CN106411533B - The online fingerprint identification system and method for two-way secret protection - Google Patents
The online fingerprint identification system and method for two-way secret protection Download PDFInfo
- Publication number
- CN106411533B CN106411533B CN201610987321.4A CN201610987321A CN106411533B CN 106411533 B CN106411533 B CN 106411533B CN 201610987321 A CN201610987321 A CN 201610987321A CN 106411533 B CN106411533 B CN 106411533B
- Authority
- CN
- China
- Prior art keywords
- user
- finger print
- data
- print identifying
- user terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Collating Specific Patterns (AREA)
Abstract
The invention discloses a kind of online fingerprint recognition system of two-way secret protection and methods, mainly solve the two-way Privacy Protection that the prior art is not directed to user fingerprints data and fingerprint template data.The system includes trusted party (1), finger print identifying server (2) and user terminal (3).Trusted party (1) completes system initialization, provides registration and key distribution for user terminal and finger print identifying server, while acquiring user fingerprints as certification template, and the template is licensed to legal finger print identifying server with ciphertext form;Finger print identifying server (2) provides the online cryptographic fingerprint authentication service of secret protection, and authentication result is replied to user terminal;User terminal (3) sends cryptographic fingerprint certification request and gives finger print identifying server, decrypts to obtain authentication result to the reply of finger print identifying server.The present invention realizes the two-way secret protection of user fingerprints data and fingerprint template data, can be used for providing safe online finger print identifying service.
Description
Technical field
The invention belongs to field of information security technology, and in particular to a kind of online fingerprint identification system of secret protection and side
Method can be used for providing precise and high efficiency online finger print identifying service for user terminal, and realize to user fingerprints data and fingerprint mould
Effective secret protection of plate data.
Background technique
With the development of biological identification technology and universal, provided using biological identification technology to carry out authentication for user
More convenient service.Traditional online fingerprint identification system is acquired by service provider and stores fingerprint matching mould
Plate, when service provider, which needs user to provide fingerprint, carries out authentication, user terminal extracts user fingerprints and is sent to service
Provider, service provider compare the fingerprint template of storage, are user terminal return authentication result.However, such system by
In the secret protection for being not directed to user fingerprints and fingerprint template, so that the privacy of these sensitive datas of user fingerprints and fingerprint template
It is seriously threatened.
To solve the above-mentioned problems, there has been proposed some solutions, in which:
A kind of patent " security fingerprint recognition methods of intelligent terminal " (application number of University of Electronic Science and Technology
CN201510179446.X application publication number CN104778393A) a kind of security fingerprint recognition methods of intelligent terminal is disclosed,
Method includes the following steps: 1. fingerprint registers, extract user fingerprints and encrypt storage;2. requesting the close of transmission fingerprint data
Key;3. receiving fingerprint template data and decrypting;4. carrying out fingerprint matching operation.Although this method is able to achieve fingerprint template and is transmitting
Secret protection in the process, this method to the fingerprint template data of encryption due to needing to be decrypted into after being sent to user terminal
In plain text, then matching operation is carried out, thus when attacker's certain user terminal that disguises oneself as sends certification request and will obtain the user's
Fingerprint template data cannot achieve effective secret protection of fingerprint template data.
Summary of the invention
Present invention aims at the online fingerprints in view of the above shortcomings of the prior art, proposing a kind of two-way secret protection to recognize
System and method is demonstrate,proved, to guarantee to improve under the premise of normally providing finger print identifying service to user fingerprints data and fingerprint mould
The secret protection of plate data.
To achieve the above object, the online fingerprint identification system of two-way secret protection of the invention, comprising:
Trusted party (1) provides registration and close for completing system initialization for user terminal and finger print identifying server
Key distribution, while acquiring the finger print data of registration user as certification template, and the template licensed to ciphertext form it is legal
Finger print identifying server;
Finger print identifying server (2), for providing the finger print identifying service of secret protection, by directly being calculated in ciphertext
Match parameter carries out bidirectional identity authentication between user terminal in the service of offer to judge whether fingerprint matches;
User terminal (3), the fingerprint for sending encryption gives finger print identifying server as certification request, to finger print identifying
The authentication result that server returns decrypts to obtain query result, and double progress between finger print identifying server when receiving service
To authentication.
