CN114005190A - Face recognition method for class attendance system - Google Patents

Publication number: CN114005190A
Authority: CN (China)
Application number: CN202111418164.2A
Other languages: Chinese (zh)
Inventors: 魏泽宇, 陈东, 王波, 林杨, 徐金鑫, 刘馨霖
Current assignee: Sichuan Investment Information Industry Group Co ltd
Original assignee: Sichuan Investment Information Industry Group Co ltd
Application filed by Sichuan Investment Information Industry Group Co ltd; priority to CN202111418164.2A; publication of CN114005190A
Legal status: Pending

Classifications

    • G07C1/10: Registering, indicating or recording the time of events or elapsed time, e.g. time-recorders for work people, together with the recording, indicating or registering of other data, e.g. of signs of identity
    • H04L63/0428: Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: As above, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0807: Network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083: Network security for authentication of entities using passwords
    • H04L63/0861: Network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L9/3066: Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3213: Verifying the identity or authority of a user, or message authentication, involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3226: Verifying the identity or authority of a user, or message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231: Biological data, e.g. fingerprint, voice or retina
    • H04L9/3247: Verifying the identity or authority of a user, or message authentication, involving digital signatures

Abstract

The invention provides a face recognition method for a class attendance system, comprising the following steps: registering a user with a biometric authentication server; receiving a request from a user of a class attendance system terminal to register the terminal with the biometric authentication server; registering a plurality of services with the biometric authentication server; authorizing the user to access services at the class attendance system terminal; receiving a user terminal watermark, generating a user token request at the class attendance system terminal, generating a one-time user token and sending it to the class attendance system terminal; and decrypting the encrypted password using the terminal watermark. In the method, the terminal watermark used for identity recognition is not stored in the terminal, so that an attacker is prevented from using a leaked password and the security of identity recognition is improved.

Description

Face recognition method for class attendance system
Technical Field
The invention relates to system security, and in particular to a face recognition method for a class attendance system.
Background
An authentication mechanism is the credential that identifies a legitimate user. In a networked campus attendance system, student users must enter a username and password to log on to the attendance platform, but a revealed password may lead to intrusion and data leakage. Furthermore, increasingly stringent password strength requirements mean that users cannot remember their passwords. A password-centred authentication model is no longer suited to the users of modern networked attendance platforms.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a face recognition method for a class attendance system, which comprises the following steps:
registering a user with a biometric authentication server to create a password and a user identification code for the user, the password and user identification code being linked to an account associated with a group of users;
receiving a request from a user of a class attendance system terminal to register that terminal with the biometric authentication server, creating a terminal profile that includes the received unique terminal identifier and the terminal pre-shared key required to generate the terminal watermark, and creating a terminal asset identification number for the class attendance system terminal;
registering a plurality of services with the biometric authentication server according to a service profile used by the user, wherein the service profile comprises a service principal name, a username associated with the service principal name, a password and the terminal asset identification number, and the password is encrypted at the class attendance system terminal using the terminal watermark;
storing the registered user, the class attendance system terminal and the service profile in a repository of the biometric authentication server; authorizing the user to access services at the class attendance system terminal, wherein the biometric authentication server executes on the accessed campus cloud service;
receiving a user terminal watermark from the user, generating a user token request at the class attendance system terminal, and sending the generated user token request from the class attendance system terminal to the biometric authentication server;
processing the received user token request to generate a one-time user token linked to the accessed campus cloud service;
wherein the terminal watermark is dynamically generated in memory by a hash function that uses a terminal pre-shared key, shared by the biometric authentication server with the class attendance system terminal over a secure channel, and a terminal identifier associated with the registered class attendance system terminal; the terminal watermark is generated automatically by the class attendance system terminal and generated automatically at the biometric authentication server using the terminal asset identification number; and the terminal watermark is stored neither in the class attendance system terminal nor in the biometric authentication server of the user;
wherein verification comprises sending the received one-time user token to the biometric authentication server, which verifies the one-time user token and the campus cloud service based on the server credential and the service principal name linked to the accessed campus cloud service;
and generating, by the client application, the user token request with a plug-in loaded by the class attendance system terminal, without the need for the biometric authentication server.
Compared with the prior art, the invention has the following advantages:
the invention provides a face recognition method for a class attendance system, wherein a terminal watermark for identity recognition is not stored in a terminal, so that an attacker is prevented from using a leaked password, and the security of identity recognition is improved.
Drawings
Fig. 1 is a flowchart of a face recognition method for a class attendance system according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a face recognition method for a class attendance system. Fig. 1 is a flowchart of a face recognition method for a class attendance system according to an embodiment of the invention.
The invention provides an authoritative authentication method for the terminal-bound identity of a user of an attendance system. It identifies the user and the attendance system terminal in a service session, watermarks the source of the user's attendance system terminal, scores the user on legitimate social relationships, and models attribute-based relationships by dynamic data fusion using a directed graph. User authentication binds the terminal watermark associated with the user's attendance system terminal to the user's social relationship in a service session by means of a user token issued by the cloud and a service ID issued by the accessed campus cloud service; the affiliation information is transmitted as a user token comprising dynamically calculated affiliation weights, component weights and affiliation attributes.
The terminal watermark of the invention is not stored in the user's attendance system terminal or in the biometric authentication server, and is not transmitted over the network; it is automatically and dynamically generated on both the user's attendance system terminal and the biometric authentication server using a hash function. The terminal watermark is generated from a plurality of terminal identifiers that are tightly coupled and bound to the user's attendance system terminal. Furthermore, terminal watermarking does not require any external physical device, such as a hardware key fob, to receive a one-time password.
The service ID issued by the accessed campus cloud service is digitally signed with the server private key and transmitted over a secure encrypted channel with extended server authentication. The user token for the social relationship is only generated upon service ID authentication and transmitted over a secure encrypted channel.
The method includes verifying the service ID of the accessed campus cloud service before the authentication process based on the terminal watermark associated with the user's attendance system terminal, and before the user's attendance system terminal transmits the encrypted password for decryption; and decrypting the encrypted password on the user's attendance system terminal using the terminal watermark and the user's personal identification code, where the personal identification code is held only by the user and is linked to an accessed campus cloud service that requires user authentication, or, for an accessed campus cloud service that does not require user authentication, pre-sharing the encrypted user identification code using the attendance system terminal. The personal identification code comprises a service authentication code and a user identification code.
The social relationship is a mechanism to generate and publish a user token that includes the affiliation weights, component weights and affiliation attributes of the user, as requested by the accessed campus cloud service and agreed to by the user during the service session with user authentication. The user token request is generated from the terminal watermark, the attendance system terminal pre-shared key and the user identification code. Further, a user's affiliation is a relationship with other users and an organization. The service authentication code and the user identification code allow a plurality of users to safely share a single terminal and its terminal watermarks by using different personal identification codes.
For access to services requiring authentication, the watermark created by the user and known only to the user is denoted PIC. The terminal watermark is dynamically and automatically generated by the attendance system terminal and the biometric authentication server to establish proof of the user's presence at the attendance system terminal during the service session. The terminal watermark is used to encrypt the password associated with the accessed service for use during the authentication process. The user terminal watermark is not registered with the identity provider and is used only to encrypt the user's original authentication password. This facilitates the use of stronger passwords and regular password changes without requiring the user to recall hard-to-remember passwords, and prevents attackers from using compromised passwords.
For access to services that do not require authentication, the attendance system terminal encrypts the user identification code with the terminal pre-shared key so that it can be transmitted to the biometric authentication server over a secure channel. The method protects a compromised terminal watermark from malicious use on an attacker's device by requiring the private user terminal watermark, and likewise by requiring the matching terminal watermark. Furthermore, disclosure of the terminal watermark would require disclosure of the terminal pre-shared key and of the multiple terminal identifiers associated with the user's registered attendance system terminal.
Unlike the traditional authentication process of a biometric authentication server, the invention provides authoritative identification of the user at the attendance system terminal rather than a user authentication mechanism based on biometric features or terminal attributes. The user provides authentication credentials to the accessed campus cloud service without having to manually enter a hard-to-remember service login password. The method does not store the user's password in a single password-protected vault for automatic authentication by form auto-fill. The user encrypts the password on the attendance system terminal using the private user terminal watermark and the dynamically generated terminal watermark, and registers the encrypted password with the biometric authentication server so that a user token containing the encrypted password can be generated on subsequent accesses to the service. The encrypted password can only be decrypted on the attendance system terminal using the dynamically generated terminal watermark and the private user terminal watermark. The user may use the same terminal watermark for all campus cloud services accessed from one terminal, a different terminal watermark for each campus cloud service accessed on one terminal, or different terminal watermarks for the same campus cloud service on different terminals. If a terminal identifier changes, the registered attendance system terminal only needs to be resynchronized once, and if the user's terminal watermark is compromised on an attendance system terminal, all passwords protected by that user terminal watermark only need to be re-encrypted once, without changing the passwords themselves.
The invention constructs a directed graph comprising entity vertices and relationship links, treats attributes as dependent or independent variables, maps the attributes to components, and evaluates the relative influence of component weights and attributes in the calculation of a user's affiliation weight.
The social relationships of the present invention are not attribute-based access controls, but are based on the weights of entity relationships in a directed graph for post-access rights management, where entities include users, organizations, and profiles, and relationships include the dependent and independent attributes of entities.
The invention uses a plurality of local terminal identifiers and a terminal pre-shared key, which the biometric authentication server shares with the class attendance system terminal over a secure channel; the terminal watermark that identifies the class attendance system terminal is dynamically generated by the hash function. A user identity may be associated with a plurality of passwords on a plurality of user class attendance system terminals and a plurality of accessed campus cloud services, based on the username associated with the service principal name.
The identity identification method is based on the server's confirmation of the registered class attendance system terminal, which serves as proof that the user is present at the identified class attendance system terminal, and on verification of the user based on the manually entered user terminal watermark. During the authentication handshake or management session, the user terminal watermark is not transmitted over the network.
Registration and dynamic verification of the class attendance system terminal are based on a plurality of attributes and components of the group account and the terminal. The attributes include a hardware identifier, a trusted platform module chip identifier, a processor identifier, the terminal asset identification number, and the like. These attributes of the registered class attendance system terminal are used to dynamically generate a globally unique terminal watermark and the associated terminal asset identification number, which remain unchanged for the duration of the session.
The globally unique terminal watermark is dynamically generated by a hash function from the terminal pre-shared key PSK and the terminal identifiers associated with the registered class attendance system terminal; the terminal pre-shared key is shared with the class attendance system terminal over a secure channel, and the terminal identifiers are generated automatically at the class attendance system terminal. The terminal watermark therefore need not be stored in the class attendance system terminal or in the biometric authentication server.
Identification of the user is based on the account, the class attendance system terminal registration and the service profile. The service profile includes a service principal name (e.g., a URL) by which the client uniquely identifies the instance of the service, the username, the password and the terminal asset identification number; the password in the service profile is encrypted using the terminal watermark and the user's terminal watermark. The user terminal watermark is entered locally at the class attendance system terminal to decrypt the password in the service profile.
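The watermark derivation (a hash over the terminal pre-shared key and the terminal identifiers) and the encryption of the service password under both the terminal watermark and the user's PIC, as described in the paragraphs above, as an added worked example that is not the patent's own code. HMAC-SHA256 as the hash, AES-256-GCM as the password cipher and all identifier values are assumptions, and the block goes slightly beyond the text by binding the service principal name into the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DeriveWatermark recomputes the terminal watermark in memory from the terminal
// pre-shared key and the terminal identifiers (hardware id, TPM id, ...). Terminal
// and server both hold the inputs, so neither side ever needs to store the result.
func DeriveWatermark(psk []byte, identifiers ...string) []byte {
	mac := hmac.New(sha256.New, psk) // HMAC-SHA256 stands in for the page's hash function
	for _, id := range identifiers {
		mac.Write([]byte(id))
		mac.Write([]byte{0}) // separator: ("ab","c") must not hash like ("a","bc")
	}
	return mac.Sum(nil)
}

// passwordKey binds the dynamically generated terminal watermark to the user's
// personal identification code, so neither value alone can unlock the password.
func passwordKey(watermark []byte, pic string) []byte {
	mac := hmac.New(sha256.New, watermark)
	mac.Write([]byte("service-password-key\x00" + pic))
	return mac.Sum(nil) // 32 bytes -> AES-256
}

func newGCM(watermark []byte, pic string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(passwordKey(watermark, pic))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPassword is the enrolment step: the original service login password is
// sealed with AES-256-GCM. The service principal name is authenticated as
// associated data, so a ciphertext enrolled for one service is rejected for another.
func EncryptPassword(watermark []byte, pic, spn, password string) ([]byte, error) {
	gcm, err := newGCM(watermark, pic)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), []byte(spn)), nil
}

// DecryptPassword is the terminal-side step at login: it succeeds only with the
// same watermark, the same PIC and the same service principal name as at enrolment.
func DecryptPassword(watermark []byte, pic, spn string, sealed []byte) (string, error) {
	gcm, err := newGCM(watermark, pic)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(spn))
	if err != nil {
		return "", errors.New("decryption failed: wrong watermark, PIC or service")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample values; a real terminal reads the identifiers from its hardware.
	psk := []byte("constructed-terminal-psk-shared-over-secure-channel")
	ids := []string{"HW-SERIAL-0001", "TPM-ID-ABCD", "CPU-ID-1234"}
	spn := "https://attendance.example.edu/login"
	wm := DeriveWatermark(psk, ids...)
	sealed, _ := EncryptPassword(wm, "482913", spn, "Tr0ub4dor&3")

	pw, err := DecryptPassword(wm, "482913", spn, sealed)
	fmt.Println("same terminal, right PIC:", pw, err)
	// A different hardware identifier yields a different watermark: decryption fails.
	other := DeriveWatermark(psk, "HW-SERIAL-0002", ids[1], ids[2])
	_, err = DecryptPassword(other, "482913", spn, sealed)
	fmt.Println("other terminal:", err)
	_, err = DecryptPassword(wm, "000000", spn, sealed)
	fmt.Println("wrong PIC:", err)
}
```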
During a user session of a registered service on a registered class attendance system terminal, the user token request to the biometric authentication server includes the terminal asset identification number, the account, a timestamp, a digital signature generated using the terminal watermark and the timestamp, the service principal name, either the username to be authenticated to the accessed service or, for an accessed service that does not require authentication, the user identification code encrypted using the terminal pre-shared key, the digitally signed service ID received via the biometric authentication server, and the IP address of the accessed service. The user token response may include the encrypted password from the service profile, originally encrypted using the terminal watermark during service enrolment; it can only be decrypted using the user's terminal watermark. By using a standard timestamp and a message integrity signature over a secure channel between the class attendance system terminal and the biometric authentication server, the user token request is protected from replay attacks.
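The user token request with its timestamp and watermark-keyed signature, and the server-side checks that give the replay protection the paragraph claims, as an added example that is not from the patent: the field subset, HMAC-SHA256 as the signature, the two-minute freshness window and the sample identifiers are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// UserTokenRequest models a subset of the fields the description lists.
type UserTokenRequest struct {
	AssetID   string // terminal asset identification number
	Account   string
	SPN       string // service principal name of the accessed service
	Timestamp int64  // the "standard timestamp", Unix seconds
	Signature string // hex MAC over the fields above, keyed with the terminal watermark
}

// deriveWatermark is the in-memory hash over pre-shared key and terminal identifiers.
func deriveWatermark(psk []byte, ids ...string) []byte {
	mac := hmac.New(sha256.New, psk)
	mac.Write([]byte(strings.Join(ids, "\x00")))
	return mac.Sum(nil)
}

// signature covers every field, so a captured request cannot be re-pointed at
// another account, service or time without knowing the watermark.
func signature(watermark []byte, r UserTokenRequest) string {
	mac := hmac.New(sha256.New, watermark)
	mac.Write([]byte(strings.Join([]string{r.AssetID, r.Account, r.SPN, strconv.FormatInt(r.Timestamp, 10)}, "\n")))
	return hex.EncodeToString(mac.Sum(nil))
}

// NewRequest is the terminal side: it signs with the freshly derived watermark
// and the current time; the watermark itself never goes on the wire.
func NewRequest(watermark []byte, assetID, account, spn string, now time.Time) UserTokenRequest {
	r := UserTokenRequest{AssetID: assetID, Account: account, SPN: spn, Timestamp: now.Unix()}
	r.Signature = signature(watermark, r)
	return r
}

// AuthServer holds, per asset id, the inputs needed to recompute the watermark,
// plus the signatures already accepted inside the freshness window.
type AuthServer struct {
	psks   map[string][]byte   // terminal pre-shared key, by asset id
	ids    map[string][]string // terminal identifiers, by asset id
	seen   map[string]int64    // accepted signature -> its timestamp
	window time.Duration
}

func NewAuthServer(window time.Duration) *AuthServer {
	return &AuthServer{psks: map[string][]byte{}, ids: map[string][]string{}, seen: map[string]int64{}, window: window}
}

func (s *AuthServer) RegisterTerminal(assetID string, psk []byte, ids ...string) {
	s.psks[assetID], s.ids[assetID] = psk, ids
}

// Verify checks: known terminal, fresh timestamp, signature under the
// recomputed watermark, and not accepted before within the window.
func (s *AuthServer) Verify(r UserTokenRequest, now time.Time) error {
	psk, ok := s.psks[r.AssetID]
	if !ok {
		return errors.New("unknown terminal asset identification number")
	}
	if age := now.Sub(time.Unix(r.Timestamp, 0)); age > s.window || age < -s.window {
		return errors.New("timestamp outside freshness window")
	}
	want := signature(deriveWatermark(psk, s.ids[r.AssetID]...), r)
	if !hmac.Equal([]byte(want), []byte(r.Signature)) {
		return errors.New("signature does not match terminal watermark")
	}
	if _, dup := s.seen[r.Signature]; dup {
		return errors.New("replayed user token request")
	}
	s.seen[r.Signature] = r.Timestamp
	for sig, ts := range s.seen { // forget entries the window check would reject anyway
		if now.Sub(time.Unix(ts, 0)) > s.window {
			delete(s.seen, sig)
		}
	}
	return nil
}

func main() {
	psk := []byte("constructed-psk") // constructed sample values
	srv := NewAuthServer(2 * time.Minute)
	srv.RegisterTerminal("ASSET-0001", psk, "HW-SERIAL-0001", "TPM-ID-ABCD")
	now := time.Now()
	req := NewRequest(deriveWatermark(psk, "HW-SERIAL-0001", "TPM-ID-ABCD"), "ASSET-0001", "student42", "https://attendance.example.edu/login", now)
	fmt.Println("first use:", srv.Verify(req, now.Add(time.Second)))
	fmt.Println("replay:", srv.Verify(req, now.Add(2*time.Second)))
}
```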
Identification in a real-time session requires a one-time user token linked to a service profile, issued by the biometric authentication server on verification of the terminal watermark, to authenticate the identified user to the service, together with optional affiliation context including affiliation weights, component weights and categorical affiliation attributes. The one-time user token may comprise an encrypted password or a pre-authentication token for the user.
The identification-based social relationships are established by processing various large data sets, collected from multiple third-party data sources, as directed graphs queried by user name, address, phone number, etc. The received data set includes user profile information. The query also returns a data set relating to organizations with which the user may be associated, including organization profile information. The social relationships are used to define the user's associations with a sufficient number of independent and trusted nodes to establish integrity on the basis of the user profile.
The user's affiliation weights are measured on legitimate attributes and relationships determined from the information available to the cloud about the user. The social relationship weight is derived from a plurality of component weights, each of which is in turn determined from the relative weight and classification of the relevant attributes received about the user from a plurality of data sources. The privacy of the user profile is protected by first encrypting the data with the private user terminal watermark on the user's class attendance system terminal, and then further encrypting the data on the remote server with a server platform identification number dynamically generated from the user profile information and the server hardware. This provides double protection for the user's data at rest.
The calculation of affiliation weights uses a directed graph in which a set of objects (nodes) is connected together, every edge (link) points from one node to another, and functionally homomorphic encryption is used for obfuscation. The biometric authentication server service obtains various user attributes from a plurality of data sources through directed queries about the user. User attributes that may be cached in the repository include information from the personal, social, professional and organizational domains. The static and associated attributes of the user are used to construct a dynamic directed graph representing entities as nodes and relationships as links. Entities include user communities, social networks, organizations and roles. A relationship represents a type of association, such as relative, colleague or friend. A plurality of component weights are calculated by traversing the directed graph with a scoring function. The weight function calculates a weighted value for each entity and relationship that matches the weighting criteria.
The social relationship weight calculation is based on the interdependencies between entities. Each node is an entity and may be assigned attributes. Each link represents a relationship with specified attributes and a static or dynamic absolute weight. The affiliation weight of a user entity is calculated from the conditional weight of the weighted absolute weights of the other entities and relationships in the directed graph.
For the distribution of the pre-shared key, the RSA parameter D needs to be generated first:
$D = (E, p, \Omega_x, \Omega_y)$
where E is an elliptic curve over the integer field GF(p) modulo a prime number, p is a large prime number of a predetermined length, and $\Omega_x, \Omega_y$ are the x and y coordinates of the base point $\Omega$ on the elliptic curve E. The RSA parameter D is generated by a single accessing server. Each management domain A (containing a plurality of management terminals R_n, each management terminal managing an ID set Σ_n that contains a plurality of attendance system terminals):
$A = \{R_1, R_2, \ldots, R_n, \Sigma_1, \Sigma_2, \ldots, \Sigma_n\}$
uses the same group of parameters D, and the management terminals and attendance system terminals belonging to A register with the biometric authentication server under their respective identifiers.
For each pair of a management terminal R_n and its subordinate ID set Σ_n, and for each attendance system terminal T_n in that set, the server needs to generate a positive integer P and a public/private key pair for identity authentication between the attendance system terminal ID and the reader. The respective authentication private keys of the management terminal and the attendance system terminal are d_r and d_t. The management terminal's public key K_r, corresponding to its private key, is common to all attendance system terminals in the ID set managed by that management terminal. The public key K_t of an attendance system terminal is stored in the biometric authentication server under the attendance system terminal ID TID. For a management terminal R_n and its subordinate ID set Σ_n, the pre-shared key generation and distribution steps are as follows:
The server selects a random number d_r of sufficient length; at the same time it retrieves from the biometric authentication server the RSA parameter D of the management domain A associated with the target management terminal R_n, and on the curve E_D described by D computes $K_r = E_D(d_r \cdot \Omega)$;
The server selects a positive integer P_n as the parameter for exchanging the pre-shared key with the target attendance system terminal T_n, and selects a random number d_t of sufficient length; at the same time it retrieves from the biometric authentication server the RSA parameter D of the management domain A associated with the target attendance system terminal T_n, and on the curve E_D described by D computes $K_t = E_D(d_t \cdot \Omega)$;
The server distributes the generated d_t, K_r and P_n to the target attendance system terminal T_n through a reliable channel, and stores the generated K_t and P_n in the biometric authentication server, keyed by the target attendance system terminal ID TID_n, for later lookup.
The above steps are repeated, each time selecting a different target attendance system terminal T_n from the ID set Σ_n subordinate to R_n for pre-shared key distribution, until all attendance system terminals in the ID set Σ_n have been processed; d_r is then distributed, as the management terminal authentication private key, to the target management terminal R_n through a reliable channel, and the pre-shared key distribution process ends.
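The key generation and distribution steps above, carried out on a toy curve as an added example (not code from the patent): the curve y² = x³ + 2x + 2 over GF(17), its base point (5, 1) of order 19, and the names `ec_add`, `scalar_mult` and `distribute_pre_shared_keys` are constructed here for illustration. The patent's $K = E_D(d \cdot \Omega)$ is implemented as scalar multiplication of the base point, which is why the server must keep d_t off the server after sending it and K_t must be stored under TID_n.

```python
import secrets

# Constructed toy parameters standing in for the patent's D = (E, p, Omega_x, Omega_y):
# E: y^2 = x^3 + 2x + 2 over GF(17), base point Omega = (5, 1) of prime order 19 (illustration only).
P_MOD, A_COEF = 17, 2
OMEGA, ORDER = (5, 1), 19

def ec_add(p1, p2):
    """Point addition on E; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p2 == -p1 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k, point):
    """Double-and-add: k * point, i.e. the patent's E_D(d * Omega)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def distribute_pre_shared_keys(tids, rng=None):
    """Pre-shared key steps for one management terminal R_n and its ID set Sigma_n (TIDs).
    Returns (d_r, K_r, terminal_payloads, server_store)."""
    rng = rng or secrets.SystemRandom()
    d_r = rng.randrange(1, ORDER)            # management terminal authentication private key
    K_r = scalar_mult(d_r, OMEGA)            # its public key, common to every terminal in Sigma_n
    terminal_payloads, server_store = {}, {}
    for tid in tids:
        P_n = rng.randrange(1, 2 ** 16)      # positive integer exchange parameter
        d_t = rng.randrange(1, ORDER)        # terminal authentication private key
        K_t = scalar_mult(d_t, OMEGA)        # terminal public key
        terminal_payloads[tid] = (d_t, K_r, P_n)  # goes to T_n over the reliable channel
        server_store[tid] = (K_t, P_n)            # kept at the server, keyed by TID_n
    return d_r, K_r, terminal_payloads, server_store
```

A deployment would replace the toy parameters with a standard curve over a large prime p; the structure of the per-terminal and per-management-terminal outputs is unchanged.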
In summary, the invention provides a face recognition method for a class attendance system, wherein a terminal watermark for identity recognition is not stored in a terminal, so that an attacker is prevented from using a leaked password, and the security of identity recognition is improved.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (1)

1. A face recognition method for a class attendance system, which provides user identification for a class attendance system terminal to an accessed campus cloud service, characterized in that it comprises:
registering a user with a biometric authentication server to create a password and a user identification code for the user, the password and user identification code being linked to an account associated with a group of users;
receiving a request of a user of the class attendance system terminal to register the terminal of the class attendance system terminal with the biometric authentication server, to create a terminal profile including a received unique terminal identifier required for generating a terminal watermark and a terminal pre-shared key, and to create a terminal asset identification number for the class attendance system terminal;
registering a plurality of services with the biometric authentication server according to a service profile used by a user, wherein the service profile comprises a service subject name, a user name associated with the service subject name, a password and a terminal asset identification number, and the password is encrypted at a class attendance system terminal using a terminal watermark;
storing the registered user, the class attendance system terminal and the service profile in a repository of a biometric authentication server; authorizing the user to access services at the class attendance system terminal, wherein the biometric authentication server executes on the accessed campus cloud service;
receiving a user terminal watermark from a user, generating a user token request by a class attendance system terminal, and sending the generated user token request to the biological authentication server by the class attendance system terminal;
processing the received user token request to generate a one-time user token linked to the accessed campus cloud service;
the terminal watermark is dynamically generated in memory by a HASH function that uses a terminal pre-shared key shared by the biometric authentication server over a secure channel with the class attendance system terminal and a terminal identifier associated with the registered class attendance system terminal, the terminal watermark being automatically generated by the class attendance system terminal and automatically generated at the biometric authentication server using the terminal asset identification number, and wherein the terminal watermark is not stored in the class attendance system terminal or the biometric authentication server of the user;
wherein the verifying comprises sending the received one-time user token to the biometric authentication server to verify the one-time user token and the campus cloud service based on the server credential and a service principal name linked to the accessed campus cloud service;
generating, by the client application, the user token request with a plug-in loaded by the classroom attendance system terminal without the need for the biometric authentication server.
CN202111418164.2A 2021-11-26 2021-11-26 Face recognition method for class attendance system Pending CN114005190A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111418164.2A CN114005190A (en) 2021-11-26 2021-11-26 Face recognition method for class attendance system

Publications (1)

Publication Number Publication Date
CN114005190A true CN114005190A (en) 2022-02-01

Family

ID=79930436

Country Status (1)

Country Link
CN (1) CN114005190A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070256123A1 (en) * 2005-12-01 2007-11-01 Rsa Security, Inc. Detecting and preventing replay in authentication systems
US20150059003A1 (en) * 2013-08-23 2015-02-26 Morphotrust Usa, Llc System and Method for Identity Management
US9503452B1 (en) * 2016-04-07 2016-11-22 Automiti Llc System and method for identity recognition and affiliation of a user in a service transaction
KR101710200B1 (en) * 2015-11-05 2017-02-24 광운대학교 산학협력단 Automatic Attendance System Using Face Recognition and method thereof
CN109274644A (en) * 2018-08-21 2019-01-25 华为技术有限公司 A kind of data processing method, terminal and watermark server
CN209231993U (en) * 2019-01-24 2019-08-09 刘磊 A kind of smart classroom comprehensive management system
CN112200924A (en) * 2020-09-30 2021-01-08 广东技术师范大学 Class attendance checking method and system based on face recognition

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination