Cross-device identity continuity authentication method, apparatus, device, and storage medium
By employing a cross-device collaborative authentication method, combined with sleep/wake-up and ultra-wideband ranging, and utilizing an end-to-end encrypted communication link and a zero-knowledge proof protocol, the device dependency and positioning accuracy issues of traditional seamless access authentication are resolved, achieving continuity and security in identity authentication and providing a seamless access experience.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Application (China)
- Current Assignee / Owner
- DONGGUAN QIAOAN ZHILIAN TECHNOLOGY CO LTD
- Filing Date
- 2026-03-24
- Publication Date
- 2026-06-16
AI Technical Summary
Traditional contactless access authentication methods are highly dependent on device status, have low positioning accuracy, and are poorly adaptable to the environment, leading to authentication failures, false wake-ups, and false authentication problems, making it impossible to achieve accurate close-range identity verification.
A cross-device collaborative authentication method is adopted, which combines sleep/wake-up with ultra-wideband ranging. Through multi-device screening, end-to-end encrypted communication links, and zero-knowledge proof protocols, identity legitimacy verification is achieved, ensuring the continuity and security of authentication.
It reduces the standby power consumption and false wake-up probability of access control devices, solves the authentication failure caused by the failure of a single authentication terminal, balances convenience and security, and achieves a seamless access experience.
Figure CN122227239A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of identity authentication technology, and in particular to a method, apparatus, device and storage medium for cross-device identity continuity authentication.
Background Technology
[0002] With the rapid development of IoT, intelligent sensing and wireless communication technologies, contactless access authentication technology has been widely used in smart communities, smart homes, vehicle networks and other scenarios. This technology relies on the wireless interaction between various smart terminals and access control devices to achieve automated identity verification and access control without manual operation by users, which greatly improves access efficiency and user experience.
[0003] In traditional technologies, seamless access relies on a single wireless communication technology such as Bluetooth or Near Field Communication (NFC) to verify the identity of access control devices and terminal devices. Typically, the user's smartphone serves as the sole authentication terminal. The access control device completes identity recognition by receiving the Bluetooth key or NFC identifier sent by the phone, and then performs the unlocking operation.
[0004] However, traditional identity authentication methods still have many technical shortcomings: First, the authentication terminal is singular and highly dependent on the device status. If the mobile phone runs out of power or the network is unstable, authentication will fail directly, and the user will not be able to pass through. Device compatibility and authentication continuity are poor. Second, the positioning accuracy of single wireless communication technology is low. Judging distance solely by signal strength is prone to false wake-up and false authentication problems, making it impossible to achieve accurate close-range identity verification. Third, the authentication process has weak environmental adaptability, making it difficult to balance the convenience and security of authentication.
Summary of the Invention
[0005] Therefore, it is necessary to provide a cross-device identity continuity authentication method, apparatus, device, and storage medium that can achieve cross-device collaborative authentication, ensure identity authentication continuity, and has high-precision positioning and high security, in order to address the above-mentioned technical problems.
[0006] Firstly, this application provides a cross-device identity continuity authentication method, applied to access control devices, the method comprising:
[0007] While in a sleep state, it continuously acquires broadcast messages sent by at least one terminal device, and performs a wake-up operation when the signal strength of the broadcast message meets a preset wake-up threshold.
[0008] When in a wake-up state, an ultra-wideband communication connection is established with the terminal device that triggered the wake-up, and the distance to the terminal device is measured. If the distance measurement result is less than a preset safe distance threshold, the identity authentication process is executed.
[0009] In response to the initiation of the identity authentication process, a terminal device with preset biometric authentication capability is selected from the terminal devices that have established a communication connection as the authentication execution end, and a session key is generated through negotiation with the authentication execution end to establish an end-to-end encrypted communication link;
[0010] The identity legitimacy verification based on the zero-knowledge proof protocol is completed through the encrypted communication link with the authentication execution terminal. If the identity legitimacy verification is successful, the encrypted identity token sent by the authentication execution terminal is received.
[0011] The encrypted identity token is decrypted and its permissions are verified. If the verification is successful, the unlocking operation is performed.
[0012] In some embodiments of the method, the step of completing the distance measurement with the terminal device, and performing an identity authentication process if the distance measurement result is less than a preset safe distance threshold, includes:
[0013] The distance to the terminal device is measured by combining the time-of-flight and angle-of-arrival ranging algorithms.
[0014] When there are multiple terminal devices establishing a communication connection, the ranging results of each terminal device are merged to obtain a comprehensive ranging result. If the comprehensive ranging result is less than a preset safe distance threshold, an identity authentication process is executed.
[0015] In some embodiments of the method, the step of completing identity verification based on a zero-knowledge proof protocol with the authentication execution terminal via the encrypted communication link includes:
[0016] The system receives a commitment value sent by the authentication execution terminal, sends a random challenge value to the authentication execution terminal, receives a response value returned by the authentication execution terminal, verifies the validity of the response value using preset public key parameters, and determines that the identity legitimacy verification is successful if the verification is successful.
[0017] In some embodiments of the method, the step of decrypting and verifying the encrypted identity token, and performing an unlocking operation if the verification passes, includes:
[0018] The encrypted identity token, which includes a timestamp and a digital signature, is decrypted end-to-end using the session key generated through negotiation.
[0019] The validity of the digital signature, the legality of the timestamp, and the matching of the access permission information with the preset permissions of the access control device are verified.
[0020] If the verification is successful, the unlocking operation is performed, the authentication log is recorded, and the system returns to sleep mode. The authentication log includes at least one of the following: authentication time, authentication execution device identifier, and access permission information.
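An added worked example (not the patent's code) that instantiates the commitment / challenge / response exchange of [0016] with Schnorr identification in a prime-order subgroup and then applies the token checks of [0019] (signature, timestamp, permission) in that order. The patent names no concrete zero-knowledge protocol or signature scheme, so Schnorr is assumed for both; the group parameters are toy-sized and generated at run time, the token field names, the `sig` layout and the 30-second window are invented here, and the session-key encryption layer of [0018] is omitted, so the token below is what the access control device holds after decryption.

```python
import hashlib
import json
import secrets

def is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases; enough for a demo parameter search
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Toy-size safe prime p = 2q + 1 (assumed demo parameters); g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

# [0016]: commitment, challenge, response, verification (Schnorr identification, assumed here)
def prover_commit(group):
    """Terminal picks r and sends the commitment t = g^r; r is kept for the response."""
    p, q, g = group
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p)

def verifier_challenge(group):
    """Door sends a fresh random challenge; reusing one would allow transcript replay."""
    return secrets.randbelow(group[1])

def prover_respond(group, x, r, c):
    """Terminal answers s = r + c*x mod q; the uniform r hides the secret x."""
    return (r + c * x) % group[1]

def verifier_check(group, y, t, c, s):
    """Door accepts iff g^s == t * y^c (mod p), using only the public key y = g^x."""
    p, q, g = group
    return pow(g, s, p) == (t * pow(y, c, p)) % p

def _hash_to_q(group, big_r, message):
    h = hashlib.sha256(f"{big_r}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % group[1]

def sign_token(group, x, fields):
    """Schnorr signature over the canonical JSON of the token fields ([0018]: token carries a signature)."""
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1
    big_r = pow(g, k, p)
    e = _hash_to_q(group, big_r, json.dumps(fields, sort_keys=True))
    return dict(fields, sig={"R": big_r, "s": (k + e * x) % q})

def signature_valid(group, y, token):
    p, q, g = group
    fields = {k: v for k, v in token.items() if k != "sig"}
    e = _hash_to_q(group, token["sig"]["R"], json.dumps(fields, sort_keys=True))
    return pow(g, token["sig"]["s"], p) == (token["sig"]["R"] * pow(y, e, p)) % p

def check_token(group, y, token, door_permission, now, max_age_s=30):
    """Order of [0019]: signature, then timestamp window, then permission match against the door's preset."""
    if not signature_valid(group, y, token):
        return "bad signature"
    if not 0 <= now - token["ts"] <= max_age_s:
        return "timestamp outside window"
    if door_permission not in token["permissions"]:
        return "permission mismatch"
    return "unlock"

def run_demo():
    """One honest run plus the cases the door must reject; every value below is constructed."""
    group = make_group()
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1   # terminal's secret, never sent
    y = pow(g, x, p)                   # public key the access control device holds
    r, t = prover_commit(group)
    c = verifier_challenge(group)
    honest = verifier_check(group, y, t, c, prover_respond(group, x, r, c))
    impostor = verifier_check(group, y, t, c, prover_respond(group, x ^ 1, r, c))
    fields = {"dev": "DEMO-WATCH-01", "uid": "DEMO-USER", "permissions": ["door-A"], "ts": 1_000_000}
    token = sign_token(group, x, fields)
    tampered = dict(token, permissions=["door-A", "door-B"])  # permission added after signing
    return {"zkp_honest": honest, "zkp_impostor": impostor,
            "fresh": check_token(group, y, token, "door-A", now=1_000_010),
            "stale": check_token(group, y, token, "door-A", now=1_000_100),
            "wrong_door": check_token(group, y, token, "door-B", now=1_000_010),
            "tampered": check_token(group, y, tampered, "door-B", now=1_000_010)}
```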
[0021] In some embodiments of the method, the access control device pre-stores a local cache of permission policies and user public keys, and the method further includes:
[0022] When offline, the local cache is invoked to complete the verification;
[0023] When the system is online, the verification is completed after updating the local cache.
[0024] If the identity verification fails or the authorization verification fails, supplementary authentication is performed through near-field communication authentication or password authentication. If the supplementary authentication is successful, the unlocking operation is performed.
[0025] According to a second aspect of the present disclosure, a cross-device identity continuity authentication method is provided, applied to a terminal device, the method comprising:
[0026] Complete the binding with the server and obtain the device identifier, authentication key and access permission information issued by the server;
[0027] Broadcast messages carrying user identification are continuously sent at a preset period, and the broadcast messages are used to trigger the wake-up operation of the access control device;
[0028] Upon receiving an ultra-wideband communication connection request initiated by the access control device, an ultra-wideband communication connection is established with the access control device to cooperate with the access control device in completing distance measurement;
[0029] When selected as the authentication execution end by the access control device, the authentication key is used to negotiate and generate a session key with the access control device to establish an end-to-end encrypted communication link. The identity legitimacy verification based on the zero-knowledge proof protocol is completed with the access control device through the encrypted communication link.
[0030] If the identity verification is successful, the identity token, which includes the device identifier, the access permission information, and the user identity identifier, is encrypted using the authentication key to generate an encrypted identity token. The encrypted identity token is then sent to the access control device via the encrypted communication link. The encrypted identity token is used by the access control device to complete the unlocking operation.
[0031] According to a third aspect of the present disclosure, a cross-device identity continuity authentication device is provided, applied to an access control device, the device comprising:
[0032] The wake-up detection module is used to continuously acquire broadcast messages sent by at least one terminal device while in a sleep state, and to perform a wake-up operation when the signal strength of the broadcast message meets a preset wake-up threshold.
[0033] The ranging authentication startup module is used to establish an ultra-wideband communication connection with the terminal device that triggered the wake-up when the device is in a wake-up state, complete the distance measurement to the terminal device, and execute the identity authentication process when the ranging result is less than a preset safe distance threshold.
[0034] The communication link establishment module is used to respond to the start of the identity authentication process by selecting terminal devices with preset biometric authentication capabilities from the terminal devices establishing communication connections as authentication execution terminals, negotiating with the authentication execution terminals to generate session keys, and establishing an end-to-end encrypted communication link.
[0035] The first identity verification module is used to complete identity legitimacy verification based on the zero-knowledge proof protocol with the authentication execution terminal through the encrypted communication link, and to receive the encrypted identity token sent by the authentication execution terminal if the identity legitimacy verification is successful.
[0036] The unlocking module is used to decrypt the encrypted identity token and verify its permissions, and to perform the unlocking operation if the verification is successful.
[0037] According to a fourth aspect of the present disclosure, a cross-device identity continuity authentication apparatus is provided, applied to a terminal device, the apparatus comprising:
[0038] The device binding module is used to complete the binding with the server and obtain the device identifier, authentication key and access permission information issued by the server.
[0039] The broadcast message sending module is used to continuously send broadcast messages carrying user identification at a preset period, and the broadcast messages are used to trigger the wake-up operation of the access control device;
[0040] The communication module is used to establish an ultra-wideband communication connection with the access control device when it receives an ultra-wideband communication connection request initiated by the access control device, and cooperate with the access control device to complete distance measurement;
[0041] The second authentication module is used to negotiate and generate a session key with the access control device using the authentication key when selected as the authentication execution end by the access control device, establish an end-to-end encrypted communication link, and complete the identity legitimacy verification based on the zero-knowledge proof protocol with the access control device through the encrypted communication link.
[0042] An identity token sending module is used to, when the identity legitimacy verification is passed, encrypt an identity token including the device identifier, the access permission information and the user identity identifier using the authentication key to generate an encrypted identity token, and send the encrypted identity token to the access control device through the encrypted communication link. The encrypted identity token is used by the access control device to complete the unlocking operation.
[0043] According to a fifth aspect of the present disclosure, a computer device is provided. The computer device includes a memory and a processor, the memory storing a computer program, and the processor executing the computer program to implement the cross-device identity continuity authentication method described above.
[0044] According to a sixth aspect of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program thereon, which, when executed by a processor, implements the cross-device identity continuity authentication method described above.
[0045] According to a seventh aspect of the present disclosure, a computer program product is provided. The computer program product includes a computer program that, when executed by a processor, implements the cross-device identity continuity authentication method described above.
[0046] The cross-device identity continuity authentication scheme provided in this application can reduce the standby power consumption and false wake-up probability of access control devices through sleep wake-up and ultra-wideband ranging. At the same time, it solves the problem of authentication failure caused by the failure of a single authentication terminal by multi-device screening, thus ensuring the continuity of identity authentication. By combining end-to-end encrypted communication links with zero-knowledge proof protocols, it completes identity legitimacy verification without disclosing user privacy data, taking into account both the convenience and security of the authentication process, and realizing a seamless passage experience for users without manual operation.
[0047] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.
Attached Figure Description
[0048] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure, and are not intended to unduly limit this disclosure.
[0049] Figure 1 is a flowchart illustrating a cross-device identity continuity authentication method applied to an access control device according to an exemplary embodiment;
[0050] Figure 2 is a flowchart illustrating a cross-device identity continuity authentication method applied to a terminal device according to an exemplary embodiment;
[0051] Figure 3 is a structural block diagram illustrating a cross-device identity continuity authentication apparatus applied to an access control device according to an exemplary embodiment;
[0052] Figure 4 is a structural block diagram of a cross-device identity continuity authentication apparatus applied to a terminal device, according to an exemplary embodiment;
[0053] Figure 5 is a diagram illustrating the internal structure of a computer device according to an exemplary embodiment.
Detailed Implementation
[0054] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0055] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this disclosure are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this disclosure described herein can be implemented in orders other than those illustrated or described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this disclosure. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this disclosure. The terms "comprising," "including," or any other variations thereof are intended to cover a non-exclusive inclusion, such that a process, method, product, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, product, or apparatus. Without further limitations, the presence of other identical or equivalent elements in a process, method, product, or apparatus that includes said elements is not excluded. For example, the use of terms such as "first," "second," etc., to denote names does not indicate any specific order.
[0056] In some embodiments provided in this disclosure, the execution of the cross-device identity continuity authentication method can be controlled by a unified controller or by multiple controllers. These controllers may include controllers of local terminals or controllers of remote servers. In some embodiments, the controllers of local terminals and the controllers of servers may jointly assist in completing the cross-device identity continuity authentication control processing. The local terminal mentioned in this disclosure may include, but is not limited to, various robotic devices, in-vehicle devices, personal computers, laptops, smartphones, tablets, wearable devices, medical devices, VR (Virtual Reality) devices, etc. The server may be a single server, a server cluster, a distributed subsystem, a cloud processing platform, a server containing blockchain nodes, or a combination thereof. The controllers described in this disclosure may include various control units capable of implementing logic processing functions, including but not limited to CPU (Central Processing Unit), PLC (Programmable Logic Controller), ECU (Electronic Control Unit), MCU (Microcontroller Unit), FPGA (Field Programmable Gate Array), and CPLD (Complex Programmable Logic Device), as well as controllers composed of one or more logic function units, chips, etc.
[0057] In some embodiments of this disclosure, a cross-device identity continuity authentication method is provided, applied to access control devices. As shown in Figure 1, it includes the following steps:
[0058] S20. While in a sleep state, continuously acquire broadcast messages sent by at least one terminal device, and when the signal strength of the broadcast message is detected to meet a preset wake-up threshold, perform a wake-up operation.
[0059] Access control devices typically refer to intelligent devices deployed at various entrances and exits, possessing the ability to manage access permissions and control physical opening and closing. Access control devices can integrate wireless communication units, encrypted computing units, drive execution units, and sleep / wake-up control units. They can continuously sense wireless signals from the surrounding environment in low-power standby mode, and after completing a full identity verification process, drive the execution mechanism to grant access permission. Common deployment scenarios include residential entrance doors, community unit doors, underground parking garage entrances and exits, and access control points in office areas.
[0060] Terminal devices typically refer to smart portable devices that users can wear or carry. They usually possess wireless communication and secure storage capabilities, enabling secure storage of identity credentials, transmission and reception of wireless signals, ranging interaction, and execution of encrypted authentication processes. They can also bind identities and issue credentials to servers, and perform two-way wireless interaction and identity verification with access control devices. Terminal devices can include smart handheld terminals and wearable smart devices, among others.
[0061] Sleep mode typically refers to a low-power operating mode in which access control devices run to reduce standby power consumption. In this mode, only the low-power wireless signal monitoring function is kept running, while non-essential functions such as computing, communication, and drive execution are turned off. The device can be woken up in response to wireless broadcast signals that meet preset conditions.
[0062] Broadcast messages typically refer to wireless data frames sent out by terminal devices at fixed intervals via low-power wireless communication. The data frames carry de-identified information related to the user's identity and can be received and recognized by nearby access control devices that are listening, in order to trigger the access control device's wake-up determination and subsequent interaction process.
[0063] The preset wake-up threshold usually refers to the signal strength judgment standard configured in the access control device to determine whether to perform a wake-up operation. The access control device will compare the real-time signal strength of the broadcast message it listens for with the standard. When the signal strength meets the standard requirements, the subsequent wake-up operation will be initiated.
[0064] S22. When in a wake-up state, establish an ultra-wideband communication connection with the terminal device that triggered the wake-up, complete the distance measurement to the terminal device, and execute the identity authentication process if the distance measurement result is less than the preset safe distance threshold.
[0065] The wake-up state usually refers to the full-function working mode that the access control device is in after completing the wake-up operation. In this mode, all functional modules of the access control device, such as the ultra-wideband communication unit, encryption calculation unit, and permission verification unit, are started and can establish a normal communication connection with the terminal device to perform ranging interaction and complete identity authentication process.
[0066] Ultra-wideband (UWB) communication connections typically refer to short-range, high-speed wireless communication links established between access control devices and terminal devices based on UWB wireless communication technology. These links have strong anti-interference capabilities and high ranging accuracy, and can be used for stable transmission of bidirectional ranging interaction and authentication-related data between access control devices and terminal devices.
[0067] Distance measurement typically refers to the real-time calculation of the physical spatial distance between access control devices and terminal devices through an established ultra-wideband communication link and a corresponding ranging algorithm. This operation can accurately determine the actual distance between the user and the access control device.
[0068] The distance measurement result usually refers to the specific value of the physical spatial distance between the access control device and the terminal device after the distance measurement operation is completed. This value will serve as one of the core bases for the access control device to determine whether to start the identity authentication process.
[0069] The preset safe distance threshold usually refers to the distance judgment standard that is pre-configured in the access control device to determine whether to start the identity authentication process. The access control device will compare the real-time distance value obtained by distance measurement with the standard. When the distance measurement result is less than the standard requirement, the subsequent identity authentication process will be started.
[0070] The identity authentication process typically refers to a series of standardized interactive operations performed between access control devices and terminal devices to verify the legitimacy of a user's identity and confirm access rights.
[0071] S24. In response to initiating the identity authentication process, select a terminal device with preset biometric authentication capability from the terminal devices that have established a communication connection as the authentication execution end, negotiate with the authentication execution end to generate a session key, and establish an end-to-end encrypted communication link.
[0072] Preset biometric authentication capability typically refers to the hardware and software capability of a terminal device to verify the user's identity through biometric identification. Because such a capability can confirm the legitimacy of the user's identity in advance, it serves as the criterion by which the access control device screens for the authentication execution end. Biometric capabilities can include fingerprint recognition, heart rate recognition, and vein recognition, among others.
[0073] The authentication execution terminal typically refers to the terminal device selected by the access control device from multiple established communication connections after initiating the identity authentication process. This terminal device is used to perform the complete identity authentication interaction. The authentication execution terminal usually needs to have corresponding biometric authentication capabilities and be able to complete core authentication operations such as zero-knowledge proofs, identity token generation, and encrypted transmission.
[0074] A session key typically refers to a temporary symmetric encryption key generated by the access control device and the authentication execution terminal through a preset key negotiation protocol after the identity authentication process is initiated. This key is only used for the current authentication interaction process and has the characteristic of being valid for a single session. It is used to establish an end-to-end encrypted communication link and realize the encrypted transmission of authentication data.
[0075] An encrypted communication link typically refers to an end-to-end secure data transmission channel established between access control devices and authentication execution terminals based on a negotiated session key. All data transmitted within this channel is encrypted using the session key, effectively preventing data from being stolen, tampered with, or eavesdropped on during transmission and ensuring data security during the authentication interaction process.
[0076] S26. Complete the identity legitimacy verification based on the zero-knowledge proof protocol with the authentication execution terminal through the encrypted communication link, and receive the encrypted identity token sent by the authentication execution terminal if the identity legitimacy verification is successful.
[0077] Zero-knowledge proof protocols typically refer to authentication protocols based on cryptographic principles that are pre-configured in access control devices and terminal devices. Through this protocol, the terminal device can prove the legitimacy of its identity to the access control device without disclosing any user identity privacy data. It can also support verification operations in offline environments and is the core cryptographic foundation for achieving secure and seamless authentication.
[0078] Identity verification typically refers to the verification operation between access control devices and the authentication execution terminal based on a zero-knowledge proof protocol to determine whether the identity of the user corresponding to the terminal device is legitimate and valid. This operation does not disclose the user's privacy and identity information throughout the entire process. The verification result is determined only through a preset cryptographic interaction process. Only after the verification is successful can the subsequent token transmission and permission verification process begin.
[0079] An encrypted identity token typically refers to an encrypted data string generated by the authentication execution end after the identity legitimacy verification is passed, which uses a session key to encrypt the identity credential containing the user's identity identifier, device identifier, access permission information, timestamp, and digital signature. This data string can be decrypted using the corresponding session key.
[0080] S28. Decrypt and verify the encrypted identity token, and perform the unlocking operation if the verification is successful.
[0081] Access control devices typically perform a complete compliance check on the decrypted identity token across several dimensions, such as the validity of the digital signature in the token, the legality of the timestamp, and the match between the access permission information and the preset permissions of the access control device. Only after all verification items pass will the access control device perform the unlocking operation.
[0082] In some embodiments of this disclosure, the standby power consumption and false wake-up probability of access control devices can be reduced by sleep wake-up and ultra-wideband ranging. At the same time, the problem of authentication failure caused by a single authentication terminal failure can be solved by multi-device screening, ensuring the continuity of identity authentication. By combining end-to-end encrypted communication links with zero-knowledge proof protocols, identity legitimacy verification can be completed without disclosing user privacy data, taking into account both the convenience and security of the authentication process, and realizing a seamless passage experience for users without manual operation.
[0083] In some implementations, the access control device in sleep mode continuously monitors wireless broadcast signals in the surrounding environment. In sleep mode, only the low-power Bluetooth signal monitoring function is retained, while all other computing and execution units are turned off to reduce standby power consumption. The access control device performs real-time signal strength determination on the monitored broadcast messages. When the signal strength of the broadcast message meets the preset wake-up criteria, a complete wake-up operation is performed, activating the relevant functional modules within the device.
[0084] In some embodiments of this disclosure, S22 includes:
[0085] The distance to the terminal device is measured by combining time-of-flight and angle-of-arrival ranging algorithms.
[0086] When there are multiple terminal devices establishing a communication connection, the ranging results of each terminal device are merged to obtain a comprehensive ranging result. If the comprehensive ranging result is less than a preset safe distance threshold, an identity authentication process is executed.
[0087] In some implementations, the access control device that completes the wake-up operation will proactively establish an ultra-wideband communication connection with the terminal device that triggered the wake-up. Based on the wireless transmission characteristics of ultra-wideband communication, it will perform bidirectional distance measurement with the terminal device to obtain real-time distance data between the access control device and the terminal device. The access control device will judge the obtained distance measurement result. If the distance measurement result is less than the preset safe distance judgment standard, it will formally start the subsequent identity authentication process. If the distance measurement result does not meet the safe distance judgment standard, it will terminate the current interaction process and return to a low-power sleep listening state.
[0088] In some examples, when the access control device measures distance to the terminal device, it can combine Time of Flight (TOF) and Angle-of-Arrival (AOA) ranging algorithms to calculate the final distance measurement result, thereby improving the accuracy and anti-interference capability of the distance measurement. In other examples, when the access control device establishes ultra-wideband communication connections with multiple terminal devices simultaneously, it can obtain the distance measurement results for each terminal device separately, and then fuse multiple sets of distance measurement results to obtain a comprehensive distance measurement result. The subsequent identity authentication process will only be executed when the comprehensive distance measurement result is less than a preset safe distance judgment standard. By fusing the distance measurement results of multiple devices, the probability of false wake-up and false authentication is further reduced.
[0089] In some embodiments of this disclosure, the combination of time-of-flight and angle-of-arrival ranging algorithms significantly improves the accuracy and anti-interference capability of distance measurement, avoiding the ranging error problem caused by environmental influences in a single ranging algorithm; at the same time, the fusion calculation of ranging results from multiple devices further improves the accuracy of distance determination, effectively reduces the probability of false wake-up and false authentication, and ensures that the identity authentication process will only be initiated when the user is within the preset safe passage range.
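The ranging gate described in [0085] to [0089], as an added example rather than the patent's own algorithm. It assumes asymmetric double-sided two-way ranging (DS-TWR) timestamps for time of flight, angle of arrival from the phase difference between two antennas spaced half a wavelength apart, rejection of terminals whose bearing falls outside the door's field of view, and a median over the surviving per-terminal distances as the "comprehensive ranging result"; the thresholds and all sample timestamps are constructed.

```python
"""UWB ranging gate for S22: TOF + AOA per terminal, multi-terminal fusion, threshold check.

Added example (not from the patent). The fusion rule (angle gating + median) and the
threshold values are assumptions chosen for illustration.
"""
import math
from statistics import median
from typing import List, Optional

C = 299_792_458.0                      # speed of light, m/s
UWB_CH5_WAVELENGTH_M = C / 6.4896e9    # UWB channel 5 centre frequency
SAFE_DISTANCE_M = 1.5                  # constructed "preset safe distance threshold"
DOOR_FOV_DEG = 60.0                    # constructed half-angle of the door's field of view


def ds_twr_tof(t_round1: float, t_reply1: float, t_round2: float, t_reply2: float) -> float:
    """Asymmetric DS-TWR time of flight (seconds). The formula cancels the clock offset
    between door and terminal, so neither side needs a synchronised clock."""
    return (t_round1 * t_round2 - t_reply1 * t_reply2) / (t_round1 + t_round2 + t_reply1 + t_reply2)


def distance_m(tof_s: float) -> float:
    return C * tof_s


def aoa_deg(phase_diff_rad: float, spacing_m: float = UWB_CH5_WAVELENGTH_M / 2) -> float:
    """Bearing from phase difference of arrival; the ratio is clamped because
    measurement noise can push it slightly past +/-1."""
    ratio = phase_diff_rad * UWB_CH5_WAVELENGTH_M / (2 * math.pi * spacing_m)
    return math.degrees(math.asin(max(-1.0, min(1.0, ratio))))


def per_terminal_distance(sample: dict) -> Optional[float]:
    """One terminal's distance, or None when its bearing says it is not in front of the door
    (a phone in a neighbouring corridor should not count towards the gate)."""
    bearing = aoa_deg(sample["pdoa_rad"])
    if abs(bearing) > DOOR_FOV_DEG:
        return None
    tof = ds_twr_tof(sample["t_round1"], sample["t_reply1"], sample["t_round2"], sample["t_reply2"])
    return distance_m(tof)


def comprehensive_distance(samples: List[dict]) -> Optional[float]:
    """Fuse the per-terminal results of one user (e.g. phone and watch) into a single value."""
    ds = [d for d in (per_terminal_distance(s) for s in samples) if d is not None]
    return median(ds) if ds else None


def should_start_authentication(samples: List[dict]) -> bool:
    """True only when a usable fused distance exists and it is inside the safe range."""
    d = comprehensive_distance(samples)
    return d is not None and d < SAFE_DISTANCE_M


def make_sample(true_distance_m: float, bearing_deg: float,
                reply1: float = 300e-6, reply2: float = 450e-6) -> dict:
    """Constructed DS-TWR timestamps and PDoA for a terminal at a given range and bearing."""
    tof = true_distance_m / C
    pdoa = math.pi * math.sin(math.radians(bearing_deg))  # half-wavelength spacing => ratio = sin(theta)
    return {"t_round1": reply1 + 2 * tof, "t_reply1": reply1,
            "t_round2": reply2 + 2 * tof, "t_reply2": reply2, "pdoa_rad": pdoa}
```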
[0090] In some implementations, after the authentication process is initiated, the access control device can detect the status and capabilities of all terminal devices with established communication connections, and select terminal devices with preset biometric authentication capabilities as the execution end for this authentication process. After selecting the authentication execution end, the access control device and the terminal device will complete bidirectional negotiation and generation of a session key through a preset key negotiation protocol. Based on the negotiated session key, an end-to-end encrypted communication link is established between the access control device and the authentication execution end. All subsequent authentication-related data interactions are completed through this encrypted communication link, thereby ensuring the security of data transmission. After the encrypted communication link is established, the access control device can complete identity verification based on a zero-knowledge proof protocol with the authentication execution end through the encrypted communication link. Throughout the verification process, the authentication execution end does not need to disclose any privacy data related to the user's identity to the access control device. It only needs to complete the proof of identity legitimacy through a preset interaction process. The access control device then determines the verification result based on the preset public key parameters. When the identity legitimacy verification is successful, the access control device will receive the encrypted identity token sent by the authentication execution end through an encrypted communication link. If the verification fails, the authentication process will be terminated directly and the device will return to the dormant listening state.
[0091] In some embodiments of this disclosure, S26 includes:
[0092] The system receives a commitment value sent by the authentication execution terminal, sends a random challenge value to the authentication execution terminal, receives a response value returned by the authentication execution terminal, verifies the validity of the response value using preset public key parameters, and determines that the identity legitimacy verification is successful if the verification is successful.
[0093] In some implementations, the access control device first receives the commitment value sent by the authentication execution terminal, then sends a randomly generated challenge value to the authentication execution terminal, and then receives the response value calculated and returned by the authentication execution terminal based on the commitment value and the challenge value. Finally, the validity of the response value is verified by the locally pre-stored public key parameter. If the verification is successful, the identity legality verification is determined to be successful, thus completing the complete zero-knowledge proof interaction process without disclosing the user's privacy and identity information.
[0094] In some embodiments of this disclosure, zero-knowledge proof interaction enables offline verification of user identity. The entire process does not require the terminal device to disclose any privacy data related to user identity to the access control device, nor does it rely on a real-time network connection to complete identity verification. This not only protects user privacy and security but also improves the adaptability of the solution in offline environments. At the same time, the verification method based on public key parameters avoids the risk of the key being stolen and tampered with during transmission, further enhancing the security of identity authentication.
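The commitment, challenge and response exchange of [0092] to [0094], written out as an added example that is not the patent's code. The page does not name a concrete zero-knowledge protocol; this block assumes the Schnorr identification protocol, with the user's public key as the "preset public key parameter" cached on the access control device, and uses a constructed toy-sized group so it runs instantly.

```python
"""Commit-challenge-response identity verification over pre-stored public parameters.

Added example, not code from the patent. Assumed instantiation: Schnorr identification
in a prime-order subgroup of Z_p^*. The group constants are a constructed toy set;
a deployment would use a group of cryptographic size, where a cheating prover's
chance of guessing the challenge (here 1/508) becomes negligible.
"""
import secrets
from dataclasses import dataclass
from typing import Tuple

# Constructed toy group: p = 2q + 1 with q prime; g = 4 = 2^2 generates the order-q subgroup.
P = 1019
Q = 509
G = 4


@dataclass(frozen=True)
class PublicParams:
    """What the access control device caches: group description and the user's public key y = g^x."""
    p: int
    q: int
    g: int
    y: int


def keygen() -> Tuple[int, PublicParams]:
    """Enrolment: the secret x stays in the terminal's secure storage, only y is published."""
    x = secrets.randbelow(Q - 1) + 1  # 1 <= x <= q-1
    return x, PublicParams(P, Q, G, pow(G, x, P))


class AuthenticationExecutionEnd:
    """Prover (terminal device). Never transmits x; each run uses fresh randomness r."""

    def __init__(self, x: int, params: PublicParams):
        self.x, self.params = x, params
        self._r = None

    def commit(self) -> int:
        """Step 1: commitment value t = g^r mod p."""
        self._r = secrets.randbelow(self.params.q - 1) + 1
        return pow(self.params.g, self._r, self.params.p)

    def respond(self, c: int) -> int:
        """Step 3: response s = r + c*x mod q. r is discarded so it is never reused
        (two responses with the same r and different c would reveal x)."""
        if self._r is None:
            raise RuntimeError("respond() called without a pending commitment")
        s = (self._r + c * self.x) % self.params.q
        self._r = None
        return s


class AccessControlDevice:
    """Verifier. Needs only the cached PublicParams, so it works offline."""

    def __init__(self, params: PublicParams):
        self.params = params

    def challenge(self) -> int:
        """Step 2: unpredictable non-zero challenge. c = 0 would make the check g^s == t,
        which any prover can satisfy without knowing x, so 0 is excluded."""
        return secrets.randbelow(self.params.q - 1) + 1

    def verify(self, t: int, c: int, s: int) -> bool:
        """Step 4: accept iff g^s == t * y^c (mod p), after checking t is a valid subgroup element."""
        p, q, g, y = self.params.p, self.params.q, self.params.g, self.params.y
        if not (1 < t < p) or pow(t, q, p) != 1:
            return False
        if not (0 <= s < q):
            return False
        return pow(g, s, p) == (t * pow(y, c, p)) % p


def run_protocol(prover: AuthenticationExecutionEnd, verifier: AccessControlDevice) -> bool:
    """One round of the S26 exchange as carried over the encrypted link."""
    t = prover.commit()          # terminal -> door: commitment value
    c = verifier.challenge()     # door -> terminal: random challenge value
    s = prover.respond(c)        # terminal -> door: response value
    return verifier.verify(t, c, s)
```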
[0095] In some embodiments of this disclosure, S28 includes:
[0096] The encrypted identity token, which includes a timestamp and a digital signature, is decrypted end-to-end using the session key generated through negotiation.
[0097] The validity of the digital signature, the legality of the timestamp, and the matching of the access permission information with the preset permissions of the access control device are verified.
[0098] If the verification is successful, the unlocking operation is performed, the authentication log is recorded, and the system returns to sleep mode. The authentication log includes at least one of the following: authentication time, authentication execution device identifier, and access permission information.
[0099] In some implementations, upon receiving an encrypted identity token, the access control device first decrypts the token using the negotiated session key to obtain the complete data content within it. Then, it performs a full permission verification on the decrypted token. This verification includes checking the validity of the digital signature, the legality of the timestamp, and the matching of access permission information with the access control device's preset permissions. Once all verifications pass, the access control device activates its internal actuator to complete the unlocking operation, simultaneously recording the complete log data of this authentication process. After completing all operations, it returns to a low-power sleep monitoring state. If any verification fails during the permission check, the process is terminated, and the unlocking operation is refused.
[0100] In some implementations, after completing the unlocking operation, the access control device stores the complete authentication log data locally and synchronizes it to the server when the network is connected. The log data may include authentication time, device identifier of the authentication execution terminal, and access permission information. The local storage area of the access control device may pre-store local cache data of access control policies and user public keys.
[0101] In some examples, when the access control device is offline and without network access, it can directly use locally cached data to complete zero-knowledge proof verification and identity token permission verification. When the access control device is online and has network access, it can first obtain the latest permission policy and public key data from the server to update the local cache, and then complete the relevant verification operations based on the updated data. This ensures that the complete authentication and access process can still be completed even when offline. If the identity legitimacy verification or identity token permission verification fails in the current authentication process, the access control device can initiate a supplementary authentication process to complete supplementary identity verification through NFC authentication or password authentication. After the supplementary authentication is successful, the unlocking operation can still be performed, thereby improving the fault tolerance and environmental adaptability of the authentication solution.
[0102] In some embodiments of this disclosure, end-to-end decryption with the session key ensures the data security of the identity token during transmission. At the same time, verifying the validity of the digital signature, the legality of the timestamp, and the matching of permissions provides multi-dimensional verification of the identity token, effectively preventing replay attacks and the use of forged tokens for illegal passage.
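The permission verification of [0096] to [0099] and the replay protection noted in [0102], as an added example that is not the patent's code. It assumes the token has already been decrypted with the negotiated session key and is JSON; because the page does not fix a signature scheme, an HMAC-SHA256 tag under a per-user key cached on the access control device stands in for the digital signature so the block runs with the standard library only (a deployment would verify an asymmetric signature against the cached user public key). All keys, identifiers and policy values are constructed.

```python
"""S28 after decryption: signature, timestamp window, replay check, permission match.

Added example (not from the patent). HMAC-SHA256 stands in for the token's digital
signature; the clock-skew window and door identifiers are constructed values.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

MAX_CLOCK_SKEW_S = 30  # how far the token timestamp may differ from the door's clock


def canonical_bytes(fields: dict) -> bytes:
    """Deterministic encoding so issuer and verifier authenticate identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_token(key: bytes, uid: str, dev: str, perms: List[str], ts: int, nonce: str) -> bytes:
    """Terminal-side issuance of the (plaintext) identity token; used here to build inputs."""
    body = {"uid": uid, "dev": dev, "perms": perms, "ts": ts, "nonce": nonce}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return json.dumps({**body, "sig": tag}).encode()


class UnlockVerifier:
    """Access-control-side check of a decrypted token against this door's preset permissions."""

    def __init__(self, door_id: str, user_keys: Dict[str, bytes]):
        self.door_id = door_id
        self.user_keys = user_keys   # local cache: uid -> verification key (stand-in for public keys)
        self.seen: Dict[str, int] = {}  # nonce -> ts of tokens accepted inside the window

    def verify(self, token: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            tok = json.loads(token)
            body = {k: tok[k] for k in ("uid", "dev", "perms", "ts", "nonce")}
            sig = tok["sig"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # 1. Signature validity first: nothing else in the token is trusted until this passes.
        key = self.user_keys.get(body["uid"])
        if key is None:
            return False, "unknown user"
        expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
        if not isinstance(sig, str) or not hmac.compare_digest(expected, sig):
            return False, "signature"
        # 2. Timestamp legality: bounded window, so old captures cannot be presented later.
        if not isinstance(body["ts"], int) or abs(now - body["ts"]) > MAX_CLOCK_SKEW_S:
            return False, "timestamp"
        # 3. Replay: a token already accepted inside the window is not accepted again.
        self._prune(now)
        if body["nonce"] in self.seen:
            return False, "replay"
        # 4. Permission match against this door's preset permissions.
        if not isinstance(body["perms"], list) or self.door_id not in body["perms"]:
            return False, "permission"
        self.seen[body["nonce"]] = body["ts"]
        return True, "unlock"

    def _prune(self, now: int) -> None:
        """Drop nonces whose tokens would now fail the timestamp check anyway."""
        self.seen = {n: ts for n, ts in self.seen.items() if abs(now - ts) <= MAX_CLOCK_SKEW_S}
```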
[0103] In some embodiments of this disclosure, the access control device pre-stores a local cache of permission policies and user public keys, and the method further includes:
[0104] When offline, the local cache is invoked to complete the verification;
[0105] When the system is online, the verification is completed after updating the local cache.
[0106] If the identity verification fails or the authorization verification fails, supplementary authentication is performed through near-field communication authentication or password authentication. If the supplementary authentication is successful, the unlocking operation is performed.
[0107] In some embodiments of this disclosure, a complete identity authentication and permission verification process can be achieved offline through locally cached permission policies and public key data, solving the problem that users cannot complete authentication and access under network failure or unstable network conditions, and greatly improving environmental adaptability; the timeliness of permission policies and public key data is ensured by automatic cache updates in online mode; at the same time, the setting of supplementary authentication mechanisms can improve the fault tolerance of the scheme, and identity verification can still be completed through other methods when the main authentication process is abnormal, ensuring the normal access needs of users.
[0108] The cross-device identity continuity authentication methods disclosed herein can reduce the standby power consumption and false wake-up probability of access control devices through sleep wake-up and ultra-wideband ranging. At the same time, they can solve the problem of authentication failure caused by the failure of a single authentication terminal by multi-device screening, thus ensuring the continuity of identity authentication. By combining end-to-end encrypted communication links with zero-knowledge proof protocols, identity legitimacy verification can be completed without disclosing user privacy data, taking into account both the convenience and security of the authentication process, and realizing a seamless passage experience for users without manual operation.
[0109] In some embodiments of this disclosure, a cross-device identity continuity authentication method is also provided, applied to terminal devices. As shown in Figure 2, it includes the following steps:
[0110] S40. Complete the binding with the server and obtain the device identifier, authentication key and access permission information issued by the server;
[0111] S42. Continuously send broadcast messages carrying user identification according to a preset period, the broadcast messages being used to trigger the wake-up operation of the access control device;
[0112] S44. Upon receiving an ultra-wideband communication connection request initiated by the access control device, establish an ultra-wideband communication connection with the access control device and cooperate with the access control device to complete distance measurement;
[0113] S46. When selected as the authentication execution end by the access control device, the authentication key is used to negotiate with the access control device to generate a session key, and an end-to-end encrypted communication link is established. The identity legitimacy verification based on the zero-knowledge proof protocol is completed with the access control device through the encrypted communication link.
[0114] S48. If the identity legitimacy verification is successful, the identity token including the device identifier, the access permission information and the user identity identifier is encrypted using the authentication key to generate an encrypted identity token, and the encrypted identity token is sent to the access control device through the encrypted communication link. The encrypted identity token is used by the access control device to complete the unlocking operation.
[0115] In some implementations, the terminal device can complete the user identity binding and device registration process with the server before it is officially put into use. After the registration and binding are completed, the terminal device can obtain the unique device identifier, authentication key and corresponding access permission information issued by the server, and store the relevant data securely in the secure storage area within the device to prevent the data from being illegally stolen or tampered with.
[0116] Once the terminal device has completed registration and binding, it can continuously send broadcast messages carrying the user's identity identifier via Bluetooth Low Energy at preset fixed intervals. The broadcast messages can be received by nearby access control devices that are in a dormant listening state, and can be used to trigger the wake-up operation of the access control devices. The user identity identifier in the broadcast message has been hashed to ensure that the user's real identity information is not leaked, thus protecting the user's privacy and security.
[0117] When the terminal device receives an ultra-wideband communication connection request initiated by the access control device, it can establish an ultra-wideband communication connection with the access control device, cooperate with the access control device to complete the two-way distance measurement process, and send back the relevant data required for distance measurement to the access control device to complete the real-time distance calculation between the access control device and the terminal device.
[0118] When a terminal device is selected by an access control device as the authentication execution end for this authentication process, it can use the locally securely stored authentication key to complete the bidirectional negotiation and generation of a session key with the access control device through a preset key negotiation protocol. Based on the negotiated session key, an end-to-end encrypted communication link is established with the access control device. Subsequently, the identity legitimacy verification based on a zero-knowledge proof protocol is completed with the access control device through the encrypted communication link, without disclosing the user's privacy and identity data throughout the entire process.
[0119] Once the identity verification is successful, the terminal device can use the locally stored authentication key to encrypt the identity token containing the device identifier, the access permission information and the user's identity identifier, generating an encrypted identity token. Then, through the established encrypted communication link, the encrypted identity token is sent to the access control device, enabling the access control device to complete the subsequent permission verification and unlocking operations.
[0120] It is understood that the various embodiments of the methods described in this specification are presented in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. Related details can be found in the descriptions of other method embodiments.
[0121] It should be understood that although the steps in the flowcharts shown in the accompanying drawings are displayed sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some of the steps in the accompanying drawings may include multiple steps or stages, which are not necessarily completed at the same time, but may be executed at different times, and the execution order of these steps or stages is not necessarily sequential, but may be performed alternately or in turn with other steps or at least a portion of the steps or stages of other steps.
[0122] Based on the description of the cross-device identity continuity authentication method embodiments described above, this disclosure also provides a cross-device identity continuity authentication apparatus for implementing the cross-device identity continuity authentication method involved above. The apparatus may include a system (including a distributed system), software (application), module, component, controller, server, terminal, etc., using the method described in the embodiments of this specification, combined with the necessary implementation hardware. Based on the same innovative concept, the apparatuses in one or more embodiments provided in this disclosure are as described in the following embodiments. Since the implementation schemes and methods for solving the problem by the apparatus are similar to those of the method, the implementation of the specific apparatus in the embodiments of this specification can refer to the implementation of the foregoing method, and repeated details will not be described again. As used below, the terms "unit" or "module" can refer to a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, a hardware implementation, or a combination of software and hardware, is also possible and contemplated.
[0123] Figure 3 is a schematic block diagram illustrating a cross-device identity continuity authentication device applied to an access control system, according to an exemplary embodiment. As shown in Figure 3, the device 100 may include: a wake-up detection module 120, a ranging authentication initiation module 140, a communication link establishment module 160, a first authentication module 180, and an unlocking module 190. Specifically, the wake-up detection module 120 continuously acquires broadcast messages sent by at least one terminal device while in a sleep state, and performs a wake-up operation when the signal strength of the broadcast message meets a preset wake-up threshold; the ranging authentication initiation module 140, while in a wake-up state, establishes an ultra-wideband communication connection with the terminal device that triggered the wake-up, completes distance measurement between the access control device and the terminal device, and executes an identity authentication process when the ranging result is less than a preset safe distance threshold; the communication link establishment module 160, in response to the initiation of the identity authentication process, selects a terminal device with preset biometric authentication capabilities from the terminal devices that have established a communication connection as the authentication execution end, negotiates and generates a session key with the authentication execution end, and establishes an end-to-end encrypted communication link; the first authentication module 180 completes identity legitimacy verification based on a zero-knowledge proof protocol with the authentication execution end through the encrypted communication link, and receives an encrypted identity token sent by the authentication execution end when the identity legitimacy verification is successful; and the unlocking module 190 decrypts the encrypted identity token, verifies its permissions, and performs an unlocking operation when the verification is successful.
[0124] Figure 4 is a schematic block diagram illustrating a cross-device identity continuity authentication device applied to an access control system, according to an exemplary embodiment. As shown in Figure 4, the device 200 may include: a device binding module 220, a broadcast message sending module 240, a communication module 260, a second authentication module 280, and an identity token sending module 290. Specifically, the device binding module 220 is used to bind with a server and obtain the device identifier, authentication key, and access permission information issued by the server; the broadcast message sending module 240 is used to continuously send broadcast messages carrying the user's identity identifier at a preset period, the broadcast messages being used to trigger the wake-up operation of the access control device; the communication module 260 is used to establish an ultra-wideband communication connection with the access control device when receiving an ultra-wideband communication connection request initiated by the access control device, and to cooperate with the access control device to complete distance measurement; the second authentication module 280 is used to, when selected by the access control device as the authentication execution end, utilize the authentication key to negotiate and generate a session key with the access control device, establish an end-to-end encrypted communication link, and complete identity legitimacy verification based on the zero-knowledge proof protocol with the access control device through the encrypted communication link; and the identity token sending module 290 is used to encrypt an identity token including the device identifier, the access permission information, and the user identity identifier using the authentication key when the identity legitimacy verification is successful, generating an encrypted identity token, and to send the encrypted identity token to the access control device through the encrypted communication link, the encrypted identity token being used by the access control device to complete the unlocking operation.
[0125] Each module in the aforementioned cross-device identity continuity authentication device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can invoke and execute the corresponding operations of each module.
[0126] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in Figure 5. The computer device includes a processor, memory, communication interface, display screen, and input device connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, NFC (Near Field Communication), or other technologies. When executed by the processor, the computer program implements a cross-device identity continuity authentication method.
[0127] Those skilled in the art will understand that the structure shown in Figure 5 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0128] Based on the foregoing description of the relevant methods and apparatus embodiments, this disclosure also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and when the computer program is executed by the processor, it implements the cross-device identity continuity authentication method described in any embodiment of this specification.
[0129] Based on the foregoing description of the relevant methods and apparatus embodiments, this disclosure also provides a computer-readable storage medium that, when the instructions in the computer-readable storage medium are executed by the processor of a computer device, enables the computer device to implement the cross-device identity continuity authentication method as described in any embodiment of this disclosure.
[0130] Based on the foregoing description of the relevant methods and apparatus embodiments, this disclosure also provides a computer program product, including a computer program that, when executed by a processor, implements the cross-device identity continuity authentication method described in any embodiment of this specification.
[0131] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on its differences from other embodiments. In particular, hardware + program embodiments are relatively simple in description because they are fundamentally similar to method embodiments; relevant parts can be referred to the descriptions in the method embodiments.
[0132] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties.
[0133] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments described above. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0134] It should be noted that the apparatus, computer equipment, storage medium, and computer program products described above may also include other implementation methods according to the description of the method embodiments. Specific implementation methods can be found in the description of the relevant method embodiments. Furthermore, new embodiments formed by combinations of features from various methods, apparatuses, devices, and server embodiments still fall within the scope of this disclosure and will not be elaborated upon here.
[0135] For ease of description, the above devices are described in terms of function, divided into various modules. Of course, when implementing one or more of these specifications, the functions of each module can be implemented in the same or different software and / or hardware, or a module that performs the same function can be implemented by a combination of multiple sub-modules or sub-units. The device embodiments described above are merely illustrative. For example, the division of modules or units is only a logical functional division; in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling and communication connections between the devices or units shown or described can be implemented through direct and / or indirect coupling / connection, through standard or custom interfaces or protocols, and can be implemented electrically, mechanically, or in other forms.
[0136] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the following claims.
[0137] It should be understood that this disclosure is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope.
Claims
1. A cross-device identity continuity authentication method, characterized in that, applied to an access control device, the method includes: while in a sleep state, continuously acquiring broadcast messages sent by at least one terminal device, and performing a wake-up operation when the signal strength of a broadcast message meets a preset wake-up threshold; when in the wake-up state, establishing an ultra-wideband communication connection with the terminal device that triggered the wake-up and measuring the distance between the access control device and that terminal device, and, if the distance measurement result is less than a preset safe distance threshold, executing an identity authentication process; in response to the initiation of the identity authentication process, selecting a terminal device with a preset biometric authentication capability from the terminal devices that have established a communication connection as the authentication execution end, and negotiating a session key with the authentication execution end to establish an end-to-end encrypted communication link; completing identity legitimacy verification based on a zero-knowledge proof protocol with the authentication execution end through the encrypted communication link, and, if the identity legitimacy verification is successful, receiving an encrypted identity token sent by the authentication execution end; and decrypting the encrypted identity token and verifying its permissions, and, if the verification is successful, performing the unlocking operation.
2. The method according to claim 1, characterized in that measuring the distance between the access control device and the terminal device and, if the distance measurement result is less than the preset safe distance threshold, executing the identity authentication process includes: measuring the distance to the terminal device by combining time-of-flight and angle-of-arrival ranging algorithms; when multiple terminal devices have established a communication connection, merging the ranging results of the individual terminal devices to obtain a comprehensive ranging result; and, if the comprehensive ranging result is less than the preset safe distance threshold, executing the identity authentication process.
3. The method according to claim 1, characterized in that completing identity legitimacy verification based on the zero-knowledge proof protocol with the authentication execution end through the encrypted communication link includes: receiving a commitment value sent by the authentication execution end; sending a random challenge value to the authentication execution end; receiving a response value returned by the authentication execution end; verifying the validity of the response value using preset public key parameters; and, if the verification is successful, determining that the identity legitimacy verification is successful.
4. The method according to claim 1, characterized in that decrypting the encrypted identity token, verifying its permissions and, if the verification passes, performing the unlocking operation includes: decrypting the encrypted identity token, which includes a timestamp and a digital signature, end-to-end using the session key generated through negotiation; verifying the validity of the digital signature, the legality of the timestamp, and that the access permission information matches the preset permissions of the access control device; and, if the verification is successful, performing the unlocking operation, recording an authentication log, and returning to the sleep state, where the authentication log includes at least one of: the authentication time, the identifier of the authentication execution device, and the access permission information.
5. The method according to claim 1, characterized in that the access control device has a local cache in which access control policies and user public keys are pre-stored, and the method further includes: when offline, invoking the local cache to complete the verification; when online, completing the verification after updating the local cache; and, if the identity verification or the permission verification fails, performing supplementary authentication through near-field communication authentication or password authentication, and, if the supplementary authentication is successful, performing the unlocking operation.
6. A cross-device identity continuity authentication method, characterized in that, applied to a terminal device, the method includes: completing binding with a server and obtaining the device identifier, authentication key and access permission information issued by the server; continuously sending, at a preset period, broadcast messages carrying a user identifier, the broadcast messages being used to trigger the wake-up operation of an access control device; upon receiving an ultra-wideband communication connection request initiated by the access control device, establishing an ultra-wideband communication connection with the access control device and cooperating with it to complete distance measurement; when selected as the authentication execution end by the access control device, using the authentication key to negotiate a session key with the access control device and establish an end-to-end encrypted communication link; completing identity legitimacy verification based on the zero-knowledge proof protocol with the access control device through the encrypted communication link; and, if the identity verification is successful, encrypting an identity token that includes the device identifier, the access permission information and the user identifier using the authentication key to generate an encrypted identity token, and sending the encrypted identity token to the access control device via the encrypted communication link, the encrypted identity token being used by the access control device to complete the unlocking operation.
7. A cross-device identity continuity authentication device, characterized in that, applied to an access control device, the device includes: a wake-up detection module, used to continuously acquire broadcast messages sent by at least one terminal device while in a sleep state, and to perform a wake-up operation when the signal strength of a broadcast message meets a preset wake-up threshold; a ranging authentication startup module, used to establish an ultra-wideband communication connection with the terminal device that triggered the wake-up when in the wake-up state, to measure the distance between the access control device and that terminal device, and to execute the identity authentication process when the ranging result is less than the preset safe distance threshold; a communication link establishment module, used to respond to the start of the identity authentication process by selecting a terminal device with a preset biometric authentication capability from the terminal devices that have established a communication connection as the authentication execution end, negotiating a session key with the authentication execution end, and establishing an end-to-end encrypted communication link; a first identity verification module, used to complete identity legitimacy verification based on the zero-knowledge proof protocol with the authentication execution end through the encrypted communication link, and to receive the encrypted identity token sent by the authentication execution end if the identity legitimacy verification is successful; and an unlocking module, used to decrypt the encrypted identity token and verify its permissions, and to perform the unlocking operation if the verification is successful.
8. A cross-device identity continuity authentication device, characterized in that, applied to a terminal device, the device includes: a device binding module, used to complete binding with a server and to obtain the device identifier, authentication key and access permission information issued by the server; a broadcast message sending module, used to continuously send, at a preset period, broadcast messages carrying a user identifier, the broadcast messages being used to trigger the wake-up operation of an access control device; a communication module, used to establish an ultra-wideband communication connection with the access control device upon receiving an ultra-wideband communication connection request initiated by the access control device, and to cooperate with the access control device to complete distance measurement; a second authentication module, used, when selected as the authentication execution end by the access control device, to negotiate a session key with the access control device using the authentication key, to establish an end-to-end encrypted communication link, and to complete identity legitimacy verification based on the zero-knowledge proof protocol with the access control device through the encrypted communication link; and an identity token sending module, used, when the identity legitimacy verification is passed, to encrypt an identity token including the device identifier, the access permission information and the user identifier using the authentication key to generate an encrypted identity token, and to send the encrypted identity token to the access control device through the encrypted communication link, the encrypted identity token being used by the access control device to complete the unlocking operation.
9. A computer device, characterized in that it includes a memory and a processor, the memory storing a computer program and the processor executing the computer program to implement the steps of the method according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
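The commitment, random challenge and response exchange of claim 3 has the shape of a Schnorr identification protocol; the following is an added example (not the applicant's code) that runs both the terminal's and the access control device's steps, assuming Schnorr over a constructed toy safe-prime group and that the "preset public key parameters" are the terminal's public key y = g^x. It also applies the subgroup membership check a verifier should perform on the received commitment before issuing a challenge.

```python
# Added example, not the patent's code: Schnorr identification as one concrete
# instance of claim 3's exchange. The group p = 2q + 1 is a constructed toy.
import secrets

def is_probable_prime(n, rounds=24):  # Miller-Rabin primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(bits=64):
    """Return (p, q, g): q prime, p = 2q + 1 prime, g = 4 of prime order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 is a quadratic residue, hence order q

P, Q, G = generate_group()

def random_exponent_pair():
    """(e, g^e) for fresh e in [1, q): a key pair (x, y) or a commitment (k, t)."""
    e = secrets.randbelow(Q - 1) + 1
    return e, pow(G, e, P)
def verifier_challenge(t):
    """Lock: reject commitments outside the order-q subgroup, then pick c."""
    if not 1 < t < P or pow(t, Q, P) != 1:
        raise ValueError("commitment is not a valid group element")
    return secrets.randbelow(Q)
def prover_respond(k, x, c):
    return (k + c * x) % Q  # terminal: s = k + c*x mod q
def verifier_check(y, t, c, s):
    # Lock: accept iff g^s == t * y^c (mod p); without x this holds w.p. ~1/q.
    return pow(G, s, P) == (t * pow(y, c, P)) % P
def run_protocol(x, y):
    k, t = random_exponent_pair()  # terminal sends commitment t over the link
    c = verifier_challenge(t)      # lock answers with a random challenge c
    return verifier_check(y, t, c, prover_respond(k, x, c))
```

A real deployment would use a standard fixed group or elliptic curve and bind the challenge to the session key, so that the proof cannot be relayed between sessions.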