To achieve the above object, the fingerprint verification method of two-way secret protection of the invention, comprising the following steps:
(1) system parameter initializes:
(1a) trusted party selects a security parameter l ∈ Z+;
(1b) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank
For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife
Cheng Yuan, h are system parameters;
(1c) calculates data encryption and handles private keyWith corresponding public key
(1d) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate that rank is non-in the group of integers of q
Null set, while being calculated and its private key SK according to member g is generatedTACorresponding public key
(1e) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
(1f) trusted party chooses reasonable fingerprint matching critical value Δd∈Zn *;
(1g) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
(2) registration and key distribution:
(2a) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to life
It is calculated and its private key SK at first gsCorresponding public keyAnd by the public key PK of oneselfsIt is sent with the relevant information of oneself
To trusted party;
(2b) user terminal UiIn registration, random selectionAs the private key of oneself, at the same it is first according to generating
G is calculated and its private keyCorresponding public keyAnd by the public keyIt is sent in credible with user information
The heart, while trusted party extracts n Wesy family fingerprint template
(2c) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, with the data encryption generated in step (1c)
Private key SB and public key PB the composition parameter list<SB, PB, k of processing>, and the parameter list is sent to the user to succeed in registration;
(2d) trusted party is to the user to succeed in registration and its list of public keyCarry out disclosure;
(3) fingerprint template encrypts:
(3a) trusted party extracts user fingerprints and generates fingerprint template data and carry out encryption storage;
(3b) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculating comment
Estimate reference value RDm=H (PBm), constitute assessment reference data setThe reference is commented
Estimate data set RDS and be sent to all registered finger print identifying servers, wherein 0≤m≤Δd;
(4) cryptographic fingerprint template authorization:
(4a) finger print identifying server S is obtaining user UiFingerprint template authorization requests are constructed after authorization, and are sent this and asked
It asks to trusted party;
After (4b) trusted party receives the fingerprint template authorization requests of finger print identifying server, which is asked
The legitimacy asked is verified, if being proved to be successful, is thened follow the steps (4c), is otherwise abandoned this communication bag;
(4c) trusted party is by the user encryption fingerprint templateReturn to finger print identifying server S;
(5) user terminal generates finger print identifying service request:
(5a) user terminal encrypts the user fingerprints of acquisition to obtain encryption user fingerprints dataAnd user's signature
Sigi;
(5b) user terminal will encrypt user fingerprints dataUser information Ui, time stamp T S3It signs with user terminal
SigiForm finger print identifying service requestAnd the finger print identifying service request is sent to fingerprint and is recognized
Demonstrate,prove server;
(6) finger print identifying server providing services:
(6a) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards, the legitimacy of the finger print identifying service request is verified, if being proved to be successful, executes step
Suddenly (6b), otherwise return step (5a);
(6b) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint template dataIt carries out close
Text calculates, and obtains matching result RS;
(6c) finger print identifying server by utilizing asymmetric encryption function E () and the (n+1)th dimension for encrypting user fingerprints template data
Data rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedUse oneself
Private key SKSIt signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal;
(7) user terminal obtains authentication result:
(7a) user terminal receives the authentication result list of finger print identifying server replyIt
Afterwards, the legitimacy of the authentication result list is verified, if being proved to be successful, thens follow the steps (7b), otherwise return step
(5a);
(7b) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is solved
It is close, identity authentication result RS is obtained, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
Compared with the prior art, the invention has the following advantages:
1. realizing the secret protection of user fingerprints certification request data.
User terminal is before sending service request to finger print identifying server in the present invention, first to the finger print data of oneself
It is encrypted, so that the original fingerprint data of user terminal will not be obtained by finger print identifying server and attacker, it is ensured that use
The secret protection of family Terminal fingerprints data.
2. realizing the secret protection of finger print identifying template data.
Fingerprint template is before being licensed to finger print identifying server by trusted party in the present invention, due to first to fingerprint template into
Encryption is gone, so that fingerprint template data will not be obtained by finger print identifying server and attacker, it is ensured that fingerprint template data
Secret protection.
3. realizing the finger print identifying service of efficiently and accurately.
By finger print identifying server by being completed to encryption user fingerprints data and cryptographic fingerprint template data in the present invention
Matching primitives, and secret protection frame will not influence the accuracy of fingerprint matching, realize the finger print identifying service of efficiently and accurately.
Detailed description of the invention
Fig. 1 is system block diagram of the invention;
Fig. 2 is the realization general flow chart of the method for the present invention;
Fig. 3 is the sub-process figure of cryptographic fingerprint template authorization in the method for the present invention.
Specific embodiment
The present invention is described in further detail with reference to the accompanying drawing.
Referring to Fig.1, the present invention includes this three big module of trusted party 1, finger print identifying server 2 and user terminal 3.Its
In: trusted party 1 provides registration and key distribution for completing system initialization for user terminal and finger print identifying server,
The finger print data of registration user is acquired simultaneously as certification template, and the template is licensed into legal finger print identifying with ciphertext form
Server;Finger print identifying server 2 passes through the directly calculating in ciphertext for providing the finger print identifying service of secret protection
Judge whether fingerprint matches with parameter, and carries out bidirectional identity authentication between user terminal in the service of offer;User is whole
End 3, gives finger print identifying server for sending cryptographic fingerprint as certification request, the certification knot returned to finger print identifying server
Fruit decrypts to obtain query result, and carries out bidirectional identity authentication between finger print identifying server when receiving service.
The trusted party 1, comprising: system initialization module 11, registration module 12, data encryption module 13, encryption
Template authorization module 14 and the safe support module 15 of trusted party.
The system initialization module 11 generates bilinear map group, obtains the public ginseng of system for initializing system
Number;
The registration module 12 extracts the use to succeed in registration for providing registration for user terminal and finger print identifying server
The fingerprint template at family, and distribute key to the user terminal and finger print identifying server to succeed in registration;
The data encryption module 13, the fingerprint template data for the user to extract encrypt;
The encrypted template authorization module 14 is used for Certificate Authority information, and to obtain the finger print identifying service of user's authorization
Device sends the cryptographic fingerprint matching template of corresponding user;
The safe support module 15 of the trusted party, for being system initialization module 11, data encryption module 13, encryption mould
Plate authorization module 14 provides required Encryption Algorithm and hash algorithm.
The finger print identifying server 2, including server authentication module 21, user registration module 22, data store mould
Block 23, service providing module 24 and the safe support module 25 of server.
