CN103929425B - A kind of identity registration, identity authentication method, equipment and system - Google Patents


Info

Publication number
CN103929425B
Authority
CN
China
Prior art keywords
parameter, biological characteristic, registration, terminal, calculated
Legal status
Expired - Fee Related
Application number
CN201410160781.0A
Other languages
Chinese (zh)
Other versions
CN103929425A (en)
Inventor
贲圣兰
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN201410160781.0A
Publication of CN103929425A
Application granted
Publication of CN103929425B
Legal status: Expired - Fee Related

Landscapes

  • Telephonic Communication Services (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
  • Medical Treatment And Welfare Office Work (AREA)

Abstract

Embodiments of the present invention provide an identity registration method, an identity authentication method, a device and a system. The method includes: according to a login password and a login biometric feature, a terminal extracts a recovered biometric feature from a biometric feature safety box using a biometric feature decoding algorithm; the terminal then obtains registration check information and generates login check information from the recovered biometric feature and the login password using the registration check algorithm; if the registration check information is identical to the login check information, the terminal determines that the login password and the login biometric feature are valid. With this method, when the user is a legitimate user, the recovered biometric feature extracted from the biometric feature safety box according to the login biometric feature is identical to the registration biometric feature, which reduces the false rejection rate of biometric authentication and improves the recognition capability of the biometric feature.

Description

A kind of identity registration, identity authentication method, equipment and system
Technical field
Embodiments of the present invention relate to data communication technology, and in particular to an identity registration method, an identity authentication method, a device and a system.
Background technology
Traditional identity authentication relies on a password or a token entered by the user, but the security of these traditional methods is not high. For example, a simple password is easily stolen by an attacker, a complex password risks being forgotten, and a smart card risks being stolen or lost. Authentication based on biometric features therefore emerged; a biometric feature may be a fingerprint, a face, an iris and so on. Biometric authentication uses a physical or behavioural property intrinsic to the user, so the risk of loss or theft is small. Combining all three factors for authentication can effectively improve the security of identity authentication.
An existing three-factor identity authentication method comprises two processes, registration and authentication. In the registration process, the user selects a random number K and inputs an identity ID_i, a password PW_i and a biometric feature B_i; the registration centre generates a random number X_s, calculates f_i and e_i, and stores (ID_i, h(·), f_i, e_i) together with the random number K on a smart card allocated to the user, where h(·) is a one-way hash function; the registration centre then issues the smart card to the user over a reliable channel. In the authentication process, the user first inserts the smart card, the terminal scans and obtains the user's biometric feature B'_i and judges whether the corresponding check holds; if so, the user passes biometric authentication. After biometric authentication, mutual authentication between the terminal and the server is also required.
However, the existing three-factor identity authentication method has the following problem. The prior art protects biometric data with a hash function: the user is authenticated by comparing the one-way hash of the registration biometric feature (the feature the user submits during registration) with the one-way hash of the query biometric feature (the feature the user submits during login) and checking whether they are identical. But a hash function is by nature very sensitive to any disturbance of its input. Because of differences in illumination, posture and other acquisition conditions, the biometric feature of the same person captured in two scans is in general never completely identical; that is, the registration biometric feature and the query biometric feature of a user always exhibit some intra-class variation. Owing to the hash function's sensitivity to input disturbance, even a small intra-class variation can produce a large difference between the hash values of the registration and query biometric features, so that a legitimate user fails biometric authentication.
The content of the invention
Embodiments of the present invention provide an identity registration method, an identity authentication method, a device and a system, to solve the problem of the low recognition rate of biometric authentication in the prior art.
In a first aspect, a terminal provided by an embodiment of the present invention includes: a receiving module, configured to receive login information input by a user, the login information including a login password and a login biometric feature; an acquisition module, configured to obtain a biometric feature safety box, the biometric feature safety box being generated, using a biometric feature encoding algorithm, from the registration biometric feature and the registration password input when the user registered; an extraction module, configured to extract a recovered biometric feature from the biometric feature safety box using a biometric feature decoding algorithm, according to the login password and the login biometric feature; the acquisition module, further configured to obtain registration check information, the registration check information being generated from the registration password and the registration biometric feature using a registration check algorithm; a computing module, configured to generate login check information from the login password and the recovered biometric feature using the registration check algorithm; and a check module, configured to determine that the login password and the login biometric feature are valid when the registration check information and the login check information are equal.
In a first possible implementation of the first aspect, the extraction module being configured to extract the recovered biometric feature from the biometric feature safety box using the biometric feature decoding algorithm, according to the login password and the login biometric feature, specifically includes: the extraction module is configured to generate an L-variate polynomial from the login password, L being a positive integer greater than or equal to 1; divide the login biometric feature into feature sub-vectors of length L; for each feature sub-vector, calculate the projection z of the feature sub-vector on the L-variate polynomial and select at least one candidate point pair from the biometric feature safety box, where the first parameter of a candidate point pair is a vector of length L, the second parameter is the projection of the first parameter on the L-variate polynomial, and the distance between the first parameter of the candidate point pair and the feature sub-vector is less than a predetermined distance threshold; select a target point pair from the candidate point pairs, the target point pair being the candidate point pair whose second parameter has the smallest distance to z, and take the first parameter of the target point pair as the recovered feature sub-vector corresponding to the feature sub-vector; and combine the recovered feature sub-vectors corresponding to all the feature sub-vectors into the recovered biometric feature.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation the terminal further includes a sending module. After the check module determines that the login password and the login biometric feature are valid, the acquisition module is further configured to obtain a parameter e_i, the parameter e_i being obtained by first calculating a mutual authentication parameter from a first random number and the registration identity identifier input when the user registered, using a second non-reversible algorithm, and then applying a third non-reversible algorithm to the registration biometric feature, the registration password and the mutual authentication parameter. The computing module is further configured to: calculate a parameter M1 from the parameter e_i, the login password and the recovered biometric feature using an analysis algorithm corresponding to the third non-reversible algorithm; after generating a second random number, calculate a parameter M2 from the second random number and the parameter M1 using a first transformation algorithm, and calculate a parameter M3 from the second random number and the parameter M1 using a fourth non-reversible algorithm. The sending module is configured to send a first authentication parameter to an authentication server so that the authentication server verifies, according to the first authentication parameter, whether the terminal is valid; the first authentication parameter includes the registration identity identifier, the parameter M2 and the parameter M3. The receiving module is further configured to receive a second authentication parameter returned by the authentication server, the second authentication parameter including a parameter M7 and a parameter M8 and being generated by the authentication server after it has verified, according to the first authentication parameter, that the terminal is valid; the parameter M7 is calculated from a third random number and the mutual authentication parameter using a second transformation algorithm, and the parameter M8 is calculated from the third random number, the mutual authentication parameter and the second random number using a fifth non-reversible algorithm. The computing module is further configured to calculate a parameter M9 from the parameter M7 and the parameter M1 using an analysis algorithm corresponding to the second transformation algorithm, and to calculate a parameter M10 from the parameter M1, the parameter M9 and the second random number using the fifth non-reversible algorithm. The check module is further configured to determine that the identity of the authentication server is valid if the parameter M10 equals the parameter M8.
In a second aspect, a registration centre provided by an embodiment of the present invention includes: a receiving module, configured to receive registration information input by a user, the registration information including a registration password and a registration biometric feature; a computing module, configured to generate registration check information from the registration password and the registration biometric feature using a registration check algorithm; and a generation module, configured to generate a biometric feature safety box from the registration password and the registration biometric feature using a biometric feature encoding algorithm, the biometric feature safety box and the registration check information being provided to a terminal so that the login password and the login biometric feature input by the user can be verified.
In a first possible implementation of the second aspect, the generation module being configured to generate the biometric feature safety box from the registration password and the registration biometric feature using the biometric feature encoding algorithm specifically includes: the generation module is configured to generate an L-variate polynomial from the registration password, L being a positive integer greater than or equal to 1; divide the registration biometric feature into feature sub-vectors of length L; for each feature sub-vector, generate a true data point pair whose first parameter is the feature sub-vector and whose second parameter is the projection value of the feature sub-vector on the L-variate polynomial; generate interference data point pairs, the first parameter of an interference data point pair being a vector of length L and the projection value of that first parameter on the L-variate polynomial being unequal to the value of the second parameter of the interference data point pair; and mix the true data point pairs corresponding to all the feature sub-vectors with the interference data point pairs to generate the biometric feature safety box.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation the registration information further includes a registration identity identifier, and the computing module is further configured to: generate a first random number, the first random number being shared between the registration centre and an authentication server; calculate a mutual authentication parameter from the first random number and the registration identity identifier using a second non-reversible algorithm, and then calculate a parameter e_i from the registration biometric feature, the registration password and the mutual authentication parameter using a third non-reversible algorithm, the parameter e_i being provided to the terminal for mutual verification between the terminal and the authentication server.
In a third aspect, an identity authentication method provided by an embodiment of the present invention includes: a terminal receives login information input by a user, the login information including a login password and a login biometric feature; the terminal obtains a biometric feature safety box, the biometric feature safety box being generated, using a biometric feature encoding algorithm, from the registration biometric feature and the registration password input when the user registered; the terminal extracts a recovered biometric feature from the biometric feature safety box using a biometric feature decoding algorithm, according to the login password and the login biometric feature; the terminal obtains registration check information, the registration check information being generated from the registration password and the registration biometric feature using a registration check algorithm; the terminal generates login check information from the login password and the recovered biometric feature using the registration check algorithm; and if the registration check information equals the login check information, the terminal determines that the login password and the login biometric feature are valid.
In a first possible implementation of the third aspect, the terminal extracting the recovered biometric feature from the biometric feature safety box using the biometric feature decoding algorithm, according to the login password and the login biometric feature, includes: the terminal generates an L-variate polynomial from the login password, L being a positive integer greater than or equal to 1; the terminal divides the login biometric feature into feature sub-vectors of length L; for each feature sub-vector, the terminal calculates the projection z of the feature sub-vector on the L-variate polynomial and selects at least one candidate point pair from the biometric feature safety box, where the first parameter of a candidate point pair is a vector of length L, the second parameter is the projection of the first parameter on the L-variate polynomial, and the distance between the first parameter of the candidate point pair and the feature sub-vector is less than a predetermined distance threshold; the terminal selects a target point pair from the candidate point pairs, the target point pair being the candidate point pair whose second parameter has the smallest distance to z, and takes the first parameter of the target point pair as the recovered feature sub-vector corresponding to the feature sub-vector; and the terminal combines the recovered feature sub-vectors corresponding to all the feature sub-vectors into the recovered biometric feature.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, after the terminal determines that the login password and the login biometric feature are valid, the method further includes: the terminal obtains a parameter e_i, the parameter e_i being obtained by first calculating a mutual authentication parameter from a first random number and the registration identity identifier input when the user registered, using a second non-reversible algorithm, and then applying a third non-reversible algorithm to the registration biometric feature, the registration password and the mutual authentication parameter; the terminal calculates a parameter M1 from the parameter e_i, the login password and the recovered biometric feature using an analysis algorithm corresponding to the third non-reversible algorithm; the terminal generates a second random number; the terminal calculates a parameter M2 from the second random number and the parameter M1 using a first transformation algorithm, and calculates a parameter M3 from the second random number and the parameter M1 using a fourth non-reversible algorithm; the terminal sends a first authentication parameter to an authentication server so that the authentication server verifies, according to the first authentication parameter, whether the terminal is valid, the first authentication parameter including the registration identity identifier, the parameter M2 and the parameter M3; the terminal receives a second authentication parameter returned by the authentication server, the second authentication parameter including a parameter M7 and a parameter M8 and being generated by the authentication server after it has verified, according to the first authentication parameter, that the terminal is valid, where M7 is calculated from a third random number and the mutual authentication parameter using a second transformation algorithm and M8 is calculated from the third random number, the mutual authentication parameter and the second random number using a fifth non-reversible algorithm; the terminal calculates a parameter M9 from the parameter M7 and the parameter M1 using an analysis algorithm corresponding to the second transformation algorithm, and calculates a parameter M10 from the parameter M1, the parameter M9 and the second random number using the fifth non-reversible algorithm; and if the parameter M10 equals the parameter M8, the terminal determines that the identity of the authentication server is valid.
With reference to the second possible implementation of the third aspect, in a third possible implementation, after the terminal sends the first authentication parameter to the authentication server the method further includes: the authentication server receives the first authentication parameter sent by the terminal, the first authentication parameter including the registration identity identifier of the user, the parameter M2 and the parameter M3; the authentication server generates a parameter M4 from the registration identity identifier and the first random number using the second non-reversible algorithm; the authentication server generates a parameter M5 from the parameter M2 and the parameter M4 using the analysis algorithm corresponding to the first transformation algorithm; the authentication server generates a parameter M6 from the parameter M4 and the parameter M5 using the fourth non-reversible algorithm; if the parameter M3 equals the parameter M6, the authentication server determines that the identity of the terminal is valid; the authentication server generates a third random number and generates a parameter M7 from the parameter M4 and the third random number using the second transformation algorithm; the authentication server generates a parameter M8 from the parameter M4, the parameter M5 and the third random number using the fifth non-reversible algorithm; and the authentication server sends a second authentication parameter to the terminal so that the terminal determines, according to the second authentication parameter, whether the authentication server is valid, the second authentication parameter including the parameter M7 and the parameter M8.
In a fourth aspect, an embodiment of the present invention provides an identity registration method, the method including: a registration centre receives registration information input by a user, the registration information including a registration password and a registration biometric feature; the registration centre generates registration check information from the registration password and the registration biometric feature using a registration check algorithm; and the registration centre generates a biometric feature safety box from the registration password and the registration biometric feature using a biometric feature encoding algorithm, the biometric feature safety box and the registration check information being provided to a terminal so that the login password and the login biometric feature input by the user can be verified.
In a first possible implementation of the fourth aspect, the registration centre generating the biometric feature safety box from the registration password and the registration biometric feature using the biometric feature encoding algorithm includes: the registration centre generates an L-variate polynomial from the registration password, L being a positive integer greater than or equal to 1; the registration centre divides the registration biometric feature into feature sub-vectors of length L; for each feature sub-vector, the registration centre generates a true data point pair whose first parameter is the feature sub-vector and whose second parameter is the projection value of the feature sub-vector on the L-variate polynomial; the registration centre generates interference data point pairs, the first parameter of an interference data point pair being a vector of length L and the projection value of that first parameter on the L-variate polynomial being unequal to the value of the second parameter of the interference data point pair; and the registration centre mixes the true data point pairs corresponding to all the feature sub-vectors with the interference data point pairs to generate the biometric feature safety box.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation the registration information further includes a registration identity identifier, and the method further includes: the registration centre generates a first random number, the first random number being shared between the registration centre and an authentication server; the registration centre calculates a mutual authentication parameter from the first random number and the registration identity identifier using a second non-reversible algorithm, and then calculates a parameter e_i from the registration biometric feature, the registration password and the mutual authentication parameter using a third non-reversible algorithm, the parameter e_i being provided to the terminal for mutual verification between the terminal and the authentication server.
In the embodiments of the present invention, the terminal receives the login password and the login biometric feature input by the user, obtains the biometric feature safety box and the registration check information, extracts the recovered biometric feature from the biometric feature safety box using the biometric feature decoding algorithm, generates login check information from the login password and the recovered biometric feature using the registration check algorithm, and determines that the login password and the login biometric feature are valid if the registration check information equals the login check information. With the invention, when the user is a legitimate user, the recovered biometric feature extracted from the biometric feature safety box according to the login biometric feature is completely identical to the registration biometric feature, which reduces the false rejection rate of biometric authentication and improves the recognition capability of the biometric feature.
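The encoding step of the fourth aspect and the decoding step of the third aspect, carried through end to end as an added example (my code, not the patent's). The polynomial form, the password-seeded coefficients, the chaff placement rule, the distance threshold and SHA-256 as the registration check algorithm are assumptions the patent does not fix; the sample feature vectors are constructed.

```python
import hashlib
import math
import random
from typing import List, Optional, Sequence

# Assumed parameters; the patent fixes none of them.
L = 2                  # length of each feature sub-vector
THRESHOLD = 1.5        # predetermined distance threshold
CHAFF_PER_TRUE = 4     # interference point pairs generated per true point pair
VALUE_MARGIN = 20.0    # chaff second parameters stay this far from every true projection


def polynomial_from_password(password: str):
    """L-variate polynomial p(x) = c0 + sum(c_j*x_j + d_j*x_j^2) with coefficients
    drawn from a PRNG seeded by SHA-256(password): a different password gives a
    different polynomial (assumed construction)."""
    seed = int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    c0 = rng.uniform(-50.0, 50.0)
    c = [rng.uniform(-10.0, 10.0) for _ in range(L)]
    d = [rng.uniform(-3.0, 3.0) for _ in range(L)]

    def p(x) -> float:                # "projection" of x on the polynomial
        return c0 + sum(cj * xj + dj * xj * xj for cj, dj, xj in zip(c, d, x))
    return p


def split(feature: Sequence[float]):
    """Divide a biometric feature (length a multiple of L) into sub-vectors of length L."""
    return [tuple(feature[i:i + L]) for i in range(0, len(feature), L)]


def encode_vault(reg_password: str, reg_feature: Sequence[float], rng: random.Random):
    """Registration centre: true point pairs (v, p(v)) mixed with interference
    point pairs (u, w) whose second parameter w is deliberately not p(u)."""
    p = polynomial_from_password(reg_password)
    true_pairs = [(v, p(v)) for v in split(reg_feature)]
    true_values = [val for _, val in true_pairs]
    vault = list(true_pairs)
    for v, _ in true_pairs:
        for _ in range(CHAFF_PER_TRUE):
            while True:
                # chaff sits near the true point so it competes on distance ...
                u = tuple(vi + rng.uniform(-2.0, 2.0) for vi in v)
                w = p(u) + rng.choice((-1.0, 1.0)) * rng.uniform(5.0, 80.0)
                # ... but its value is kept clear of every true projection, so the
                # correct polynomial always resolves the true point (assumed rule)
                if all(abs(w - t) >= VALUE_MARGIN for t in true_values):
                    break
            vault.append((u, w))
    rng.shuffle(vault)                # mixing hides which pairs are true
    return vault


def decode_vault(login_password: str, login_feature: Sequence[float], vault) -> Optional[List[float]]:
    """Terminal: per sub-vector, compute the projection z with the login polynomial,
    take candidates within THRESHOLD and pick the one whose second parameter is
    closest to z. Returns None when some sub-vector has no candidate at all."""
    p = polynomial_from_password(login_password)
    recovered: List[float] = []
    for v in split(login_feature):
        z = p(v)
        candidates = [pt for pt in vault if math.dist(pt[0], v) < THRESHOLD]
        if not candidates:
            return None
        target = min(candidates, key=lambda pt: abs(pt[1] - z))
        recovered.extend(target[0])   # first parameter = recovered feature sub-vector
    return recovered


def check_info(password: str, feature: Sequence[float]) -> str:
    """Registration check algorithm: SHA-256 over password and feature (assumed)."""
    payload = password.encode() + b"|" + ",".join(f"{x:.6f}" for x in feature).encode()
    return hashlib.sha256(payload).hexdigest()


def authenticate(login_password: str, login_feature: Sequence[float], vault, reg_check: str) -> bool:
    """Terminal decision: decode, regenerate the check info, compare with registration."""
    recovered = decode_vault(login_password, login_feature, vault)
    return recovered is not None and check_info(login_password, recovered) == reg_check


# Constructed sample data: a six-value feature, a genuine re-scan with noise of at
# most 0.1 per value, and an impostor whose scan lies far from every stored point.
REG_PASSWORD = "correct horse"
REG_FEATURE = [1.0, 2.0, 3.5, 0.5, 2.0, 3.8]
GENUINE_LOGIN = [1.05, 1.92, 3.6, 0.52, 1.94, 3.89]
IMPOSTOR_LOGIN = [x + 6.0 for x in REG_FEATURE]

VAULT = encode_vault(REG_PASSWORD, REG_FEATURE, random.Random(7))
REG_CHECK = check_info(REG_PASSWORD, REG_FEATURE)

if __name__ == "__main__":
    print("genuine scan, right password:", authenticate(REG_PASSWORD, GENUINE_LOGIN, VAULT, REG_CHECK))
    print("genuine scan, wrong password:", authenticate("wrong", GENUINE_LOGIN, VAULT, REG_CHECK))
    print("impostor scan:", authenticate(REG_PASSWORD, IMPOSTOR_LOGIN, VAULT, REG_CHECK))
```

The genuine re-scan recovers the registration feature exactly, which is the property the abstract relies on; a wrong password changes the polynomial and the check hash, and a scan far from every stored point yields no candidates at all.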
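The terminal/server exchange of the second and third implementations (parameters e_i and M1 to M10), as an added example that is not from the patent. It assumes every non-reversible algorithm is a domain-separated SHA-256 and that both transformation algorithms, together with their analysis algorithms, are XOR on 32-byte values; the identity, password, feature bytes and shared random number are constructed.

```python
import hashlib
import os

# Assumed primitives (the patent names them only abstractly): every non-reversible
# algorithm is a domain-separated SHA-256; the first and second transformation
# algorithms and their matching analysis algorithms are all XOR on 32-byte values.


def h(tag: bytes, *parts: bytes) -> bytes:
    """Non-reversible algorithm: SHA-256 over a domain tag and length-prefixed parts."""
    m = hashlib.sha256(tag)
    for part in parts:
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Transformation algorithm; applying it again is the analysis algorithm."""
    return bytes(x ^ y for x, y in zip(a, b))


# Registration centre (second implementation of the fourth aspect)
def register(r1: bytes, identity: bytes, reg_password: bytes, reg_feature: bytes) -> bytes:
    """Mutual authentication parameter A from (first random number r1, ID); e_i
    hides A under a hash of the registration biometric feature and password."""
    a = h(b"H2", r1, identity)
    return xor(a, h(b"H3", reg_feature, reg_password))          # e_i


# Terminal (second implementation of the third aspect)
def terminal_request(e_i: bytes, login_password: bytes, recovered_feature: bytes,
                     identity: bytes, r2: bytes):
    """Runs after the password and biometric feature were validated against the safety box."""
    m1 = xor(e_i, h(b"H3", recovered_feature, login_password))  # analysis of H3 -> A
    m2 = xor(r2, m1)                                            # first transformation
    m3 = h(b"H4", r2, m1)                                       # fourth non-reversible
    return m1, (identity, m2, m3)                               # first authentication parameter


def terminal_verify_server(m1: bytes, r2: bytes, response) -> bool:
    m7, m8 = response                                           # second authentication parameter
    m9 = xor(m7, m1)                                            # analysis of 2nd transformation -> r3
    m10 = h(b"H5", m1, m9, r2)                                  # fifth non-reversible
    return m10 == m8


# Authentication server (third implementation of the third aspect)
def server_respond(r1: bytes, request, r3: bytes):
    identity, m2, m3 = request
    m4 = h(b"H2", r1, identity)          # recompute A from the shared r1
    m5 = xor(m2, m4)                     # analysis of 1st transformation -> r2
    m6 = h(b"H4", m5, m4)
    if m6 != m3:
        return None                      # terminal did not hold a valid A: reject
    m7 = xor(r3, m4)                     # second transformation
    m8 = h(b"H5", m4, r3, m5)            # same inputs the terminal feeds into M10
    return m7, m8


def run_protocol(login_password: bytes, recovered_feature: bytes, server_r1: bytes):
    """One full exchange; returns (server accepted terminal, terminal accepted server)."""
    r2, r3 = os.urandom(32), os.urandom(32)
    m1, request = terminal_request(E_I, login_password, recovered_feature, IDENTITY, r2)
    response = server_respond(server_r1, request, r3)
    if response is None:
        return False, False
    return True, terminal_verify_server(m1, r2, response)


# Constructed sample values (not from the patent)
R1 = hashlib.sha256(b"shared between registration centre and authentication server").digest()
IDENTITY = b"user-0001"
REG_PASSWORD = b"correct horse"
REG_FEATURE = b"\x01\x02\x03\x04\x05\x06"   # stands in for the registration biometric feature
E_I = register(R1, IDENTITY, REG_PASSWORD, REG_FEATURE)

if __name__ == "__main__":
    print("genuine terminal, genuine server:", run_protocol(REG_PASSWORD, REG_FEATURE, R1))
    print("wrong password:", run_protocol(b"wrong", REG_FEATURE, R1))
    print("server without r1:", run_protocol(REG_PASSWORD, REG_FEATURE, bytes(32)))
```

Because M1 is only correct when the recovered feature equals the registration feature, the M3/M6 comparison on the server also fails when the safety-box decoding went wrong.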
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the drawings in the following description show merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
Fig. 1 is a structural diagram of a terminal for user identity authentication provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a terminal for user identity authentication provided by another embodiment of the present invention;
Fig. 3 is a structural diagram of a registration centre for user identity registration provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a user identity authentication method provided by an embodiment of the present invention;
Fig. 5 is a flowchart of the method of mutual authentication between a terminal and an authentication server provided by an embodiment of the present invention;
Fig. 6 is a flowchart of an identity registration method provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of an authentication system provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of a computer-system-based terminal provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of a computer-system-based registration centre provided by an embodiment of the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Apparently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The identity authentication method provided by the embodiments of the present invention is a three-factor authentication method. Before user authentication, identity registration must first be completed at a registration centre; identity authentication can be performed only after identity registration succeeds. The registration process is completed mainly by the registration centre, and the authentication process is completed jointly by the terminal and the authentication server. The identity registration and identity authentication methods of the embodiments are described in detail below. For clarity, in the following embodiments the registration password and registration biometric feature refer to the password and biometric feature the user submits when registering at the registration centre, the login password and login biometric feature refer to the password and biometric feature the user inputs when logging in through a terminal, and the recovered biometric feature refers to the biometric feature the terminal extracts from the biometric feature safety box.
In addition, the terminal in the embodiments of the present invention may be a dedicated device or a general-purpose device. After the registration centre receives the user's registration information, the generated information may be stored on the dedicated device or on a smart card allocated to the user; the user can then log in directly through the dedicated device, or insert the smart card into a general-purpose device to log in. The general-purpose device may be a private device such as a mobile phone or a personal computer, or a public device such as an ATM.
Embodiment one of the present invention provides a terminal for authenticating a user's identity. As shown in Fig. 1, the terminal of this embodiment may include a receiving module 11, an acquisition module 12, an extraction module 13, a computing module 14 and a verification module 15.
The receiving module 11 receives the login information entered by the user; the login information includes a login password and a login biometric.
The acquisition module 12 obtains the biometric vault, which was generated with the biometric encoding algorithm from the registration biometric and registration password entered when the user registered.
The extraction module 13 extracts the recovered biometric from the biometric vault obtained by the acquisition module 12, using the biometric decoding algorithm with the login password and login biometric received by the receiving module 11.
The acquisition module 12 further obtains the registration check information, which was generated with the registration check algorithm from the registration password and registration biometric.
The computing module 14 generates the login check information with the registration check algorithm from the login password received by the receiving module 11 and the recovered biometric extracted by the extraction module 13.
The verification module 15 determines that the login password and login biometric are valid when the registration check information equals the login check information.
Optionally, the login information also includes a login identity identifier, in which case the acquisition module 12, when obtaining the biometric vault, specifically obtains the biometric vault corresponding to that login identity identifier. The biometric vault obtained by the acquisition module 12 was generated by the registration center with the biometric encoding algorithm from the registration biometric and registration password entered at registration, and is stored in the terminal: specifically, on the smart card that the registration center issues to the user or on the dedicated device, and the terminal reads the vault from the smart card or from local storage.
The extraction module 13 extracts the recovered biometric from the biometric vault with the biometric decoding algorithm, using the login password and the login biometric, as follows:
First, an L-variable polynomial is generated from the login password, where L is a positive integer greater than or equal to 1.
Then, the login biometric is divided into feature subvectors of length L. For each feature subvector, the projection z of the subvector on the L-variable polynomial is calculated and at least one candidate point pair is selected from the biometric vault, where the first parameter of a candidate point pair is a vector of length L, the second parameter is the projection of the first parameter on the L-variable polynomial, and the distance between the first parameter of the candidate point pair and the feature subvector is less than a preset distance threshold. A target point pair is then chosen from the candidate point pairs, namely the candidate whose second parameter is closest to z, and the first parameter of the target point pair is taken as the recovered feature subvector corresponding to the feature subvector.
Finally, the recovered feature subvectors corresponding to all the feature subvectors are combined into the recovered biometric.
The computing module 14 generates the login check information with the registration check algorithm from the login password and the recovered biometric; specifically, it generates the login check information from the login password and the recovered biometric using a first irreversible algorithm. The requirement on the first irreversible algorithm is that neither the login password nor the recovered biometric can be derived from the login check information.
The specific implementation of each module of the terminal is described in the embodiment corresponding to Fig. 4.
Because this embodiment extracts the recovered biometric from the biometric vault with the biometric decoding algorithm, as long as the login biometric entered by the user and the registration biometric differ only by intra-class variation, the extracted recovered biometric is identical to the registration biometric, and the hash values of the registration biometric and the recovered biometric are therefore also identical. This reduces the false rejection rate of biometric authentication and thereby improves biometric recognition capability.
Embodiment two of the present invention provides a terminal for authenticating a user's identity. As shown in Fig. 2, the terminal of this embodiment builds on the terminal structure of Fig. 1 and further includes a sending module 16, which sends first authentication parameters to the authentication server so that the authentication server can verify from those parameters whether the terminal is valid. The first authentication parameters include the registration identity identifier, parameter M2 and parameter M3.
After the verification module 15 has determined that the login password and login biometric are valid, and before the sending module 16 sends the first authentication parameters, the acquisition module 12 further obtains parameter e_i. Parameter e_i is obtained by first calculating a mutual authentication parameter from a first random number and the registration identity identifier entered at registration using a second irreversible algorithm, and then applying a third irreversible algorithm to the registration biometric, the registration password and the mutual authentication parameter.
The computing module 14 further calculates parameter M1 from parameter e_i, the login password and the recovered biometric using the analysis algorithm (the inverse) corresponding to the third irreversible algorithm; it then generates a second random number, calculates parameter M2 from the second random number and parameter M1 using a first transform algorithm, and calculates parameter M3 from the second random number and parameter M1 using a fourth irreversible algorithm.
After the computing module 14 has calculated M2 and M3, the sending module 16 sends the first authentication parameters to the authentication server so that the server can verify from them whether the terminal is valid; the first authentication parameters include the registration identity identifier, parameter M2 and parameter M3. After the authentication server has verified from the first authentication parameters that the terminal is valid, it generates second authentication parameters and sends them to the terminal.
The receiving module 11 further receives the second authentication parameters returned by the authentication server. They include parameter M7 and parameter M8 and are generated after the server has verified the terminal from the first authentication parameters. Parameter M7 is calculated from a third random number and the mutual authentication parameter using a second transform algorithm; parameter M8 is calculated from the third random number, the mutual authentication parameter and the second random number using a fifth irreversible algorithm.
After the receiving module 11 receives the second authentication parameters, the computing module 14 further calculates parameter M9 from parameter M7 and parameter M1 using the analysis algorithm corresponding to the second transform algorithm, and calculates parameter M10 from parameter M1, parameter M9 and the second random number using the fifth irreversible algorithm. Once the computing module 14 has calculated M10 from the second authentication parameters, the verification module 15 further compares the parameter M8 received by the receiving module 11 with the parameter M10 calculated by the computing module 14; if M10 equals M8, the identity of the authentication server is determined to be valid.
In this embodiment, when the computing module 14 calculates parameter M1 from parameter e_i, the login password and the recovered biometric using the analysis algorithm corresponding to the third irreversible algorithm, it specifically uses the formula given in the specification (not reproduced in this extract), in which h() is a one-way hash function, parameter PW' is the login password and the remaining parameter is the recovered biometric.
When the computing module 14 calculates M2 from the second random number and M1 using the first transform algorithm, and M3 from the second random number and M1 using the fourth irreversible algorithm, it specifically calculates M2 from the second random number and M1 with the first formula given in the specification (not reproduced in this extract), and calculates M3 from the second random number and M1 with the formula M3 = h(M1 || Rc), where h() is a one-way hash function and parameter Rc is the second random number.
When the computing module 14 calculates M9 from M7 and M1 using the analysis algorithm corresponding to the second transform algorithm, and M10 from M1, M9 and the second random number using the fifth irreversible algorithm, it specifically calculates M9 from M7 and M1 with the formula given in the specification (not reproduced in this extract), and calculates M10 from M1, M9 and the second random number with the formula M10 = h(M1 || Rc || M9), where h() is a one-way hash function and parameter Rc is the second random number.
In this embodiment, after the login password and login biometric have been verified, the terminal and the server authenticate each other. Because the algorithm used to calculate M3 differs from the algorithm used to calculate M8, if an attacker intercepts M7 and M8 and then presents them as M2 and M3 to log in, the server recognizes this as soon as it receives the first authentication parameters. Only two interactions are therefore needed to complete the authentication process, which reduces the number of steps of mutual authentication.
Embodiment three of the present invention provides a registration center for user identity registration. As shown in Fig. 3, the registration center of this embodiment includes a receiving module 21, a computing module 22 and a generation module 23.
The receiving module 21 receives the registration information entered by the user; the registration information includes a registration password and a registration biometric.
The computing module 22 generates the registration check information with the registration check algorithm from the registration password and the registration biometric.
The generation module 23 generates the biometric vault with the biometric encoding algorithm from the registration password and the registration biometric. The biometric vault and the registration check information are supplied to the terminal so that the login password and login biometric entered by the user can be verified.
The computing module 22 specifically generates the registration check information from the registration password and the registration biometric using a first irreversible algorithm.
When generating the registration check information with the first irreversible algorithm, the computing module 22 specifically uses the formula fi = h(PW || Bi), where h() is a one-way hash function, parameter PW is the registration password, parameter Bi is the registration biometric and parameter fi is the registration check information.
In this embodiment, the generation module 23 generates the biometric vault with the biometric encoding algorithm from the registration password and the registration biometric as follows:
First, an L-variable polynomial is generated from the registration password, where L is a positive integer greater than or equal to 1.
Second, the registration biometric is divided into feature subvectors of length L, and a genuine data point pair is generated for each feature subvector: the first parameter of the genuine data point pair is the feature subvector, and the second parameter is the projection value of the feature subvector on the L-variable polynomial.
Then, interference data point pairs are generated, where the first parameter of an interference data point pair is a vector of length L, and the second parameter is not equal to the projection value of the first parameter on the L-variable polynomial.
Finally, the genuine data point pairs corresponding to the feature subvectors are mixed with the interference data point pairs to form the biometric vault.
After the registration center has generated the biometric vault and the registration check information, it stores them in the terminal, specifically on the smart card issued to the user or on the dedicated device; the smart card is inserted into a general-purpose device on which the user is allowed to log in, such as a mobile phone, a personal computer or an ATM. The registration center may also be deployed directly in the terminal.
Optionally, the registration information may also include a registration identity identifier. The computing module 22 then further generates a first random number, which is shared between the registration center and the authentication server, and calculates the mutual authentication parameter from the first random number and the registration identity identifier using the second irreversible algorithm; after the mutual authentication parameter has been calculated, it calculates parameter e_i from the registration biometric, the registration password and the mutual authentication parameter using the third irreversible algorithm. Parameter e_i is supplied to the terminal so that the terminal and the authentication server can verify each other.
When calculating the mutual authentication parameter from the first random number and the registration identity identifier with the second irreversible algorithm, the computing module 22 specifically uses the function ri = h(IDi || Xs), where h() is a one-way hash function, parameter IDi is the registration identity identifier, parameter Xs is the first random number and parameter ri is the mutual authentication parameter.
When calculating parameter e_i from the registration biometric, the registration password and the mutual authentication parameter with the third irreversible algorithm, the computing module 22 specifically uses the function given in the specification (not reproduced in this extract), where h() is a one-way hash function, parameter PWi is the registration password, parameter Bi is the registration biometric and parameter ri is the mutual authentication parameter.
The specific implementation of each module of the registration center is described in the embodiment corresponding to Fig. 6.
When the user registers, the registration center of this embodiment generates the biometric vault from the registration password and registration biometric entered by the user. Binding the registration biometric to the registration password and storing it encrypted in the biometric vault improves the security of the biometric. The biometric vault is supplied to the terminal, which uses it when authenticating the user's identity.
Embodiment four of the present invention provides an identity authentication method by which a terminal authenticates the login password and login biometric entered when a user logs in. As shown in Fig. 4, the method of this embodiment may include the following steps:
Step 301: the terminal receives the login information entered by the user; the login information includes a login password and a login biometric.
During identity authentication, the user enters the login information through the terminal. The login password is a combination of digits and letters of a certain length, and the user may set a simple or a complex password as needed; the login biometric may be the user's face, iris, fingerprint or another biometric. Because the capture environment differs in illumination, pose and so on, even for a legitimate user the login biometric entered at login cannot be identical to the registration biometric used at registration. In the embodiments of the present invention it is therefore sufficient that the user's registration biometric and login biometric differ only by intra-class variation, that is, 0 < ||Bi - B'i|| < τ', where B'i is the login biometric, Bi is the registration biometric, τ' is the biometric threshold and ||Bi - B'i|| is the feature distance between B'i and Bi.
Step 302: the terminal obtains the biometric vault, which was generated with the biometric encoding algorithm from the registration biometric and registration password entered when the user registered.
When the terminal is a dedicated device, this step specifically obtains the biometric vault from local storage; when the terminal is a general-purpose device, the smart card issued to the user by the registration center must be inserted into it, and this step specifically obtains the biometric vault from the smart card.
Optionally, the login information also includes a login identity identifier, in which case the terminal, when obtaining the biometric vault, specifically obtains the vault corresponding to that login identity identifier. For example, if the terminal allows several users to log in with their own login information, the user must enter the login identity identifier when logging in.
Step 303: the terminal extracts the recovered biometric from the biometric vault with the biometric decoding algorithm, using the login password and the login biometric.
This step is specifically as follows:
In the first step, the terminal generates an L-variable polynomial from the login password, where L is a positive integer greater than or equal to 1.
The number of variables L of the polynomial can be chosen according to the type of biometric. For example, when the biometric is a fingerprint, the fingerprint is a set of plane coordinates of minutiae points with no ordering between the points, so L = 2 may be used; when the biometric is a face, each element of the face feature corresponds to one basis vector of the projection matrix and the elements are ordered, so L may be larger. The L-variable polynomial is generated from the login password with a preset polynomial generation algorithm. Parameter L and the polynomial generation algorithm are stored in advance in both the terminal and the registration center, so that if the login password is identical to the registration password, the polynomial generated by the terminal is identical to the one the registration center generated when creating the biometric vault.
When generating the L-variable polynomial from the login password, the polynomial coefficients are calculated from the login password according to the polynomial generation algorithm, for example by using each element of the login password as a coefficient, or by multiplying each element of the login password by a preset factor and using the result as a coefficient; the present invention does not limit the polynomial generation algorithm. For example, if the user's login password is a six-digit password PWi = (p1, …, p6), the registration center uses each element of the password as a coefficient and constructs a bivariate polynomial (not reproduced in this extract).
In the second step, the terminal divides the login biometric into feature subvectors of length L. For each feature subvector, the terminal calculates the projection z of the subvector on the L-variable polynomial and selects at least one candidate point pair from the biometric vault, where the first parameter of a candidate point pair is a vector of length L, the second parameter is the projection of the first parameter on the L-variable polynomial, and the distance between the first parameter of the candidate point pair and the feature subvector is less than a preset distance threshold. The terminal then chooses a target point pair from the candidate point pairs, namely the candidate whose second parameter is closest to z, and takes the first parameter of the target point pair as the recovered feature subvector corresponding to the feature subvector.
Let the L-variable polynomial be denoted f and the feature subvector b'j; then the projection z of the feature subvector on the L-variable polynomial is f'(x). Each candidate point pair comprises two parameters, a first parameter denoted x and a second parameter denoted y; the distance between the first parameter of a candidate point pair and the feature subvector is ||b'j - x||, and the candidate point pairs can be expressed as T = {(x, y) | (x, y) ∈ V, ||b'j - x|| < τ}, where V is the biometric vault, τ is the distance threshold, ||x|| denotes the distance operation and T denotes the candidate point pairs. The biometric vault contains genuine data point pairs and interference data point pairs: the first parameter of a genuine data point pair is a feature subvector of the registration biometric and its second parameter is the projection value of that subvector on the L-variable polynomial; the first parameter of an interference data point pair is a vector of length L, and the projection value of that first parameter on the L-variable polynomial is not equal to the value of the pair's second parameter. When the login user is legitimate, the login biometric and the registration biometric differ only by a small intra-class variation, so choosing a suitable distance threshold τ ensures that the feature subvectors of the registration biometric are among the candidate point pairs.
After the candidate point pairs have been determined, the terminal chooses the target point pair from them, namely the candidate whose second parameter is closest to z. If the distance between the second parameter of a candidate point pair and z is written ||f'(x) - y||, the target point pair can be expressed by the formula given in the specification (not reproduced in this extract), where y denotes the second parameter, f'(x) denotes the projection z of the first parameter on the polynomial, and the remaining symbol denotes the target point pair. Because the projection value of the first parameter of an interference data point pair generated by the registration center is not equal to the value of the pair's second parameter, choosing the target point pair in this way excludes the influence of the interference data point pairs, and when the user is legitimate it ensures that the extracted recovered biometric is identical to the registration biometric.
In the third step, the terminal combines the recovered feature subvectors corresponding to all the feature subvectors into the recovered biometric.
If the login password and login biometric are valid, the recovered biometric extracted by the terminal is identical to the registration biometric.
Step 304: the terminal obtains the registration check information, which was generated with the registration check algorithm from the registration password and the registration biometric.
When the terminal is a dedicated device, this step specifically obtains the registration check information from local storage; when the terminal is a general-purpose device, the smart card issued to the user by the registration center must be inserted into it, and this step specifically obtains the registration check information from the smart card.
Step 305: the terminal generates the login check information with the registration check algorithm from the login password and the recovered biometric.
Specifically, the terminal generates the login check information from the login password and the recovered biometric using the first irreversible algorithm, whose requirement is that neither the login password nor the recovered biometric can be derived from the login check information.
For example, the terminal calculates the login check information with the formula given in the specification (not reproduced in this extract), where h() denotes a one-way hash operation, PW'i is the login password, the other operand is the recovered biometric and f'i is the login check information. This is only one possible algorithm; other algorithms may of course be used to generate the login check information, for example by replacing the concatenation with an XOR operation.
Step 306: if the registration check information equals the login check information, the terminal determines that the login password and the login biometric are valid.
Because the algorithm with which the registration center generates the registration check information is the same as the algorithm with which the terminal generates the login check information, when a legitimate user logs in the entered login password is identical to the registration password, and as long as the login biometric differs from the registration biometric only by intra-class variation, a recovered biometric identical to the registration biometric can be extracted; the calculated registration check information and login check information are therefore also identical, and the login password and login biometric are determined to be valid. If at least one of the login password and login biometric is illegitimate, the registration check information and the login check information differ, the login password and login biometric are illegitimate, and the user's login is refused.
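The registration-side encoding of embodiment three and the terminal-side decoding and check of steps 301 to 306, as one added Python example (not code from the patent). It assumes SHA-256 for h(), L = 2, a particular monomial layout for the six-coefficient password polynomial, integer feature values, and that interference (chaff) points are generated at least 2τ away from every genuine point; all of these are constructed choices the patent leaves open.

```python
import hashlib
import math
import random

# Constructed parameters for this example; the patent fixes none of these values.
L = 2                 # subvector length (the patent suggests L = 2 for fingerprint minutiae)
TAU = 4.0             # distance threshold tau used when selecting candidate point pairs
CHAFF_PER_POINT = 5   # interference point pairs generated per genuine point pair
COORD_RANGE = 256     # coordinate range of the constructed biometric feature values


def h(*parts):
    """One-way hash h() applied to the '||'-concatenation of its arguments."""
    return hashlib.sha256(b"||".join(str(p).encode() for p in parts)).hexdigest()


def polynomial_from_password(pw):
    """Build the L = 2 (bivariate) polynomial from a six-digit password.

    The patent says each password element becomes one coefficient but does not
    reproduce the polynomial; this monomial layout is an assumption of the example.
    """
    p = [int(c) for c in pw]
    if len(p) != 6:
        raise ValueError("example expects a six-digit password")

    def f(x):
        x1, x2 = x
        return p[0] * x1 * x1 + p[1] * x1 * x2 + p[2] * x2 * x2 + p[3] * x1 + p[4] * x2 + p[5]
    return f


def split_subvectors(feature):
    """Split a biometric feature vector into subvectors of length L."""
    if len(feature) % L:
        raise ValueError("feature length must be a multiple of L")
    return [tuple(feature[i:i + L]) for i in range(0, len(feature), L)]


def dist(u, v):
    """Euclidean distance between two length-L vectors (the ||.|| of the text)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def encode_vault(pw, biometric, seed=7):
    """Registration centre: genuine pairs (x, f(x)) mixed with chaff pairs (x', y'), y' != f(x')."""
    f = polynomial_from_password(pw)
    rng = random.Random(seed)          # seeded only so the example is reproducible
    genuine = split_subvectors(biometric)
    vault = [(x, f(x)) for x in genuine]
    for _ in range(CHAFF_PER_POINT * len(genuine)):
        while True:
            x = tuple(rng.randrange(COORD_RANGE) for _ in range(L))
            # Example design choice: keep chaff at least 2*TAU from every genuine
            # subvector, so a login subvector drifting less than TAU never has chaff
            # among its candidates (this is what "choose a suitable tau" relies on).
            if all(dist(x, g) >= 2 * TAU for g in genuine):
                break
        vault.append((x, f(x) + rng.randrange(1, 10 ** 6)))   # y' != f(x') by construction
    rng.shuffle(vault)
    return vault


def registration_check(pw, biometric):
    """f_i = h(PW || B_i), the registration check information."""
    return h(pw, list(biometric))


def decode_vault(pw_login, biometric_login, vault):
    """Terminal (step 303): recover the registered biometric, or None if a subvector has no candidate."""
    f = polynomial_from_password(pw_login)
    recovered = []
    for bj in split_subvectors(biometric_login):
        z = f(bj)                                                   # projection of the login subvector
        candidates = [(x, y) for (x, y) in vault if dist(bj, x) < TAU]
        if not candidates:
            return None
        x_best, _ = min(candidates, key=lambda xy: abs(xy[1] - z))  # target point pair
        recovered.extend(x_best)
    return recovered


def verify_login(pw_login, biometric_login, vault, reg_check):
    """Steps 304-306: compute h(PW' || B*) over the recovered biometric and compare with the stored check."""
    recovered = decode_vault(pw_login, biometric_login, vault)
    if recovered is None:
        return False
    return h(pw_login, recovered) == reg_check


if __name__ == "__main__":
    PW = "314159"
    B = [10, 20, 100, 40, 200, 60, 30, 130]          # constructed registration biometric
    vault, check = encode_vault(PW, B), registration_check(PW, B)
    B_drift = [11, 19, 101, 41, 199, 61, 30, 132]    # same user, small intra-class variation
    print("genuine login:", verify_login(PW, B_drift, vault, check))          # True
    print("wrong password:", verify_login("123456", B_drift, vault, check))   # False
```

The drifted login biometric is never hashed itself; the vault maps it back to the exact registered subvectors, which is why the hash comparison of step 306 succeeds despite the variation.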
Because this embodiment extracts the recovered biometric from the biometric vault with the biometric decoding algorithm, as long as the login biometric entered by the user and the registration biometric differ only by intra-class variation, the extracted recovered biometric is identical to the registration biometric, and the hash values of the registration biometric and the recovered biometric are therefore also identical. This reduces the false rejection rate of biometric authentication and thereby improves biometric recognition capability.
In some cases the terminal must communicate with an authentication server. After the login password and login biometric have been verified by the method of the embodiment corresponding to Fig. 4, the terminal and the authentication server must also verify each other's identity. Embodiment five of the present invention provides a method for mutual authentication between the terminal and the authentication server. As shown in Fig. 5, it specifically includes the following steps:
Step 401: the terminal obtains parameter e_i and calculates parameter M1 from parameter e_i, the login password and the recovered biometric using the analysis algorithm corresponding to the third irreversible algorithm. Parameter e_i was obtained by the registration center by first calculating the mutual authentication parameter from the first random number and the registration identity identifier entered at registration using the second irreversible algorithm, and then applying the third irreversible algorithm to the registration biometric, the registration password and the mutual authentication parameter.
When the terminal is a dedicated device, this step specifically obtains parameter e_i from local storage; when the terminal is a general-purpose device, the smart card issued to the user by the registration center must be inserted into it, and this step specifically obtains parameter e_i from the smart card.
The requirement on the second irreversible algorithm is that neither the first random number nor the registration identity identifier can be derived from the mutual authentication parameter. The requirement on the third irreversible algorithm is that the mutual authentication parameter, the registration biometric and the registration password cannot be derived from parameter e_i alone, while a legitimate user can derive the mutual authentication parameter from parameter e_i during authentication using the registration biometric and the registration password.
For example, the registration center calculates the mutual authentication parameter with the function ri = h(IDi || Xs), where h() is a one-way hash function, parameter IDi is the registration identity identifier, parameter Xs is the first random number and parameter ri is the mutual authentication parameter.
For example, the registration center calculates parameter e_i from the registration biometric, the registration password and the mutual authentication parameter with the function given in the specification (not reproduced in this extract), where h() is a one-way hash function, parameter PWi is the registration password, parameter Bi is the registration biometric and parameter ri is the mutual authentication parameter.
For example, the terminal calculates parameter M1 from parameter e_i, the login password and the recovered biometric with the formula given in the specification (not reproduced in this extract), where h() is a one-way hash function, parameter PW' is the login password and the remaining parameter is the recovered biometric.
Step 402: The terminal generates a second random number, computes parameter M_2 from the second random number and parameter M_1 with the first conversion algorithm, and computes parameter M_3 from the second random number and parameter M_1 with the fourth irreversible algorithm.
The requirement on the first conversion algorithm is that neither the second random number nor parameter M_1 can be derived from parameter M_2, but that, if parameter M_1 is known, the second random number can be obtained from parameter M_2 with the analytic algorithm corresponding to the first conversion algorithm. The requirements on the fourth irreversible algorithm are: (1) neither the second random number nor parameter M_1 can be derived from parameter M_3; (2) even if parameter M_2 is known, neither the second random number nor parameter M_1 can be derived from parameter M_3; (3) even if parameter M_2 is known, the second random number, and hence parameter M_3, cannot be obtained without parameter M_1; (4) M_3 ≠ M_2.
For example, the terminal computes parameter M_2 from the second random number and parameter M_1 with the first conversion algorithm, and computes parameter M_3 = h(M_1 || R_c), where h(·) is the one-way hash function and R_c is the second random number.
Step 403: The terminal sends the first authentication parameter to the authentication server. The first authentication parameter comprises the registration identity, parameter M_2 and parameter M_3, so that the authentication server can verify from it whether the terminal is valid.
Optionally, the terminal may also compute parameter M_t from parameter M_1 and the current timestamp with the sixth irreversible algorithm; the first authentication parameter then further comprises parameter M_t and the current timestamp.
The requirement on the sixth irreversible algorithm is that parameter M_1 cannot be derived from parameter M_t even when the current timestamp is known. For example, the terminal computes M_t = h(M_1 || t), where h(·) is the one-way hash function and t is the current timestamp.
Step 404: The authentication server receives the first authentication parameter sent by the terminal, generates parameter M_4 from the registration identity and the first random number with the second irreversible algorithm, generates parameter M_5 from parameter M_2 and parameter M_4 with the analytic algorithm corresponding to the first conversion algorithm, and generates parameter M_6 from parameter M_4 and parameter M_5 with the fourth irreversible algorithm.
For example, the authentication server computes parameter M_4 = h(ID_i || X_s), where h(·) is the one-way hash function, ID_i is the registration identity and X_s is the first random number.
For example, the authentication server computes parameter M_5 from parameter M_2 and parameter M_4 with the analytic algorithm corresponding to the first conversion algorithm; when the terminal's parameter M_1 equals parameter M_4, parameter M_5 is the second random number.
For example, the authentication server computes parameter M_6 = h(M_4 || M_5), where h(·) is the one-way hash function.
Optionally, when the first authentication parameter also includes parameter M_t and the current timestamp, the authentication server, before generating parameter M_5, additionally computes its own value of parameter M_t from parameter M_4 and the received timestamp with the sixth irreversible algorithm. After determining that this value equals the received parameter M_t, it reads the locally stored timestamp and checks whether the received timestamp is greater than the stored one; if so, it replaces the stored timestamp with the received timestamp. If the two values of parameter M_t are not equal, or the received timestamp is not greater than the stored timestamp, the authentication server concludes that it is the target of a replay attack and terminates the mutual authentication.
Step 405: If parameter M_3 equals parameter M_6, the authentication server determines that the identity of the terminal is valid, generates a third random number, generates parameter M_7 from parameter M_4 and the third random number with the second conversion algorithm, and generates parameter M_8 from parameter M_4, parameter M_5 and the third random number with the fifth irreversible algorithm.
The requirements on the second conversion algorithm are: (1) neither parameter M_4 nor the third random number can be derived from parameter M_7; (2) if parameter M_4 is known, the third random number can be obtained from parameter M_7 with the analytic algorithm corresponding to the second conversion algorithm.
The requirements on the fifth irreversible algorithm are: (1) M_8 ≠ M_7; (2) parameter M_4, parameter M_5 and the third random number cannot be derived from parameter M_8; (3) even if parameter M_7 is known, parameter M_4, parameter M_5 and the third random number cannot be derived from parameter M_8; (4) even if any two of parameter M_4, parameter M_5 and the third random number are known, the remaining one cannot be derived from parameter M_8.
For example, the authentication server computes parameter M_7 from parameter M_4 and the third random number with the second conversion algorithm, where h(·) is the one-way hash function and R_s is the third random number.
For example, the authentication server computes parameter M_8 = h(M_4 || M_5 || R_s), where h(·) is the one-way hash function and R_s is the third random number.
Step 406: The authentication server sends the second authentication parameter to the terminal. The second authentication parameter comprises parameter M_7 and parameter M_8, so that the terminal can determine from it whether the authentication server is valid.
Step 407: The terminal receives the second authentication parameter returned by the authentication server, computes parameter M_9 from parameter M_7 and parameter M_1 with the analytic algorithm corresponding to the second conversion algorithm, computes parameter M_10 from parameter M_1, parameter M_9 and the second random number with the fifth irreversible algorithm, and, if parameter M_10 equals parameter M_8, determines that the identity of the authentication server is valid.
For example, the terminal computes parameter M_9 from parameter M_7 and parameter M_1 with the analytic algorithm corresponding to the second conversion algorithm, where h(·) is the one-way hash function and R_c is the second random number; when parameter M_1 equals parameter M_4, parameter M_9 is the third random number.
For example, the terminal computes parameter M_10 = h(M_1 || R_c || M_9), where h(·) is the one-way hash function and R_c is the second random number.
Optionally, after the terminal and the authentication server have completed mutual authentication, each of them computes a session key, and the two session keys are equal: the terminal computes the session key from the second random number, parameter M_1 and parameter M_9, and the authentication server computes it from parameter M_4, parameter M_5 and the third random number.
In the method provided by this embodiment, after the terminal has determined that the login password and the login biometric are valid, mutual authentication is carried out between the terminal and the authentication server. Because the algorithm that computes parameter M_3 differs from the algorithm that computes parameter M_8, an attacker who intercepts parameters M_7 and M_8 and replays them as parameters M_2 and M_3 in a login attempt is detected by the authentication server as soon as it processes the first authentication parameter. The authentication is therefore completed in only two message exchanges, which reduces the number of steps of the mutual authentication.
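The exchange of Steps 401 through 407, including the optional timestamp check of Step 404, the session key, and the impersonation attempt discussed in the preceding paragraph, modelled end to end in Python as an added example (this is not the patent's own implementation). The text leaves several choices open and the model fills them with labelled assumptions: h(·) is SHA-256 over length-prefixed inputs, the first and second conversion algorithms are XOR with a 32-byte random value, e_i is r_i XOR h(PW_i || B_i), the server keeps the last accepted timestamp per registered identity, and the session key is h("sk" || r_i || R_c || R_s), which both sides can form from what they hold. The identity, password and biometric template are constructed byte strings.

```python
"""Steps 401-407 with the optional timestamp check and the session key (added model).
Assumptions not fixed by the text: h() = SHA-256 over length-prefixed parts; the first and
second conversion algorithms are XOR with a 32-byte random value and e_i = r_i XOR h(PW_i||B_i);
the server stores the last accepted timestamp per identity; session key = h("sk"||r_i||R_c||R_s)."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...); parts are length-prefixed so the split is unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Conversion algorithm: hides both inputs, yet a holder of one recovers the other."""
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))


def registration_center_issue(id_i: bytes, x_s: bytes, pw_i: bytes, b_i: bytes) -> bytes:
    """r_i = h(ID_i || X_s) (second irreversible algorithm), then e_i from PW_i, B_i and r_i
    (third irreversible algorithm; the XOR form is assumed and meets the stated requirement)."""
    r_i = h(id_i, x_s)
    return xor(r_i, h(pw_i, b_i))


def terminal_first_message(id_i: bytes, e_i: bytes, pw_login: bytes, b_recovered: bytes,
                           t_now: Optional[int] = None) -> Tuple[Dict, Tuple[bytes, bytes]]:
    """Steps 401-403: returns the first authentication parameter and the terminal's state."""
    m1 = xor(e_i, h(pw_login, b_recovered))   # equals r_i only for the right password/biometric
    r_c = secrets.token_bytes(32)             # second random number
    msg = {"id": id_i, "M2": xor(m1, r_c), "M3": h(m1, r_c)}
    if t_now is not None:                     # optional anti-replay fields Mt and t
        msg["Mt"], msg["t"] = h(m1, t_now.to_bytes(8, "big")), t_now
    return msg, (m1, r_c)


class AuthServer:
    """Steps 404-406; holds the first random number X_s shared with the registration center."""

    def __init__(self, x_s: bytes) -> None:
        self.x_s = x_s
        self.last_t: Dict[bytes, int] = {}    # last accepted timestamp per identity (assumed)

    def handle_first_message(self, msg: Dict) -> Optional[Tuple[Dict, bytes]]:
        m4 = h(msg["id"], self.x_s)                          # M4 = h(ID_i || X_s)
        if "Mt" in msg:                                      # timestamp check precedes M5
            if h(m4, msg["t"].to_bytes(8, "big")) != msg["Mt"]:
                return None                                  # Mt recomputed from M4 differs
            if msg["t"] <= self.last_t.get(msg["id"], 0):
                return None                                  # not newer than stored: replay
            self.last_t[msg["id"]] = msg["t"]
        m5 = xor(msg["M2"], m4)                              # recovers R_c when M1 == M4
        if h(m4, m5) != msg["M3"]:                           # M6 != M3: terminal rejected
            return None
        r_s = secrets.token_bytes(32)                        # third random number
        reply = {"M7": xor(m4, r_s), "M8": h(m4, m5, r_s)}   # M8 != M7 by construction
        return reply, h(b"sk", m4, m5, r_s)


def terminal_verify_server(state: Tuple[bytes, bytes], reply: Dict) -> Optional[bytes]:
    """Step 407: M9 recovers R_s, M10 is compared with M8, then the session key is derived."""
    m1, r_c = state
    m9 = xor(reply["M7"], m1)
    if h(m1, r_c, m9) != reply["M8"]:
        return None
    return h(b"sk", m1, r_c, m9)


def run_protocol(server: AuthServer, id_i: bytes, e_i: bytes, pw_login: bytes,
                 b_recovered: bytes, t_now: Optional[int] = None):
    """Full exchange; returns (terminal_key, server_key), with None where a side rejected."""
    msg, state = terminal_first_message(id_i, e_i, pw_login, b_recovered, t_now)
    out = server.handle_first_message(msg)
    if out is None:
        return None, None
    reply, sk_server = out
    return terminal_verify_server(state, reply), sk_server


def impersonation_rejected(server: AuthServer, id_i: bytes, e_i: bytes,
                           pw: bytes, b: bytes, t_now: int) -> bool:
    """The attack from the summary paragraph: an eavesdropper captures a genuine reply and
    sends (M7, M8) as (M2, M3). The server then derives M5 = R_s and M6 = h(M4 || R_s),
    which differs from M8 = h(M4 || R_c || R_s), so the fake login is rejected."""
    msg, _ = terminal_first_message(id_i, e_i, pw, b, t_now)
    out = server.handle_first_message(msg)                   # genuine session, eavesdropped
    if out is None:
        raise ValueError("genuine session rejected; use a fresh timestamp")
    fake = {"id": id_i, "M2": out[0]["M7"], "M3": out[0]["M8"]}
    return server.handle_first_message(fake) is None


if __name__ == "__main__":
    X_S = secrets.token_bytes(32)                            # shared by RC and server
    ID, PW, BIO = b"alice@example.com", b"correct horse", b"constructed-template"
    E_I = registration_center_issue(ID, X_S, PW, BIO)
    srv = AuthServer(X_S)
    k_t, k_s = run_protocol(srv, ID, E_I, PW, BIO, int(time.time()))
    print("mutual authentication succeeded, keys match:", k_t is not None and k_t == k_s)
```

The timestamp is stored only after its own hash check passes, so a message with a forged M_t cannot advance the stored value; a second message with an equal timestamp is then refused even when it is otherwise genuine, which is the replay behaviour the text describes.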
Embodiment six of the present invention provides an identity registration method in which the registration center receives the user's registration information and generates a biometric safety box. As shown in Fig. 6, the method of this embodiment may comprise the following steps:
Step 501: The registration center receives the registration information entered by the user. The registration information comprises a registration password and a registration biometric.
The identity and the registration password are set by the user: the identity may be an e-mail address, a QQ number or the like, and the registration password may be a combination of digits and letters, as simple or as complex as the user requires. The registration biometric may be a face, an iris, a fingerprint or another biometric.
Step 502: The registration center generates registration check information from the registration password and the registration biometric with a registration check algorithm.
Specifically, the registration center generates the registration check information from the registration password and the registration biometric with a first irreversible algorithm.
For example, the registration check information is computed with the formula f_i = h(PW || B_i), where h(·) is a one-way hash function, PW is the registration password, B_i is the registration biometric and f_i is the registration check information.
Step 503: The registration center generates a biometric safety box from the registration password and the registration biometric with a biometric encoding algorithm. The biometric safety box and the registration check information are to be supplied to the terminal so that the login password and login biometric entered by the user can be verified.
Specifically, this step comprises:
First, the registration center generates an L-variable polynomial from the registration password, L being a positive integer greater than or equal to 1.
When generating the L-variable polynomial, the registration center computes the polynomial coefficients from the registration password with a polynomial generation algorithm, for example by taking each element of the registration password as a coefficient, or by multiplying each element of the registration password by a preset factor and taking the product as a coefficient; the present invention does not limit the polynomial generation algorithm. The polynomial generation algorithm used by the registration center is the same as the one used by the terminal during authentication, so that if the registration password and the login password are identical, the polynomial generated by the registration center at registration is identical to the polynomial generated by the terminal at authentication.
Second, the registration center divides the registration biometric into feature subvectors of length L and generates a true data point pair for each feature subvector, the first parameter of the true data point pair being the feature subvector and the second parameter being the projection value of the feature subvector on the L-variable polynomial.
The registration center divides the registration biometric into K feature subvectors of length L, denoted b_j, j = 1, 2, ..., K, zero-padding when the length of the registration biometric is insufficient. For each feature subvector the registration center computes its projection value on the polynomial and forms a true data point pair whose first parameter is the feature subvector and whose second parameter is that projection value.
Third, the registration center generates interference data point pairs. The first parameter of an interference data point pair is a vector of length L, and the projection value of that first parameter on the L-variable polynomial is not equal to the second parameter of the interference data point pair.
The first parameter of an interference data point pair may be any value, but its second parameter must differ from the projection value of its first parameter on the polynomial.
Fourth, the registration center mixes the true data point pairs corresponding to the feature subvectors with the interference data point pairs to generate the biometric safety box.
Normally the number of true data point pairs is smaller than the number of interference data point pairs: the more interference data point pairs there are, the higher the security of the system, but a larger number of interference data point pairs also increases the amount of computation needed to recover the biometric from the biometric safety box, so the number of interference data point pairs should be chosen with both considerations in mind.
After the registration center has generated the biometric safety box and the registration check information, they may be stored on the dedicated device or on the smart card issued to the user. The user can then log in directly on the dedicated device, or insert the smart card into a shared device and log in there, in which case the biometric safety box and the registration check information are read from the smart card at login.
Optionally, the registration information entered by the user in Step 501 also includes a registration identity, and the identity registration method may further comprise the following steps: the registration center generates a first random number, which is shared between the registration center and the authentication server; the registration center computes the mutual authentication parameter from the first random number and the registration identity with the second irreversible algorithm, and then computes parameter e_i from the registration biometric, the registration password and the mutual authentication parameter with the third irreversible algorithm; parameter e_i is to be supplied to the terminal for mutual authentication between the terminal and the authentication server.
The requirement on the second irreversible algorithm is that neither the first random number nor the registration identity can be derived from the mutual authentication parameter. The requirements on the third irreversible algorithm are that the mutual authentication parameter, the registration biometric and the registration password cannot be derived from parameter e_i, while a legitimate user can, during authentication, derive the mutual authentication parameter from parameter e_i using the registration biometric and the registration password.
For example, the registration center computes the mutual authentication parameter from the first random number and the registration identity with the function r_i = h(ID_i || X_s), where h(·) is a one-way hash function, ID_i is the registration identity, X_s is the first random number and r_i is the mutual authentication parameter.
For example, the registration center computes parameter e_i from the registration biometric, the registration password and the mutual authentication parameter with a function built on the one-way hash function h(·), where PW_i is the registration password, B_i is the registration biometric and r_i is the mutual authentication parameter.
In the identity registration method provided by this embodiment, the registration center receives the registration password and registration biometric entered by the user, generates registration check information from them with the registration check algorithm, and generates a biometric safety box from them with the biometric encoding algorithm. Binding the registration biometric to the registration password and storing it in encoded form in the biometric safety box improves the security of the biometric. The biometric safety box is stored on the terminal so that the terminal can use it to verify the user during identity authentication.
Fig. 7 is a structural diagram of an authentication system provided by an embodiment of the present invention. As shown in Fig. 7, the authentication system of this embodiment comprises a terminal 61 and an authentication server 62. The terminal 61 is described in detail in the embodiments of Fig. 1 and Fig. 2 and can perform the methods of the embodiments of Fig. 4 and Fig. 5; the authentication server 62 can perform the method of the embodiment of Fig. 5.
The terminal in the embodiments of the present invention may be implemented on a computer system. As shown in Fig. 8, the terminal of this embodiment comprises a processor 71, a memory 72 and a communication interface 73. The processor 71 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC) or the like; the memory 72 may comprise random access memory (RAM), read-only memory (ROM), a magnetic disk or any other entity with a storage function. This embodiment may further comprise a bus 74, through which the processor 71, the memory 72 and the communication interface 73 are connected and communicate.
In this embodiment the communication interface 73 is configured to receive the login information entered by the user, which comprises a login password and a login biometric. The processor 71 is configured to perform the following operations: obtain the biometric safety box, which was generated with the biometric encoding algorithm from the registration biometric and the registration password entered at user registration; extract a recovered biometric from the biometric safety box with the biometric decoding algorithm according to the login password and the login biometric; obtain the registration check information, which was generated with the registration check algorithm from the registration password and the registration biometric; generate login check information with the registration check algorithm from the login password and the recovered biometric; and, if the registration check information and the login check information are equal, determine that the login password and the login biometric are valid.
The processor 71 extracts the recovered biometric from the biometric safety box with the biometric decoding algorithm according to the login password and the login biometric as follows: it generates an L-variable polynomial from the login password, L being a positive integer greater than or equal to 1; it divides the login biometric into feature subvectors of length L; for each feature subvector, it computes the projection z of the feature subvector on the L-variable polynomial and selects at least one alternative point pair from the biometric safety box, where the first parameter of an alternative point pair is a vector of length L, its second parameter is the projection of that first parameter on the L-variable polynomial, and the distance between the first parameter of the alternative point pair and the feature subvector is less than a preset distance threshold; it selects from the alternative point pairs the target point pair whose second parameter is closest to z, and takes the first parameter of the target point pair as the recovered feature subvector corresponding to the feature subvector; finally, it combines the recovered feature subvectors corresponding to the feature subvectors into the recovered biometric.
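The biometric safety box of Steps 502 and 503, the terminal-side decoding described for the processor 71 above, and the registration check of Step 502, as one added runnable model in Python (example code, not the patent's own implementation). Choices the text leaves open are filled with labelled assumptions: features are 8-bit integers, distances are Euclidean, h(·) is SHA-256, and the L-variable polynomial is the degree-one form p(x) = c_1·x_1 + ... + c_L·x_L whose coefficients are the registration password bytes, one instance of the text's polynomial generation algorithm. The feature vectors are constructed.

```python
"""Biometric safety box (Steps 502-503) and its decoding at the terminal (added model).
Assumptions not fixed by the text: 8-bit integer features, Euclidean distance, h() = SHA-256,
and the L-variable polynomial p(x) = sum_k c_k * x_k with c_k taken from the password bytes."""
import hashlib
import hmac
import math
import random
from typing import Callable, List, Optional, Tuple

Vector = Tuple[int, ...]
Point = Tuple[Vector, int]          # (first parameter, second parameter)


def password_polynomial(password: bytes, L: int) -> Callable[[Vector], int]:
    """L-variable polynomial from the password: coefficient k is password byte k (cycled)."""
    coeffs = [password[k % len(password)] for k in range(L)]
    return lambda x: sum(c * v for c, v in zip(coeffs, x))


def split_features(features: List[int], L: int) -> List[Vector]:
    """Split into K subvectors of length L, zero-padding when the length is not a multiple."""
    padded = list(features) + [0] * (-len(features) % L)
    return [tuple(padded[i:i + L]) for i in range(0, len(padded), L)]


def registration_check(password: bytes, features: List[int]) -> bytes:
    """f_i = h(PW || B_i) with h = SHA-256 (the first irreversible algorithm)."""
    return hashlib.sha256(password + b"\x00" + bytes(features)).digest()


def encode_vault(password: bytes, features: List[int], L: int, n_chaff: int,
                 rng: random.Random, value_range: int = 256) -> List[Point]:
    """Step 503: true pairs (b_j, p(b_j)) mixed with interference pairs whose second
    parameter deliberately differs from p(first parameter)."""
    p = password_polynomial(password, L)
    true_points: List[Point] = [(b, p(b)) for b in split_features(features, L)]
    y_max = p((value_range - 1,) * L)          # largest value p takes on 8-bit inputs
    chaff: List[Point] = []
    while len(chaff) < n_chaff:
        c = tuple(rng.randrange(value_range) for _ in range(L))
        y = rng.randrange(y_max + 1)
        if y != p(c):                           # second parameter must not be the projection
            chaff.append((c, y))
    vault = true_points + chaff
    rng.shuffle(vault)
    return vault


def decode_vault(password: bytes, login_features: List[int], vault: List[Point],
                 L: int, threshold: float) -> Optional[List[int]]:
    """Terminal side: for each login subvector take the vault points within the distance
    threshold as alternative pairs, pick the one whose second parameter is closest to
    z = p(subvector), and use its first parameter as the recovered subvector."""
    p = password_polynomial(password, L)
    recovered: List[int] = []
    for b in split_features(login_features, L):
        z = p(b)
        candidates = [pt for pt in vault if math.dist(pt[0], b) < threshold]
        if not candidates:
            return None                         # nothing close enough: decoding fails
        best = min(candidates, key=lambda pt: abs(pt[1] - z))
        recovered.extend(best[0])
    return recovered


def register(password: bytes, features: List[int], L: int = 4, n_chaff: int = 200,
             seed: Optional[int] = None) -> Tuple[List[Point], bytes]:
    """Steps 502-503: returns (biometric safety box, registration check information).
    A seed gives a reproducible vault for demonstration; real use leaves it None."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    padded = [v for sub in split_features(features, L) for v in sub]
    return encode_vault(password, padded, L, n_chaff, rng), registration_check(password, padded)


def login(password: bytes, login_features: List[int], vault: List[Point], f_i: bytes,
          L: int = 4, threshold: float = 3.0) -> bool:
    """Terminal verification: decode, recompute h(PW' || B') and compare with f_i."""
    recovered = decode_vault(password, login_features, vault, L, threshold)
    if recovered is None:
        return False
    return hmac.compare_digest(registration_check(password, recovered), f_i)


if __name__ == "__main__":
    B = [120, 35, 200, 77, 9, 140, 61, 250, 18, 99]         # constructed 10-feature template
    B_NOISY = [121, 34, 200, 78, 9, 141, 60, 249, 18, 98]   # same user, small sensor noise
    vault, f_i = register(b"s3cret", B, seed=1)
    print(login(b"s3cret", B_NOISY, vault, f_i), login(b"wrong", B_NOISY, vault, f_i))
```

With the correct password and a slightly perturbed biometric the decoder returns the registered template and the check passes; with a wrong password the decoder still selects the genuine points, because the candidate set depends only on distance, but h(PW' || B') no longer matches f_i; with an unrelated biometric no point lies within the threshold and decoding fails. One caution a practitioner should add to the text's "any value" for interference points: chaff drawn uniformly from the whole feature range is statistically separable from genuine feature subvectors, so interference pairs should be drawn from the same distribution as real features, otherwise a holder of the safety box can pick out the true points without the password.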
After the terminal has determined that the login password and the login biometric are valid, the processor 71 is further configured to: obtain parameter e_i, parameter e_i having been computed by first computing the mutual authentication parameter with the second irreversible algorithm from the first random number and the registration identity entered at user registration, and then computing parameter e_i with the third irreversible algorithm from the registration biometric, the registration password and the mutual authentication parameter; apply the analytic algorithm corresponding to the third irreversible algorithm to parameter e_i, the login password and the recovered biometric to obtain parameter M_1; generate a second random number; compute parameter M_2 from the second random number and parameter M_1 with the first conversion algorithm, and compute parameter M_3 from the second random number and parameter M_1 with the fourth irreversible algorithm.
After the processor 71 has generated the first authentication parameter, the communication interface 73 performs the following operations: send the first authentication parameter, comprising the registration identity, parameter M_2 and parameter M_3, to the authentication server so that the authentication server can verify from it whether the terminal is valid; and receive the second authentication parameter returned by the authentication server, comprising parameter M_7 and parameter M_8, which the authentication server generates after it has verified the terminal as valid from the first authentication parameter, where M_7 is computed from the third random number and the mutual authentication parameter with the second conversion algorithm and M_8 is computed from the third random number, the mutual authentication parameter and the second random number with the fifth irreversible algorithm. The processor 71 is further configured to: compute parameter M_9 from parameter M_7 and parameter M_1 with the analytic algorithm corresponding to the second conversion algorithm; compute parameter M_10 from parameter M_1, parameter M_9 and the second random number with the fifth irreversible algorithm; and, if parameter M_10 equals parameter M_8, determine that the identity of the authentication server is valid.
The terminal of this embodiment can be used to perform the terminal-side steps described in the embodiments corresponding to Fig. 4 and Fig. 5; they are not repeated here.
The registration center in the embodiments of the present invention may be implemented on a computer system. As shown in Fig. 9, the registration center of this embodiment comprises a processor 81, a memory 82 and a communication interface 83. The processor 81 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC) or the like; the memory 82 may comprise random access memory (RAM), read-only memory (ROM), a magnetic disk or any other entity with a storage function. This embodiment may further comprise a bus 84, through which the processor 81, the memory 82 and the communication interface 83 are connected and communicate.
In this embodiment the communication interface 83 is configured to receive the registration information entered by the user, which comprises a registration password and a registration biometric. The processor 81 is configured to perform the following operations: generate registration check information from the registration password and the registration biometric with the registration check algorithm; and generate a biometric safety box from the registration password and the registration biometric with the biometric encoding algorithm, the biometric safety box and the registration check information being supplied to the terminal so that the login password and login biometric entered by the user can be verified.
The processor 81 generates the registration check information from the registration password and the registration biometric with the registration check algorithm as follows: it generates the registration check information from the registration password and the registration biometric with the first irreversible algorithm.
The processor 81 generates the biometric safety box from the registration password and the registration biometric with the biometric encoding algorithm as follows: it generates an L-variable polynomial from the registration password, L being a positive integer greater than or equal to 1; it divides the registration biometric into feature subvectors of length L; for each feature subvector it generates a true data point pair whose first parameter is the feature subvector and whose second parameter is the projection value of the feature subvector on the L-variable polynomial; it generates interference data point pairs, the first parameter of an interference data point pair being a vector of length L whose projection value on the L-variable polynomial is not equal to the second parameter of that interference data point pair; and it mixes the true data point pairs corresponding to the feature subvectors with the interference data point pairs to generate the biometric safety box.
Optionally, the number of true data point pairs is smaller than the number of interference data point pairs.
Optionally, the registration information also includes a registration identity, and the processor 81 is further configured to: generate a first random number, which is shared between the registration center and the authentication server; compute the mutual authentication parameter from the first random number and the registration identity with the second irreversible algorithm; and then compute parameter e_i from the registration biometric, the registration password and the mutual authentication parameter with the third irreversible algorithm, parameter e_i being supplied to the terminal for mutual authentication between the terminal and the authentication server.
The registration center of this embodiment can be used to perform the registration-center steps described in the embodiment corresponding to Fig. 6; they are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the above embodiments merely illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without causing the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (40)

  1. A terminal, characterized in that it comprises:
    a receiving module, configured to receive login information entered by a user, the login information comprising a login password and a login biometric;
    an acquisition module, configured to obtain a biometric safety box, the biometric safety box having been generated with a biometric encoding algorithm from the registration biometric and the registration password entered when the user registered;
    an extraction module, configured to extract a recovered biometric from the biometric safety box with a biometric decoding algorithm according to the login password and the login biometric;
    the acquisition module being further configured to obtain registration check information, the registration check information having been generated with a registration check algorithm from the registration password and the registration biometric;
    a computing module, configured to generate login check information with the registration check algorithm from the login password and the recovered biometric;
    a verification module, configured to determine that the login password and the login biometric are valid when the registration check information and the login check information are equal.
  2. The terminal according to claim 1, characterized in that the computing module, in generating the login check information with the registration check algorithm from the login password and the recovered biometric, is configured to generate the login check information with a first irreversible algorithm from the login password and the recovered biometric.
  3. The terminal according to claim 2, characterized in that, when the computing module generates the login check information with the first irreversible algorithm from the login password and the recovered biometric, it specifically computes the login check information f_i' as the one-way hash function h(·) applied to the login password PW_i' concatenated with the recovered biometric, in the same way as the registration check information is computed from the registration password and the registration biometric.
  4. The terminal according to any one of claims 1 to 3, characterized in that the extraction module, in extracting the recovered biometric from the biometric safety box with the biometric decoding algorithm according to the login password and the login biometric, is specifically configured to: generate an L-variable polynomial from the login password, L being a positive integer greater than or equal to 1;
    divide the login biometric into feature subvectors of length L;
    for each feature subvector, compute the projection z of the feature subvector on the L-variable polynomial and select at least one alternative point pair from the biometric safety box, the first parameter of an alternative point pair being a vector of length L, its second parameter being the projection of that first parameter on the L-variable polynomial, and the distance between the first parameter of the alternative point pair and the feature subvector being less than a preset distance threshold; select from the alternative point pairs the target point pair whose second parameter is closest to z, and take the first parameter of the target point pair as the recovered feature subvector corresponding to the feature subvector;
    combine the recovered feature subvectors corresponding to the feature subvectors into the recovered biometric.
  5. The terminal according to any one of claims 1 to 3, characterised in that:
    the login information further comprises a login identity identifier;
    in obtaining the biometric vault, the acquisition module is specifically configured to obtain the biometric vault corresponding to the login identity identifier.
  6. The terminal according to any one of claims 1 to 3, characterised in that it further comprises a sending module;
    after the verification module determines that the login password and the login biometric are valid, the acquisition module is further configured to:
    obtain a parameter e_i, the parameter e_i having been calculated from the registration biometric, the registration password and a mutual authentication parameter using a third irreversible algorithm, after the mutual authentication parameter was calculated from a first random number and the registration identity identifier entered at user registration using a second irreversible algorithm;
    the computing module is further configured to:
    calculate a parameter M_1 from the parameter e_i, the login password and the recovered biometric using the inverse algorithm corresponding to the third irreversible algorithm; after generating a second random number, calculate a parameter M_2 from the second random number and the parameter M_1 using a first transformation algorithm, and calculate a parameter M_3 from the second random number and the parameter M_1 using a fourth irreversible algorithm;
    the sending module is configured to send first authentication parameters to an authentication server so that the authentication server verifies from the first authentication parameters whether the terminal is valid, the first authentication parameters comprising the registration identity identifier, the parameter M_2 and the parameter M_3;
    the receiving module is further configured to receive second authentication parameters returned by the authentication server, the second authentication parameters comprising a parameter M_7 and a parameter M_8 and having been generated by the authentication server after it verified the terminal as valid from the first authentication parameters, where the parameter M_7 is calculated from a third random number and the mutual authentication parameter using a second transformation algorithm, and the parameter M_8 is calculated from the third random number, the mutual authentication parameter and the second random number using a fifth irreversible algorithm;
    the computing module is further configured to calculate a parameter M_9 from the parameter M_7 and the parameter M_1 using the inverse algorithm corresponding to the second transformation algorithm, and to calculate a parameter M_10 from the parameter M_1, the parameter M_9 and the second random number using the fifth irreversible algorithm;
    the verification module is further configured to determine that the identity of the authentication server is valid if the parameter M_10 and the parameter M_8 are equal.
  7. The terminal according to claim 6, characterised in that, in calculating the parameter M_1 from the parameter e_i, the login password and the recovered biometric using the inverse algorithm corresponding to the third irreversible algorithm, the computing module specifically:
    uses the formula [formula not reproduced] to calculate the parameter M_1 from the parameter e_i, the login password and the recovered biometric, where h() is a one-way hash function, the parameter PW_i' is the login password and the remaining parameter is the recovered biometric.
  8. The terminal according to claim 6, characterised in that, in calculating the parameter M_2 from the second random number and the parameter M_1 using the first transformation algorithm and calculating the parameter M_3 from the second random number and the parameter M_1 using the fourth irreversible algorithm, the computing module specifically:
    uses the formula [formula not reproduced] to calculate the parameter M_2 from the second random number and the parameter M_1, and uses the formula M_3 = h(M_1||R_c) to calculate the parameter M_3 from the second random number and the parameter M_1, where h() is a one-way hash function and the parameter R_c is the second random number;
    and in calculating the parameter M_9 from the parameter M_7 and the parameter M_1 using the inverse algorithm corresponding to the second transformation algorithm and calculating the parameter M_10 from the parameter M_1, the parameter M_9 and the second random number using the fifth irreversible algorithm, the computing module specifically:
    uses the formula [formula not reproduced] to calculate the parameter M_9 from the parameter M_7 and the parameter M_1, and uses the formula M_10 = h(M_1||R_c||M_9) to calculate the parameter M_10 from the parameter M_1, the parameter M_9 and the second random number, where h() is a one-way hash function and the parameter R_c is the second random number.
  9. The terminal according to claim 6, characterised in that, before the sending module sends the first authentication parameters to the authentication server, the computing module is further configured to:
    calculate a parameter M_t from the parameter M_1 and a current timestamp using a sixth irreversible algorithm;
    the first authentication parameters further comprising the parameter M_t and the current timestamp.
  10. The terminal according to claim 9, characterised in that, in calculating the parameter M_t from the parameter M_1 and the current timestamp using the sixth irreversible algorithm, the computing module is specifically configured to:
    use the formula M_t = h(M_1||t) to calculate the parameter M_t from the parameter M_1 and the current timestamp, where h() is a one-way hash function and the parameter t is the current timestamp.
  11. A registration center, characterised in that it comprises:
    a receiving module, configured to receive registration information entered by a user, the registration information comprising a registration password and a registration biometric;
    a computing module, configured to generate registration check information from the registration password and the registration biometric using a registration check algorithm;
    a generation module, configured to generate a biometric vault from the registration password and the registration biometric using a biometric encoding algorithm, the biometric vault and the registration check information being intended to be supplied to a terminal so that the terminal can verify the login password and the login biometric entered by the user.
  12. The registration center according to claim 11, characterised in that the computing module is specifically configured to:
    generate the registration check information from the registration password and the registration biometric using a first irreversible algorithm.
  13. The registration center according to claim 12, characterised in that, in generating the registration check information from the registration password and the registration biometric using the first irreversible algorithm, the computing module is specifically configured to:
    use the formula f_i = h(PW||B_i) to calculate the registration check information from the registration password and the registration biometric, where h() is a one-way hash function, the parameter PW is the registration password, the parameter B_i is the registration biometric and the parameter f_i is the registration check information.
  14. The registration center according to any one of claims 11 to 13, characterised in that, in generating the biometric vault from the registration password and the registration biometric using the biometric encoding algorithm, the generation module is specifically configured to: generate an L-variable polynomial from the registration password, L being a positive integer greater than or equal to 1;
    divide the registration biometric into feature sub-vectors of length L;
    for each feature sub-vector, generate a genuine data point pair, the first parameter of the genuine data point pair being the feature sub-vector and its second parameter being the projection value of the feature sub-vector on the L-variable polynomial;
    generate interference (chaff) data point pairs, the first parameter of an interference data point pair being a vector of length L, and the projection value of that first parameter on the L-variable polynomial being unequal to the value of the second parameter of the interference data point pair;
    mix the genuine data point pairs corresponding to the feature sub-vectors with the interference data point pairs to generate the biometric vault.
  15. The registration center according to claim 14, characterised in that, in generating the genuine data point pair for each feature sub-vector, the generation module further ensures that the number of genuine data point pairs is less than the number of interference data point pairs.
  16. The registration center according to any one of claims 11 to 13, characterised in that the registration information further comprises a registration identity identifier, and the computing module is further configured to:
    generate a first random number, the first random number being shared between the registration center and an authentication server;
    after calculating a mutual authentication parameter from the first random number and the registration identity identifier using a second irreversible algorithm, calculate a parameter e_i from the registration biometric, the registration password and the mutual authentication parameter using a third irreversible algorithm, the parameter e_i being intended to be supplied to the terminal for mutual verification between the terminal and the authentication server.
  17. The registration center according to claim 16, characterised in that, in calculating the mutual authentication parameter from the first random number and the registration identity identifier using the second irreversible algorithm, the computing module is specifically configured to:
    use the function r_i = h(ID_i||X_s) to calculate the mutual authentication parameter from the first random number and the registration identity identifier, where h() is a one-way hash function, the parameter ID_i is the registration identity identifier, the parameter X_s is the first random number and the parameter r_i is the mutual authentication parameter;
    and in calculating the parameter e_i from the registration biometric, the registration password and the mutual authentication parameter using the third irreversible algorithm, the computing module is specifically configured to:
    use the function [formula not reproduced] to calculate the parameter e_i from the registration biometric, the registration password and the mutual authentication parameter, where h() is a one-way hash function, the parameter PW_i is the registration password, the parameter B_i is the registration biometric and the parameter r_i is the mutual authentication parameter.
  18. An identity authentication method, characterised in that it comprises:
    a terminal receives login information entered by a user, the login information comprising a login password and a login biometric;
    the terminal obtains a biometric vault, the biometric vault having been generated using a biometric encoding algorithm from the registration biometric and the registration password entered at user registration;
    the terminal extracts a recovered biometric from the biometric vault from the login password and the login biometric using a biometric decoding algorithm;
    the terminal obtains registration check information, the registration check information having been generated from the registration password and the registration biometric using a registration check algorithm;
    the terminal generates login check information from the login password and the recovered biometric using the registration check algorithm;
    if the registration check information and the login check information are equal, the terminal determines that the login password and the login biometric are valid.
  19. The method according to claim 18, characterised in that the terminal generating the login check information from the login password and the recovered biometric using the registration check algorithm comprises:
    the terminal generates the login check information from the login password and the recovered biometric using a first irreversible algorithm.
  20. The method according to claim 19, characterised in that the terminal generating the login check information from the login password and the recovered biometric using the first irreversible algorithm is specifically: the terminal uses the formula [formula not reproduced] to calculate the login check information from the login password and the recovered biometric, where h() is a one-way hash function, PW_i' is the login password, the remaining operand is the recovered biometric, and f_i' is the login check information.
  21. The method according to any one of claims 18 to 20, characterised in that the terminal extracting the recovered biometric from the biometric vault from the login password and the login biometric using the biometric decoding algorithm comprises:
    the terminal generates an L-variable polynomial from the login password, L being a positive integer greater than or equal to 1;
    the terminal divides the login biometric into feature sub-vectors of length L;
    for each feature sub-vector, the terminal calculates the projection z of the feature sub-vector on the L-variable polynomial and selects at least one candidate point pair from the biometric vault, where the first parameter of a candidate point pair is a vector of length L, its second parameter is the projection of that first parameter on the L-variable polynomial, and the distance between the first parameter of the candidate point pair and the feature sub-vector is less than a preset distance threshold; the terminal selects from the candidate point pairs a target point pair, the target point pair being the candidate point pair whose second parameter is closest to z, and takes the first parameter of the target point pair as the recovered feature sub-vector corresponding to the feature sub-vector;
    the terminal combines the recovered feature sub-vectors corresponding to the feature sub-vectors into the recovered biometric.
  22. The method according to any one of claims 18 to 20, characterised in that:
    the login information further comprises a login identity identifier;
    the terminal obtaining the biometric vault is specifically the terminal obtaining the biometric vault corresponding to the login identity identifier.
  23. The method according to any one of claims 18 to 20, characterised in that, after the terminal determines that the login password and the login biometric are valid, the method further comprises:
    the terminal obtains a parameter e_i, the parameter e_i having been calculated from the registration biometric, the registration password and a mutual authentication parameter using a third irreversible algorithm, after the mutual authentication parameter was calculated from a first random number and the registration identity identifier entered at user registration using a second irreversible algorithm;
    the terminal calculates a parameter M_1 from the parameter e_i, the login password and the recovered biometric using the inverse algorithm corresponding to the third irreversible algorithm;
    the terminal generates a second random number;
    the terminal calculates a parameter M_2 from the second random number and the parameter M_1 using a first transformation algorithm, and calculates a parameter M_3 from the second random number and the parameter M_1 using a fourth irreversible algorithm;
    the terminal sends first authentication parameters to an authentication server so that the authentication server verifies from the first authentication parameters whether the terminal is valid, the first authentication parameters comprising the registration identity identifier, the parameter M_2 and the parameter M_3;
    the terminal receives second authentication parameters returned by the authentication server, the second authentication parameters comprising a parameter M_7 and a parameter M_8 and having been generated by the authentication server after it verified the terminal as valid from the first authentication parameters, where M_7 is calculated from a third random number and the mutual authentication parameter using a second transformation algorithm, and M_8 is calculated from the third random number, the mutual authentication parameter and the second random number using a fifth irreversible algorithm;
    the terminal calculates a parameter M_9 from the parameter M_7 and the parameter M_1 using the inverse algorithm corresponding to the second transformation algorithm, and calculates a parameter M_10 from the parameter M_1, the parameter M_9 and the second random number using the fifth irreversible algorithm;
    if the parameter M_10 and the parameter M_8 are equal, the terminal determines that the identity of the authentication server is valid.
  24. The method according to claim 23, characterised in that
    the terminal calculating the parameter M_1 from the parameter e_i, the login password and the recovered biometric using the inverse algorithm corresponding to the third irreversible algorithm is specifically: the terminal uses the formula [formula not reproduced] to calculate the parameter M_1 from the parameter e_i, the login password and the recovered biometric, where h() is a one-way hash function, the parameter PW_i' is the login password and the remaining parameter is the recovered biometric.
  25. The method according to claim 23, characterised in that
    the terminal calculating the parameter M_2 from the second random number and the parameter M_1 using the first transformation algorithm and calculating the parameter M_3 from the second random number and the parameter M_1 using the fourth irreversible algorithm is specifically: the terminal uses the formula [formula not reproduced] to calculate the parameter M_2 from the second random number and the parameter M_1, and uses the formula M_3 = h(M_1||R_c) to calculate the parameter M_3 from the second random number and the parameter M_1, where h() is a one-way hash function and the parameter R_c is the second random number;
    the terminal calculating the parameter M_9 from the parameter M_7 and the parameter M_1 using the inverse algorithm corresponding to the second transformation algorithm and calculating the parameter M_10 from the parameter M_1, the parameter M_9 and the second random number using the fifth irreversible algorithm is specifically: the terminal uses the formula [formula not reproduced] to calculate the parameter M_9 from the parameter M_7 and the parameter M_1, and uses the formula M_10 = h(M_1||R_c||M_9) to calculate the parameter M_10 from the parameter M_1, the parameter M_9 and the second random number, where h() is a one-way hash function and the parameter R_c is the second random number.
  26. The method according to claim 23, characterised in that, before the terminal sends the first authentication parameters to the authentication server, the method further comprises: the terminal calculates a parameter M_t from the parameter M_1 and a current timestamp using a sixth irreversible algorithm;
    the first authentication parameters further comprising the parameter M_t and the current timestamp.
  27. The method according to claim 26, characterised in that the terminal calculating the parameter M_t from the parameter M_1 and the current timestamp using the sixth irreversible algorithm is specifically: the terminal uses the formula M_t = h(M_1||t) to calculate the parameter M_t from the parameter M_1 and the current timestamp, where h() is a one-way hash function and the parameter t is the current timestamp.
  28. The method according to claim 23, characterised in that, after the terminal sends the first authentication parameters to the authentication server, the method further comprises:
    the authentication server receives the first authentication parameters sent by the terminal, the first authentication parameters comprising the registration identity identifier of the user, the parameter M_2 and the parameter M_3;
    the authentication server generates a parameter M_4 from the registration identity identifier and the first random number using the second irreversible algorithm;
    the authentication server generates a parameter M_5 from the parameter M_2 and the parameter M_4 using the inverse algorithm corresponding to the first transformation algorithm;
    the authentication server generates a parameter M_6 from the parameter M_4 and the parameter M_5 using the fourth irreversible algorithm;
    if the parameter M_3 and the parameter M_6 are equal, the authentication server determines that the identity of the terminal is valid;
    the authentication server generates the third random number, and generates the parameter M_7 from the parameter M_4 and the third random number using the second transformation algorithm;
    the authentication server generates the parameter M_8 from the parameter M_4, the parameter M_5 and the third random number using the fifth irreversible algorithm;
    the authentication server sends the second authentication parameters to the terminal so that the terminal determines from the second authentication parameters whether the authentication server is valid, the second authentication parameters comprising the parameter M_7 and the parameter M_8.
  29. The method according to claim 28, characterised in that the authentication server generating the parameter M_4 from the registration identity identifier and the first random number using the second irreversible algorithm is specifically: the authentication server uses the formula M_4 = h(ID_i||X_s) to calculate the parameter M_4 from the registration identity identifier and the first random number, where h() is a one-way hash function, the parameter ID_i is the registration identity identifier and the parameter X_s is the first random number;
    the authentication server generating the parameter M_5 from the parameter M_2 and the parameter M_4 using the inverse algorithm corresponding to the first transformation algorithm is specifically: the authentication server uses the formula [formula not reproduced] to calculate the parameter M_5 from the parameter M_2 and the parameter M_4;
    the authentication server generating the parameter M_6 from the parameter M_4 and the parameter M_5 using the fourth irreversible algorithm is specifically: the authentication server uses the formula M_6 = h(M_4||M_5) to calculate the parameter M_6 from the parameter M_4 and the parameter M_5, where h() is a one-way hash function.
  30. The method according to claim 28 or 29, characterised in that
    generating the parameter M_7 from the parameter M_4 and the third random number using the second transformation algorithm is specifically: using the formula [formula not reproduced] to calculate the parameter M_7 from the parameter M_4 and the third random number, where h() is a one-way hash function and the parameter R_s is the third random number;
    the authentication server generating the parameter M_8 from the parameter M_4, the parameter M_5 and the third random number using the fifth irreversible algorithm is specifically: the authentication server uses the formula M_8 = h(M_4||M_5||R_s) to calculate the parameter M_8 from the parameter M_4, the parameter M_5 and the third random number, where h() is a one-way hash function and the parameter R_s is the third random number.
  31. The method according to claim 28 or 29, characterised in that, when the first authentication parameters further comprise a current timestamp and a parameter M_t,
    before the authentication server generates the parameter M_5 from the parameter M_2 and the parameter M_4 using the inverse algorithm corresponding to the first transformation algorithm, the method further comprises:
    the authentication server generates a parameter [symbol not reproduced] from the parameter M_4 and the current timestamp using the sixth irreversible algorithm;
    after determining that this parameter and the parameter M_t are equal, the authentication server obtains the locally saved timestamp;
    and determines that the current timestamp is greater than the locally saved timestamp.
  32. The method according to claim 31, characterised in that the method further comprises: the authentication server replaces the locally saved timestamp with the current timestamp.
  33. An identity registration method, characterised in that it comprises:
    a registration center receives registration information entered by a user, the registration information comprising a registration password and a registration biometric;
    the registration center generates registration check information from the registration password and the registration biometric using a registration check algorithm;
    the registration center generates a biometric vault from the registration password and the registration biometric using a biometric encoding algorithm, the biometric vault and the registration check information being intended to be supplied to a terminal so that the terminal can verify the login password and the login biometric entered by the user.
  34. The method according to claim 33, characterised in that the registration center generating the registration check information from the registration password and the registration biometric using the registration check algorithm comprises:
    the registration center generates the registration check information from the registration password and the registration biometric using a first irreversible algorithm.
  35. The method according to claim 34, characterised in that the registration center generating the registration check information from the registration password and the registration biometric using the first irreversible algorithm is specifically: the registration center uses the formula f_i = h(PW||B_i) to calculate the registration check information from the registration password and the registration biometric, where h() is a one-way hash function, the parameter PW is the registration password, the parameter B_i is the registration biometric and the parameter f_i is the registration check information.
  36. The method according to any one of claims 33 to 35, characterised in that the registration center generating the biometric vault from the registration password and the registration biometric using the biometric encoding algorithm comprises:
    the registration center generates an L-variable polynomial from the registration password, L being a positive integer greater than or equal to 1;
    the registration center divides the registration biometric into feature sub-vectors of length L;
    for each feature sub-vector, the registration center generates a genuine data point pair, the first parameter of the genuine data point pair being the feature sub-vector and its second parameter being the projection value of the feature sub-vector on the L-variable polynomial;
    the registration center generates interference (chaff) data point pairs, the first parameter of an interference data point pair being a vector of length L, and the projection value of that first parameter on the L-variable polynomial being unequal to the value of the second parameter of the interference data point pair;
    the registration center mixes the genuine data point pairs corresponding to the feature sub-vectors with the interference data point pairs to generate the biometric vault.
  37. The method according to claim 36, characterised in that the number of genuine data point pairs is less than the number of interference data point pairs.
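The biometric encoding of claims 14, 15, 36 and 37, the decoding of claims 4 and 21, and the registration check of claims 13 and 35, as an added worked example in Python. This is not code from the patent or from Huawei: it instantiates the one-way hash h() with SHA-256, derives the L-variable polynomial from the password as a hash chain of quadratic coefficients, measures distance with the L1 norm, and uses constructed sample feature vectors, none of which the claims fix. It also exercises the two failure modes a verifier has to handle: a login biometric too far from every stored point (no candidate pair at all), and a wrong password (decoding still returns the enrolled vector, but the registration check then fails).

```python
import hashlib
import random
from typing import Callable, List, Optional, Tuple

Vector = Tuple[int, ...]
Point = Tuple[Vector, int]      # (first parameter, second parameter) of a data point pair

FEATURE_RANGE = 1000            # constructed: feature coordinates are ints in [0, 1000)
SUBVECTOR_LEN = 3               # L of the claims
THRESHOLD = 12                  # preset distance threshold (L1 norm), constructed
CHAFF_PER_GENUINE = 5           # claim 15/37: more chaff pairs than genuine pairs


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...) of the claims, instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def password_polynomial(password: bytes, L: int) -> Callable[[Vector], int]:
    """Derive an L-variable polynomial P from the password (claims 14/36).
    ASSUMPTION: coefficients come from a hash chain over the password and
    P(x) = c0 + sum_j (a_j * x_j^2 + b_j * x_j); the claims leave this open."""
    coeffs, seed = [], password
    for j in range(2 * L + 1):
        seed = h(seed, bytes([j]))
        coeffs.append(int.from_bytes(seed[:8], "big") % 1000 + 1)

    def P(v: Vector) -> int:
        acc = coeffs[0]
        for j, x in enumerate(v):
            acc += coeffs[1 + 2 * j] * x * x + coeffs[2 + 2 * j] * x
        return acc
    return P


def split(features: List[int], L: int) -> List[Vector]:
    """Cut the feature vector into sub-vectors of length L."""
    if len(features) % L:
        raise ValueError("feature length must be a multiple of L")
    return [tuple(features[k:k + L]) for k in range(0, len(features), L)]


def l1(a: Vector, b: Vector) -> int:
    return sum(abs(x - y) for x, y in zip(a, b))


def encode_vault(password: bytes, features: List[int], L: int,
                 chaff_per_genuine: int, rng: random.Random) -> List[Point]:
    """Claims 14-15 / 36-37: genuine pairs (v, P(v)) mixed with chaff pairs (w, y), y != P(w)."""
    P = password_polynomial(password, L)
    genuine = [(v, P(v)) for v in split(features, L)]
    chaff: List[Point] = []
    while len(chaff) < chaff_per_genuine * len(genuine):
        w = tuple(rng.randrange(FEATURE_RANGE) for _ in range(L))
        y = rng.randrange(10 ** 10)
        if y != P(w):                  # chaff second parameter must not lie on P
            chaff.append((w, y))
    vault = genuine + chaff
    rng.shuffle(vault)                 # "mix" the two kinds of pairs
    return vault


def decode_vault(password: bytes, login_features: List[int], vault: List[Point],
                 L: int, threshold: int) -> Optional[List[int]]:
    """Claims 4 / 21: pick, per sub-vector, the nearby pair whose second parameter is closest to z."""
    P = password_polynomial(password, L)
    recovered: List[int] = []
    for v in split(login_features, L):
        z = P(v)
        candidates = [p for p in vault if l1(p[0], v) < threshold]
        if not candidates:
            return None                # no pair near this sub-vector: recovery fails
        target = min(candidates, key=lambda p: abs(p[1] - z))
        recovered.extend(target[0])
    return recovered


def feature_bytes(features: List[int]) -> bytes:
    return ",".join(map(str, features)).encode()


def registration_check(password: bytes, features: List[int]) -> bytes:
    """Claims 13 / 35: f_i = h(PW || B_i)."""
    return h(password, feature_bytes(features))


def verify_login(password: bytes, login_features: List[int], vault: List[Point],
                 f_i: bytes, L: int, threshold: int) -> bool:
    """Terminal side of claims 1-4 / 18-21: recover B_i', compute f_i', compare with f_i."""
    recovered = decode_vault(password, login_features, vault, L, threshold)
    return recovered is not None and registration_check(password, recovered) == f_i


# Constructed sample data: enrolment vector, the same trait re-read with sensor noise, and an impostor.
REG_PASSWORD = b"correct horse battery"
REG_FEATURES = [120, 455, 873, 12, 640, 301, 999, 57, 488, 233, 760, 15]
LOGIN_FEATURES = [121, 453, 874, 13, 640, 299, 997, 58, 488, 235, 761, 14]
IMPOSTOR_FEATURES = [500] * 12


def build_demo() -> Tuple[List[Point], bytes]:
    """Registration center output: the vault and f_i handed to the terminal."""
    vault = encode_vault(REG_PASSWORD, REG_FEATURES, SUBVECTOR_LEN, CHAFF_PER_GENUINE, random.Random(7))
    return vault, registration_check(REG_PASSWORD, REG_FEATURES)
```

Two points worth noticing in the design: the genuine sub-vectors are stored in the vault in clear, so their protection rests entirely on the chaff ratio of claim 15 and on the distance threshold, and the check value f_i binds the password to the exact enrolled vector, which is why a wrong password is rejected even though decoding with it still returns the enrolled sub-vectors.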
  38. The method according to any one of claims 33 to 35, characterised in that the registration information further comprises a registration identity identifier, and the method further comprises:
    the registration center generates a first random number, the first random number being shared between the registration center and an authentication server;
    after calculating a mutual authentication parameter from the first random number and the registration identity identifier using a second irreversible algorithm, the registration center calculates a parameter e_i from the registration biometric, the registration password and the mutual authentication parameter using a third irreversible algorithm, the parameter e_i being intended to be supplied to the terminal for mutual verification between the terminal and the authentication server.
  39. The method according to claim 38, characterised in that the registration center calculating the mutual authentication parameter from the first random number and the registration identity identifier using the second irreversible algorithm is specifically: the registration center uses the function r_i = h(ID_i||X_s) to calculate the mutual authentication parameter from the first random number and the registration identity identifier, where h() is a one-way hash function, the parameter ID_i is the registration identity identifier, the parameter X_s is the first random number and the parameter r_i is the mutual authentication parameter;
    calculating the parameter e_i from the registration biometric, the registration password and the mutual authentication parameter using the third irreversible algorithm is specifically: using the function [formula not reproduced] to calculate the parameter e_i from the registration biometric, the registration password and the mutual authentication parameter, where h() is a one-way hash function, the parameter PW_i is the registration password, the parameter B_i is the registration biometric and the parameter r_i is the mutual authentication parameter.
  40. A kind of 40. Verification System, it is characterised in that including:Certificate server and such as any claim institute in claim 1-9 The terminal stated;
    The certificate server is used for after the terminal determines that the login password and the login biological characteristic are effective, connects The first parameters for authentication that the terminal is sent is received, first parameters for authentication includes:The enrollment status mark of user, parameter M2With Parameter M3;According to enrollment status mark and the first random number using the second non-reversible algorithm generation parameter M4;According to the ginseng Number M2With the parameter M4Use analytical algorithm generation parameter M corresponding with the first change scaling method5;According to the parameter M4And institute State parameter M5Use the 4th non-reversible algorithm generation parameter M6;If the parameter M3With the parameter M6It is equal, determine the end The identity at end is effective;The 3rd random number is generated, according to the parameter M4Become scaling method using second with the 3rd random number to give birth to Into parameter M7;According to the parameter M4, the parameter M5The 5th non-reversible algorithm generation parameter is used with the 3rd random number M8;Second parameters for authentication is sent to the terminal, so that the terminal determines the certification according to second parameters for authentication Whether server is effective, and second parameters for authentication includes:The parameter M7With the parameter M8
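Claims 38-40 fix only the hash r_i = h(ID_i || X_s) and leave the transformation algorithms and the e_i formula unspecified (the e_i formula is missing from the page text). The following is an added example for this page, not the patent's or Huawei's code, that runs the whole exchange with both sides as concrete Python. Its assumptions: h() is SHA-256 over byte concatenation; the first and second transformation algorithms are XOR with the shared value, so the corresponding inverse algorithm is XOR again; e_i = h(PW_i || B_i) XOR r_i; the fourth and fifth non-reversible algorithms are h() over the listed inputs; and the login biometric B_i is reproduced exactly (in the patent that is the job of the safety box). Identities, passwords and the feature template are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's own method. ASSUMPTIONS: h = SHA-256,
# transformations = XOR, e_i = h(PW_i||B_i) XOR r_i, exact biometric reproduction.


def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...) (assumed SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class RegistrationCenter:
    def __init__(self):
        self.x_s = secrets.token_bytes(32)      # first random number, shared with the server

    def register(self, id_i: bytes, pw_i: bytes, b_i: bytes) -> bytes:
        r_i = h(id_i, self.x_s)                  # claim 39: r_i = h(ID_i || X_s)
        return xor(h(pw_i, b_i), r_i)            # e_i handed to the terminal (assumed formula)


class Terminal:
    def __init__(self, id_i: bytes, e_i: bytes):
        self.id_i, self.e_i = id_i, e_i
        self.r_i = self.r_u = None

    def login_request(self, pw_i: bytes, b_i: bytes):
        # Precondition of claim 40: the terminal has already validated PW_i and B_i locally.
        self.r_i = xor(self.e_i, h(pw_i, b_i))   # recover r_i from e_i (inverse of assumed formula)
        self.r_u = secrets.token_bytes(32)       # terminal nonce
        m2 = xor(self.r_i, self.r_u)             # first transformation algorithm (assumed XOR)
        m3 = h(self.r_i, self.r_u)               # fourth non-reversible algorithm
        return self.id_i, m2, m3

    def verify_server(self, m7: bytes, m8: bytes) -> bool:
        r_s = xor(m7, self.r_i)                  # undo the second transformation
        return hmac.compare_digest(h(self.r_i, self.r_u, r_s), m8)


class AuthServer:
    def __init__(self, x_s: bytes):
        self.x_s = x_s                           # first random number shared by the registration center

    def handle(self, id_i: bytes, m2: bytes, m3: bytes):
        m4 = h(id_i, self.x_s)                   # second non-reversible algorithm
        m5 = xor(m2, m4)                         # inverse of the first transformation
        m6 = h(m4, m5)                           # fourth non-reversible algorithm
        if not hmac.compare_digest(m3, m6):
            return None                          # terminal identity invalid
        r_s = secrets.token_bytes(32)            # third random number
        m7 = xor(m4, r_s)                        # second transformation algorithm
        m8 = h(m4, m5, r_s)                      # fifth non-reversible algorithm
        return m7, m8


def run_handshake(pw_ok=True, tamper_m3=False, forge_server=False):
    """Run one exchange; returns (server accepted terminal, terminal accepted server)."""
    rc = RegistrationCenter()
    id_i, pw_i = b"user-42", b"correct horse"            # constructed identity and password
    b_i = b"\x01\x02\x03-constructed-feature-template"   # constructed biometric template
    e_i = rc.register(id_i, pw_i, b_i)
    terminal = Terminal(id_i, e_i)
    server = AuthServer(rc.x_s)

    # A thief holding e_i but not the password derives the wrong r_i.
    ident, m2, m3 = terminal.login_request(pw_i if pw_ok else b"wrong", b_i)
    if tamper_m3:
        m3 = bytes(32)                           # on-path modification of M3
    reply = server.handle(ident, m2, m3)
    if reply is None:
        return False, False
    m7, m8 = reply
    if forge_server:
        m7 = secrets.token_bytes(32)             # impersonator who does not know X_s
    return True, terminal.verify_server(m7, m8)


if __name__ == "__main__":
    print("honest run:", run_handshake())
    print("e_i without password:", run_handshake(pw_ok=False))
    print("tampered M3:", run_handshake(tamper_m3=True))
    print("forged server reply:", run_handshake(forge_server=True))
```

The server never learns PW_i or B_i; it only checks that whoever sent M2, M3 could derive r_i = h(ID_i || X_s), which requires both e_i and the password/biometric. Comparisons use hmac.compare_digest so M3 versus M6 and the terminal's check of M8 are constant-time. Note that a fresh X_s per registration center deployment is the only long-term secret on the server side, so its compromise lets an attacker impersonate the server to every terminal.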
CN201410160781.0A 2014-04-21 2014-04-21 A kind of identity registration, identity authentication method, equipment and system Expired - Fee Related CN103929425B (en)

Priority Applications (1)

Application Number: CN201410160781.0A (CN103929425B, en); Priority Date: 2014-04-21; Filing Date: 2014-04-21; Title: A kind of identity registration, identity authentication method, equipment and system

Applications Claiming Priority (1)

Application Number: CN201410160781.0A (CN103929425B, en); Priority Date: 2014-04-21; Filing Date: 2014-04-21; Title: A kind of identity registration, identity authentication method, equipment and system

Publications (2)

CN103929425A (en), published 2014-07-16
CN103929425B (en, granted), published 2017-12-01

Family

ID=51147502

Family Applications (1)

Application Number: CN201410160781.0A (CN103929425B, en), Expired - Fee Related; Priority Date: 2014-04-21; Filing Date: 2014-04-21; Title: A kind of identity registration, identity authentication method, equipment and system

Country Status (1)

Country Link
CN (1) CN103929425B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106709716A (en) * 2015-11-13 2017-05-24 航天信息股份有限公司 Method, device and system for PBOC transaction based on biometric encryption
CN105809112B (en) * 2016-02-29 2019-04-12 宇龙计算机通信科技(深圳)有限公司 Finger print information restoration methods, finger print information recovery device and terminal
US10637662B2 (en) * 2017-08-28 2020-04-28 International Business Machines Corporation Identity verification using biometric data and non-invertible functions via a blockchain
CN110391899B (en) * 2018-04-20 2022-04-29 武汉真元生物数据有限公司 Password generation method and system based on biological identification
CN109992942B (en) * 2019-01-03 2022-02-08 西安电子科技大学 Privacy protection face authentication method and system based on secret sharing and intelligent terminal
CN109775178B (en) * 2019-01-24 2021-11-09 四川奇奥超洁环保科技有限公司 Intelligent waste recycling method
CN114598454B (en) * 2020-12-03 2023-11-21 中移(成都)信息通信科技有限公司 Key generation and identity authentication method, device, equipment and computer storage medium
CN114422109A (en) * 2022-01-24 2022-04-29 平安国际智慧城市科技股份有限公司 Information encryption method, device, server and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN102413148A (en) * 2012-01-03 2012-04-11 西安电子科技大学 Biological characteristic remote authentication method based on visual codes
CN103368954A (en) * 2013-07-02 2013-10-23 山东科技大学 Smart card registration entry method based on password and biological characteristics

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1932278B1 (en) * 2005-09-29 2017-05-10 Koninklijke Philips N.V. Secure protection of biometric templates

Also Published As

Publication number Publication date
CN103929425A (en) 2014-07-16

Similar Documents

Publication Publication Date Title
CN103929425B (en) A kind of identity registration, identity authentication method, equipment and system
US10680808B2 (en) 1:N biometric authentication, encryption, signature system
US11824991B2 (en) Securing transactions with a blockchain network
US10728027B2 (en) One-time passcodes with asymmetric keys
Gunasinghe et al. PrivBioMTAuth: Privacy preserving biometrics-based and user centric protocol for user authentication from mobile phones
EP3532972B1 (en) Authentication method and system
US6845453B2 (en) Multiple factor-based user identification and authentication
US9646296B2 (en) Mobile-to-mobile transactions
US8478990B2 (en) Mobile transaction methods and devices with three-dimensional colorgram tokens
US9286466B2 (en) Registration and authentication of computing devices using a digital skeleton key
KR20180003113A (en) Server, device and method for authenticating user
CN108965222A (en) Identity identifying method, system and computer readable storage medium
CN109768983A (en) Dynamic and Multi dimensional personal identification method, apparatus and system based on block chain
CN105827571A (en) UAF (Universal Authentication Framework) protocol based multi-modal biological characteristic authentication method and equipment
Bisogni et al. ECB2: A novel encryption scheme using face biometrics for signing blockchain transactions
Martínez et al. Secure crypto-biometric system for cloud computing
US20070106903A1 (en) Multiple Factor-Based User Identification and Authentication
US10523654B1 (en) System and method to integrate secure and privacy-preserving biometrics with identification, authentication, and online credential systems
Nair et al. An approach to improve the match-on-card fingerprint authentication system security
EP3915221B1 (en) Offline interception-free interaction with a cryptocurrency network using a network-disabled device
Verma et al. A novel model to enhance the data security in cloud environment
CN108122108A (en) Mobile device authentication system and mobile equipment authentication method
Albahbooh et al. A mobile phone device as a biometrics authentication method for an ATM terminal
Gunasinghe et al. Privacy preserving biometrics-based and user centric authentication protocol
Kiran et al. Implementation of 3-Level Security System Using Image Grid Based Authentication System

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20171201)
CF01 Termination of patent right due to non-payment of annual fee