CN106411533B - The online fingerprint identification system and method for two-way secret protection - Google Patents

The online fingerprint identification system and method for two-way secret protection Download PDF

Info

Publication number
CN106411533B
CN106411533B CN201610987321.4A CN201610987321A CN106411533B CN 106411533 B CN106411533 B CN 106411533B CN 201610987321 A CN201610987321 A CN 201610987321A CN 106411533 B CN106411533 B CN 106411533B
Authority
CN
China
Prior art keywords
user
finger print
data
print identifying
user terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610987321.4A
Other languages
Chinese (zh)
Other versions
CN106411533A (en
Inventor
朱辉
魏晴
李晖
赵兴文
张亦文
温凯
王枫为
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shaanxi Songyuan Mingrui Information Technology Co ltd
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN201610987321.4A priority Critical patent/CN106411533B/en
Publication of CN106411533A publication Critical patent/CN106411533A/en
Application granted granted Critical
Publication of CN106411533B publication Critical patent/CN106411533B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention discloses a kind of online fingerprint recognition system of two-way secret protection and methods, mainly solve the two-way Privacy Protection that the prior art is not directed to user fingerprints data and fingerprint template data.The system includes trusted party (1), finger print identifying server (2) and user terminal (3).Trusted party (1) completes system initialization, provides registration and key distribution for user terminal and finger print identifying server, while acquiring user fingerprints as certification template, and the template is licensed to legal finger print identifying server with ciphertext form;Finger print identifying server (2) provides the online cryptographic fingerprint authentication service of secret protection, and authentication result is replied to user terminal;User terminal (3) sends cryptographic fingerprint certification request and gives finger print identifying server, decrypts to obtain authentication result to the reply of finger print identifying server.The present invention realizes the two-way secret protection of user fingerprints data and fingerprint template data, can be used for providing safe online finger print identifying service.