The server authentication module 21 is mentioned for generating oneself public private key pair in server registration to user terminal
For being verified before servicing to the signature of user terminal, sign after obtaining cryptographic fingerprint authentication result to it;
The user registration module 22, for providing registration, and the fingerprint template authorization to the user terminal received for user
Signature is verified, and the fingerprint matching mould that corresponding fingerprint template authorization requests are sent to trusted party application for registration user is generated
Plate;
The data memory module 23, for storing the cryptographic fingerprint template from trusted party;
The service providing module 24, for the cryptographic fingerprint data in being requested according to user, encryption fingerprint template and
Cryptogram computation is carried out in encryption user's request, and obtained finger print identifying result is encrypted, by cryptographic fingerprint authentication result and right
It should sign and return to user terminal;
The server security support module 25, for being provided for server authentication module 21, user registration module 22, service
Module 24 provides required Encryption Algorithm and hash algorithm.
The user terminal 3, including user authentication module 31, service request module 32, data decryption module 33 and use
The safe support module 34 in family.
The user authentication module 31 generates the public private key pair of oneself in registration for user terminal, and generates fingerprint mould
Plate authorized signature is sent to finger print identifying server, signs to the user service request of generation, is receiving finger print identifying clothes
It is engaged in verifying the signature of finger print identifying server after the reply of device;
The service request module 32 generates user service according to the user fingerprints data encryption of acquisition for user terminal and asks
It asks, and user service request is sent to finger print identifying server with corresponding signature;
The data decryption module 33, for leading to after the cryptographic fingerprint authentication result for receiving the transmission of finger print identifying server
It crosses user terminal and decryption oprerations is executed to cryptographic fingerprint authentication result;
The user security support module 34, for being user authentication module 31, service request module 32, data decryption module
33 provide required Encryption Algorithm and hash algorithm.
Referring to Fig. 2, the fingerprint verification method of the two-way secret protection of the present invention includes the following steps:
Step 1, system parameter initializes.
1.1) trusted party selects a security parameter l ∈ Z+;
1.2) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank
For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife
Cheng Yuan, h are system parameters;
1.3) it calculates data encryption and handles private keyWith corresponding public key
1.4) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate that rank is non-in the group of integers of q
Null set, while being calculated and its private key SK according to member g is generatedTACorresponding public key
1.5) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
1.6) trusted party chooses fingerprint matching critical value Δd∈Zn *;
1.7) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
Step 2, registration and key distribution.
2.1) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to life
It is calculated and its private key SK at first gsCorresponding public keyAnd by the public key PK of oneselfsIt is sent with the relevant information of oneself
To trusted party;
2.2) user terminal UiIn registration, random selectionAs the private key of oneself, while according to generation member g
It calculates and its private keyCorresponding public keyAnd by the public keyIt is sent in credible with user information
The heart, while trusted party extracts n Wesy family fingerprint templateWherein xjIt is user fingerprints template
The jth dimension data of data, 1≤j≤n;
2.3) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, the private key SB handled with data encryption and public affairs
Key PB composition parameter list<SB, PB, k>, and the parameter list is sent to the user to succeed in registration;
2.4) trusted party discloses the list of the user and its public key that succeed in registration
Step 3, fingerprint template encrypts.
3.1) trusted party is according to the n Wesy family fingerprint template data of extractionIt utilizes
Symmetric cryptographic key k obtains upsetting numerical value H (k) as the input of hash function H (), calculates the fingerprint template number that addition is upset
According to (x'1,x'2,…,x'j,…,x'n), wherein x 'jIt is the jth dimension data for the fingerprint template data that addition is upset, x 'j=xj+H
(k);
3.2) trusted party chooses n random number r1,r2,…,rj,…,rn, wherein rj∈Zn *, 1≤j≤n, and according to life
Fingerprint template data (the x' upset at first g, system parameter h, addition1,x'2,…,x'j,…,x'n) and data encryption public key
Cryptographic fingerprint template data is calculated in PBAnd store, whereinIt is cryptographic fingerprint
The jth dimension data of template data,fx'It is the (n+1)th dimension data of cryptographic fingerprint template data,
3.3) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculating comment
Estimate reference value RDm=H (PBm), constitute assessment reference data setAssessment ginseng
Data set is examined by the Hash Value for being used to search for match parameter to judge whether matching succeeds, by this with reference to assessment data set RDS hair
All registered finger print identifying servers are given, wherein 0≤m≤Δd 2。
Step 4, cryptographic fingerprint template authorization.
Referring to Fig. 3, this step is implemented as follows:
4.1) user terminal UiWhen being registered in finger print identifying server S, by the information U of oneselfi, time stamp T S1Altogether
With the input as hash function H (), obtains user and authorize Hash Value H (Ui||TS1), and with the private key of oneselfTo the use
Family authorization Hash Value is signedForm authorized user message listHair
Finger print identifying server is given, to indicate that user has agreed to the cryptographic fingerprint template of oneself licensing to finger print identifying server;
4.2) finger print identifying server first checks for user information Ui, by time stamp T S1It is compared with current time T, if
TS1Earlier than T and | T-TS1|≤NT, then follow the steps 4.3), otherwise, abandon this communication bag, wherein NTIt is logical for the maximum of system
Believe time delay;
4.3) finger print identifying server is by user information UiWith time stamp T S1As the input of hash function H (), calculate miscellaneous
Gather value H (Ui||TS1), and according to the public key of the userUsing bilinear map function e (), equation is judgedWhether true, if the equation is set up, it is legal to sign, and executes step 4.4), no
Then, communication bag is abandoned;
4.4) finger print identifying server is by the information S of oneself, time stamp T S2Collectively as the input of hash function H (), obtain
To user authorize Hash Value H (S | | TS2), and signed with the private key SKS of oneself to the Hash ValueAgain with signature SigSWith authorized user message listForm template authorization
Solicited message listIt is sent to trusted party, requests UiThe cryptographic fingerprint mould of user
Plate;
4.5) trusted party receives the fingerprint template authorization requests of finger print identifying server, first looks at finger print identifying service
Device S and authorized user UiInformation, confirm finger print identifying server S and authorized user UiWhether all register, then by timestamp
TS2It is compared with current time T: if TS2Earlier than T, and | T-TS2|≤NT, then follow the steps 4.6), otherwise, it is logical to abandon this
Letter wraps, wherein NTFor the maximum communication time delay of system;
4.6) trusted party is by user information UiWith time stamp T S1As input, hash function H (U is calculatedi||TS1), and
According to the public key of the userUsing bilinear map function e (), equation is judged
Whether true, if equation is set up, user's signature is legal, executes step 4.7), otherwise abandons communication bag;
4.7) trusted party is by finger print identifying server info S and time stamp T S2As input calculate hash function H (S | |
TS2), and according to the public key PK of finger print identifying serverS, using bilinear map function e (), judge equation e (g, SigS)=e
(PKS,H(S||TS2)) whether true, if equation is set up, the legitimate verification success of the fingerprint template authorization requests executes step
It is rapid 4.8), otherwise abandon the communication bag;
4.8) trusted party is by the user UiCryptographic fingerprint templateReturn to finger print identifying server S.
Step 5, user terminal generates finger print identifying service request.
5.1) user terminal obtains the n Wesy family finger print data of oneselfIt afterwards, will be symmetrical
Encryption key k obtains upset value H (k) as the input of hash function H (), calculates the user fingerprints data (y' that addition is upset1,
y'2,…,y'j..., y'n), wherein y'j=yj+ H (k), yjIt is the jth dimension data of user fingerprints data, y'jIt is that addition is upset
The jth dimension data of user fingerprints data;
5.2) user terminal is according to the public key PB and corresponding private key SB of data processing, and the finger print data arrow that addition is upset
Measure (y'1,y'2,…,y'j,…,y'n), calculate encryption user fingerprints data
WhereinIt is the jth dimension data for encrypting user fingerprints data,rqy' it is encrypt user fingerprints data n-th
+ 1 dimension data,
5.3) user terminal uses the public key PK of finger print identifying serverS, symmetric encipherment algorithm E () and encryption user fingerprints
DataCalculate symmetric cryptography valueAnd by the symmetric cryptography valueWith user terminal information Ui, when
Between stab TS3Collectively as the input of hash function H (), user's Hash Value is calculated
5.4) oneself private key of user terminalTo user's Hash ValueIt signs, i.e.,
5.5) user terminal encryption user fingerprints dataUser information Ui, time stamp T S3It signs with user terminal
SigiForm finger print identifying service requestAnd the finger print identifying service request is sent to fingerprint and is recognized
Demonstrate,prove server.
Step 6, finger print identifying server providing services.
6.1) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards, by time stamp T S3It is compared with current time T, if TS3Earlier than T, and | T-TS3|≤NT, then
Execute step 6.2), otherwise, return step 5.1), wherein NTFor the maximum communication time delay of system;
6.2) user terminal is by symmetric cryptography valueUser information UiWith time stamp T S3As the defeated of hash function H ()
Enter, calculates hash functionAnd according to the public key of the user terminalUtilize bilinear map function e
() judges equationIt is whether true, if the equation is set up, the finger print identifying
The legitimate verification success of service request, executes step 6.3), otherwise abandons the communication bag;
6.3) the private key SK of finger print identifying server by utilizing oneselfSDecryption symmetric cryptography value obtains encryption user fingerprints
Data
6.4) finger print identifying server is according to user information UiSearch for corresponding user's in cryptographic fingerprint template database
Cryptographic fingerprint template
6.5) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint templateUtilize two-wire
Property mapping function e (), is directly calculated match parameter in ciphertext:
6.6) finger print identifying server is by match parameter MdAs the input of hash function H (), Hash Value H (M is calculatedd),
And the Hash Value is searched in reference assessment data set RDS, if the Hash Value can be found, proves user fingerprints data and refer to
Line template matching, i.e. matching result RS are very, otherwise, to mismatch, i.e. matching result RS is false;
6.7) the (n+1)th dimension of finger print identifying server by utilizing asymmetric encryption function E () and encryption user fingerprints template data
Data rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedIt uses again
The private key SK of oneselfSIt signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal.
Step 7, user terminal obtains authentication result.
7.1) user terminal receives the authentication result list of finger print identifying server replyIt
Afterwards, by time stamp T S4It is compared with current time T, if TS4Earlier than T, and | T-TS4|≤NT, it thens follow the steps 7.2), it is no
Then, return step 5.1), wherein NTFor the maximum communication time delay of system;
7.2) user terminal is by encrypted resultWith time stamp T S4As the input of hash function H (), calculate miscellaneous
Gather valueAnd according to the public key PK of finger print identifying serverS, using bilinear map function e (), sentence
Disconnected equationIt is whether true, if the equation is set up, authentication result list
Legitimate verification success, executes step 7.3), otherwise abandons the communication bag;
7.3) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is solved
It is close, identity authentication result RS is obtained, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
Above description is only example of the present invention, does not constitute any limitation of the invention, it is clear that for this
It, all may be without departing substantially from the principle of the invention, structure after having understood the content of present invention and principle for the professional in field
In the case of, various modifications and variations in form and details are carried out, but these modifications and variations based on inventive concept are still
Within the scope of the claims of the present invention.
