CN112328989A - Network identity authentication method, system and storage medium based on biological characteristics - Google Patents

Info

Publication number
CN112328989A
Authority
CN
China
Prior art keywords
information
iris
check code
identity
template
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202011163936.8A
Other languages
Chinese (zh)
Inventor
韩思
范渊
吴永越
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011163936.8A
Publication of CN112328989A
Legal status: Withdrawn (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/18 Eye characteristics, e.g. of the iris
    • G06V40/197 Matching; Classification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Abstract

The application relates to a network identity authentication method, system and storage medium based on biological characteristics. The method comprises the following steps: obtaining identity information, iris information and a session key; encrypting the identity information and the iris information with the session key to obtain first encrypted information; generating a first check code from the identity information and the iris information; sending the first encrypted information and the first check code to a server; obtaining second encrypted information and a second check code if the server's verification passes; decrypting the second encrypted information with the session key; and judging whether identity verification passes according to the second check code and the decrypted second encrypted information. The method and device address the problems of the related art, where authentication is carried out only through a password or an owned article, so that the authentication process has low security and easily causes loss to the user, and improve the privacy of user information.

Description

Network identity authentication method, system and storage medium based on biological characteristics
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network identity authentication method, system and storage medium based on biometric features.
Background
Generally, identity authentication of a network user is required during a remote desktop service or a remote desktop connection, and with the development of network technology, how to accurately authenticate the identity of a network user and protect the user's information security is a problem that must be solved.
In the related art, authentication is mostly based on identity information or owned articles, for example a password. Passwords and owned articles are easily lost, stolen or forgotten, and an impostor cannot be identified by a password or an owned article alone, so the security of the related-art authentication methods is low and loss is easily caused to the user.
At present, no effective solution has been provided for the problem that, in the related art, only passwords and owned articles are used for identity authentication, so the security of the identity authentication process is low and loss to users is easily caused.
Disclosure of Invention
The embodiment of the application provides a network identity authentication method, a system and a storage medium based on biological characteristics, which are used for at least solving the problems that the security of an identity authentication process is low and the loss is easily caused to a user because the identity authentication is only carried out through a password and owned articles in the related technology.
In a first aspect, an embodiment of the present application provides a network identity authentication method based on a biometric feature, including:
acquiring identity information and iris information;
acquiring a session key, encrypting the identity information and the iris information according to the session key to obtain first encrypted information, and generating a first check code according to the identity information and the iris information;
sending the first encrypted information and the first check code to a server for verification, and acquiring second encrypted information and a second check code under the condition that the verification is passed;
and decrypting the second encrypted information according to the session key, and judging whether the identity authentication passes according to the second check code and the decrypted second encrypted information.
In some embodiments, obtaining the first encryption information further comprises:
first encryption information is generated according to a time stamp, the identity information and the iris information, wherein the time stamp is generated simultaneously with the session key.
In some of these embodiments, obtaining iris information comprises:
acquiring an iris image to be recognized, and comparing the iris image with a template iris in a database to obtain a first characteristic of the iris image;
identifying the iris image to obtain a second characteristic;
and obtaining the iris information according to the first characteristic and the second characteristic.
In some of these embodiments, obtaining the first feature of the iris image comprises:
acquiring a plurality of coding matrixes of a plurality of groups of iris images to be recognized, wherein the iris images correspond to the coding matrixes;
comparing the plurality of coding matrixes with the coding matrixes of the template iris respectively to obtain a plurality of first characteristics;
and selecting the first feature with the minimum value from the plurality of first features as the first feature of the iris image.
In some of these embodiments, acquiring an iris image to be recognized includes:
acquiring an inner boundary and an outer boundary of an iris in an initial iris image;
normalizing the initial iris image by polar coordinates according to the inner boundary and the outer boundary;
and carrying out histogram equalization on the normalized initial iris image to obtain the iris image to be identified.
In a second aspect, an embodiment of the present application provides a network identity authentication method based on a biometric feature, including:
generating a session key through authentication, acquiring first encrypted information and a first check code, decrypting the first encrypted information according to the session key, and acquiring identity information and iris information;
verifying the first check code according to the identity information and the iris information, and respectively matching the identity information and the iris information with template identity information and template iris information in a database under the condition that the verification is passed;
under the condition of successful matching, encrypting the template identity information and the template iris information according to the session key to generate second encrypted information, and generating a second check code according to the template identity information and the template iris information;
and sending the second encryption information and the second check code.
In some embodiments, before sending the second encryption information and the second check code, the method further includes:
acquiring a timestamp;
and in the case that the difference value between the timestamp and the current time is larger than a preset time period threshold value, the verification is judged to be invalid.
In some embodiments, the iris information includes a first feature and a second feature, and after the verification passes, the method further includes:
performing identity verification according to the first feature if the second feature is present in the database;
adding the first feature and the second feature to the database in the event that the second feature is not present in the database.
In a third aspect, an embodiment of the present application provides a network identity authentication system based on biometrics, including a client and a server:
the server receives a communication request of the client, and authenticates the server and the client mutually according to the communication request to generate a session key;
the client acquires identity information and iris information, encrypts the identity information and the iris information according to the session key to obtain first encrypted information, and generates a first check code according to the identity information and the iris information;
the client sends the first encryption information and the first check code to the server for verification;
the server decrypts the first encrypted information according to the session key to acquire the identity information and the iris information;
the server verifies the first check code according to the identity information and the iris information, and respectively matches the identity information and the iris information with template identity information and template iris information in a database under the condition that the verification is passed;
the server encrypts the template identity information and the template iris information according to the session key under the condition of successful matching to generate second encrypted information, generates a second check code according to the template identity information and the template iris information, and sends the second encrypted information and the second check code to the client;
and the client decrypts the second encrypted information according to the session key and judges whether the authentication passes according to the second check code and the decrypted second encrypted information.
In a fourth aspect, the present application provides an electronic apparatus, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the biometric-based network authentication method according to the first aspect or the second aspect.
In a fifth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the biometric-based network authentication method according to the first aspect or the second aspect.
Compared with the related art, the network identity authentication method based on biological characteristics provided by the embodiment of the application obtains identity information, iris information and a session key; encrypts the identity information and the iris information with the session key to obtain first encrypted information; generates a first check code from the identity information and the iris information; sends the first encrypted information and the first check code to a server for authentication; obtains second encrypted information and a second check code when the authentication passes; decrypts the second encrypted information with the session key; and judges whether the authentication passes according to the second check code and the decrypted second encrypted information. This solves the problems that, in the related art, the security of the identity authentication process is low and loss to the user is easily caused because authentication is only carried out through a password or an owned article; it improves the privacy of user information and reduces the possibility of property loss for the user.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flow chart of a biometric-based network authentication method according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of acquiring iris information according to an embodiment of the present application;
FIG. 3 is a flow chart of a method of iris image pre-processing according to an embodiment of the present application;
FIG. 4 is a flow chart of another biometric-based network authentication method according to an embodiment of the present application;
fig. 5 is a block diagram of a hardware structure of a terminal of a network authentication method based on biometrics according to an embodiment of the present application;
FIG. 6 is a block diagram of a biometric-based network authentication system according to an embodiment of the present application;
fig. 7 is a schematic diagram of a network authentication system according to the preferred embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
Network identity authentication requires the user to authenticate before establishing a session with the server. This measure is an important means of ensuring the safety and integrity of remotely transmitted information, the reliability of remote access and the non-repudiation of the user identity, and is generally applied in remote desktop services, remote desktop connections and similar technologies.
Internet service content providers, in consideration of operating cost, generally pay insufficient attention to the security of user identity authentication and rarely establish physical service points; once a user's account is stolen or a password is forgotten, the user can only request assistance from the service provider by filling in a form or sending an e-mail. It is precisely this lack of verification and assurance of the authenticity of the user identity by internet service content providers that causes the current phenomenon of user information being stolen, which seriously affects the user's experience of normal service use and easily causes irrecoverable loss.
The present embodiment provides a network identity authentication method based on a biometric feature, which is applied to a scenario where a client interacts with a server, taking the method as an example, fig. 1 is a flowchart of the network identity authentication method based on the biometric feature according to the embodiment of the present application, and as shown in fig. 1, the method includes the following steps:
step S110, obtaining identity information and iris information.
In this embodiment, the client obtains identity information and iris information of the user, where the identity information is information indicating an identity of the user, and is usually an Identifier (ID) or a code corresponding to the user, such as an identification number or an employee number. For the iris information, the iris image of the user can be acquired through a camera of the client, and then the characteristics in the iris image are identified.
Step S120, a session key is obtained, the identity information and the iris information are encrypted according to the session key to obtain first encrypted information, and a first check code is generated according to the identity information and the iris information.
The session key is generated by the server and the client authenticating each other using the Diffie-Hellman algorithm, and is denoted $K_s$. The authentication between the server and the client only needs to satisfy the normal communication protocol. The Diffie-Hellman algorithm is a key agreement algorithm which calculates the discrete logarithm over a finite field and can improve the security of the calculation process. Further, the Diffie-Hellman algorithm generates the session key only when it is needed, which reduces the chance of the session key being attacked because of long-term storage, and apart from agreement on the global parameters, the exchange of the session key requires no pre-existing infrastructure, such as identity information and iris information. This embodiment uses the Diffie-Hellman algorithm to exchange the key, keeps the key unknown to third parties, improves the privacy and security of authentication, and reduces the possibility of the secret key being stolen.
The session key $K_s$ of the server and the client comprises a public and private key pair $\{(PK_i, SK_i)\}$. The specific generation process is as follows: the server generates a session list according to the plaintext to be transmitted and the public and private keys, where the session list comprises a list of public keys $PK_i$ and the private keys do not appear in the session list; the client generates a master public key according to the distributed key of the system, namely the public keys in the session list, and then obtains a ciphertext by encrypting with the ElGamal algorithm, where the distributed key refers to a public and private key pair generated by mutual authentication of the client and the server without requiring a third party to generate and distribute it centrally; the server calculates the product of the ciphertexts and recovers the master private key through the protocol generated by the distributed key; the client inputs the master private key, decrypts the product of the ciphertexts with the ElGamal decryption function, and realizes mutual authentication between the server and the client according to the decryption result; if authentication succeeds, the client is allowed access. ElGamal in this embodiment is an asymmetric encryption algorithm.
In this embodiment, the first check code is obtained by performing MD5 check on the identity information and the iris information, where the MD5 check is a one-way operation that converts a data string of any length into a short fixed-length value, and any two strings have different hash values.
Step S130, sending the first encrypted information and the first check code to the server for verification, and obtaining the second encrypted information and the second check code when the verification passes, where the second encrypted information and the second check code in this embodiment are both generated by the server.
Step S140, decrypting the second encrypted information according to the session key, and determining whether the authentication passes according to the second check code and the decrypted second encrypted information.
After receiving the second encrypted information, the client decrypts the second encrypted information by the session key, then performs MD5 verification on the decrypted information, and considers that the authentication of the client is passed if the obtained verification code is consistent with the second verification code. By using MD5 verification, remote counterfeiting can be reduced, and accuracy of remote information transmission can be improved.
Through steps S110 to S140, this embodiment verifies identity based on the user's iris. Because the iris has the advantages of uniqueness, stability, collectability and non-invasiveness, authentication and identification through the iris are more accurate; the user's iris is easy to collect and not easily affected by external factors, so the error rate of user identification can be effectively reduced. This solves the problems that, in the related art, the security of the identity verification process is low and loss to the user is easily caused because identity verification is only performed through a password or an owned article; it improves the privacy of user information and reduces the possibility of property loss for the user.
In some embodiments, obtaining the first encryption information further comprises: first encryption information is generated according to the timestamp, the identity information and the iris information, wherein the timestamp is generated simultaneously with the session key. Under the condition that the time stamp exists, if the server receives the first encryption information, the time stamp is verified firstly, and under the condition that the difference value between the time of the time stamp and the verification time is larger than a preset time period threshold value, the verification is judged to be invalid, wherein the preset time period threshold value can be set by developers according to scene requirements. The timestamp is introduced in the embodiment, so that the session key has a certain timeliness, and if the user does not act within a certain time, the session key is expired and the identity needs to be verified again, thereby ensuring the validity of the session key and improving the security of the client.
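The client/server exchange of steps S110 to S140, together with the timestamp check of the preceding paragraph, as an added Python example; this is not code from the patent or from the applicant. It assumes: a toy Diffie-Hellman group (a Mersenne prime chosen for brevity; a standard group such as RFC 7919 ffdhe2048 would be used in practice), a SHA-256 counter keystream as a stand-in for a real cipher, a keyed HMAC-SHA256 check code under a key derived from $K_s$ in place of the MD5 hash the description uses (MD5 is not collision resistant, and an unkeyed hash of the plaintext can be recomputed by anyone who learns the plaintext), a 30-second timestamp threshold, a Hamming-distance iris match with a 3-bit cutoff, and a constructed one-entry template database. All of those values, names and the JSON message layout are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Toy Diffie-Hellman parameters for this demo only (Mersenne prime, generator 3);
# a deployment uses a standard group such as RFC 7919 ffdhe2048 and authenticates the exchange.
DH_P = (1 << 127) - 1
DH_G = 3
TIME_THRESHOLD = 30        # preset time period threshold in seconds (assumed value)
IRIS_DISTANCE_MAX = 3      # accepted Hamming distance between iris codes (assumed value)


def dh_keypair():
    """One side's ephemeral private exponent and public value."""
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def session_key(priv, peer_pub):
    """K_s: SHA-256 of the shared Diffie-Hellman secret."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream; a stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(ks, plaintext):
    """Encrypt under a key derived from K_s; a fresh random nonce is prepended to the ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(hashlib.sha256(b"enc" + ks).digest(), nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(ks, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(hashlib.sha256(b"enc" + ks).digest(), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def check_code(ks, plaintext):
    """Check code: HMAC-SHA256 under a key derived from K_s (replaces the description's MD5)."""
    return hmac.new(hashlib.sha256(b"mac" + ks).digest(), plaintext, hashlib.sha256).hexdigest()


def client_request(ks, identity, iris_info, now):
    """Step S120: first encrypted information (timestamp, identity, iris) and first check code."""
    plaintext = json.dumps({"ts": now, "id": identity, "iris": iris_info}, sort_keys=True).encode()
    return encrypt(ks, plaintext), check_code(ks, plaintext)


def _hamming(code_a, code_b):
    """Bit distance between two equal-length hex iris codes; unequal or malformed -> infinite."""
    try:
        if len(code_a) != len(code_b):
            return float("inf")
        return bin(int(code_a, 16) ^ int(code_b, 16)).count("1")
    except (TypeError, ValueError):
        return float("inf")


def server_verify(ks, template_db, enc1, code1, now):
    """Server side: check code first, then timestamp freshness, then template matching.
    Returns (second encrypted information, second check code), or None if verification fails."""
    plaintext = decrypt(ks, enc1)
    if not hmac.compare_digest(code1, check_code(ks, plaintext)):
        return None                                   # tampered, or a different session key
    try:
        msg = json.loads(plaintext)
    except ValueError:
        return None
    ts = msg.get("ts") if isinstance(msg, dict) else None
    if not isinstance(ts, int) or abs(now - ts) > TIME_THRESHOLD:
        return None                                   # stale timestamp: verification invalid
    tmpl = template_db.get(msg.get("id"))
    iris = msg.get("iris") if isinstance(msg.get("iris"), dict) else {}
    if tmpl is None or iris.get("second") != tmpl["second"] \
            or _hamming(iris.get("first"), tmpl["first"]) > IRIS_DISTANCE_MAX:
        return None                                   # no matching template
    reply = json.dumps({"id": msg["id"], "iris": tmpl}, sort_keys=True).encode()
    return encrypt(ks, reply), check_code(ks, reply)


def client_verify(ks, expected_identity, enc2, code2):
    """Step S140: decrypt the second encrypted information and confirm the second check code."""
    plaintext = decrypt(ks, enc2)
    if not hmac.compare_digest(code2, check_code(ks, plaintext)):
        return False
    return json.loads(plaintext).get("id") == expected_identity


def run_demo(identity="emp-1042", iris_first="a5f0c3", iris_second="brown", server_skew=0):
    """Full exchange against a constructed one-entry template database; True on success."""
    template_db = {"emp-1042": {"first": "a5f0c3", "second": "brown"}}   # constructed data
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    ks_client, ks_server = session_key(c_priv, s_pub), session_key(s_priv, c_pub)
    now = int(time.time())
    enc1, code1 = client_request(ks_client, identity, {"first": iris_first, "second": iris_second}, now)
    result = server_verify(ks_server, template_db, enc1, code1, now + server_skew)
    return result is not None and client_verify(ks_client, identity, *result)
```

The server verifies the check code before it reads any field of the decrypted message, so the timestamp and template checks only run on data whose integrity has been confirmed; the description verifies the timestamp first, and that order is deliberately swapped here. Comparisons of check codes use `hmac.compare_digest` so that a mismatch takes the same time wherever the first differing byte lies.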
In some embodiments, fig. 2 is a flowchart of a method for acquiring iris information according to an embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
step S210, obtaining an iris image to be identified, and comparing the iris image with a template iris in a database to obtain a first characteristic of the iris image.
In this embodiment, the database is pre-established and includes a plurality of template irises, which are iris images recorded in the database in advance for authenticating the user. When a client requests data from the server, the user's iris can be re-acquired and compared with the pre-stored template irises. The first feature in this embodiment is a unique feature of the iris image, different for every user, from which a unique user can be determined, such as spots, filaments, crowns, stripes and pits; an iris feature value obtained by comparing the iris image with the template irises can be used as the first feature.
And step S220, identifying the iris image to obtain a second characteristic.
The second feature in this embodiment is a non-unique feature that can be identified from the iris image, and a plurality of users can be determined according to the second feature, for example, including pigment, blood vessel, smooth muscle, sclera, iris, pupil, crystalline lens, retina, iris color, and the like, for example, yellow, blue, and brown.
And step S230, obtaining iris information according to the first characteristic and the second characteristic.
Through the above steps S210 to S230, the iris information in the present embodiment is composed of the unique feature and the non-unique feature of the iris, and the identification accuracy of the iris information can be further improved.
In some embodiments, considering that the acquired iris images may be blocked or unclear, a plurality of sets of iris images to be recognized are acquired, each set including iris images of the left and right eyes, where the number of iris images can be defined by a threshold; the acquired iris images are then compared with the template irises in the database. Normally, 6 sets are acquired. The method specifically comprises the following steps: acquiring a plurality of coding matrices of the plurality of sets of iris images to be recognized, where the iris images correspond to the coding matrices; then comparing the coding matrices with the coding matrix of the template iris respectively to obtain a plurality of first features, the irises being compared using the following equation 1:
$\psi_i = (I_i - I_0)^2,\quad i = 1, 2, 3, \dots, n$ (equation 1)
where $\psi_i$ is the characteristic value of the iris, $I_0$ is the coding matrix of the template iris, $I_i$ is the coding matrix of the $i$-th iris image to be recognized (the iris image can be obtained from the pupil image), $\psi_i$ is the result of comparing the $i$-th image with the template image, and $n$ is the number of images in the image library. Then the smallest $\psi_i$ is found and recorded as $\min(\psi_i)$; that is, the first feature with the smallest value is selected from the plurality of first features as the first feature of the iris image.
In the embodiment, by acquiring a plurality of groups of iris images, the identification error caused by the unclear acquired iris images can be reduced, and the identification accuracy of the iris images is improved.
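Equation 1 and the minimum-selection step, as an added Python example that is not part of the patent: it scores several constructed 0/1 coding matrices against a constructed template coding matrix and selects the minimum $\psi_i$. For 0/1 codes the summed squared difference is simply the Hamming distance, so an occluded capture scores high and is not selected. The matrices, the flipped cells and the acceptance threshold in `iris_matches` are constructed or assumed; the description selects the minimum but states no cutoff.

```python
# Template coding matrix: constructed test data, not a value from the patent.
TEMPLATE = [
    [1, 0, 1, 1, 0, 0, 1, 0],
    [0, 1, 1, 0, 1, 0, 0, 1],
    [1, 1, 0, 0, 1, 1, 0, 0],
    [0, 0, 1, 1, 0, 1, 1, 1],
]


def code_distance(code, template):
    """psi = sum over all cells of (I_i - I_0)^2 (equation 1); for 0/1 codes this is the Hamming distance."""
    if len(code) != len(template) or any(len(r) != len(t) for r, t in zip(code, template)):
        raise ValueError("coding matrices must have identical dimensions")
    return sum((a - b) ** 2 for rc, rt in zip(code, template) for a, b in zip(rc, rt))


def first_feature(codes, template):
    """Score every captured coding matrix I_i against the template I_0 and return (min psi_i, i)."""
    if not codes:
        raise ValueError("no iris images were captured")
    scores = [code_distance(c, template) for c in codes]
    best = min(range(len(scores)), key=scores.__getitem__)
    return scores[best], best


def iris_matches(codes, template, max_distance):
    """Accept when the best capture lies within max_distance cells of the template (assumed cutoff)."""
    return first_feature(codes, template)[0] <= max_distance


def flip_cells(code, cells):
    """Constructed perturbation: copy the matrix and invert the listed (row, col) cells."""
    out = [row[:] for row in code]
    for r, c in cells:
        out[r][c] ^= 1
    return out


def sample_captures():
    """Three constructed captures of one eye: mild noise (3 cells), one-cell noise, and a
    top-row occlusion (all zeros), which scores worst and is therefore never selected."""
    noisy = flip_cells(TEMPLATE, [(0, 0), (1, 1), (2, 2)])
    clean = flip_cells(TEMPLATE, [(3, 7)])
    occluded = [[0] * 8] + [row[:] for row in TEMPLATE[1:]]
    return [noisy, clean, occluded]
```

Each set in the description holds a left-eye and a right-eye image; the example treats every capture as one coding matrix against one template, so a two-eye deployment would call `first_feature` once per eye with that eye's template.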
The iris is an annular organ located between the pupil and the cornea, ten-odd millimetres in diameter, and its colour varies greatly among ethnic groups. Because the human eye is a lens, when the iris image is collected with a special image collection device, stray light imaged in the human eye must be prevented from being captured; after the initial iris image is obtained, it needs to be preprocessed.
In some embodiments, fig. 3 is a flowchart of a method for preprocessing an iris image according to an embodiment of the present application, as shown in fig. 3, the method including the steps of:
step S310, the inner boundary and the outer boundary of the iris in the initial iris image are obtained.
After the initial iris image is acquired, the initial iris image needs to be located first. Because the iris is an annular tissue located between the pupil and the sclera, the inner and outer diameters of the annular tissue correspond to different circle centers, and therefore, the inner and outer boundaries thereof are determined respectively. For the inner boundary, a binarization method can be adopted, the pupil is positioned by using the distribution of the image gray projection amount, a gray histogram of the initial iris image is calculated, and the gray threshold value is preferably the minimum value between a first peak value and a second peak value of the gray, so as to successfully separate the pupil. For the outer boundary, firstly, performing edge extraction on the initial iris image, and finally obtaining the outer boundary by adopting least square fitting, wherein Canny operators can be used for the edge extraction.
Step S320, normalizing the initial iris image by polar coordinates according to the inner boundary and the outer boundary.
Since both the inner and outer boundaries of the iris can be regarded as circles, polar coordinates are used for normalization in this embodiment. Because the inner and outer boundaries have different centers, the parameters of the inner and outer boundaries of the initial iris image can be written as $(x_i, y_i, r_i)$ and $(x_0, y_0, r_0)$ respectively, and the center of the inner boundary is used as the center of the polar coordinates.
Take the center of the polar coordinates and draw a ray forming an angle $\theta$ with the horizontal line; the ray has one intersection point with the inner boundary and one with the outer boundary, namely $B(x_i(\theta), y_i(\theta))$ and $A(x_0(\theta), y_0(\theta))$. Any point on the ray between the two intersection points can be represented by a linear combination of the two intersection points, as shown in equation 2:
[Equation 2 (image BDA0002745212140000091, not reproduced): $(x, y)$ expressed as a linear combination of $B$ and $A$]
in equation 2, (x, y) is the coordinate of any point on the ray between two intersection points. Each point in the initial iris image can be mapped one-to-one into polar coordinates (r, θ) by equation 2, and the processed initial iris image has pupil scaling and rotation invariance.
And step S330, carrying out histogram equalization on the normalized initial iris image to obtain an iris image to be identified.
After the initial iris image is normalized, the initial iris image needs to be enhanced, for example, local histogram equalization is performed on the initial iris image, contrast is enhanced, and the influence of uneven illumination on the initial iris image is eliminated.
Through the steps S310 to S330, the present embodiment preprocesses the initial iris image to obtain the final iris image for verification, thereby improving the quality of the iris image and further improving the speed and efficiency of iris recognition.
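Steps S310 to S330 as one runnable pipeline, added here as an example and not taken from the patent. It works on a constructed 64x64 grayscale image (dark pupil disc, textured iris ring with an offset center, bright sclera) so it runs offline without an image library. The inner boundary follows the page: a threshold at the histogram minimum between the first two peaks, then the pupil circle from the binarized blob (centroid and area, a simplification of the gray-projection localization). The outer boundary is passed in as an assumption rather than fitted from Canny edges. The form of equation 2 is assumed to be the Daugman rubber-sheet mapping, $(1-\rho)B + \rho A$ along each ray, and the enhancement is plain histogram equalization of the normalized strip.

```python
import math

# Constructed test image (not from the patent). Circles are (x, y, r).
PUPIL = (32, 32, 8)
IRIS = (34, 32, 24)


def make_synthetic_eye(size=64):
    img = []
    for y in range(size):
        row = []
        for x in range(size):
            if (x - PUPIL[0]) ** 2 + (y - PUPIL[1]) ** 2 <= PUPIL[2] ** 2:
                row.append(20)                          # pupil
            elif (x - IRIS[0]) ** 2 + (y - IRIS[1]) ** 2 <= IRIS[2] ** 2:
                row.append(100 + (7 * x + 3 * y) % 40)  # crude iris texture
            else:
                row.append(230)                         # sclera
        img.append(row)
    return img


def gray_histogram(img):
    hist = [0] * 256
    for row in img:
        for v in row:
            hist[v] += 1
    return hist


def pupil_threshold(img):
    """Step S310, inner boundary: the gray threshold is the histogram minimum
    between its first and second peaks, so the dark pupil separates cleanly."""
    hist = gray_histogram(img)
    peaks = [g for g in range(1, 255) if hist[g] > hist[g - 1] and hist[g] >= hist[g + 1]]
    if len(peaks) < 2:
        raise ValueError("histogram is not bimodal; cannot isolate the pupil")
    p1, p2 = peaks[0], peaks[1]
    return min(range(p1, p2 + 1), key=lambda g: hist[g])


def locate_pupil(img, thr):
    """Binarise at thr; pupil centre = centroid of the dark pixels, radius from
    their count assuming a full disc (simplified localisation, an assumption)."""
    dark = [(x, y) for y, row in enumerate(img) for x, v in enumerate(row) if v <= thr]
    if not dark:
        raise ValueError("no pupil pixels below threshold")
    n = len(dark)
    return sum(p[0] for p in dark) / n, sum(p[1] for p in dark) / n, math.sqrt(n / math.pi)


def ray_hit(cx, cy, theta, circle):
    """Distance t > 0 from (cx, cy) along angle theta to a circle enclosing
    (cx, cy): positive root of |C + t*d - O|^2 = r^2."""
    ox, oy, r = circle
    dx, dy = math.cos(theta), math.sin(theta)
    fx, fy = cx - ox, cy - oy
    b = dx * fx + dy * fy
    c = fx * fx + fy * fy - r * r
    return -b + math.sqrt(b * b - c)


def polar_normalize(img, inner, outer, radial=16, angular=64):
    """Step S320 (assumed form of equation 2): the ray at angle theta from the
    pupil centre meets the inner boundary at B and the outer boundary at A;
    the sample at fraction rho along it is (1 - rho) * B + rho * A."""
    cx, cy, _ = inner
    h, w = len(img), len(img[0])
    strip = []
    for k in range(radial):
        rho = k / (radial - 1)
        row = []
        for j in range(angular):
            th = 2 * math.pi * j / angular
            t = (1 - rho) * ray_hit(cx, cy, th, inner) + rho * ray_hit(cx, cy, th, outer)
            px = min(max(int(round(cx + t * math.cos(th))), 0), w - 1)
            py = min(max(int(round(cy + t * math.sin(th))), 0), h - 1)
            row.append(img[py][px])
        strip.append(row)
    return strip


def histogram_equalize(strip):
    """Step S330: histogram equalisation of the normalised strip."""
    hist = gray_histogram(strip)
    total = sum(hist)
    cdf, acc = [], 0
    for count in hist:
        acc += count
        cdf.append(acc)
    cdf_min = next(c for c in cdf if c > 0)
    span = total - cdf_min
    lut = [round((c - cdf_min) * 255 / span) if span else 0 for c in cdf]
    return [[lut[v] for v in row] for row in strip]


def preprocess(img, outer):
    """Steps S310 to S330 end to end; the outer boundary is assumed known."""
    thr = pupil_threshold(img)
    inner = locate_pupil(img, thr)
    return thr, inner, histogram_equalize(polar_normalize(img, inner, outer))
```

The output is a fixed-size (radial x angular) strip regardless of pupil dilation or image scale, which is what makes the later bit-wise code comparison meaningful; the ray-intersection step matters because the pupil and iris circles are not concentric, so the outer point is not simply the outer center plus its radius.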
The present embodiment provides a network identity authentication method based on a biometric feature, applied to a scenario in which a client interacts with a server. Taking that scenario as an example, fig. 4 is a flowchart of another network identity authentication method based on a biometric feature according to an embodiment of the present application; as shown in fig. 4, the method includes the following steps:
step S410, generating a session key through authentication, obtaining first encrypted information and a first check code, and decrypting the first encrypted information according to the session key to obtain identity information and iris information.
In this embodiment, the client and the server authenticate each other and then generate a session key; the server obtains the first encrypted information and the first check code sent by the client and decrypts the first encrypted information with the session key. The first encrypted information is obtained by encrypting the identity information and the iris information with the session key, and the first check code is an MD5 check code generated from the identity information and the iris information.
And step S420, verifying the first check code according to the identity information and the iris information, and respectively matching the identity information and the iris information with the template identity information and the template iris information in the database under the condition that the verification is passed.
The server verifies the first check code by an MD5 check of the identity information and the iris information obtained after decryption. If the verification passes, the server performs the next verification according to the iris information and the identity information: the template identity information and the template iris information in the database are pre-stored user information, and when the user requests the server's service again, verification is carried out against the template identity information and the template iris information.
And step S430, encrypting the template identity information and the template iris information under the condition of successful matching to generate second encrypted information, and generating a second check code according to the template identity information and the template iris information.
And under the condition that the identity information and the iris information obtained after decryption by the server are respectively consistent with the template identity information and the template iris information, the verification is considered to be successful, and then the server generates second encrypted information and a second check code to be verified with the client.
Step S440, the second encryption information and the second check code are transmitted.
Through steps S410 to S440, the server and the client interact by means of iris information. Because the iris has the advantages of uniqueness, stability, collectability and non-invasiveness, authentication and identification through the iris are more accurate; the iris of the user is easy to collect and is not easily influenced by external factors, so the error rate of user identification can be effectively reduced. This solves the problems in the related art that identity authentication relies only on passwords and possessed objects, that the identity authentication process is not very secure, and that the user easily suffers losses; the privacy of user information is improved and the possibility of property loss to the user is reduced.
In some embodiments, before the server sends the second encrypted information and the second check code, a timestamp may be further obtained, and in a case that a difference between the timestamp and the current time is greater than a preset time period threshold, the verification is determined to be invalid. Specifically, after receiving the first encrypted information and the first check code, the server judges whether the authentication request of the client is expired according to the timestamp, if so, the request is invalid, otherwise, the server decrypts the first encrypted information by using the session key obtained by the Diffie-Hellman algorithm, so that the validity of the session key is ensured, and meanwhile, the security of the client is improved.
In some embodiments, the iris information includes a first feature and a second feature, wherein the first feature is a unique feature of the iris image, a matching user can be determined according to the first feature, the second feature is a non-unique feature, a plurality of users can be determined according to the second feature, and after the first check code is verified, the method further includes: under the condition that the second characteristic exists in the database, a smaller verification range can be determined according to the second characteristic, the identity of the user is verified in the smaller verification range according to the first characteristic, if the verification is passed, the server generates second encryption information, otherwise, the user can select to re-authenticate or register; and under the condition that the second characteristic does not exist in the database, the server judges that the current scene is registered, and adds the first characteristic and the second characteristic to the database. In this embodiment, the server verifies the iris features step by step through the first feature and the second feature, so that the identification accuracy of the iris information can be further improved.
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The method embodiments provided in the present application may be executed in a terminal, a computer or a similar computing device. Taking the example of the operation on the terminal, fig. 5 is a hardware structure block diagram of the terminal of the network authentication method based on the biometric features according to the embodiment of the present application. As shown in fig. 5, the terminal 50 may include one or more processors 502 (only one is shown in fig. 5) (the processor 502 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 504 for storing data, and optionally may also include a transmission device 506 for communication functions and an input-output device 508. It will be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration and is not intended to limit the structure of the terminal. For example, terminal 50 may also include more or fewer components than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The memory 504 can be used to store control programs, for example, software programs and modules of application software, such as a control program corresponding to the biometric-based network authentication method in the embodiment of the present application, and the processor 502 executes various functional applications and data processing by running the control programs stored in the memory 504, so as to implement the method described above. The memory 504 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 504 may further include memory located remotely from processor 502, which may be connected to terminal 50 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 506 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal 50. In one example, the transmission device 506 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 506 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The present embodiment also provides a network identity verification system based on biometric features, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used hereinafter, the terms "module", "unit", "subunit" and the like may denote a combination of software and/or hardware implementing a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of a biometric-based network authentication system according to an embodiment of the present application, and as shown in fig. 6, the system includes a client 61 and a server 62:
the server 62 receives the communication request of the client 61, and according to the communication request, the server 62 and the client 61 authenticate each other to generate a session key;
the client 61 acquires the identity information and the iris information, encrypts the identity information and the iris information according to the session key to obtain first encrypted information, and generates a first check code according to the identity information and the iris information;
the client 61 sends the first encrypted information and the first check code to the server 62 for verification;
the server 62 decrypts the first encrypted information according to the session key to obtain the identity information and the iris information;
the server 62 verifies the first check code according to the identity information and the iris information, and respectively matches the identity information and the iris information with template identity information and template iris information in the database under the condition that the verification is passed;
the server 62 encrypts the template identity information and the template iris information according to the session key to generate second encrypted information, generates a second check code according to the template identity information and the template iris information, and sends the second encrypted information and the second check code to the client 61;
the client 61 decrypts the second encrypted information according to the session key, and determines whether the authentication is passed according to the second check code and the decrypted second encrypted information.
The client 61 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 62 may be implemented by an independent server or a server cluster composed of a plurality of servers.
The server 62 and the client 61 interact by means of iris information. Because the iris has the advantages of uniqueness, stability, collectability and non-invasiveness, authentication and identification through the iris are more accurate; the iris of the user is easy to collect and is not easily influenced by external factors, so the error rate of user identification can be effectively reduced. This solves the problems in the related art that identity authentication relies only on passwords and possessed objects, that the identity authentication process is not very secure, and that the user easily suffers losses; the privacy of user information is improved and the possibility of property loss to the user is reduced.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 7 is a schematic diagram of a network authentication system according to a preferred embodiment of the present application. As shown in fig. 7, the system has a "browser/server" structure in a network environment: a browser is installed on the client, a user who wants to access the server must first pass iris authentication before acquiring resources on the remote server, all information resources on the server side are managed by the network authentication system, and a user who does not pass authentication cannot access server resources. The system is divided into a client and a server. The client provides a user operation interface through an Internet browser, implements the acquisition, encryption/decryption and transmission of the user's live iris information, and returns the result of the user's operation; the server implements network transmission, file retrieval, iris information matching and iris database management. Specifically, the verification process is as follows: the server and the client authenticate each other, and a session key $K_s$ is generated through Diffie-Hellman while a timestamp $T$ is generated at the same time; the client collects an iris image of the user, identifies the iris information and obtains the user's identity information ID, where the iris information comprises a first feature IrisFeature and a second feature Others; the client encrypts ID, IrisFeature and Others with the session key $K_s$ to obtain the first encrypted information, forms authentication information M1 from the first encrypted information, the timestamp $T$ and a first check code, and sends M1 to the server, where the check code is obtained by MD5 from the identity information, the first feature and the second feature; after the server receives the authentication information M1, it judges from the timestamp $T$ whether the client request corresponding to the authentication information has expired; if so, the request is invalid, otherwise the corresponding session key $K_s$ is used to decrypt and obtain ID, IrisFeature and Others, and the first check code is then verified; if the verification passes, the server judges from the second feature of the iris whether the client's request is registration or identification: for registration, the iris information is added to the database, and for identification, ID, IrisFeature and Others are compared with the values in the database; when the comparison is completed and the matching is successful, the server encrypts the template identity information and the template iris information in the database with the session key $K_s$ to obtain the second encrypted information, and transmits to the client authentication information M2 formed from the second encrypted information and the MD5 check code of the second encrypted information, where that MD5 check code is the second check code; the client acquires the authentication information M2, decrypts the second encrypted information with the session key, and verifies the second encrypted information with the second check code.
In this embodiment, both the client and the server that establish the connection are encrypted with the session key, and if it is determined that the communication is overtime according to the timestamp, the session key is invalid and the client needs to perform authentication again. Because the client does not store the iris information, the iris information of the client is acquired in real time during each verification, thereby avoiding counterfeiters.
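The exchange described in steps S410 to S440, in the system of fig. 6 and in the fig. 7 process above, as one added example with both sides' messages (example code, not the patent's or the applicant's own implementation). It follows the fig. 7 layout: Diffie-Hellman session key, M1 = encrypted (ID, IrisFeature, Others) plus timestamp T plus an MD5 check code over the plaintext fields, a timestamp expiry check on the server, registration when the second feature has no match in the database, and M2 = encrypted template plus MD5 of that ciphertext. Everything not stated by the patent is an assumption: the 61-bit toy Diffie-Hellman group, the SHA-256 keystream cipher standing in for the unspecified symmetric cipher, the 60-second expiry threshold, and the two-user template database.

```python
import hashlib
import json
import secrets

# Toy Diffie-Hellman parameters: an assumption for illustration only. A real
# deployment uses a standardised large group, not a 61-bit prime.
DH_P = (1 << 61) - 1
DH_G = 2
EXPIRY_SECONDS = 60          # assumed preset time-period threshold for timestamp T

# Constructed template database: ID -> {IrisFeature (unique first feature),
# Others (non-unique second feature used to narrow the search range)}.
TEMPLATES = {
    "user001": {"IrisFeature": "1011001110", "Others": "brown"},
    "user002": {"IrisFeature": "0110110001", "Others": "brown"},
}


def dh_keypair():
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def dh_session_key(priv, peer_pub):
    """Ks = H(g^ab mod p); both sides derive the same 32-byte session key."""
    return hashlib.sha256(pow(peer_pub, priv, DH_P).to_bytes(8, "big")).digest()


def stream_xor(ks, tag, data):
    """Stand-in symmetric cipher (the patent names none): SHA-256 keystream
    blocks from Ks, a direction tag and a block counter, XORed into the data.
    Applying it twice with the same key and tag decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + tag + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def md5_check(*parts):
    """MD5 check code over the joined fields, as the patent specifies."""
    return hashlib.md5("|".join(str(p) for p in parts).encode()).hexdigest()


def client_build_m1(ks, ident, iris_feature, others, ts):
    """M1 = Enc_Ks(ID, IrisFeature, Others) || T || MD5(ID, IrisFeature, Others)."""
    plain = json.dumps([ident, iris_feature, others]).encode()
    return {"enc": stream_xor(ks, b"c2s", plain).hex(), "T": ts,
            "check": md5_check(ident, iris_feature, others)}


def server_handle_m1(ks, m1, now):
    """Server side (steps S410 to S430): returns (M2 or None, status)."""
    if now - m1["T"] > EXPIRY_SECONDS:
        return None, "expired"            # request invalid; client must re-authenticate
    try:
        ident, feat, others = json.loads(stream_xor(ks, b"c2s", bytes.fromhex(m1["enc"])))
    except (ValueError, TypeError):
        return None, "undecodable"
    if md5_check(ident, feat, others) != m1["check"]:
        return None, "check code mismatch"
    # The second feature narrows the candidate set; no candidate means registration.
    candidates = {i: t for i, t in TEMPLATES.items() if t["Others"] == others}
    if not candidates:
        TEMPLATES[ident] = {"IrisFeature": feat, "Others": others}
        return None, "registered"
    tpl = candidates.get(ident)
    if tpl is None or tpl["IrisFeature"] != feat:
        return None, "identity mismatch"
    enc2 = stream_xor(ks, b"s2c",
                      json.dumps([ident, tpl["IrisFeature"], tpl["Others"]]).encode()).hex()
    return {"enc": enc2, "check": md5_check(enc2)}, "ok"   # M2 = enc2 || MD5(enc2)


def client_verify_m2(ks, m2, ident, iris_feature, others):
    """Client side (step S4): check MD5 of the ciphertext, decrypt, and compare
    the returned template with what the client sent."""
    if md5_check(m2["enc"]) != m2["check"]:
        return False
    try:
        fields = json.loads(stream_xor(ks, b"s2c", bytes.fromhex(m2["enc"])))
    except ValueError:
        return False
    return fields == [ident, iris_feature, others]


def run_session(ident, iris_feature, others, ts, now):
    """Whole exchange of fig. 7: DH agreement, M1, server checks, M2, client check."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    ks_client, ks_server = dh_session_key(a, gb), dh_session_key(b, ga)
    m1 = client_build_m1(ks_client, ident, iris_feature, others, ts)
    m2, status = server_handle_m1(ks_server, m1, now)
    if m2 is None:
        return status, False
    return status, client_verify_m2(ks_client, m2, ident, iris_feature, others)
```

A point worth noticing when running it: the MD5 check codes are unkeyed, so they detect corruption of the fields but do not by themselves bind the message to the session; in practice the integrity role is better carried by an authenticated cipher mode or a keyed MAC under $K_s$, and the unauthenticated Diffie-Hellman step relies on the "authenticate each other" phase the patent places before it.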
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, acquiring identity information and iris information;
s2, acquiring a session key, encrypting the identity information and the iris information according to the session key to obtain first encrypted information, and generating a first check code according to the identity information and the iris information;
s3, sending the first encrypted information and the first check code to a server for verification, and acquiring second encrypted information and a second check code under the condition that the verification is passed;
and S4, decrypting the second encrypted information according to the session key, and judging whether the identity authentication passes according to the second check code and the decrypted second encrypted information.
Optionally, in this embodiment, the processor may be further configured to execute, by the computer program, the following steps:
s5, generating a session key through authentication, acquiring first encrypted information and a first check code, and decrypting the first encrypted information according to the session key to acquire identity information and iris information;
s6, verifying the first check code according to the identity information and the iris information, and respectively matching the identity information and the iris information with the template identity information and the template iris information in the database under the condition that the verification is passed;
s7, encrypting the template identity information and the template iris information according to the session key under the condition of successful matching to generate second encryption information, and generating a second check code according to the template identity information and the template iris information;
s8, the second encryption information and the second check code are transmitted.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the network identity authentication method based on the biometric features in the above embodiments, the embodiments of the present application may provide a storage medium to implement. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements any of the above embodiments of a biometric-based network authentication method.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A network identity authentication method based on biological characteristics is characterized by comprising the following steps:
acquiring identity information and iris information;
acquiring a session key, encrypting the identity information and the iris information according to the session key to obtain first encrypted information, and generating a first check code according to the identity information and the iris information;
sending the first encrypted information and the first check code to a server for verification, and acquiring second encrypted information and a second check code under the condition that the verification is passed;
and decrypting the second encrypted information according to the session key, and judging whether the identity authentication passes according to the second check code and the decrypted second encrypted information.
2. The biometric-based network authentication method of claim 1, wherein obtaining the first encrypted information further comprises:
first encryption information is generated according to a time stamp, the identity information and the iris information, wherein the time stamp is generated simultaneously with the session key.
3. The biometric-based network authentication method of claim 1, wherein obtaining iris information comprises:
acquiring an iris image to be recognized, and comparing the iris image with a template iris in a database to obtain a first characteristic of the iris image;
identifying the iris image to obtain a second characteristic;
and obtaining the iris information according to the first characteristic and the second characteristic.
4. The biometric-based network authentication method according to claim 3, wherein obtaining the first feature of the iris image comprises:
acquiring a plurality of coding matrixes of a plurality of groups of iris images to be recognized, wherein the iris images correspond to the coding matrixes;
comparing the plurality of coding matrixes with the coding matrixes of the template iris respectively to obtain a plurality of first characteristics;
and selecting the first feature with the minimum value from the plurality of first features as the first feature of the iris image.
5. The biometric-based network authentication method according to claim 3, wherein the acquiring of the iris image to be recognized comprises:
acquiring an inner boundary and an outer boundary of an iris in an initial iris image;
normalizing the initial iris image by polar coordinates according to the inner boundary and the outer boundary;
and carrying out histogram equalization on the normalized initial iris image to obtain the iris image to be identified.
6. A network identity authentication method based on biological characteristics is characterized by comprising the following steps:
generating a session key through authentication, acquiring first encrypted information and a first check code, decrypting the first encrypted information according to the session key, and acquiring identity information and iris information;
verifying the first check code according to the identity information and the iris information, and respectively matching the identity information and the iris information with template identity information and template iris information in a database under the condition that the verification is passed;
under the condition of successful matching, encrypting the template identity information and the template iris information according to the session key to generate second encrypted information, and generating a second check code according to the template identity information and the template iris information;
and sending the second encryption information and the second check code.
7. The biometric-based network authentication method as claimed in claim 6, further comprising, before the sending the second encryption information and the second check code:
acquiring a timestamp;
and in the case that the difference value between the timestamp and the current time is larger than a preset time period threshold value, the verification is judged to be invalid.
8. The biometric-based network authentication method according to claim 6, wherein the iris information includes a first feature and a second feature, and after the first check code passes verification, the method further comprises:
performing identity verification according to the first feature if the second feature is present in the database;
adding the first feature and the second feature to the database in the event that the second feature is not present in the database.
9. A biometric-based network authentication system comprising a client and a server:
the server receives a communication request of the client, and authenticates the server and the client mutually according to the communication request to generate a session key;
the client acquires identity information and iris information, encrypts the identity information and the iris information according to the session key to obtain first encrypted information, and generates a first check code according to the identity information and the iris information;
the client sends the first encryption information and the first check code to the server for verification;
the server decrypts the first encrypted information according to the session key to acquire the identity information and the iris information;
the server verifies the first check code according to the identity information and the iris information, and respectively matches the identity information and the iris information with template identity information and template iris information in a database under the condition that the verification is passed;
the server encrypts the template identity information and the template iris information according to the session key under the condition of successful matching to generate second encrypted information, generates a second check code according to the template identity information and the template iris information, and sends the second encrypted information and the second check code to the client;
and the client decrypts the second encrypted information according to the session key and judges whether the authentication passes according to the second check code and the decrypted second encrypted information.
10. A storage medium having a computer program stored therein, wherein the computer program is configured to execute the biometric-based network authentication method according to any one of claims 1 to 5 or the biometric-based network authentication method according to any one of claims 6 to 8 when the computer program is executed.
CN202011163936.8A 2020-10-27 2020-10-27 Network identity authentication method, system and storage medium based on biological characteristics Withdrawn CN112328989A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011163936.8A CN112328989A (en) 2020-10-27 2020-10-27 Network identity authentication method, system and storage medium based on biological characteristics

Publications (1)

Publication Number Publication Date
CN112328989A true CN112328989A (en) 2021-02-05

Family

ID=74296811

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011163936.8A Withdrawn CN112328989A (en) 2020-10-27 2020-10-27 Network identity authentication method, system and storage medium based on biological characteristics

Country Status (1)

Country Link
CN (1) CN112328989A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037521A (en) * 2022-05-11 2022-09-09 广州小马智卡科技有限公司 Service data verification method, device, computer equipment and storage medium
CN115396121A (en) * 2022-10-26 2022-11-25 广州万协通信息技术有限公司 Security authentication method for security chip OTA data packet and security chip device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107579817A (en) * 2017-09-12 2018-01-12 广州广电运通金融电子股份有限公司 User ID authentication method, apparatus and system based on block chain
KR20180069425A (en) * 2016-12-15 2018-06-25 주식회사 아이리시스 method of biometrics using session key and user terminal and the verification server performing the same
CN109067766A (en) * 2018-08-30 2018-12-21 郑州云海信息技术有限公司 A kind of identity identifying method, server end and client

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张亚涛; 魏凯斌: "Research on an iris-based network identity authentication system", 计算机工程与设计 (Computer Engineering and Design), no. 09 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037521A (en) * 2022-05-11 2022-09-09 广州小马智卡科技有限公司 Service data verification method, device, computer equipment and storage medium
CN115037521B (en) * 2022-05-11 2024-02-02 广州小马智卡科技有限公司 Service data verification method, device, computer equipment and storage medium
CN115396121A (en) * 2022-10-26 2022-11-25 广州万协通信息技术有限公司 Security authentication method for security chip OTA data packet and security chip device
CN115396121B (en) * 2022-10-26 2023-03-24 广州万协通信息技术有限公司 Security authentication method for security chip OTA data packet and security chip device

Similar Documents

Publication Publication Date Title
CN112218294B (en) 5G-based access method and system for Internet of things equipment and storage medium
CN107819587B (en) Authentication method based on fully homomorphic encryption, user equipment and authentication server
US20240022420A1 (en) Public/Private Key Biometric Authentication System
US8955069B1 (en) Event-based biometric authentication using mobile device
JP4071638B2 (en) Fingerprint remote authentication method, system and computer program via network
CN113114624B (en) Identity authentication method and device based on biological characteristics
CN103124269B (en) Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment
US11463435B2 (en) Identity authentication method and system based on wearable device
CN1973306B (en) Renewable and private biometrics
US10868672B1 (en) Establishing and verifying identity using biometrics while protecting user privacy
CN110086634B (en) System and method for security authentication and access of intelligent camera
CN109067766A (en) Identity authentication method, server and client
US20240048555A1 (en) Privacy-Preserving Biometric Authentication
CN110545274A (en) Method, device and system for UMA service based on people and evidence integration
CN112328989A (en) Network identity authentication method, system and storage medium based on biological characteristics
CN113378136B (en) Fingerprint identification method and device, password key and storage medium
US20230084042A1 (en) A method, a system and a biometric server for controlling access of users to desktops in an organization
US20230094432A1 (en) Method, electronic identity object, and terminal for recognizing and/or identifying a user
Fu et al. POKs based low energy authentication scheme for implantable medical devices
Nahar et al. An enhanced one-time password with biometric authentication for mixed reality surgical Tele-presence
Hegde Biometrics Authentication Technique with Kerberos for Email Login
WO2018207079A1 (en) Method and system for universal access control management to an entity with inconsistent internet access
CN112437088B (en) Internet terminal login double-factor security authentication system
TWI736280B (en) Identity verification method based on biometrics
US20240121098A1 (en) Scalable Authentication System with Synthesized Signed Challenge

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210205