Description

The online fingerprint identification system and method for two-way secret protection
Technical field
The invention belongs to field of information security technology, and in particular to a kind of online fingerprint identification system of secret protection and side Method can be used for providing precise and high efficiency online finger print identifying service for user terminal, and realize to user fingerprints data and fingerprint mould Effective secret protection of plate data.
Background technique
With the development of biological identification technology and universal, provided using biological identification technology to carry out authentication for user More convenient service.Traditional online fingerprint identification system is acquired by service provider and stores fingerprint matching mould Plate, when service provider, which needs user to provide fingerprint, carries out authentication, user terminal extracts user fingerprints and is sent to service Provider, service provider compare the fingerprint template of storage, are user terminal return authentication result.However, such system by In the secret protection for being not directed to user fingerprints and fingerprint template, so that the privacy of these sensitive datas of user fingerprints and fingerprint template It is seriously threatened.
To solve the above-mentioned problems, there has been proposed some solutions, in which:
A kind of patent " security fingerprint recognition methods of intelligent terminal " (application number of University of Electronic Science and Technology CN201510179446.X application publication number CN104778393A) a kind of security fingerprint recognition methods of intelligent terminal is disclosed, Method includes the following steps: 1. fingerprint registers, extract user fingerprints and encrypt storage;2. requesting the close of transmission fingerprint data Key;3. receiving fingerprint template data and decrypting;4. carrying out fingerprint matching operation.Although this method is able to achieve fingerprint template and is transmitting Secret protection in the process, this method to the fingerprint template data of encryption due to needing to be decrypted into after being sent to user terminal In plain text, then matching operation is carried out, thus when attacker's certain user terminal that disguises oneself as sends certification request and will obtain the user's Fingerprint template data cannot achieve effective secret protection of fingerprint template data.
Summary of the invention
Present invention aims at the online fingerprints in view of the above shortcomings of the prior art, proposing a kind of two-way secret protection to recognize System and method is demonstrate,proved, to guarantee to improve under the premise of normally providing finger print identifying service to user fingerprints data and fingerprint mould The secret protection of plate data.
To achieve the above object, the online fingerprint identification system of two-way secret protection of the invention, comprising:
Trusted party (1) provides registration and close for completing system initialization for user terminal and finger print identifying server Key distribution, while acquiring the finger print data of registration user as certification template, and the template licensed to ciphertext form it is legal Finger print identifying server;
Finger print identifying server (2), for providing the finger print identifying service of secret protection, by directly being calculated in ciphertext Match parameter carries out bidirectional identity authentication between user terminal in the service of offer to judge whether fingerprint matches;
User terminal (3), the fingerprint for sending encryption gives finger print identifying server as certification request, to finger print identifying The authentication result that server returns decrypts to obtain query result, and double progress between finger print identifying server when receiving service To authentication.
To achieve the above object, the fingerprint verification method of two-way secret protection of the invention, comprising the following steps:
(1) system parameter initializes:
(1a) trusted party selects a security parameter l ∈ Z+
(1b) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife Cheng Yuan, h are system parameters;
(1c) calculates data encryption and handles private keyWith corresponding public key
(1d) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate that rank is non-in the group of integers of q Null set, while being calculated and its private key SK according to member g is generatedTACorresponding public key
(1e) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
(1f) trusted party chooses reasonable fingerprint matching critical value Δd∈Zn *
(1g) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
(2) registration and key distribution:
(2a) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to life It is calculated and its private key SK at first gsCorresponding public keyAnd by the public key PK of oneselfsIt is sent with the relevant information of oneself To trusted party;
(2b) user terminal UiIn registration, random selectionAs the private key of oneself, at the same it is first according to generating G is calculated and its private keyCorresponding public keyAnd by the public keyIt is sent in credible with user information The heart, while trusted party extracts n Wesy family fingerprint template
(2c) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, with the data encryption generated in step (1c) Private key SB and public key PB the composition parameter list<SB, PB, k of processing>, and the parameter list is sent to the user to succeed in registration;
(2d) trusted party is to the user to succeed in registration and its list of public keyCarry out disclosure;
(3) fingerprint template encrypts:
(3a) trusted party extracts user fingerprints and generates fingerprint template data and carry out encryption storage;
(3b) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculating comment Estimate reference value RDm=H (PBm), constitute assessment reference data setThe reference is commented Estimate data set RDS and be sent to all registered finger print identifying servers, wherein 0≤m≤Δd
(4) cryptographic fingerprint template authorization:
(4a) finger print identifying server S is obtaining user UiFingerprint template authorization requests are constructed after authorization, and are sent this and asked It asks to trusted party;
After (4b) trusted party receives the fingerprint template authorization requests of finger print identifying server, which is asked The legitimacy asked is verified, if being proved to be successful, is thened follow the steps (4c), is otherwise abandoned this communication bag;