Claims (9)
1. a kind of fingerprint identification system of two-way secret protection, characterized by comprising:
Trusted party (1) provides registration and key point for completing system initialization for user terminal and finger print identifying server
Hair, while the finger print data for acquiring registration user is used as certification template, and the template is licensed to legal finger in the form of ciphertext
Line certificate server;
Finger print identifying server (2) is matched for providing the finger print identifying service of secret protection by directly calculating in ciphertext
Parameter carries out bidirectional identity authentication between user terminal in the service of offer to judge whether fingerprint matches;
User terminal (3) gives finger print identifying server for sending cryptographic fingerprint as certification request, to finger print identifying server
The authentication result of return decrypts to obtain query result, and carries out bidirectional identification between finger print identifying server when receiving service
Certification;
The finger print identifying server (2) includes:
Server authentication module (21) is providing clothes to user terminal for generating oneself public private key pair in server registration
The signature of user terminal is verified before business, is signed after obtaining cryptographic fingerprint authentication result to it;
User registration module (22), for providing registration for user, and to the fingerprint template authorized signature of the user terminal received
It is verified, generates the fingerprint matching template that corresponding fingerprint template authorization requests are sent to trusted party application for registration user;
Data memory module (23), for storing the cryptographic fingerprint template from trusted party;
Service providing module (24), for the cryptographic fingerprint data in being requested according to user, fingerprint template and encryption in encryption
Cryptogram computation is carried out in user's request, and obtained finger print identifying result is encrypted, by cryptographic fingerprint authentication result and corresponding label
Name returns to user terminal;
Server security support module (25), for being provided for server authentication module (21), user registration module (22), service
Module (24) provides required Encryption Algorithm and hash algorithm.
2. system according to claim 1, it is characterised in that trusted party (1) includes:
System initialization module (11) generates bilinear map group, obtains the common parameter of system for initializing system;
Registration module (12) extracts the user's to succeed in registration for providing registration for user terminal and finger print identifying server
Fingerprint template, and distribute key to the user terminal and finger print identifying server to succeed in registration;
Data encryption module (13), the fingerprint template data for the user to extract encrypt;
Encrypted template authorization module (14) is used for Certificate Authority information, and to obtain the finger print identifying server hair of user's authorization
Send the cryptographic fingerprint matching template of corresponding user;
The safe support module of trusted party (15), for being system initialization module (11), data encryption module (13), encrypting mould
Plate authorization module (14) provides required Encryption Algorithm and hash algorithm.
3. system according to claim 1, it is characterised in that user terminal (3) includes:
User authentication module (31) generates the public private key pair of oneself in registration for user terminal, and generates fingerprint template and award
Right of approval name is sent to finger print identifying server, signs to the user service request of generation, is receiving finger print identifying server
Reply after the signature of finger print identifying server is verified;
Service request module (32) generates user service request according to the user fingerprints data encryption of acquisition for user terminal,
And user service request is sent to finger print identifying server with corresponding signature;
Data decryption module (33), after receiving the cryptographic fingerprint authentication result that finger print identifying server is sent, user terminal
Decryption oprerations are executed to cryptographic fingerprint authentication result;
User security support module (34), for being user authentication module (31), service request module (32), data decryption module
(33) Encryption Algorithm and hash algorithm needed for providing.
4. a kind of fingerprint verification method of two-way secret protection, comprising:
(1) system parameter initializes:
(1a) trusted party selects a security parameter l ∈ Z+;
(1b) trusted party generates the function Gen (κ) of bilinear map group by operation, obtains bilinear map parameterWherein q1,q2It is the first prime number and the second prime number that length is l bit respectively,It is rank
For the cyclic group of N, order N=q1·q2,It isMaps Group, e () be bilinear map function, g is cyclic groupLife
Cheng Yuan, h are system parameters;
(1c) calculates data encryption and handles private keyWith corresponding public key
(1d) trusted party randomly chooses SKTA∈Zq *As the private key of oneself,Indicate rank for the non-null set in the group of integers of q
It closes, while being calculated and its private key SK according to member g is generatedTACorresponding public key
(1e) trusted party selects the symmetric encipherment algorithm E () an of safety and the hash function H () of a safety;
(1f) trusted party chooses reasonable fingerprint matching critical value Δd∈Zn *;
(1g) trusted party saves the private key < q of oneself1,SKTA>, open system parameter
(2) registration and key distribution:
(2a) finger print identifying server S randomly chooses SK in registrations∈Zn *As the private key of oneself, while according to generation member g
It calculates and its private key SKsCorresponding public keyAnd by the public key PK of oneselfsBeing sent to the relevant information of oneself can
Letter center;
(2b) user terminal UiIn registration, random selectionIt is calculated as the private key of oneself, while according to member g is generated
With its private keyCorresponding public keyAnd by the public keyIt is sent to trusted party with user information, simultaneously
