 1-5.
8. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method described in any one of claims 1-5.