(4c) trusted party is by the user encryption fingerprint templateReturn to finger print identifying server S;
(5) user terminal generates finger print identifying service request:
(5a) user terminal encrypts the user fingerprints of acquisition to obtain encryption user fingerprints dataAnd user's signature Sigi
(5b) user terminal will encrypt user fingerprints dataUser information Ui, time stamp T S3It signs with user terminal SigiForm finger print identifying service requestAnd the finger print identifying service request is sent to fingerprint and is recognized Demonstrate,prove server;
(6) finger print identifying server providing services:
(6a) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards, the legitimacy of the finger print identifying service request is verified, if being proved to be successful, executes step Suddenly (6b), otherwise return step (5a);
(6b) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint template dataIt carries out close Text calculates, and obtains matching result RS;
(6c) finger print identifying server by utilizing asymmetric encryption function E () and the (n+1)th dimension for encrypting user fingerprints template data Data rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedUse oneself Private key SKSIt signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal;
(7) user terminal obtains authentication result:
(7a) user terminal receives the authentication result list of finger print identifying server replyIt Afterwards, the legitimacy of the authentication result list is verified, if being proved to be successful, thens follow the steps (7b), otherwise return step (5a);
(7b) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is solved It is close, identity authentication result RS is obtained, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
Compared with the prior art, the invention has the following advantages:
1. realizing the secret protection of user fingerprints certification request data.
User terminal is before sending service request to finger print identifying server in the present invention, first to the finger print data of oneself It is encrypted, so that the original fingerprint data of user terminal will not be obtained by finger print identifying server and attacker, it is ensured that use The secret protection of family Terminal fingerprints data.
2. realizing the secret protection of finger print identifying template data.
Fingerprint template is before being licensed to finger print identifying server by trusted party in the present invention, due to first to fingerprint template into Encryption is gone, so that fingerprint template data will not be obtained by finger print identifying server and attacker, it is ensured that fingerprint template data Secret protection.
3. realizing the finger print identifying service of efficiently and accurately.
By finger print identifying server by being completed to encryption user fingerprints data and cryptographic fingerprint template data in the present invention Matching primitives, and secret protection frame will not influence the accuracy of fingerprint matching, realize the finger print identifying service of efficiently and accurately.
Detailed description of the invention
Fig. 1 is system block diagram of the invention;
Fig. 2 is the realization general flow chart of the method for the present invention;
Fig. 3 is the sub-process figure of cryptographic fingerprint template authorization in the method for the present invention.
Specific embodiment
The present invention is described in further detail with reference to the accompanying drawing.
Referring to Fig.1, the present invention includes this three big module of trusted party 1, finger print identifying server 2 and user terminal 3.Its In: trusted party 1 provides registration and key distribution for completing system initialization for user terminal and finger print identifying server, The finger print data of registration user is acquired simultaneously as certification template, and the template is licensed into legal finger print identifying with ciphertext form Server;Finger print identifying server 2 passes through the directly calculating in ciphertext for providing the finger print identifying service of secret protection Judge whether fingerprint matches with parameter, and carries out bidirectional identity authentication between user terminal in the service of offer;User is whole End 3, gives finger print identifying server for sending cryptographic fingerprint as certification request, the certification knot returned to finger print identifying server Fruit decrypts to obtain query result, and carries out bidirectional identity authentication between finger print identifying server when receiving service.
The trusted party 1, comprising: system initialization module 11, registration module 12, data encryption module 13, encryption Template authorization module 14 and the safe support module 15 of trusted party.
The system initialization module 11 generates bilinear map group, obtains the public ginseng of system for initializing system Number;
The registration module 12 extracts the use to succeed in registration for providing registration for user terminal and finger print identifying server The fingerprint template at family, and distribute key to the user terminal and finger print identifying server to succeed in registration;
The data encryption module 13, the fingerprint template data for the user to extract encrypt;
The encrypted template authorization module 14 is used for Certificate Authority information, and to obtain the finger print identifying service of user's authorization Device sends the cryptographic fingerprint matching template of corresponding user;
The safe support module 15 of the trusted party, for being system initialization module 11, data encryption module 13, encryption mould Plate authorization module 14 provides required Encryption Algorithm and hash algorithm.
The finger print identifying server 2, including server authentication module 21, user registration module 22, data store mould Block 23, service providing module 24 and the safe support module 25 of server.
The server authentication module 21 is mentioned for generating oneself public private key pair in server registration to user terminal For being verified before servicing to the signature of user terminal, sign after obtaining cryptographic fingerprint authentication result to it;
The user registration module 22, for providing registration, and the fingerprint template authorization to the user terminal received for user Signature is verified, and the fingerprint matching mould that corresponding fingerprint template authorization requests are sent to trusted party application for registration user is generated Plate;
The data memory module 23, for storing the cryptographic fingerprint template from trusted party;
The service providing module 24, for the cryptographic fingerprint data in being requested according to user, encryption fingerprint template and Cryptogram computation is carried out in encryption user's request, and obtained finger print identifying result is encrypted, by cryptographic fingerprint authentication result and right It should sign and return to user terminal;
The server security support module 25, for being provided for server authentication module 21, user registration module 22, service Module 24 provides required Encryption Algorithm and hash algorithm.
The user terminal 3, including user authentication module 31, service request module 32, data decryption module 33 and use The safe support module 34 in family.
The user authentication module 31 generates the public private key pair of oneself in registration for user terminal, and generates fingerprint mould Plate authorized signature is sent to finger print identifying server, signs to the user service request of generation, is receiving finger print identifying clothes It is engaged in verifying the signature of finger print identifying server after the reply of device;
The service request module 32 generates user service according to the user fingerprints data encryption of acquisition for user terminal and asks It asks, and user service request is sent to finger print identifying server with corresponding signature;
The data decryption module 33, for leading to after the cryptographic fingerprint authentication result for receiving the transmission of finger print identifying server It crosses user terminal and decryption oprerations is executed to cryptographic fingerprint authentication result;
The user security support module 34, for being user authentication module 31, service request module 32, data decryption module 33 provide required Encryption Algorithm and hash algorithm.
Referring to Fig. 2, the fingerprint verification method of the two-way secret protection of the present invention includes the following steps:
Step 1, system parameter initializes.
1.1) trusted party selects a security parameter l ∈ Z+
1.2) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife Cheng Yuan, h are system parameters;
1.3) it calculates data encryption and handles private keyWith corresponding public key
1.4) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate that rank is non-in the group of integers of q Null set, while being calculated and its private key SK according to member g is generatedTACorresponding public key
1.5) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
1.6) trusted party chooses fingerprint matching critical value Δd∈Zn *
1.7) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
Step 2, registration and key distribution.
2.1) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to life It is calculated and its private key SK at first gsCorresponding public keyAnd by the public key PK of oneselfsIt is sent with the relevant information of oneself To trusted party;
2.2) user terminal UiIn registration, random selectionAs the private key of oneself, while according to generation member g It calculates and its private keyCorresponding public keyAnd by the public keyIt is sent in credible with user information The heart, while trusted party extracts n Wesy family fingerprint templateWherein xjIt is user fingerprints template The jth dimension data of data, 1≤j≤n;
2.3) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, the private key SB handled with data encryption and public affairs Key PB composition parameter list<SB, PB, k>, and the parameter list is sent to the user to succeed in registration;
2.4) trusted party discloses the list of the user and its public key that succeed in registration
Step 3, fingerprint template encrypts.
3.1) trusted party is according to the n Wesy family fingerprint template data of extractionIt utilizes Symmetric cryptographic key k obtains upsetting numerical value H (k) as the input of hash function H (), calculates the fingerprint template number that addition is upset According to (x'1,x'2,…,x'j,…,x'n), wherein x 'jIt is the jth dimension data for the fingerprint template data that addition is upset, x 'j=xj+H (k);
3.2) trusted party chooses n random number r1,r2,…,rj,…,rn, wherein rj∈Zn *, 1≤j≤n, and according to life Fingerprint template data (the x' upset at first g, system parameter h, addition1,x'2,…,x'j,…,x'n) and data encryption public key Cryptographic fingerprint template data is calculated in PBAnd store, whereinIt is cryptographic fingerprint The jth dimension data of template data,fx'It is the (n+1)th dimension data of cryptographic fingerprint template data,
3.3) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculating comment Estimate reference value RDm=H (PBm), constitute assessment reference data setAssessment ginseng Data set is examined by the Hash Value for being used to search for match parameter to judge whether matching succeeds, by this with reference to assessment data set RDS hair All registered finger print identifying servers are given, wherein 0≤m≤Δd 2
Step 4, cryptographic fingerprint template authorization.
Referring to Fig. 3, this step is implemented as follows:
4.1) user terminal UiWhen being registered in finger print identifying server S, by the information U of oneselfi, time stamp T S1Altogether With the input as hash function H (), obtains user and authorize Hash Value H (Ui||TS1), and with the private key of oneselfTo the use Family authorization Hash Value is signedForm authorized user message listHair Finger print identifying server is given, to indicate that user has agreed to the cryptographic fingerprint template of oneself licensing to finger print identifying server;
4.2) finger print identifying server first checks for user information Ui, by time stamp T S1It is compared with current time T, if TS1Earlier than T and | T-TS1|≤NT, then follow the steps 4.3), otherwise, abandon this communication bag, wherein NTIt is logical for the maximum of system Believe time delay;
4.3) finger print identifying server is by user information UiWith time stamp T S1As the input of hash function H (), calculate miscellaneous Gather value H (Ui||TS1), and according to the public key of the userUsing bilinear map function e (), equation is judgedWhether true, if the equation is set up, it is legal to sign, and executes step 4.4), no Then, communication bag is abandoned;
4.4) finger print identifying server is by the information S of oneself, time stamp T S2Collectively as the input of hash function H (), obtain To user authorize Hash Value H (S | | TS2), and signed with the private key SKS of oneself to the Hash ValueAgain with signature SigSWith authorized user message listForm template authorization Solicited message listIt is sent to trusted party, requests UiThe cryptographic fingerprint mould of user Plate;