Trusted party extracts n Wesy family fingerprint templateWherein xjIt is the of user fingerprints template data
J dimension data, 1≤j≤n;
(2c) trusted party chooses random number k ∈ Zn *For symmetric cryptographic key, handled with the data encryption generated in step (1c)
Private key SB and public key PB constitute parameter list<SB, PB, k>, and the parameter list is sent to the user to succeed in registration;
(2d) trusted party is to the user to succeed in registration and its list of public keyCarry out disclosure;
(3) fingerprint template encrypts:
(3a) trusted party extracts user fingerprints and generates fingerprint template data and carry out encryption storage;
(3b) trusted party is according to fingerprint matching critical value Δd, hash function H () and data encryption public key PB calculate assessment ginseng
Examine value RDm=H (PBm), constitute assessment reference data setBy this with reference to assessment number
All registered finger print identifying servers are sent to according to collection RDS, wherein 0≤m≤Δd 2;
(4) cryptographic fingerprint template authorization:
(4a) finger print identifying server S is obtaining user UiFingerprint template authorization requests are constructed after authorization, and send the request to can
Letter center;
After (4b) trusted party receives the fingerprint template authorization requests of finger print identifying server, to the fingerprint template authorization requests
Legitimacy is verified, if being proved to be successful, is thened follow the steps (4c), is otherwise abandoned this communication bag;
(4c) trusted party is by the user encryption fingerprint templateReturn to finger print identifying server S;
(5) user terminal generates finger print identifying service request:
(5a) user terminal encrypts the user fingerprints of acquisition to obtain encryption user fingerprints dataWith user's signature Sigi;
(5b) user terminal will encrypt user fingerprints dataUser information Ui, time stamp T S3With user terminal signature SigiGroup
At finger print identifying service requestAnd the finger print identifying service request is sent to finger print identifying service
Device;
(6) finger print identifying server providing services:
(6a) finger print identifying server receives the finger print identifying service request of user terminal transmissionAfterwards,
The legitimacy of the finger print identifying service request is verified, if being proved to be successful, thens follow the steps (6b), otherwise return step
(5a);
(6b) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint template dataCarry out ciphertext meter
It calculates, obtains matching result RS;
(6c) finger print identifying server by utilizing asymmetric encryption function E () and the (n+1)th dimension data for encrypting user fingerprints template data
rq'y, matching result RS is encrypted to obtain encryption matching resultBy the encryption matching resultWith
Time stamp T S4Collectively as the input of hash function H (), Hash Value is obtainedWith the private key SK of oneselfS
It signs to the Hash ValueConstruct authentication result listAnd the authentication result list is replied into user terminal;
(7) user terminal obtains authentication result:
(7a) user terminal receives the authentication result list of finger print identifying server replyLater,
The legitimacy of the authentication result list is verified, if being proved to be successful, thens follow the steps (7b), otherwise return step (5a);
(7b) user terminal uses the (n+1)th dimension data rq' for encrypting user fingerprints template datayIt is rightIt is decrypted, obtains
To identity authentication result RS, if RS is true, finger print identifying success, otherwise, finger print identifying failure.
5. according to the method described in claim 4, wherein trusted party extracts user fingerprints generation fingerprint template in step (3a)
Data simultaneously carry out encryption storage, carry out as follows:
(3a1) trusted party is according to the n Wesy family fingerprint template data of extractionUsing symmetrical
Encryption key k obtains upsetting numerical value H (k) as the input of hash function H (), calculates the fingerprint template data that addition is upset
(x'1,x'2,…,x'j,…,x'n), wherein x 'jIt is the jth dimension data for the fingerprint template data that addition is upset, x 'j=xj+H
(k);
(3a2) trusted party chooses n random number r1,r2,…,rj,…,rn∈Zn *, and according to generate member g, system parameter h, add
Scramble random fingerprint template data (x'1,x'2,…,x'j,…,x'n) and data encryption public key PB, cryptographic fingerprint is calculated
Template dataWhereinIt is the jth dimension data of cryptographic fingerprint template data,fx'It is the (n+1)th dimension data of cryptographic fingerprint template data,
6. according to the method described in claim 4, wherein in step (4a) fingerprint certificate server S obtain user authorization after structure
Fingerprint template authorization requests are made, are carried out as follows:
(4a1) is as user terminal UiWhen being registered in finger print identifying server S, by the information U of oneselfi, time stamp T S1Altogether
With the input as hash function H (), obtains user and authorize Hash Value H (Ui||TS1), and with the private key of oneselfTo the use
Family authorization Hash Value is signedAnd form authorized user message list
It is sent to finger print identifying server;
(4a2) finger print identifying server first checks for user information Ui, by time stamp T S1It is compared with current time T, if TS1
Earlier than T and | T-TS1|≤NT(4a3) is then executed, otherwise, abandons this communication bag, wherein NTFor the maximum communication time delay of system;
(4a3) finger print identifying server is by user information UiWith time stamp T S1As the input of hash function H (), Hash Value is calculated
H(Ui||TS1), and according to the public key of the userUsing bilinear map function e (), equation is judgedWhether true, if the equation is set up, it is legal to sign, and executes step (4a4),
Otherwise, communication bag is abandoned;
(4a4) finger print identifying server is by the information S of oneself, time stamp T S2Collectively as the input of hash function H (), obtain
User's authorization Hash Value H (S | | TS2), and with the private key SK of oneselfSIt signs to the Hash Value
With authorized user message listForm template authorization requests information listIt is sent to trusted party.
7. according to the method described in claim 4, wherein testing in step (4b) the legitimacy of fingerprint template authorization requests
Card carries out as follows:
(4b1) trusted party receives the fingerprint template authorization requests of finger print identifying server, first looks at finger print identifying server S
With authorized user UiInformation, then by time stamp T S2It is compared with current time T: if TS2Earlier than T, and | T-TS2|≤NT, then
It executes (4b2) and otherwise abandons this communication bag, wherein NTFor the maximum communication time delay of system;
(4b2) trusted party is by user information UiWith time stamp T S1As input, hash function H (U is calculatedi||TS1), and according to
The public key of the userUsing bilinear map function e (), equation is judged
Whether true, if equation is set up, user's signature is legal, executes step (4b3), otherwise abandons communication bag;
(4b3) trusted party is by finger print identifying server info S and time stamp T S2As input calculate hash function H (S | |
TS2), and according to the public key PK of finger print identifying serverS, using bilinear map function e (), judge equation e (g, SigS)=e
(PKS,H(S||TS2)) whether true, if equation is set up, the legitimate verification success of the fingerprint template authorization requests executes step
Suddenly (4c) otherwise abandons the communication bag.
8. according to the method described in claim 4, wherein user terminal encrypts the user fingerprints of acquisition in step (5a),
It carries out as follows:
(5a1) user terminal obtains the n Wesy family finger print data of oneselfSymmetric cryptography is close
Key k obtains upsetting H (k) as the input of hash function H (), calculates the user fingerprints data (y' that addition is upset1,y'2,…,
y'j,…,y'n), wherein y'j=yj+ H (k), yjIt is the jth dimension data of user fingerprints data, y'jIt is that the user that addition is upset refers to
The jth dimension data of line data;
(5a2) user terminal is according to the public key PB and corresponding private key SB of data processing, and the finger print data vector that addition is upset
(y'1,y'2,…,y'j,…,y'n), calculate encryption user fingerprints dataIts
InIt is the jth dimension data for encrypting user fingerprints data,rqy'It is encrypt user fingerprints data (n+1)th
Dimension data,
(5a3) user terminal uses the public key PK of finger print identifying serverS, symmetric encipherment algorithm E () and encryption user fingerprints number
According toCalculate symmetric cryptography valueAnd by the symmetric cryptography valueWith user terminal information Ui, the time
Stab TS3Collectively as the input of hash function H (), user's Hash Value is calculated
Oneself private key of (5a4) user terminalTo user's Hash ValueIt signs, i.e.,
9. according to the method described in claim 4, wherein in step (6b) fingerprint certificate server according to encryption user fingerprints number
Cryptogram computation is carried out according to cryptographic fingerprint template data, matching result is obtained, carries out as follows:
The private key SK of (6b1) finger print identifying server by utilizing oneselfSDecrypt symmetric cryptography valueObtain encryption user fingerprints data
(6b2) finger print identifying server is according to user information UiThe encryption of corresponding user is searched in cryptographic fingerprint template database
Fingerprint template
(6b3) finger print identifying server is according to encryption user fingerprints dataWith cryptographic fingerprint templateIt is reflected using bilinearity
Function e () is penetrated, match parameter is calculated
(6b4) finger print identifying server is by match parameter MdAs the input of hash function H (), Hash Value H (M is calculatedd), and
With reference to the Hash Value is searched in assessment data set RDS, user fingerprints data and fingerprint mould are proved if it can find the Hash Value
Plate matching, matching result RS are very, otherwise to mismatch, and matching result RS is false.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610987321.4A CN106411533B (en) | 2016-11-10 | 2016-11-10 | The online fingerprint identification system and method for two-way secret protection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610987321.4A CN106411533B (en) | 2016-11-10 | 2016-11-10 | The online fingerprint identification system and method for two-way secret protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106411533A CN106411533A (en) | 2017-02-15 |
CN106411533B true CN106411533B (en) | 2019-07-02 |
Family
ID=59230174
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610987321.4A Active CN106411533B (en) | 2016-11-10 | 2016-11-10 | The online fingerprint identification system and method for two-way secret protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106411533B (en) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20180129475A (en) * | 2017-05-26 | 2018-12-05 | 삼성에스디에스 주식회사 | Method, user terminal and authentication service server for authentication |
CN107947934B (en) * | 2017-11-08 | 2021-07-30 | 中国银行股份有限公司 | Fingerprint identification and authentication system and method of mobile terminal based on bank system |
CN110035032A (en) * | 2018-01-11 | 2019-07-19 | 南昌欧菲生物识别技术有限公司 | Unlocked by fingerprint method and unlocked by fingerprint system |
CN108566389B (en) * | 2018-03-28 | 2021-02-23 | 中国工商银行股份有限公司 | Cross-application fingerprint identity authentication method and device |
CN108763895B (en) * | 2018-04-28 | 2021-03-30 | Oppo广东移动通信有限公司 | Image processing method and device, electronic equipment and storage medium |
US11063936B2 (en) * | 2018-08-07 | 2021-07-13 | Microsoft Technology Licensing, Llc | Encryption parameter selection |
CN111177676B (en) * | 2018-11-12 | 2022-09-09 | 群光电子股份有限公司 | Verification system, verification method, and non-transitory computer-readable recording medium |
CN109410406B (en) * | 2018-11-14 | 2021-11-16 | 北京华大智宝电子系统有限公司 | Authorization method, device and system |
CN110084224B (en) * | 2019-05-08 | 2022-08-05 | 电子科技大学 | Cloud fingerprint security authentication system and method |