4.5) trusted party receives the fingerprint template authorization requests of finger print identifying server, first looks at finger print identifying service Device S and authorized user UiInformation, confirm finger print identifying server S and authorized user UiWhether all register, then by timestamp TS2It is compared with current time T: if TS2Earlier than T, and | T-TS2|≤NT, then follow the steps 4.6), otherwise, it is logical to abandon this Letter wraps, wherein NTFor the maximum communication time delay of system;
4.6) trusted party is by user information UiWith time stamp T S1As input, hash function H (U is calculatedi||TS1), and According to the public key of the userUsing bilinear map function e (), equation is judged Whether true, if equation is set up, user's signature is legal, executes step 4.7), otherwise abandons communication bag;
4.7) trusted party is by finger print identifying server info S and time stamp T S2As input calculate hash function H (S | | TS2), and according to the public key PK of finger print identifying serverS, using bilinear map function e (), judge equation e (g, SigS)=e (PKS,H(S||TS2)) whether true, if equation is set up, the legitimate verification success of the fingerprint template authorization requests executes step It is rapid 4.8), otherwise abandon the communication bag;
4.8) trusted party is by the user UiCryptographic fingerprint templateReturn to finger print identifying server S.
Step 5, user terminal generates finger print identifying service request.
5.1) user terminal obtains the n Wesy family finger print data of oneselfIt afterwards, will be symmetrical Encryption key k obtains upset value H (k) as the input of hash function H (), calculates the user fingerprints data (y' that addition is upset1, y'2,…,y'j..., y'n), wherein y'j=yj+ H (k), yjIt is the jth dimension data of user fingerprints data, y'jIt is that addition is upset The jth dimension data of user fingerprints data;
5.2) user terminal is according to the public key PB and corresponding private key SB of data processing, and the finger print data arrow that addition is upset Measure (y'1,y'2,…,y'j,…,y'n), calculate encryption user fingerprints data WhereinIt is the jth dimension data for encrypting user fingerprints data,rqy' it is encrypt user fingerprints data n-th + 1 dimension data,
5.3) user terminal uses the public key PK of finger print identifying serverS, symmetric encipherment algorithm E () and encryption user fingerprints DataCalculate symmetric cryptography valueAnd by the symmetric cryptography valueWith user terminal information Ui, when Between stab TS3Collectively as the input of hash function H (), user's Hash Value is calculated
5.4) oneself private key of user terminalTo user's Hash ValueIt signs, i.e.,
5.5) user terminal encryption user fingerprints dataUser information Ui, time stamp T S3It signs with user terminal SigiForm finger print identifying service requestAnd the finger print identifying service request is sent to fingerprint and is recognized Demonstrate,prove server.
Step 6, finger print identifying server providing services.
6.1) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards, by time stamp T S3It is compared with current time T, if TS3Earlier than T, and | T-TS3|≤NT, then Execute step 6.2), otherwise, return step 5.1), wherein NTFor the maximum communication time delay of system;
6.2) user terminal is by symmetric cryptography valueUser information UiWith time stamp T S3As the defeated of hash function H () Enter, calculates hash functionAnd according to the public key of the user terminalUtilize bilinear map function e () judges equationIt is whether true, if the equation is set up, the finger print identifying The legitimate verification success of service request, executes step 6.3), otherwise abandons the communication bag;
6.3) the private key SK of finger print identifying server by utilizing oneselfSDecryption symmetric cryptography value obtains encryption user fingerprints Data
6.4) finger print identifying server is according to user information UiSearch for corresponding user's in cryptographic fingerprint template database Cryptographic fingerprint template
6.5) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint templateUtilize two-wire Property mapping function e (), is directly calculated match parameter in ciphertext:
6.6) finger print identifying server is by match parameter MdAs the input of hash function H (), Hash Value H (M is calculatedd), And the Hash Value is searched in reference assessment data set RDS, if the Hash Value can be found, proves user fingerprints data and refer to Line template matching, i.e. matching result RS are very, otherwise, to mismatch, i.e. matching result RS is false;
6.7) the (n+1)th dimension of finger print identifying server by utilizing asymmetric encryption function E () and encryption user fingerprints template data Data rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedIt uses again The private key SK of oneselfSIt signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal.
Step 7, user terminal obtains authentication result.
7.1) user terminal receives the authentication result list of finger print identifying server replyIt Afterwards, by time stamp T S4It is compared with current time T, if TS4Earlier than T, and | T-TS4|≤NT, it thens follow the steps 7.2), it is no Then, return step 5.1), wherein NTFor the maximum communication time delay of system;
7.2) user terminal is by encrypted resultWith time stamp T S4As the input of hash function H (), calculate miscellaneous Gather valueAnd according to the public key PK of finger print identifying serverS, using bilinear map function e (), sentence Disconnected equationIt is whether true, if the equation is set up, authentication result list Legitimate verification success, executes step 7.3), otherwise abandons the communication bag;
7.3) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is solved It is close, identity authentication result RS is obtained, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
Above description is only example of the present invention, does not constitute any limitation of the invention, it is clear that for this It, all may be without departing substantially from the principle of the invention, structure after having understood the content of present invention and principle for the professional in field In the case of, various modifications and variations in form and details are carried out, but these modifications and variations based on inventive concept are still Within the scope of the claims of the present invention.

Claims (9)

1. a kind of fingerprint identification system of two-way secret protection, characterized by comprising:
Trusted party (1) provides registration and key point for completing system initialization for user terminal and finger print identifying server Hair, while the finger print data for acquiring registration user is used as certification template, and the template is licensed to legal finger in the form of ciphertext Line certificate server;
Finger print identifying server (2) is matched for providing the finger print identifying service of secret protection by directly calculating in ciphertext Parameter carries out bidirectional identity authentication between user terminal in the service of offer to judge whether fingerprint matches;
User terminal (3) gives finger print identifying server for sending cryptographic fingerprint as certification request, to finger print identifying server The authentication result of return decrypts to obtain query result, and carries out bidirectional identification between finger print identifying server when receiving service Certification;
The finger print identifying server (2) includes:
Server authentication module (21) is providing clothes to user terminal for generating oneself public private key pair in server registration The signature of user terminal is verified before business, is signed after obtaining cryptographic fingerprint authentication result to it;
User registration module (22), for providing registration for user, and to the fingerprint template authorized signature of the user terminal received It is verified, generates the fingerprint matching template that corresponding fingerprint template authorization requests are sent to trusted party application for registration user;
Data memory module (23), for storing the cryptographic fingerprint template from trusted party;
Service providing module (24), for the cryptographic fingerprint data in being requested according to user, fingerprint template and encryption in encryption Cryptogram computation is carried out in user's request, and obtained finger print identifying result is encrypted, by cryptographic fingerprint authentication result and corresponding label Name returns to user terminal;
Server security support module (25), for being provided for server authentication module (21), user registration module (22), service Module (24) provides required Encryption Algorithm and hash algorithm.
2. system according to claim 1, it is characterised in that trusted party (1) includes:
System initialization module (11) generates bilinear map group, obtains the common parameter of system for initializing system;
Registration module (12) extracts the user's to succeed in registration for providing registration for user terminal and finger print identifying server Fingerprint template, and distribute key to the user terminal and finger print identifying server to succeed in registration;
Data encryption module (13), the fingerprint template data for the user to extract encrypt;
Encrypted template authorization module (14) is used for Certificate Authority information, and to obtain the finger print identifying server hair of user's authorization Send the cryptographic fingerprint matching template of corresponding user;
The safe support module of trusted party (15), for being system initialization module (11), data encryption module (13), encrypting mould Plate authorization module (14) provides required Encryption Algorithm and hash algorithm.
3. system according to claim 1, it is characterised in that user terminal (3) includes:
User authentication module (31) generates the public private key pair of oneself in registration for user terminal, and generates fingerprint template and award Right of approval name is sent to finger print identifying server, signs to the user service request of generation, is receiving finger print identifying server Reply after the signature of finger print identifying server is verified;
Service request module (32) generates user service request according to the user fingerprints data encryption of acquisition for user terminal, And user service request is sent to finger print identifying server with corresponding signature;
Data decryption module (33), after receiving the cryptographic fingerprint authentication result that finger print identifying server is sent, user terminal Decryption oprerations are executed to cryptographic fingerprint authentication result;
User security support module (34), for being user authentication module (31), service request module (32), data decryption module (33) Encryption Algorithm and hash algorithm needed for providing.
4. a kind of fingerprint verification method of two-way secret protection, comprising:
(1) system parameter initializes:
(1a) trusted party selects a security parameter l ∈ Z+
(1b) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife Cheng Yuan, h are system parameters;
(1c) calculates data encryption and handles private keyWith corresponding public key
(1d) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate rank for the non-null set in the group of integers of q It closes, while being calculated and its private key SK according to member g is generatedTACorresponding public key
(1e) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
(1f) trusted party chooses reasonable fingerprint matching critical value Δd∈Zn *
(1g) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
(2) registration and key distribution:
(2a) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to generation member g It calculates and its private key SKsCorresponding public keyAnd by the public key PK of oneselfsBeing sent to the relevant information of oneself can Letter center;
(2b) user terminal UiIn registration, random selectionIt is calculated as the private key of oneself, while according to member g is generated With its private keyCorresponding public keyAnd by the public keyIt is sent to trusted party with user information, simultaneously Trusted party extracts n Wesy family fingerprint templateWherein xjIt is the of user fingerprints template data J dimension data, 1≤j≤n;
(2c) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, handled with the data encryption generated in step (1c) Private key SB and public key PB constitute parameter list<SB, PB, k>, and the parameter list is sent to the user to succeed in registration;
(2d) trusted party is to the user to succeed in registration and its list of public keyCarry out disclosure;
(3) fingerprint template encrypts:
(3a) trusted party extracts user fingerprints and generates fingerprint template data and carry out encryption storage;
(3b) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculate assessment ginseng Examine value RDm=H (PBm), constitute assessment reference data setBy this with reference to assessment number All registered finger print identifying servers are sent to according to collection RDS, wherein 0≤m≤Δd 2
(4) cryptographic fingerprint template authorization:
(4a) finger print identifying server S is obtaining user UiFingerprint template authorization requests are constructed after authorization, and send the request to can Letter center;
After (4b) trusted party receives the fingerprint template authorization requests of finger print identifying server, to the fingerprint template authorization requests Legitimacy is verified, if being proved to be successful, is thened follow the steps (4c), is otherwise abandoned this communication bag;
(4c) trusted party is by the user encryption fingerprint templateReturn to finger print identifying server S;
(5) user terminal generates finger print identifying service request:
(5a) user terminal encrypts the user fingerprints of acquisition to obtain encryption user fingerprints dataWith user's signature Sigi
(5b) user terminal will encrypt user fingerprints dataUser information Ui, time stamp T S3With user terminal signature SigiGroup At finger print identifying service requestAnd the finger print identifying service request is sent to finger print identifying service Device;
(6) finger print identifying server providing services:
(6a) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards, The legitimacy of the finger print identifying service request is verified, if being proved to be successful, thens follow the steps (6b), otherwise return step (5a);