CN111131142A (en) * | 2019-10-22 | 2020-05-08 | 北京握奇智能科技有限公司 | Fingerprint authentication encryption system and method for multi-application system |
CN111131145B (en) * | 2019-11-08 | 2021-07-13 | 西安电子科技大学 | Management query system and method for hiding communication key nodes |
CN111682941B (en) * | 2020-05-18 | 2022-12-20 | 浙江连湖科技有限责任公司 | Centralized identity management, distributed authentication and authorization method based on cryptography |
CN112329519B (en) * | 2020-09-21 | 2024-01-02 | 中国人民武装警察部队工程大学 | Safe online fingerprint matching method |
CN112347473B (en) * | 2020-11-06 | 2022-07-26 | 济南大学 | Machine learning security aggregation prediction method and system supporting bidirectional privacy protection |
CN113114689B (en) * | 2021-04-15 | 2022-10-18 | 南京邮电大学 | Authentication method based on bilinear mapping and dot product protocol in intelligent medical treatment |
CN113452671A (en) * | 2021-05-10 | 2021-09-28 | 华东桐柏抽水蓄能发电有限责任公司 | Terminal access authentication method based on equipment identity |
CN113704728B (en) * | 2021-07-19 | 2024-03-01 | 桂林电子科技大学 | Fingerprint authentication method based on D-H key exchange and key sharing |
CN114980096B (en) * | 2022-03-18 | 2023-05-30 | 国网智能电网研究院有限公司 | Sensing terminal safety guarantee method, device, equipment and medium based on equipment fingerprint |
CN117061240B (en) * | 2023-10-11 | 2023-12-19 | 北京金睛云华科技有限公司 | Verifiable fingerprint matching privacy protection method in cloud environment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101340285A (en) * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey |
CN102223235A (en) * | 2011-06-23 | 2011-10-19 | 甘肃农业大学 | Fingerprint characteristic template protecting method and identity authentication method in open network environment |
CN102394896A (en) * | 2011-12-13 | 2012-03-28 | 甘肃农业大学 | Privacy-protection fingerprint authentication method and system based on token |
CN104639315A (en) * | 2013-11-10 | 2015-05-20 | 航天信息股份有限公司 | Dual-authentication method and device based on identity passwords and fingerprint identification |
CN105391554A (en) * | 2015-11-09 | 2016-03-09 | 中国电子科技集团公司第三十研究所 | Method and system for realizing fingerprint matching by using ciphertext |
-
2016
- 2016-11-10 CN CN201610987321.4A patent/CN106411533B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101340285A (en) * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey |
CN102223235A (en) * | 2011-06-23 | 2011-10-19 | 甘肃农业大学 | Fingerprint characteristic template protecting method and identity authentication method in open network environment |
CN102394896A (en) * | 2011-12-13 | 2012-03-28 | 甘肃农业大学 | Privacy-protection fingerprint authentication method and system based on token |
CN104639315A (en) * | 2013-11-10 | 2015-05-20 | 航天信息股份有限公司 | Dual-authentication method and device based on identity passwords and fingerprint identification |
CN105391554A (en) * | 2015-11-09 | 2016-03-09 | 中国电子科技集团公司第三十研究所 | Method and system for realizing fingerprint matching by using ciphertext |
Also Published As
Publication number | Publication date |
---|---|
CN106411533A (en) | 2017-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106411533B (en) | The online fingerprint identification system and method for two-way secret protection | |
CN111083131B (en) | Lightweight identity authentication method for power Internet of things sensing terminal | |
CN109347878B (en) | Decentralized data verification and data security transaction system and method | |
CN102170357B (en) | Combined secret key dynamic security management system | |
CN107454079A (en) | Lightweight device authentication and shared key machinery of consultation based on platform of internet of things | |
CN108092776A (en) | A kind of authentication server and authentication token | |
JP2004304751A5 (en) | ||
KR100682263B1 (en) | System and method for remote authorization authentication using mobile | |
CN106878318A (en) | A kind of block chain real time polling cloud system | |
CN107070652A (en) | A kind of anti-tamper car networking method for secret protection of ciphertext based on CP ABE and system | |
JP2005223924A (en) | Opinion registering application for universal pervasive transaction framework | |
JP2005102163A (en) | Equipment authentication system, server, method and program, terminal and storage medium | |
CN102932149A (en) | Integrated identity based encryption (IBE) data encryption system | |
CN101243438A (en) | Distributed single sign-on service | |
CN105207776A (en) | Fingerprint authentication method and system | |
KR20070095908A (en) | Method and device for key generation and proving authenticity | |
JP3362780B2 (en) | Authentication method in communication system, center device, recording medium storing authentication program | |
CN112329519A (en) | Safe online fingerprint matching method | |
CN104935441A (en) | Authentication method and relevant devices and systems | |
CN101124767A (en) | Method and device for key generation and proving authenticity | |
CN108809936A (en) | A kind of intelligent mobile terminal auth method and its realization system based on Hybrid Encryption algorithm | |
US20120124378A1 (en) | Method for personal identity authentication utilizing a personal cryptographic device | |
US20100005519A1 (en) | System and method for authenticating one-time virtual secret information | |
CN111245834B (en) | Internet of things cross-domain access control method based on virtual identification | |
CN104899737A (en) | Fingerprint IRLRD characteristic encryption method, and mobile payment system and method based on encryption method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220210 Address after: 710000 room 004, F2002, 20 / F, block 4-A, Xixian financial port, Fengdong new town energy gold trade zone, Xixian new area, Xi'an City, Shaanxi Province Patentee after: Shaanxi Songyuan Mingrui Information Technology Co.,Ltd. Address before: 710071 Taibai South Road, Yanta District, Xi'an, Shaanxi Province, No. 2 Patentee before: XIDIAN University |
|
TR01 | Transfer of patent right |