(6b) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint template dataCarry out ciphertext meter It calculates, obtains matching result RS;
(6c) finger print identifying server by utilizing asymmetric encryption function E () and the (n+1)th dimension data for encrypting user fingerprints template data rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith Time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedWith the private key SK of oneselfS It signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal;
(7) user terminal obtains authentication result:
(7a) user terminal receives the authentication result list of finger print identifying server replyLater, The legitimacy of the authentication result list is verified, if being proved to be successful, thens follow the steps (7b), otherwise return step (5a);
(7b) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is decrypted, obtains To identity authentication result RS, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
5. according to the method described in claim 4, wherein trusted party extracts user fingerprints generation fingerprint template in step (3a) Data simultaneously carry out encryption storage, carry out as follows:
(3a1) trusted party is according to the n Wesy family fingerprint template data of extractionUsing symmetrical Encryption key k obtains upsetting numerical value H (k) as the input of hash function H (), calculates the fingerprint template data that addition is upset (x'1,x'2,…,x'j,…,x'n), wherein x 'jIt is the jth dimension data for the fingerprint template data that addition is upset, x 'j=xj+H (k);
(3a2) trusted party chooses n random number r1,r2,…,rj,…,rn∈Zn *, and according to generate member g, system parameter h, add Scramble random fingerprint template data (x'1,x'2,…,x'j,…,x'n) and data encryption public key PB, cryptographic fingerprint is calculated Template dataWhereinIt is the jth dimension data of cryptographic fingerprint template data,fx'It is the (n+1)th dimension data of cryptographic fingerprint template data,
6. according to the method described in claim 4, wherein in step (4a) fingerprint certificate server S obtain user authorization after structure Fingerprint template authorization requests are made, are carried out as follows:
(4a1) is as user terminal UiWhen being registered in finger print identifying server S, by the information U of oneselfi, time stamp T S1Altogether With the input as hash function H (), obtains user and authorize Hash Value H (Ui||TS1), and with the private key of oneselfTo the use Family authorization Hash Value is signedAnd form authorized user message list It is sent to finger print identifying server;
(4a2) finger print identifying server first checks for user information Ui, by time stamp T S1It is compared with current time T, if TS1 Earlier than T and | T-TS1|≤NT(4a3) is then executed, otherwise, abandons this communication bag, wherein NTFor the maximum communication time delay of system;
(4a3) finger print identifying server is by user information UiWith time stamp T S1As the input of hash function H (), Hash Value is calculated H(Ui||TS1), and according to the public key of the userUsing bilinear map function e (), equation is judgedWhether true, if the equation is set up, it is legal to sign, and executes step (4a4), Otherwise, communication bag is abandoned;
(4a4) finger print identifying server is by the information S of oneself, time stamp T S2Collectively as the input of hash function H (), obtain User's authorization Hash Value H (S | | TS2), and with the private key SK of oneselfSIt signs to the Hash Value With authorized user message listForm template authorization requests information listIt is sent to trusted party.
7. according to the method described in claim 4, wherein testing in step (4b) the legitimacy of fingerprint template authorization requests Card carries out as follows:
(4b1) trusted party receives the fingerprint template authorization requests of finger print identifying server, first looks at finger print identifying server S With authorized user UiInformation, then by time stamp T S2It is compared with current time T: if TS2Earlier than T, and | T-TS2|≤NT, then It executes (4b2) and otherwise abandons this communication bag, wherein NTFor the maximum communication time delay of system;
(4b2) trusted party is by user information UiWith time stamp T S1As input, hash function H (U is calculatedi||TS1), and according to The public key of the userUsing bilinear map function e (), equation is judged Whether true, if equation is set up, user's signature is legal, executes step (4b3), otherwise abandons communication bag;
(4b3) trusted party is by finger print identifying server info S and time stamp T S2As input calculate hash function H (S | | TS2), and according to the public key PK of finger print identifying serverS, using bilinear map function e (), judge equation e (g, SigS)=e (PKS,H(S||TS2)) whether true, if equation is set up, the legitimate verification success of the fingerprint template authorization requests executes step Suddenly (4c) otherwise abandons the communication bag.
8. according to the method described in claim 4, wherein user terminal encrypts the user fingerprints of acquisition in step (5a), It carries out as follows:
(5a1) user terminal obtains the n Wesy family finger print data of oneselfSymmetric cryptography is close Key k obtains upsetting H (k) as the input of hash function H (), calculates the user fingerprints data (y' that addition is upset1,y'2,…, y'j,…,y'n), wherein y'j=yj+ H (k), yjIt is the jth dimension data of user fingerprints data, y'jIt is that the user that addition is upset refers to The jth dimension data of line data;
(5a2) user terminal is according to the public key PB and corresponding private key SB of data processing, and the finger print data vector that addition is upset (y'1,y'2,…,y'j,…,y'n), calculate encryption user fingerprints dataIts InIt is the jth dimension data for encrypting user fingerprints data,rqy'It is encrypt user fingerprints data (n+1)th Dimension data,
(5a3) user terminal uses the public key PK of finger print identifying serverS, symmetric encipherment algorithm E () and encryption user fingerprints number According toCalculate symmetric cryptography valueAnd by the symmetric cryptography valueWith user terminal information Ui, the time Stab TS3Collectively as the input of hash function H (), user's Hash Value is calculated
Oneself private key of (5a4) user terminalTo user's Hash ValueIt signs, i.e.,
9. according to the method described in claim 4, wherein in step (6b) fingerprint certificate server according to encryption user fingerprints number Cryptogram computation is carried out according to cryptographic fingerprint template data, matching result is obtained, carries out as follows:
The private key SK of (6b1) finger print identifying server by utilizing oneselfSDecrypt symmetric cryptography valueObtain encryption user fingerprints data
(6b2) finger print identifying server is according to user information UiThe encryption of corresponding user is searched in cryptographic fingerprint template database Fingerprint template
(6b3) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint templateIt is reflected using bilinearity Function e () is penetrated, match parameter is calculated
(6b4) finger print identifying server is by match parameter MdAs the input of hash function H (), Hash Value H (M is calculatedd), and With reference to the Hash Value is searched in assessment data set RDS, user fingerprints data and fingerprint mould are proved if it can find the Hash Value Plate matching, matching result RS are very, otherwise to mismatch, and matching result RS is false.
CN201610987321.4A 2016-11-10 2016-11-10 The online fingerprint identification system and method for two-way secret protection Active CN106411533B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610987321.4A CN106411533B (en) 2016-11-10 2016-11-10 The online fingerprint identification system and method for two-way secret protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610987321.4A CN106411533B (en) 2016-11-10 2016-11-10 The online fingerprint identification system and method for two-way secret protection

Publications (2)

Publication Number Publication Date
CN106411533A CN106411533A (en) 2017-02-15
CN106411533B true CN106411533B (en) 2019-07-02

Family

ID=59230174

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610987321.4A Active CN106411533B (en) 2016-11-10 2016-11-10 The online fingerprint identification system and method for two-way secret protection

Country Status (1)

Country Link
CN (1) CN106411533B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180129475A (en) * 2017-05-26 2018-12-05 삼성에스디에스 주식회사 Method, user terminal and authentication service server for authentication
CN107947934B (en) * 2017-11-08 2021-07-30 中国银行股份有限公司 Fingerprint identification and authentication system and method of mobile terminal based on bank system
CN110035032A (en) * 2018-01-11 2019-07-19 南昌欧菲生物识别技术有限公司 Unlocked by fingerprint method and unlocked by fingerprint system
CN108566389B (en) * 2018-03-28 2021-02-23 中国工商银行股份有限公司 Cross-application fingerprint identity authentication method and device
CN108763895B (en) * 2018-04-28 2021-03-30 Oppo广东移动通信有限公司 Image processing method and device, electronic equipment and storage medium
US11063936B2 (en) * 2018-08-07 2021-07-13 Microsoft Technology Licensing, Llc Encryption parameter selection
CN111177676B (en) * 2018-11-12 2022-09-09 群光电子股份有限公司 Verification system, verification method, and non-transitory computer-readable recording medium
CN109410406B (en) * 2018-11-14 2021-11-16 北京华大智宝电子系统有限公司 Authorization method, device and system
CN110084224B (en) * 2019-05-08 2022-08-05 电子科技大学 Cloud fingerprint security authentication system and method
CN111131142A (en) * 2019-10-22 2020-05-08 北京握奇智能科技有限公司 Fingerprint authentication encryption system and method for multi-application system
CN111131145B (en) * 2019-11-08 2021-07-13 西安电子科技大学 Management query system and method for hiding communication key nodes
CN111682941B (en) * 2020-05-18 2022-12-20 浙江连湖科技有限责任公司 Centralized identity management, distributed authentication and authorization method based on cryptography
CN112329519B (en) * 2020-09-21 2024-01-02 中国人民武装警察部队工程大学 Safe online fingerprint matching method
CN112347473B (en) * 2020-11-06 2022-07-26 济南大学 Machine learning security aggregation prediction method and system supporting bidirectional privacy protection
CN113114689B (en) * 2021-04-15 2022-10-18 南京邮电大学 Authentication method based on bilinear mapping and dot product protocol in intelligent medical treatment
CN113452671A (en) * 2021-05-10 2021-09-28 华东桐柏抽水蓄能发电有限责任公司 Terminal access authentication method based on equipment identity
CN113704728B (en) * 2021-07-19 2024-03-01 桂林电子科技大学 Fingerprint authentication method based on D-H key exchange and key sharing
CN114980096B (en) * 2022-03-18 2023-05-30 国网智能电网研究院有限公司 Sensing terminal safety guarantee method, device, equipment and medium based on equipment fingerprint
CN117061240B (en) * 2023-10-11 2023-12-19 北京金睛云华科技有限公司 Verifiable fingerprint matching privacy protection method in cloud environment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN102223235A (en) * 2011-06-23 2011-10-19 甘肃农业大学 Fingerprint characteristic template protecting method and identity authentication method in open network environment
CN102394896A (en) * 2011-12-13 2012-03-28 甘肃农业大学 Privacy-protection fingerprint authentication method and system based on token
CN104639315A (en) * 2013-11-10 2015-05-20 航天信息股份有限公司 Dual-authentication method and device based on identity passwords and fingerprint identification
CN105391554A (en) * 2015-11-09 2016-03-09 中国电子科技集团公司第三十研究所 Method and system for realizing fingerprint matching by using ciphertext

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN102223235A (en) * 2011-06-23 2011-10-19 甘肃农业大学 Fingerprint characteristic template protecting method and identity authentication method in open network environment
CN102394896A (en) * 2011-12-13 2012-03-28 甘肃农业大学 Privacy-protection fingerprint authentication method and system based on token
CN104639315A (en) * 2013-11-10 2015-05-20 航天信息股份有限公司 Dual-authentication method and device based on identity passwords and fingerprint identification
CN105391554A (en) * 2015-11-09 2016-03-09 中国电子科技集团公司第三十研究所 Method and system for realizing fingerprint matching by using ciphertext

Also Published As

Publication number Publication date
CN106411533A (en) 2017-02-15

Similar Documents

Publication Publication Date Title
CN106411533B (en) The online fingerprint identification system and method for two-way secret protection
CN111083131B (en) Lightweight identity authentication method for power Internet of things sensing terminal
CN109347878B (en) Decentralized data verification and data security transaction system and method
CN102170357B (en) Combined secret key dynamic security management system
CN107454079A (en) Lightweight device authentication and shared key machinery of consultation based on platform of internet of things
CN108092776A (en) A kind of authentication server and authentication token
JP2004304751A5 (en)
KR100682263B1 (en) System and method for remote authorization authentication using mobile
CN106878318A (en) A kind of block chain real time polling cloud system
CN107070652A (en) A kind of anti-tamper car networking method for secret protection of ciphertext based on CP ABE and system
JP2005223924A (en) Opinion registering application for universal pervasive transaction framework
JP2005102163A (en) Equipment authentication system, server, method and program, terminal and storage medium
CN102932149A (en) Integrated identity based encryption (IBE) data encryption system
CN101243438A (en) Distributed single sign-on service
CN105207776A (en) Fingerprint authentication method and system
KR20070095908A (en) Method and device for key generation and proving authenticity
JP3362780B2 (en) Authentication method in communication system, center device, recording medium storing authentication program
CN112329519A (en) Safe online fingerprint matching method
CN104935441A (en) Authentication method and relevant devices and systems
CN101124767A (en) Method and device for key generation and proving authenticity
CN108809936A (en) A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm
US20120124378A1 (en) Method for personal identity authentication utilizing a personal cryptographic device
US20100005519A1 (en) System and method for authenticating one-time virtual secret information
CN111245834B (en) Internet of things cross-domain access control method based on virtual identification
CN104899737A (en) Fingerprint IRLRD characteristic encryption method, and mobile payment system and method based on encryption method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220210

Address after: 710000 room 004, F2002, 20 / F, block 4-A, Xixian financial port, Fengdong new town energy gold trade zone, Xixian new area, Xi'an City, Shaanxi Province

Patentee after: Shaanxi Songyuan Mingrui Information Technology Co.,Ltd.

Address before: 710071 Taibai South Road, Yanta District, Xi'an, Shaanxi Province, No. 2

Patentee before: XIDIAN University

TR01 Transfer of patent right