CN114036485A - Face characteristic cooperative protection safety authentication system under public network - Google Patents


Info

Publication number
CN114036485A
Authority
CN
China
Prior art keywords
authentication
user
server
face
template
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111595747.2A
Other languages
Chinese (zh)
Inventor
郭灵玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Application filed by Individual filed Critical Individual
Priority to CN202111595747.2A priority Critical patent/CN114036485A/en
Publication of CN114036485A publication Critical patent/CN114036485A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The application constructs a security authentication model based on biometric feature protection for the public network environment from two aspects: a security authentication protocol based on face feature cooperative protection, and a security authentication system based on face feature cooperative protection. Combining the characteristics of biometric identity authentication with the authentication interaction process in the public network environment, the design has a server bear the tasks of storing face features and completing feature matching, which realizes cross-terminal identity authentication based on biometric features. The application provides a two-party security authentication framework based on face feature cooperative protection suited to cross-terminal application scenarios, abstracts a feature cooperative protection algorithm based on transformation techniques, focuses on the security of the feature template and the authentication data, and provides security guarantees for the face identity authentication interaction process. It implements the interaction flow from the bottom-level processing modules up to protocol authentication, meets the security requirements of biometric identity authentication in the public network environment, and constructs an authentication protocol that unifies usability and security.

Description

Face characteristic cooperative protection safety authentication system under public network
Technical Field
The application relates to a face feature collaborative protection security authentication system, in particular to a face feature collaborative protection security authentication system in a public network, and belongs to the technical field of face feature security authentication.
Background
With the rapid rise of cloud computing and big data, public network services cover more and more ground, and the demand for secure identity authentication keeps growing. Faced with this demand, security authentication should develop towards ease of use, low cost and high security. The security of traditional password-based authentication depends mainly on the complexity of the password, so usability and security are inversely related: the simpler the password, the worse the security, while a more secure password is more complex and harder to remember. Hardware-token-based authentication is highly secure, but it is costly to deploy, inconvenient to use and poor in usability. The emergence of biometric identification technology brings a new opportunity to build identity authentication that is both secure and user-friendly. Compared with passwords, biometric features are more complex, are bound to the individual for life and are stable, and despite their complexity they are not easily forgotten or lost. Biometric features are inherent, so no additional authentication object such as a hardware token has to be carried, which makes the user experience of biometric authentication better. However, the uniqueness and irrevocability of raw biometric features create a potential security risk for biometric authentication systems, and the security of biometric features, face features in particular, in the public network environment has become a concern.
Along with the rapid development of mobile networks, the performance of intelligent terminal equipment is stronger, many smart phone manufacturers use face recognition as a mobile phone standard, each financial payment platform starts to support the research of identity authentication technologies such as faces and irises, and the biometric authentication technology is accepted and used by more and more people. The rapid development of biometric technology has led to the face recognition technology being widely applied to security authentication protocols, however, the biometric features themselves have the characteristics of being irrevocable, being bound with user identities one by one, and the biometric feature data reflecting the biological privacy information, etc., so that the security of the original biometric features in the public network environment faces a serious challenge. Under ideal environment, the verifier of the identity authentication defaults to be an entity which is honest and believable, and can faithfully carry out the biometric identity authentication and safely store the user biometric characteristics. In reality, however, the biometric features of the user present a number of security problems, since the server verifier is at the other end of the intricate network. Firstly, the characteristic data stored by the verifier server has potential threat of being stolen, and the characteristic data submitted to the verifier server by a user is possibly intercepted by a third party in the network transmission process; secondly, the original biological characteristics are uniquely bound with the user, and characteristic revocation is difficult to realize on a common application server; in addition, it is possible for a dishonest application server to impersonate a user to access other servers using the user's biometric. 
The safety of the biological characteristics is guaranteed on the premise of identity authentication of the biological characteristics, and on the basis, the establishment of an authentication protocol with unified usability and safety is very important and has great application prospect.
To address the convenience and security of user identity authentication, the prior art offers many cryptography-based authentication methods. In practice, large enterprises such as banks use hardware token technologies such as U shields to support identity authentication, but U shield token technology is rarely adopted by small and medium-sized enterprises and users because of its high configuration, update and maintenance costs. Moreover, hardware tokens cannot be used with mobile smart devices. Software token technology lowers the security of authentication and is more convenient and cheaper to deploy than hardware tokens, but because of cost it is still rarely adopted, and it struggles to meet the user verification needs of mobile smart devices. In addition, with the spread of mobile phones, dynamic passwords have gradually become another common user authentication method. A dynamic password can be used only once within a certain time limit, but in reality most users complete both the transaction and the identity authentication on a single mobile phone, so the technology cannot adequately secure user information and cannot be applied to identity authentication on the mobile public network.
In summary, the prior art face feature security authentication technology has many defects, and the current major defects and difficulties include:
First, biometric features are irrevocable, are bound one-to-one to user identities, and reflect biological privacy information, so the security of raw biometric features in a public network environment faces a severe challenge. In practice, because the server-side verifier sits at the other end of a complex network, the user's biometric features face several security problems: the feature data stored by the verifier server may be stolen, and the feature data the user submits to the verifier server may be intercepted by a third party during network transmission; the raw biometric features are uniquely bound to the user, and feature revocation is difficult to implement on an ordinary application server; and a dishonest application server may use the user's biometric features to impersonate the user when accessing other servers. Prior-art face identity authentication cannot address both biometric feature cooperative protection and the security of the authentication protocol in a public network environment at the same time, and so cannot construct an authentication protocol that unifies usability and security;
Second, the way the prior art processes the face feature template directly affects the usability of the biometric authentication system. Two extractions of raw face data differ by some perturbation, and the prior art encrypts the raw face information directly with a cryptographic algorithm. This secures the transmission of face features, but the matching performance of the encrypted face features is poor: the face template must be decrypted before the application server can perform template matching, so face feature matching and query are inefficient, accuracy and practicality are poor, and almost all practical value is lost. In addition, the generated face template is not revocable. Because a user's raw face is unchangeable and unique for life, protecting against cross-linking of face templates between servers and protecting the raw face requires that the face template a user registers be bound to the server and processed irreversibly, so that the complete raw face cannot be recovered from the template; the prior art cannot fully achieve this;
Third, the prior art cannot ensure, through a security protocol, the safety of the parameters required to generate the feature template. No reliable face feature cooperative protection algorithm is introduced into the security authentication protocol, the correct execution of the feature cooperative protection algorithm cannot be ensured, a process for acquiring and negotiating parameters is lacking, and the security of the template generation data cannot be guaranteed. The face feature cooperative protection algorithm and the negotiation process therefore cannot be implemented effectively; the usability, security and reliability of face feature security authentication are poor, it cannot be extended to many important fields, its application is greatly limited, and it has almost no practical value in real identity recognition applications;
Fourth, the prior art does not adequately protect the face feature processing module of the user-side device and lacks a reasonable hardware evaluation mechanism. The raw face is captured on the user-side device, but the prior art introduces no mechanism for evaluating the user-side device environment, so it cannot guarantee that the raw face taking part in the protocol is legitimate. The security authentication protocol is not combined with a feature cooperative protection algorithm, the security of the raw face feature data cannot be guaranteed, and template revocation is not supported. When authenticating, the user depends heavily on the terminal device used at registration, which creates serious security and reliability problems.
To address the security of biometric templates, the application develops biometric-based security authentication from two aspects, authentication protocol design and authentication system implementation: it proposes a security authentication framework based on face feature cooperative protection, designs a security authentication protocol based on feature cooperative protection, and implements the system. Based on the characteristics of biometric identity authentication and the security requirements of the feature template, it designs a biometric feature cooperative protection model and an authentication interaction flow, achieves convenient and fast biometric identity authentication while protecting the biometric template, and solves the problem of unifying usability and security for biometric identity authentication in a public network environment.
Disclosure of Invention
Starting from the face feature cooperative protection problem in face security authentication protocols, the application constructs a security authentication model based on biometric feature protection for the public network environment from two aspects, the face feature cooperative protection security authentication protocol and the face feature cooperative protection security authentication system, and proposes a two-party security authentication framework. Combining the characteristics of biometric identity authentication in the public network environment with the authentication interaction process, the design has a server store the feature templates and complete feature matching, which makes cross-terminal identity authentication based on biometric features possible. The application provides a two-party security authentication framework based on face feature cooperative protection suited to cross-terminal application scenarios, abstracts a feature cooperative protection algorithm based on transformation techniques, attends to the security of the feature template and the authentication data, and provides security guarantees for the face identity authentication interaction process. It implements the interaction flow from the bottom-level processing modules up to protocol authentication, fully considers the security of the face feature template, meets the security requirements of biometric identity authentication in the public network environment, and constructs an authentication protocol that unifies usability and security.
In order to achieve the technical effects, the technical scheme adopted by the application is as follows:
a face feature collaborative protection safety authentication system under a public network is used for constructing a safety authentication model based on biological feature protection under the public network environment from two aspects of a safety authentication protocol of face feature collaborative protection and a safety authentication system of face feature collaborative protection based on the face feature collaborative protection problem in the face safety authentication protocol, and a safety authentication framework with participation of two parties is provided;
firstly, a safety authentication protocol based on face feature collaborative protection comprises: the system comprises a safety authentication framework based on face feature collaborative protection, a face feature collaborative protection model, a certificateless public key and secret key collaborative protection system, a certificateless change negotiation protocol and a face feature collaborative protection method based on specific shell transformation; wherein, the face characteristic cooperative protection model comprises: model structural feature definition, a human face security authentication protocol and a protocol mathematical model;
combining the characteristics of the biological characteristic identity authentication under a public network environment and an authentication interaction process, obtaining a server, undertaking tasks of storing a characteristic specific shell and completing characteristic matching, and realizing cross-terminal identity authentication based on biological characteristics, designing a safety authentication framework based on face characteristic cooperative protection suitable for participation of two parties under a cross-terminal application scene, abstracting a characteristic cooperative protection algorithm based on a transformation technology, paying attention to the safety of the characteristic specific shell and authentication data, and providing safety guarantee on a face identity authentication interaction process;
secondly, the safety certification system based on face feature collaborative protection comprises: the system comprises a system overall architecture, a system module design, a system registration process design and a system authentication process design, and realizes an interactive flow from a bottom processing module to protocol authentication.
Further, in the face feature cooperative protection security authentication system under a public network, in the security authentication framework of face feature cooperative protection under the central model, the server executes the matching operation: only an authentication template needs to be submitted during authentication, and the server performs the matching;
Registration process: the user side obtains the associated information and necessary parameters of the application server; the user side captures the user's face data; the user side binds the original face to the server identifier and applies an irreversible transformation to generate a face template; the user side sends the user identifier and the face template to the application server;
Authentication process: the user side obtains the associated information and necessary parameters of the application server; the user side captures the user's face data; the user side binds the original face to the server identifier and applies an irreversible transformation to generate an authentication template, then sends the authentication template and the user identifier to the server; the server looks up the registration template by the user identifier and matches it against the authentication template to complete the identity authentication.
The face feature cooperative protection algorithm is modelled and identity authentication is completed on the basis of it; a user-side device registration protocol is designed that evaluates the environment and performance of the user-side device and negotiates the change item of the feature cooperative protection algorithm.
Further, in the face feature cooperative protection security authentication system under a public network, the model structural features are defined as follows. The face feature cooperative protection model is divided into three modules: a user registration template generation module, a user authentication template generation module and a template matching module. The user registration template generation module runs during the registration process, and the latter two modules run during the authentication process;
The user-side device first scans the face of user j with a face sensor to obtain an original face image $J_j$, then performs feature extraction to obtain the face feature data $Z_j$. The face features are transformed with a template transformation method that converts the feature data $Z_j$ into a template. The transformation parameters are divided into user-side parameters and server-side parameters: the user-side parameters are used when a template is generated, and the server-side parameters are used to de-transform the template before template matching. The transformation parameters are generated from a value shared by user j and server i together with their respective private keys; the private keys of user j and server i do not directly participate in template generation or template matching;
Definition one: in the face feature cooperative protection model, $VJA_j$ denotes the identity of user j, $CJA_i$ denotes the identity of server i, the registration template that user j stores on server i is $R_{ji}$, and the authentication template generated when user j authenticates is denoted $N_{ji}$;
Definition two: let the user-side device parameter be $w_1$, the server-side parameter be $w_2$, the parameter shared between the user and the server be $w$, the user's private key be $cw_j$, the server's private key be $cw_i$, the user-side parameter generation algorithm be $f_s$ and the server-side parameter generation algorithm be $f_c$. Then:
$w_1 = f_s(w, cw_j, CJA_i), \quad w_2 = f_c(w, cw_i, VJA_j)$;
Definition three: let $t$ denote a random value and let the registration template generation algorithm of user j be $g_{tbf}$. Then:
$R_{ji} = g_{tbf}(Z_j, w_1, w_2, t)$;
Definition four: let the authentication template generation algorithm of user j be $g_{dvr}$. Then:
$N_{ji} = g_{dvr}(Z_j, w_1, t)$;
Definition five: let the template matching algorithm of server i be $a$, the threshold set by the system be $b$, and the matching result be $s$. Then:
$s = a(R_{ji}, N_{ji}, w_2, b) \in \{\text{accepted}, \text{rejected}\}$;
Algorithms $f_s$, $f_c$, $g_{tbf}$, $g_{dvr}$ and $a$ that satisfy the following properties are designed to establish the face feature cooperative protection model; based on the feature cooperative protection algorithm, the model satisfies the following features:
Feature one: the operations of $g_{tbf}$ and $g_{dvr}$ on the original feature data are irreversible; that is, for the algorithm x, recovering the original face feature data $Z_j$ without the random value $t$ used during template generation is computationally infeasible;
Feature two: the parameters are bound to the private keys and the binding is irreversible; that is, with the parameter generation algorithms $f_s$ and $f_c$ known, recovering $cw_j$ from $w_1$ and recovering $cw_i$ from $w_2$ is computationally infeasible;
Feature three: the registration template $R_{ji}$ and the authentication template $N_{ji}$ are matchable, or become matchable after de-transformation with parameter $w_2$; that is, a similarity calculation can be performed on $R_{ji}$ and $N_{ji}$.
The irreversibility of the operations on the raw feature data $Z_j$ and of the matching of the registration template and the authentication template guarantees the security of $Z_j$, and the fact that the templates $R_{ji}$ and $N_{ji}$ can be matched ensures that face authentication is usable.
Further, in the face feature cooperative protection security authentication system under a public network, the face security authentication protocol is as follows. The registration process of face security authentication comprises:
Process one: between the user side and the server side: $w$, $w_2$, $VJA_j$, $CJA_i$
The user-side device and the server negotiate a shared parameter $w$ used to generate their respective feature cooperative protection parameters $w_1$, $w_2$; the user side executes $w_1 = f_s(w, cw_j, CJA_i)$ and the server executes $w_2 = f_c(w, cw_i, VJA_j)$;
Process two: user side to server side: $R_{ji}$
The user-side device captures the original face $J_j$, extracts the feature data $Z_j$, generates the registration template $R_{ji}$ using the authentication template generation algorithm $g_{dvr}$, and sends it to the server; the server receives the feature template $R_{ji}$ and stores $\{VJA_j, w, w_2, R_{ji}\}$ in its own database;
After registration is complete, the user's authentication process comprises:
Flow 1: user side to server side: $VJA_j$
The user side sends the identity $VJA_j$ of the user to be authenticated to the server;
Flow 2: server to user side: $w$
The server looks up the shared value $w$ according to $VJA_j$ and sends it to the user-side device;
Flow 3: user side to server side: $N_{ji}$
The user-side device generates the parameter $w_1$ from the shared value $w$ and the private key $cw_j$, captures the original face $J_j$, extracts the feature data $Z_j$, generates the authentication template $N_{ji}$ using the authentication template generation algorithm $g_{tbf}$, and sends it to the server. The server finds the registration template $R_{ji}$ according to $VJA_j$, calls the template matching algorithm $a$ to match it against the authentication template $N_{ji}$, and sends the matching result $s$ to the user-side device; if the result is accepted, authentication passes, otherwise service is refused. The generation of the registration template and the authentication template depends on the shared value negotiated by the user-side device and the application server during the registration stage, and revocation of the face template is achieved by changing the shared value $w$.
Further, in the face feature cooperative protection security authentication system under a public network, the protocol mathematical model is as follows. The template generation algorithm in the face feature cooperative protection model applies reversible and irreversible transformations to the features, and the face feature cooperative protection model based on feature transformation is defined as follows:
Definition six: the face feature cooperative protection model based on feature transformation consists of five algorithms, $f_s$, $f_c$, $g_{tbf}$, $g_{dvr}$ and $a$:
Given the user-side private key $cw_j$ as input, the parameter generation algorithm $f_s$ outputs $w_1$;
Given the server private key $cw_i$ as input, the parameter generation algorithm $f_c$ outputs $w_2$;
Given the user's face feature data $Z_j$, the user-side parameter $w_1$ and the server parameter $w_2$ as input, the algorithm outputs the registration template $N_{ji}$;
Given the user's face feature data $Z_j$ and the user-side parameter $w_1$ as input, the algorithm outputs the authentication template $R_{ji}$;
Given the registration template $N_{ji}$ and the authentication template $R_{ji}$ as input, the template matching algorithm outputs the matching result $s$, where $s \in \{\text{accepted}, \text{rejected}\}$;
Correctness: $g_{tbf}$ constitutes the registration process of face identity authentication, and $\{g_{dvr}, a\}$ constitute the authentication process, with $a$ corresponding to the face matching process. The user side captures the original face and is assumed by default to protect it adequately. All templates are generated at the user side, and the model's protection of the templates rests on the implemented template generation algorithms $g_{tbf}$, $g_{dvr}$ and on the parameters $w$, $w_1$, $w_2$ that take part in the algorithms.
Feasibility: the parameter $w_2$ generated by algorithm $f_c$ is bound to the server private key $cw_i$, and $f_c$ ensures the security of the private key $cw_i$. A random-number factor is added to the registration template $R_{ji}$ and the authentication template $N_{ji}$ so that the original face features are not revealed, and $R_{ji}$ and $N_{ji}$ are matched under $w_2$.
Further, in the face feature cooperative protection security authentication system under a public network, the certificateless public key and secret key cooperative protection system is as follows. The key pairs of the user side and the server are obtained by the following method:
Let $S_j$ denote member j in the system, with identity $SJA_j$. The key agreement steps are:
Step one: $S_j$ → key generation system: $v_j$, $SJA_j$
$S_j$ sets a random number
Figure BDA0003430453010000071
as part of its own master key, where
Figure BDA0003430453010000072
is a multiplicative subgroup of $F_q$ and $F_q$ is a finite cyclic group, and computes the partial key pair
Figure BDA0003430453010000073
$S_j$ starts negotiating a complete key pair with the key generation system: $S_j$ sends $v_j$ and its own $SJA_j$ to the key generation system;
Step two: key generation system → $S_j$: $k_j$, $AW_j$
The key generation system sets a random number
Figure BDA0003430453010000074
computes the partial key pair
Figure BDA0003430453010000075
and, from $v_j$ and the user's $SJA_j$, calculates $V_j = H_1(SJA_j, k_j, v_j)$ and the partial private key $AW_j$, where $H_1$ is a particular hash function; it then sends the partial public key $k_j$ and the partial private key $AW_j$ to $S_j$;
On receiving $AW_j$ and $k_j$, $S_j$ first calculates $V_j = H_1(SJA_j, k_j, v_j)$ and $AW_j$, and then checks the validity of $AW_j$. If it is valid, $S_j$ computes the private key $C_j = AW_j + x_j$ and the public key $(k_j, v_j)$, thereby obtaining the complete key pair $\{(C_j, x_j), (k_j, v_j)\}$; otherwise it discards $AW_j$ and $k_j$ and returns to step one to restart key negotiation.
In the face feature cooperative protection security authentication system under a public network, further, the face feature cooperative protection method based on specific shell transformation: under the action of a random key Z, the biometric specific shell BR is transformed into G(BR, Z). Transformations are of two types, reversible and irreversible. In a reversible transformation the key Z is used to recover the original biometric specific shell BR; in an irreversible transformation Z is a one-way key, and the original biometric specific shell cannot be recovered from the transformed result even if Z is known. The definition of the face feature cooperative protection model requires an irreversible transformation of the original feature data.
The face feature cooperative protection method based on specific shell transformation comprises a registration process and an authentication process:
(1) Registration procedure
Step 1: collect an original face image of the user and extract features to obtain a feature matrix Z;
Step 2: generate a specific shell transformation matrix $E = \{e_1, e_2, \ldots, e_m\}$ and perform the orthogonal operation $H = E \cdot Z$ on the feature matrix Z to obtain the orthogonal decomposition coefficients $H = \{h_1, h_2, \ldots, h_m\}$;
Step 3: decompose the specific shell transformation matrix E into two independent sub-matrices $\{E_1, E_2\}$ according to a preset proportion t, where $E_1 = \{e_1, e_2, \ldots, e_n\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1, H_2\}$, with $H_1 = \{h_1, h_2, \ldots, h_n\}$ and $H_2 = \{h_{n+1}, h_{n+2}, \ldots, h_m\}$, where $t = H_1/H = n/m$;
Step 4: perform face encryption on $H_1$: with the encryption operation denoted B and $W_b$ a randomly generated key, the result for $H_1$ is $H_{1b} = B(H_1, W_b)$; perform key binding on $H_2$: with the binding operation denoted G and $W_g$ the binding key, the result for $H_2$ is $H_{2g} = B(H_2, W_g)$;
Step 5: perform the orthogonal fusion operation on $H_{1b}$ and $H_{2g}$ to obtain the feature ciphertext $H_{bg} = E_1 \cdot H_{1b} + E_1 \cdot H_{1b}$.
(2) Authentication procedure
Step (1): collect an original face image of the user and extract features to obtain a feature matrix $Z^*$;
Step (2): generate an orthogonal matrix $E^* = \{e_1^*, e_2^*, \ldots, e_n^*, e_{n+1}, e_{n+2}, \ldots, e_m\} = \{E_1^*, E_2\}$ and perform the orthogonal operation $H^* = E^* \cdot Z^*$ on the feature matrix $Z^*$ to obtain the orthogonal decomposition coefficients $H^* = \{h_1^*, h_2^*, \ldots, h_m^*\}$;
Step (3): decompose the orthogonal matrix E into two independent sub-matrices $\{E_1^*, E_2\}$ according to a preset proportion t, where $E_1^* = \{e_1^*, e_2^*, \ldots, e_n^*\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1^*, H_2^*\}$, with $H_1^* = \{h_1^*, h_2^*, \ldots, h_n^*\}$ and $H_2^* = \{h_{n+1}^*, h_{n+2}^*, \ldots, h_m^*\}$, where $t = H_1/H = n/m$;
Step (4): perform face encryption on $H_1^*$ to obtain $H_{1b}^* = B(H_1^*, W_b^*)$, and let $H_{2g}^* = H_2^*$;
Step (5): perform the orthogonal fusion operation on $H_{1b}^*$ and $H_{2g}^*$ to obtain the feature ciphertext $H_{bg}^* = E_1^* \cdot H_{1b}^* + E_2^* \cdot H_{2e}^*$;
Step (6): use $E_2$ to perform orthogonal decomposition on $H_{bg}$ and $H_{bg}^*$ and extract the matching-domain features $H_w = G^{-1}(E_2 \cdot Z_{bg}, E_2) = H_{2g} - E_2 = H_2$ and $H_w^* = E_2 \cdot Z_{bg}^* = H_2^*$;
Step (7): compute the covariance value of $H_w$ and $H_w^*$ to complete the specific shell matching.
Rules of the face feature cooperative protection model based on specific shell transformation:
Rule 1: the parameter $w_1$ is defined as the sub-matrix $E_1$; algorithm $f_s$ is described as first producing the matrix partition ratio t from the shared value w, then generating the sub-matrix $E_1$ from the server identifier $CJA_i$ and the user private key $cw_j$;
Rule 2: the parameter $w_2$ is defined as the sub-matrix $E_2$; algorithm $f_c$ is described as first producing the matrix partition ratio t from the shared value w, then generating the sub-matrix $E_2$ from the user identifier $VJA_j$ and the server private key $cw_i$;
Rule 3: algorithm $g_{tbf}$ is described as steps 3 to 5 of the registration procedure; the registration template $R_{ji}$ is the feature ciphertext $H_{bg}$, and the random key $W_b$ is the random number factor;
Rule 4: algorithm $g_{dvr}$ is described as steps (3) to (5) of the authentication procedure; the authentication template $N_{ji}$ is the feature ciphertext $H_{bg}^*$, and the random key $W_b^*$ is the random number factor;
Rule 5: algorithm a is described as steps (6) to (7) of the authentication procedure; if the covariance value of $H_w$ and $H_w^*$ is within the given error b, the match succeeds; otherwise the match fails.
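The registration steps 1 to 5, authentication steps (1) to (7) and rule 5 above, carried through as an added Python example; it is not code from the patent. It assumes a flattened feature vector Z, an additive random mask for B, an additive binding for G, fusion written as E1ᵀ·H1b + E2ᵀ·H2g, seeded constants in place of the rule 1 and rule 2 derivations of E1 and E2, and "covariance within error b" read as 1 − Pearson correlation ≤ b; all function names and sample data are constructed.

```python
import math
import random

def orthonormal_rows(dim, count, seed, against=()):
    """Return `count` orthonormal rows of length `dim` that are also orthogonal
    to every row in `against` (modified Gram-Schmidt on seeded Gaussian vectors)."""
    rng = random.Random(seed)
    basis, new = [list(r) for r in against], []
    while len(new) < count:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for r in basis:
            d = sum(x * y for x, y in zip(v, r))
            v = [x - d * y for x, y in zip(v, r)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm > 1e-6:                      # skip numerically degenerate draws
            v = [x / norm for x in v]
            basis.append(v)
            new.append(v)
    return new

def project(rows, vec):
    """rows . vec: decomposition coefficients of vec on each row."""
    return [sum(x * y for x, y in zip(r, vec)) for r in rows]

def expand(rows, coeffs):
    """rows^T . coeffs: vector rebuilt from its coefficients."""
    return [sum(c * r[k] for c, r in zip(coeffs, rows)) for k in range(len(rows[0]))]

def make_template(Z, E1, E2, Wb, Wg=None):
    """Registration steps 2-5 (Wg given) or authentication steps (2)-(5) (Wg=None)."""
    H1, H2 = project(E1, Z), project(E2, Z)
    H1b = [h + w for h, w in zip(H1, Wb)]    # assumed B: additive random mask
    H2g = H2 if Wg is None else [h + w for h, w in zip(H2, Wg)]  # assumed G: additive binding
    return [p + q for p, q in zip(expand(E1, H1b), expand(E2, H2g))]

def matching_domain(template, E2, Wg=None):
    """Step (6): project onto E2 and, for a registration template, undo the binding."""
    coeffs = project(E2, template)
    return coeffs if Wg is None else [c - w for c, w in zip(coeffs, Wg)]

def pearson(x, y):
    """Normalised covariance of two equal-length coefficient lists."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y))
    sx = math.sqrt(sum((p - mx) ** 2 for p in x))
    sy = math.sqrt(sum((q - my) ** 2 for q in y))
    return cov / (sx * sy)

def server_match(R, N, E2, Wg, b):
    """Step (7) / rule 5, with 'within error b' read as 1 - correlation <= b (assumption)."""
    Hw, Hw_star = matching_domain(R, E2, Wg), matching_domain(N, E2)
    return "accepted" if 1.0 - pearson(Hw, Hw_star) <= b else "rejected"

def demo(m=32, t=0.5, b=0.05):
    rng = random.Random(2021)                # constructed data, fixed for repeatability
    n = round(t * m)                         # split ratio t = n/m
    E2 = orthonormal_rows(m, m - n, seed=2)
    E1 = orthonormal_rows(m, n, seed=11, against=E2)        # used at registration
    E1_star = orthonormal_rows(m, n, seed=12, against=E2)   # used at authentication
    Z = [rng.gauss(0, 1) for _ in range(m)]                 # enrolled features
    Z_same = [z + rng.gauss(0, 0.02) for z in Z]            # same face, sensor noise
    Z_other = [rng.gauss(0, 1) for _ in range(m)]           # different face
    Wg = [rng.gauss(0, 1) for _ in range(m - n)]            # binding key
    fresh_mask = lambda: [rng.gauss(0, 10) for _ in range(n)]  # new Wb per template
    R = make_template(Z, E1, E2, fresh_mask(), Wg)
    R_again = make_template(Z, E1, E2, fresh_mask(), Wg)
    N_same = make_template(Z_same, E1_star, E2, fresh_mask())
    N_other = make_template(Z_other, E1_star, E2, fresh_mask())
    cross = max(abs(sum(x * y for x, y in zip(r1, r2))) for r1 in E1_star for r2 in E2)
    drift = max(abs(p - q) for p, q in zip(matching_domain(R, E2, Wg), project(E2, Z)))
    return {
        "genuine": server_match(R, N_same, E2, Wg, b),
        "impostor": server_match(R, N_other, E2, Wg, b),
        "reissued": server_match(R_again, N_same, E2, Wg, b),
        "templates_differ": max(abs(p - q) for p, q in zip(R, R_again)) > 1e-3,
        "cross_term": cross,
        "drift": drift,
    }

if __name__ == "__main__":
    print(demo())
```

Because E2·E1ᵀ = 0, the random mask W_b drops out of the matching domain, which is why two templates of the same face differ yet both match. Under these assumptions `drift` is numerically zero, so the server's matching domain equals E2·Z exactly and the random factor protects only the E1 share of the coefficients.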
In the face feature cooperative protection security authentication system under a public network, further, the overall system structure: the face-processing algorithms are implemented on the client, which communicates with the server during identity authentication; authentication data are written into the database; and on the client the face-processing algorithms are written into a security zone. The whole system comprises three parts:
(1) User: provides the original face and the necessary identification information;
(2) User-side equipment: generates the parameters, the registration template and the authentication template. The face-related algorithms are implemented in the security zone. During registration, the specific shell generation module of the security zone collects the face, generates the registration template and sends it to the ordinary-zone application, which forwards it to the application server. During authentication, the specific shell generation module of the security zone generates an encrypted authentication template from the original face and sends it to the application server through the ordinary-zone application. Before authentication starts, the security zone performs a security evaluation of the user equipment and sends the evaluation result to the application server for verification.
(3) Server: stores the received face registration template in a database; when an authentication template arrives, looks up the registration template in the database by the identity provided by the user; and calls a matching algorithm to match the registration template with the authentication template.
In the face feature cooperative protection security authentication system under a public network, further, the system registration process design: registration is a step that must be carried out the first time a user accesses the server from the associated application, and only successfully registered users can obtain the service. A security zone is introduced into the user terminal equipment, and the security zone exists independently in this process;
The user opens an application that requires identity authentication, which triggers the face security authentication system, and the application in the non-secure zone sends an access request to the server. On receiving the access request, the server queries the database by the user identifier $VJA_j$ to see whether the user is registered; if not, the user-side equipment and the server start change item negotiation. The security zone performs an integrity check on its own program, generates an evaluation report, and sends the report to the server together with an intermediate result of the shared value to be negotiated. The server checks the user-side evaluation report and, once the check passes, completes change item negotiation with the user side. The user side negotiates the shared value w and generates the parameters $w_1$, $w_2$; using these parameters, the user-side security zone module generates the registration template $R_{ji}$; the application in the user side's non-secure zone sends the generated registration template to the server; and on receipt the server stores the registration template $R_{ji}$, the shared value w, the server parameter $w_2$ and the user identifier $VJA_j$ in the database.
In the face feature cooperative protection security authentication system under a public network, further, the system authentication process design: after the user has completed registration, the authentication process is triggered when the user accesses the server again. With the security zone participating independently, the user opens an application that requires identity authentication, which triggers the face security authentication system, and the non-secure-zone application sends an access request to the server. On receiving the access request, the server queries the database by the user identifier $VJA_j$ to see whether the user is registered, and starts the user process if so. The security zone performs an integrity check on its own program, generates an evaluation report, and sends it to the server together with the parameter request. The server checks the user-side evaluation report and, once the check passes, returns the shared value w negotiated during registration to the user-side security zone. The user side generates the parameter $w_1$ from the shared value w; the user-side security zone module uses $w_1$ to generate the authentication template $N_{ji}$; and the user side's non-secure-zone application sends the generated authentication template to the server. After receiving the authentication template, the server queries the database by the user identifier $VJA_j$ for the registration template $R_{ji}$ and the server parameter $w_2$, executes the matching operation on the registration template $R_{ji}$ and the authentication template $N_{ji}$, and returns the matching result, that is, the authentication result, to the user-side application, so that the user knows whether authentication succeeded.
Compared with the prior art, the innovation points and advantages of the application are as follows:
First, starting from the problem of face feature cooperative protection in the face security authentication protocol, the application constructs a security authentication model based on biometric feature protection for a public network environment from two aspects: a security authentication protocol based on face feature cooperative protection, and a security authentication system based on face feature cooperative protection. It provides a security authentication architecture with two participating parties. Combining the characteristics of biometric identity authentication in a public network environment with the authentication interaction process, it obtains a security authentication architecture based on face feature cooperative protection that is suitable for two-party participation in cross-terminal application scenarios, in which the server takes on the tasks of storing the feature specific shell and completing feature matching, so that biometric cross-terminal identity authentication can be realized. It abstracts a feature cooperative protection algorithm based on transformation technology, attends to the security of the feature specific shell and the authentication data, and provides security guarantees for the face identity authentication interaction process. The interaction flow from the bottom-layer processing modules to protocol authentication is realized, the security of the face feature specific shell is fully considered, the security requirements of biometric identity authentication in a public network environment are met, and a strong guarantee is provided for the cooperative protection of biometric features;
Second, a security authentication protocol based on face feature cooperative protection is provided. Starting from the security requirements of the face security authentication protocol and based on the relation between face feature cooperative protection and the authentication protocol, a face feature transformation method and a feature cooperative protection algorithm are abstracted; a security authentication architecture based on face feature cooperative protection is designed according to the characteristics and security requirements of face identity authentication; the feature cooperative protection method is improved and a method substitution model based on orthogonal transformation is fused in; and an authentication protocol that unifies usability and security is constructed;
Third, an authentication system using the security authentication protocol based on feature cooperative protection is designed and implemented. The responsibilities of each participant in the authentication protocol are analyzed; a secure interface is designed to hide the bottom-layer face feature processing details and protect the security of the user's face features; the face security authentication protocol is combined with trusted hardware technology; and a security authentication system method based on face feature cooperative protection is designed that is suitable for a public network environment, greatly improves authentication efficiency compared with the original face feature security authentication system, allows face feature cooperative protection security authentication to be applied more widely, and has high sensitivity, security and practicability;
Fourth, the application also improves several details. First, the processing of the feature template does not affect the usability of the biometric authentication system. Second, the generated face specific shell is revocable: the user's original face is unchangeable and unique for life, so to avoid linkability of the face specific shell between servers and to protect the original face, the face specific shell registered by the user is bound to the server and, through irreversible processing, the complete original face cannot be recovered from it. Third, while the feature template is cooperatively protected, the security of the parameters needed to generate the feature specific shell is ensured by a security protocol, which designs the parameter acquisition and negotiation processes that ensure the feature cooperative protection algorithm is correctly implemented. Fourth, a reasonable hardware evaluation mechanism is designed based on the protection requirements of the face feature processing module of the user-side equipment: the original face is collected at the user-side equipment, and an environment evaluation mechanism for the user-side equipment is introduced into the protocol to ensure that the original face participating in the protocol is legitimate.
Drawings
Fig. 1 is a schematic diagram of a security authentication architecture based on face feature collaborative protection.
Fig. 2 is a schematic diagram of a registration process of face security authentication according to the present application.
Fig. 3 is a schematic view of an authentication process of face security authentication according to the present application.
Fig. 4 is a schematic process diagram of the face feature cooperative protection method based on specific shell transformation.
Fig. 5 is an overall architecture diagram of a security authentication system based on face feature cooperative protection.
Fig. 6 is a design diagram of a user side of a security authentication system based on face feature cooperative protection.
Fig. 7 is a server-side design diagram of a security authentication system based on face feature cooperative protection.
Fig. 8 is a flowchart of a registration process executed by the security authentication system based on face feature collaborative protection.
Fig. 9 is a flowchart of a security authentication system executing authentication process based on face feature cooperative protection.
Fig. 10 is a sequence diagram of authentication executed by a security authentication system based on face feature cooperative protection.
Detailed description of the invention
The technical solution of the system for cooperatively protecting security authentication by using face features in a public network provided in the present application is further described below with reference to the accompanying drawings, so that those skilled in the art can better understand the present application and can implement the present application.
With the rapid development of mobile public networks, the performance of intelligent terminal equipment keeps improving, smartphone manufacturers ship face recognition as a standard phone feature, various financial payment platforms have begun to support identity authentication technologies based on face, iris and other traits, and biometric authentication technologies are widely accepted and used. Biometric features are bound to the individual for life and are stable, so biometric authentication technology is widely applied in security authentication protocols. However, the uniqueness of the original biometric features makes them irrevocable, and the data carry private information about the individual, so the security of original biometric information in a public network environment faces a serious challenge. In practical applications, because the verifying server is at the other end of a complicated network, the data stored by the verifier's server are under potential threat of theft, and the feature data the user submits to the verifier's server can be intercepted by a third party. The security of biometric data is therefore the premise of biometric identity authentication, and on that basis constructing an authentication protocol that unifies usability and security plays an important role.
Starting from the problem of face feature cooperative protection in the face security authentication protocol, the application constructs a security authentication model based on biometric feature protection in a public network environment from two aspects, the face feature cooperative protection security authentication protocol and the face feature cooperative protection security authentication system, and provides a security authentication architecture with two participating parties;
First, the security authentication protocol based on face feature cooperative protection comprises: a security authentication architecture based on face feature cooperative protection, a face feature cooperative protection model, a certificateless public key and private key cooperative protection system, a certificateless change item negotiation protocol, and a face feature cooperative protection method based on specific shell transformation; the face feature cooperative protection model in turn comprises: the model structural feature definition, the face security authentication protocol and the protocol mathematical model;
Combining the characteristics of biometric identity authentication in a public network environment with the authentication interaction process, a security authentication architecture based on face feature cooperative protection is obtained that is suitable for two-party participation in cross-terminal application scenarios: the server stores the feature specific shell and completes the feature matching task, so that biometric cross-terminal identity authentication is realized; a feature cooperative protection algorithm based on transformation technology is abstracted; attention is paid to the security of the feature specific shell and the authentication data; and security guarantees are provided for the face identity authentication interaction process;
Second, the security authentication system based on face feature cooperative protection comprises: the overall system architecture, the system module design, the system registration process design and the system authentication process design. It realizes the interaction flow from the bottom-layer processing modules to protocol authentication and fully considers the security of the face feature specific shell.
The safety authentication protocol and the authentication system implementation method based on the characteristic cooperative protection meet the safety requirement of biological characteristic identity authentication in a public network environment and provide powerful guarantee for the cooperative protection of biological characteristics.
Safety authentication protocol based on face feature cooperative protection
In a public network environment, applying face recognition technology without protecting the original face inevitably leaves hidden dangers for the security of user identity information. Protecting the original face features means designing a secure face feature cooperative protection algorithm and, on that basis, designing a face feature security authentication protocol that ensures the algorithm is correctly implemented. According to the usability and protection requirements of face security authentication, the application provides a security authentication method based on face feature cooperative protection that comprises two key modules: a face feature cooperative protection model and a change item negotiation protocol.
Safety certification framework based on face feature cooperative protection
The application provides a security authentication architecture for face feature cooperative protection under a central model, as shown in fig. 1. The server executes the matching operation: only an authentication template needs to be submitted during authentication, and the server performs the matching. For the case where the application server is not completely trusted, the security authentication method based on feature cooperative protection comprises a registration process and an authentication process;
Registration process: the user side obtains the associated information and necessary parameters of the application server; the user side collects the user's face data; the user side binds the original face to the server identifier and generates a face specific shell by an irreversible transformation; and the user side sends the user identifier and the face specific shell to the application server;
Authentication process: the user side obtains the associated information and necessary parameters of the application server; the user side collects the user's face data; the user side binds the original face to the server identifier and applies an irreversible transformation to generate an authentication template; the authentication template and the user identifier are then sent to the server; and the server looks up the registration template by the user identifier and matches it against the authentication template to complete the identity authentication.
The key problems to be solved are: first, a face specific shell must be generated and stored in the application server; it is associated with the server and is a ciphertext specific shell, which prevents leakage of the original face information, so a face feature cooperative protection model that supports revocation and protects the original face must be defined; second, face specific shells must be matched while the registration template and the authentication template are both in ciphertext state; third, the specific shell is generated at the user side, which requires measures for evaluating the environment and performance of the user-side equipment; this evaluation is realized by a suitable device registration protocol, and the change item negotiation of the feature cooperative protection algorithm is carried out at the same time as the evaluation.
To address these problems, the face feature cooperative protection algorithm is modeled so that, while the original face data stay secure, a suitable face feature cooperative protection algorithm is found to complete identity authentication; and a user terminal device registration protocol is designed that realizes the evaluation of the environment and performance of the user-side equipment and the change item negotiation of the feature cooperative protection algorithm.
(II) face feature cooperative protection model
The face feature cooperative protection model suits an authentication model in which matching is done by the server: the user's face security authentication does not depend on a particular front-end device, and the user can authenticate remotely with any device that has a face sensor and a face specific shell processing algorithm. The user's face specific shell has to be stored by the server or a third party; to avoid disclosing face privacy, the submitted face specific shell must be encrypted, so the face specific shell must be protected before it can be submitted to the server.
1. Model structural feature definition
The face feature collaborative protection model defined by the application is divided into three modules, which are respectively: the system comprises a user registration template generation module, a user authentication template generation module and a specific shell matching module, wherein the user registration template generation module is completed in the registration process, and the latter two modules are completed in the authentication process.
The user-side equipment first scans the face of user j with a face sensor to obtain the original face image $J_j$, then extracts features to obtain the face feature data $Z_j$. The face features are transformed with the specific shell transformation method, which converts the feature data $Z_j$ into a ciphertext specific shell. The transformation parameters are divided into user-side parameters and server-side parameters: the user-side parameters are used when a template is generated, and the server-side parameters are used to de-transform the specific shell before matching. The transformation parameters are generated from a value shared by user j and server i together with their respective private keys; the private keys of user j and server i do not participate directly in specific shell generation or specific shell matching;
Definition 1: in the face feature cooperative protection model, $VJA_j$ represents the identity of user j, $CJA_i$ represents the identity of server i, the registration template stored at server i by user j is $R_{ji}$, and the authentication template generated when user j authenticates is denoted $N_{ji}$;
Definition 2: if the user-side equipment parameter is $w_1$, the server-side parameter is $w_2$, the parameter shared between the user and the server is $w$, the user private key is $cw_j$, the server private key is $cw_i$, the user-side parameter generation algorithm is $f_s$ and the server-side parameter generation algorithm is $f_c$, then:
$w_1 = f_s(w, cw_j, CJA_i)$, $w_2 = f_c(w, cw_i, VJA_j)$;
Definition 3: if t represents a random value and the registration template generation algorithm of user j is $g_{tbf}$, then:
$R_{ji} = g_{tbf}(Z_j, w_1, w_2, t)$;
Definition 4: if the authentication template generation algorithm of user j is $g_{dvr}$, then:
$N_{ji} = g_{dvr}(Z_j, w_1, t)$;
Definition 5: if the specific shell matching algorithm of server i is a, the threshold set by the system is b, and the matching result is denoted s, then:
$s = a(R_{ji}, N_{ji}, w_2, b) \in \{\text{accepted}, \text{rejected}\}$;
Designing algorithms $f_s$, $f_c$, $g_{tbf}$, $g_{dvr}$ and a that satisfy the following properties establishes a face feature cooperative protection model; the feature cooperative protection algorithm satisfies the following features:
Feature 1: the operations of algorithms $g_{tbf}$ and $g_{dvr}$ on the original feature data are irreversible; that is, for the algorithm x, without the random value t used when the specific shell was generated, recovering the original face feature data $Z_j$ is computationally infeasible;
Feature 2: the parameters are bound to the private keys, and the binding of the private key is irreversible; that is, with the parameter generation algorithms $f_s$ and $f_c$ known, recovering $cw_j$ from $w_1$ and recovering $cw_i$ from $w_2$ are computationally infeasible;
Feature 3: the registration template $R_{ji}$ and the authentication template $N_{ji}$ are matchable, or are matchable after de-transformation with the parameter $w_2$; that is, a similarity calculation can be performed on $R_{ji}$ and $N_{ji}$.
The key points of the face feature cooperative protection algorithm are the operation on the original feature data $Z_j$ and the matching operation on the registration and authentication templates: irreversibility guarantees the security of Z, and the fact that the specific shells $R_{ji}$ and $N_{ji}$ can be matched ensures that face authentication remains usable.
2. Face security authentication protocol
The registration process of face security authentication is shown in fig. 2.
Process 1: between the user side and the server side: $w$, $w_2$, $VJA_j$, $CJA_i$
The user-side equipment and the server negotiate a shared parameter w, used to generate their respective feature cooperative protection parameters $w_1$, $w_2$: the user side executes $w_1 = f_s(w, cw_j, CJA_j)$ and the server executes $w_2 = f_c(w, cw_i, VJA_i)$;
Process 2: user side to server side: $R_{ji}$
The user-side equipment captures the original face $J_j$, extracts the feature data $Z_j$, generates the registration template $R_{ji}$ using the authentication template generation algorithm $g_{dvr}$, and sends it to the server; the server receives the feature specific shell $R_{ji}$ and stores $\{VJA_j, w, w_2, R_{ji}\}$ in its own database;
The process of authenticating the user after registration is completed is shown in fig. 3.
Flow 1: user side to server side: $VJA_j$
The user side sends the identity $VJA_j$ of the user to be authenticated to the server;
Flow 2: server to user side: $w$
The server finds the shared value w according to $VJA_j$ and sends it to the user-side equipment;
Flow 3: user side to server side: $N_{ji}$
The user-side equipment generates the parameter $w_1$ from the shared value w and the private key $cw_j$, captures the original face $J_j$, extracts the feature data $Z_j$, generates the authentication template $N_{ji}$ using the authentication template generation algorithm $g_{tbf}$, and sends it to the server; the server finds the registration template $R_{ji}$ according to $VJA_j$, calls the specific shell matching algorithm a to match it against the authentication template $N_{ji}$, and sends the matching result s to the user-side equipment; if the result is accepted, authentication passes, otherwise service is refused. The generation of the registration template and the authentication template depends on the shared value negotiated by the user-side equipment and the application server in the registration stage, and revocation of the face specific shell is achieved by changing the shared value w.
3. Protocol mathematical model
The specific shell generation algorithm in the face feature cooperative protection model applies reversible and irreversible transformations to the features. The definition of the face feature cooperative protection model based on feature transformation is as follows:
Definition 6: the face feature cooperative protection model based on feature transformation is composed of five algorithms, $f_s$, $f_c$, $g_{tbf}$, $g_{dvr}$ and a:
Given the user-side private key $cw_j$ as input, the parameter generation algorithm $f_s$ outputs $w_1$;
Given the server private key $cw_i$ as input, the parameter generation algorithm $f_c$ outputs $w_2$;
Given the user face feature data $Z_j$, the user-side parameter $w_1$ and the server parameter $w_2$ as input, the algorithm outputs the registration template $N_{ji}$;
Given the user face feature data $Z_j$ and the user-side parameter $w_1$ as input, the algorithm outputs the authentication template $R_{ji}$;
Given the registration template $N_{ji}$ and the authentication template $R_{ji}$ as input, the specific shell matching algorithm outputs the matching result s, where $s \in \{\text{accepted}, \text{rejected}\}$;
Correctness: $g_{tbf}$ forms the registration process of face identity authentication and $\{g_{dvr}, a\}$ form the authentication process, with a corresponding to the face matching process. The original face is acquired at the user side, which by default is assumed to protect the original face adequately; all specific shells are generated at the user side; and the protection the whole model gives the specific shells rests on the specific shell generation algorithms $g_{tbf}$, $g_{dvr}$ that are implemented and on the parameters $w$, $w_1$, $w_2$ that take part in them.
Feasibility: the parameter $w_2$ generated by algorithm $f_c$ is bound to the server private key $cw_i$, and $f_c$ ensures the security of $cw_i$; a random number factor is added to the registration template $R_{ji}$ and the authentication template $N_{ji}$ so that the original face features are not revealed; and $R_{ji}$ and $N_{ji}$ are matched under $w_2$.
(III) certificateless public key and secret key cooperative protection system
The application designs a security authentication protocol based on characteristic cooperative protection, and the key pairs of the user side and the server are obtained according to the following method.
Let $S_j$ denote member $j$ of the system, with identifier $SJA_j$. The key agreement steps are:
Step 1: $S_j$ → key generation system: $v_j$, $SJA_j$
$S_j$ sets a random number
Figure BDA0003430453010000151
as part of its own master key, where
Figure BDA0003430453010000152
is a multiplicative subgroup of $F_q$ and $F_q$ is a finite cyclic group, and computes the partial key pair
Figure BDA0003430453010000153
$S_j$ starts negotiating a complete key pair with the key generation system: $S_j$ sends $v_j$ and its own $SJA_j$ to the key generation system;
Step 2: key generation system → $S_j$: $k_j$, $AW_j$
The key generation system sets a random number
Figure BDA0003430453010000154
computes the partial key pair
Figure BDA0003430453010000155
and, from $v_j$ and the user's $SJA_j$, computes $V_j = H_1(SJA_j, k_j, v_j)$ and the partial private key $AW_j$, where $H_1$ is a specific hash function; it then sends the partial public key $k_j$ and the partial private key $AW_j$ to $S_j$.
After receiving $AW_j$ and $k_j$, $S_j$ first computes $V_j = H_1(SJA_j, k_j, v_j)$ and $AW_j$, then checks the validity of $AW_j$. If it is valid, $S_j$ computes the private key $C_j = AW_j + x_j$ and the public key $(k_j, v_j)$, obtaining the complete key pair $\{(C_j, x_j), (k_j, v_j)\}$; otherwise it discards $AW_j$ and $k_j$ and returns to step 1 to restart key negotiation.
(IV) Certificateless-based change negotiation protocol
To address the generation of the change item in the face feature collaborative protection model, the application designs a certificateless change item negotiation protocol with an added device authentication step. Before face identity authentication starts, the environment of the user-end equipment is evaluated and the evaluation result is sent to the server for verification; the user end negotiates the shared value $w$ only once the device evaluation has passed. Assume the user-end equipment and the server have both obtained a key pair through certificateless key negotiation: the key pair of the user-end equipment is $\{(C_j, x_j), (k_j, v_j)\}$, the key pair of the application server is $\{(C_i, x_i), (k_i, v_i)\}$, and $\|$ denotes concatenation.
(V) face feature cooperative protection method based on specific shell transformation
The biometric specific shell is transformed into $G(BR, Z)$ under a random key $Z$. Transformations are of two types, reversible and irreversible: with a reversible transformation the key $Z$ is used to recover the original biometric specific shell $BR$; with an irreversible transformation $Z$ is a one-way key, and the original biometric specific shell cannot be recovered from the transformed result even if $Z$ is known. The definition of the face feature cooperative protection model requires an irreversible transformation of the original feature data.
The face feature collaborative protection method based on specific shell transformation is shown in Fig. 4 and comprises a registration process and an authentication process:
(1) Registration procedure
Step 1: Collect an original face image of the user and extract features to obtain a feature matrix $Z$;
Step 2: Generate a specific shell transform matrix $E = \{e_1, e_2, \ldots, e_m\}$ and perform the orthogonal operation $H = E \cdot Z$ on the feature matrix $Z$ to obtain the orthogonal decomposition coefficients $H = \{h_1, h_2, \ldots, h_m\}$;
Step 3: Decompose the specific shell transform matrix $E$ into two independent submatrices $\{E_1, E_2\}$ according to a preset proportion $t$, where $E_1 = \{e_1, e_2, \ldots, e_n\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1, H_2\}$, with $H_1 = \{h_1, h_2, \ldots, h_n\}$ and $H_2 = \{h_{n+1}, h_{n+2}, \ldots, h_m\}$, where $t = H_1/H = n/m$;
Step 4: Apply face encryption to $H_1$: let the encryption operation be $B$ and $W_b$ a randomly generated key; the encryption of $H_1$ is then $H_{1b} = B(H_1, W_b)$. Apply key binding to $H_2$: let the binding operation be $G$ and $W_g$ the key to bind; the binding of $H_2$ is then $H_{2g} = B(H_2, W_g)$;
Step 5: Perform the orthogonal fusion operation on $H_{1b}$ and $H_{2g}$ to obtain the feature ciphertext $H_{bg} = E_1 \cdot H_{1b} + E_1 \cdot H_{1b}$.
(2) Authentication procedure
Step (1): Collect an original face image of the user and extract features to obtain a feature matrix $Z^*$;
Step (2): Generate an orthogonal matrix $E^* = \{e_1^*, e_2^*, \ldots, e_n^*, e_{n+1}, e_{n+2}, \ldots, e_m\} = \{E_1^*, E_2\}$ and perform the orthogonal operation $H^* = E^* \cdot Z^*$ on the feature matrix $Z^*$ to obtain the orthogonal decomposition coefficients $H^* = \{h_1^*, h_2^*, \ldots, h_m^*\}$;
Step (3): Decompose the orthogonal matrix E into two independent submatrices $\{E_1^*, E_2\}$ according to a preset proportion $t$, where $E_1^* = \{e_1^*, e_2^*, \ldots, e_n^*\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1^*, H_2^*\}$, with $H_1^* = \{h_1^*, h_2^*, \ldots, h_n^*\}$ and $H_2^* = \{h_{n+1}^*, h_{n+2}^*, \ldots, h_m^*\}$, where $t = H_1/H = n/m$;
Step (4): Apply face encryption to $H_1^*$ to obtain $H_{1b}^* = B(H_1^*, W_b^*)$, and let $H_{2g}^* = H_2^*$;
Step (5): Perform the orthogonal fusion operation on $H_{1b}^*$ and $H_{2g}^*$ to obtain the feature ciphertext $H_{bg}^* = E_1^* \cdot H_{1b}^* + E_2^* \cdot H_{2e}^*$;
Step (6): Use $E_2$ to perform orthogonal decomposition on $H_{bg}$ and $H_{bg}^*$ and extract the matching-domain features $H_w = G^{-1}(E_2 \cdot Z_{bg}, E_2) = H_{2g} - E_2 = H_2$ and $H_w^* = E_2 \cdot Z_{bg}^* = H_2^*$;
Step (7): Compute the covariance value of $H_w$ and $H_w^*$ to complete specific shell matching.
Face feature collaborative protection model rules based on specific shell transformation:
Rule 1: The parameter $w_1$ is defined as the submatrix $E_1$. Algorithm $f_s$ is described as: first produce the matrix division ratio $t$ from the shared value $w$, then generate the submatrix $E_1$ from the server identifier $CJA_i$ and the user private key $cw_j$;
Rule 2: The parameter $w_2$ is defined as the submatrix $E_2$. Algorithm $f_c$ is described as: first produce the matrix division ratio $t$ from the shared value $w$, then generate the submatrix $E_2$ from the user identifier $VJA_j$ and the server private key $cw_i$;
Rule 3: Algorithm $g_{tbf}$ is described as steps 3 to 5 of the registration procedure; the registration template $R_{ji}$ is the feature ciphertext $H_{bg}$, and the random key $W_b$ is the random number factor;
Rule 4: Algorithm $g_{dvr}$ is described as steps (3) to (5) of the authentication procedure; the authentication template $N_{ji}$ is the feature ciphertext $H_{bg}^*$, and the random key $W_b^*$ is the random number factor;
Rule 5: Algorithm $a$ is described as steps (6) to (7) of the authentication procedure; if the covariance value of $H_w$ and $H_w^*$ is within the range of the given error $b$, matching succeeds, otherwise matching fails.
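The registration steps, the authentication steps and rule 5 above can be exercised end to end, including cancellation by changing the shared value $w$. The following Python code is an added example, not code from the patent. It assumes feature vectors instead of matrices, additive masking for both $B$ and $G$, a basis $E$ and binding key $W_g$ derived from $w$ alone through SHA-256 (the patent also binds identifiers and private keys), Pearson correlation against a threshold $b$ as the covariance test, and constructed sample features.

```python
import hashlib
import math
import random

M = 64  # feature dimension (constructed; the page does not fix one)


def _rng(label: bytes, w: bytes) -> random.Random:
    # Assumption: a SHA-256 digest of the shared value w seeds a deterministic generator.
    return random.Random(int.from_bytes(hashlib.sha256(label + b"|" + w).digest(), "big"))


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def derive_basis(w: bytes, m: int = M):
    """Orthonormal rows e_1..e_m: modified Gram-Schmidt over w-seeded Gaussian rows."""
    rng, rows = _rng(b"basis", w), []
    while len(rows) < m:
        v = [rng.gauss(0, 1) for _ in range(m)]
        for e in rows:
            d = dot(v, e)
            v = [x - d * y for x, y in zip(v, e)]
        norm = math.sqrt(dot(v, v))
        if norm > 1e-9:  # skip a (practically impossible) dependent draw
            rows.append([x / norm for x in v])
    return rows


def bind_key(w: bytes, k: int):
    """W_g for the matching domain; derived from w here so both sides agree (assumption)."""
    rng = _rng(b"bind", w)
    return [rng.gauss(0, 10) for _ in range(k)]


def make_template(Z, w: bytes, t: float, enrol: bool):
    """Registration steps 2-5 (enrol=True) or authentication steps (2)-(5) (enrol=False)."""
    E = derive_basis(w, len(Z))
    n = round(t * len(Z))                        # split point: t = n/m
    H = [dot(e, Z) for e in E]                   # H = E . Z
    mask = random.SystemRandom()                 # fresh W_b on every call
    H1b = [h + mask.gauss(0, 10) for h in H[:n]]
    H2 = H[n:]
    if enrol:                                    # key binding only at registration
        H2 = [h + g for h, g in zip(H2, bind_key(w, len(H2)))]
    coeffs = H1b + H2
    # Orthogonal fusion: sum_i coeffs[i] * e_i
    return [sum(c * e[j] for c, e in zip(coeffs, E)) for j in range(len(Z))]


def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [y - mb for y in b]
    den = math.sqrt(dot(da, da) * dot(db, db))
    return dot(da, db) / den if den else 0.0


def match(R, N, w: bytes, t: float, b: float = 0.9) -> str:
    """Steps (6)-(7): project both templates onto E_2, unbind R, compare."""
    E2 = derive_basis(w, len(R))[round(t * len(R)):]
    Hw = [dot(e, R) - g for e, g in zip(E2, bind_key(w, len(E2)))]
    Hw_star = [dot(e, N) for e in E2]
    return "accepted" if pearson(Hw, Hw_star) >= b else "rejected"


def demo():
    src = random.Random(7)                       # constructed sample features
    Z = [src.gauss(0, 1) for _ in range(M)]
    probe = [z + src.gauss(0, 0.05) for z in Z]  # same face, sensor noise
    other = [src.gauss(0, 1) for _ in range(M)]  # different face
    w_old, w_new, t = b"shared-value-1", b"shared-value-2", 0.5
    R = make_template(Z, w_old, t, enrol=True)
    return {
        "genuine": match(R, make_template(probe, w_old, t, False), w_old, t),
        "impostor": match(R, make_template(other, w_old, t, False), w_old, t),
        # After w changes, the template enrolled under the old w no longer matches.
        "revoked": match(R, make_template(probe, w_new, t, False), w_new, t),
    }


if __name__ == "__main__":
    print(demo())
```

In this simplified form the fused template equals the feature vector plus masks confined to the $E_1$ and $E_2$ subspaces, so how well it hides the features rests on the size of those masks and on keeping $E$ secret.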
Safety authentication system based on face feature cooperative protection
System architecture
The face-processing algorithms are implemented on the client. During identity authentication the client communicates with the server, and authentication data is written to the database. On the client, the face-processing algorithms are written into the security zone. The overall architecture of the system is shown in Fig. 5.
The whole system comprises three parts:
(1) the user: providing an original face and necessary identification information;
(2) User-end equipment: generates the parameters, the registration template and the authentication template. The face-related algorithms are implemented in a security zone. During registration, the specific shell generation module in the security zone collects the face, generates the registration template and passes it to the common-zone application, which forwards it to the application server. During authentication, the specific shell generation module in the security zone generates an encrypted authentication template from the original face and sends it to the application server through the common-zone application. Before authentication starts, the security zone performs a security evaluation of the user equipment and sends the evaluation result to the application server for verification.
(3) Server: stores the received face registration template in a database, looks up the registration template for an incoming authentication template by the identity the user provides, and calls the matching algorithm to match the registration template against the authentication template.
(II) System Module design
1. User-end equipment: generates the user's face-specific shell and completes the user-side operations of face identity authentication. It comprises a communication module, a face-specific shell generation module and a face acquisition module, and is designed as shown in Fig. 6.
The user end is divided into two parts: the client application and the program written into the security zone. Original face preprocessing, change item negotiation, and generation of the user's registration template and verification template are all performed in the security zone. During verification, the security zone performs a security evaluation of the client device and sends the evaluation result to the application server for verification in the change item negotiation stage. The client application is responsible for secure communication with the server; the security zone program implements face acquisition, change item negotiation, specific shell generation and security evaluation.
2. Server module: the server acts as the identity verifier and plays an important role in the whole system; it is designed as shown in Fig. 7.
The server is divided into two parts: the server program and the database. The server program performs change item negotiation with the client, verifies the authentication data sent by the user, retrieves the face-specific shell stored in the database and matches it against the authentication template; the database stores user registration templates. The server program comprises four parts: a communication module, change item negotiation, specific shell matching and specific shell storage.
(III) System registration Process design
Registration is the step a user must complete when first accessing the server from the associated application; only users who have registered successfully can obtain service. A security zone is introduced into the user-end equipment and operates independently during the process. The registration process executed by the system is shown in the flowchart of Fig. 8.
As shown in Fig. 8, the user opens an application that requires identity authentication, which triggers the face security authentication system, and the non-security-zone application sends an access request to the server. On receiving the access request, the server queries the database by the user identifier $VJA_j$ to check whether the user is registered; if the user is not registered, the user-end equipment and the server start change item negotiation. The security zone performs an integrity check on its own program, generates an evaluation report and sends the report, together with an intermediate result of the shared value being negotiated, to the server. The server checks the user-side evaluation report and, once the check passes, completes the change item negotiation with the user side. The user end negotiates the shared value $w$ and generates the parameters $w_1$, $w_2$; using these parameters, the client security zone module generates the registration template $R_{ji}$. The non-security-zone application on the user end sends the generated registration template to the server, which on receipt stores the registration template $R_{ji}$, the shared value $w$, the server parameter $w_2$ and the user identifier $VJA_j$ in the database.
(IV) System authentication Process design
After the user completes registration in the registration stage, the authentication process is triggered when the user accesses the server again, and under the condition that the security zone participates independently, the authentication process corresponding to the user authentication process executed by the system is shown in the flowchart of fig. 9.
As shown in Fig. 9, the user opens an application that requires identity authentication, which triggers the face security authentication system, and the non-security-zone application sends an access request to the server. On receiving the access request, the server queries the database by the user identifier $VJA_j$ to check whether the user is registered; if the user is registered, the user process starts. The security zone performs an integrity check on its own program, generates an evaluation report and sends it to the server together with the parameter request. The server checks the user-side evaluation report and, once the check passes, returns the shared value $w$ negotiated during registration to the user-side security zone. The user end generates the parameter $w_1$ from the shared value $w$, the user-side security zone module uses $w_1$ to generate the authentication template $N_{ji}$, and the non-security-zone application on the user side sends the generated authentication template to the server. On receiving the authentication template, the server queries the database by the user identifier $VJA_j$ for the registration template $R_{ji}$ and the server parameter $w_2$, performs the matching operation on $R_{ji}$ and $N_{ji}$, and returns the matching result, i.e. the authentication result, to the user-side application, so that the user learns whether authentication succeeded. The sequence diagram of the authentication process is shown in Fig. 10.

Claims (10)

1. A face feature collaborative protection safety authentication system under a public network is characterized in that a safety authentication model based on biological feature protection under a public network environment is respectively constructed from two aspects of a safety authentication protocol of face feature collaborative protection and a safety authentication system of face feature collaborative protection based on the face feature collaborative protection problem in a face safety authentication protocol, and a safety authentication framework with participation of two parties is provided;
firstly, a safety authentication protocol based on face feature collaborative protection comprises: the system comprises a safety authentication framework based on face feature collaborative protection, a face feature collaborative protection model, a certificateless public key and secret key collaborative protection system, a certificateless change negotiation protocol and a face feature collaborative protection method based on specific shell transformation; wherein, the face characteristic cooperative protection model comprises: model structural feature definition, a human face security authentication protocol and a protocol mathematical model;
combining the characteristics of the biological characteristic identity authentication under a public network environment and an authentication interaction process, obtaining a server, undertaking tasks of storing a characteristic specific shell and completing characteristic matching, and realizing cross-terminal identity authentication based on biological characteristics, designing a safety authentication framework based on face characteristic cooperative protection suitable for participation of two parties under a cross-terminal application scene, abstracting a characteristic cooperative protection algorithm based on a transformation technology, paying attention to the safety of the characteristic specific shell and authentication data, and providing safety guarantee on a face identity authentication interaction process;
secondly, the safety certification system based on face feature collaborative protection comprises: the system comprises a system overall architecture, a system module design, a system registration process design and a system authentication process design, and realizes an interactive flow from a bottom processing module to protocol authentication.
2. The system for the cooperative protection and the safety certification of the face features under the public network according to the claim 1 is characterized in that a safety certification framework for the cooperative protection of the face features under a central model is provided, a server executes matching operation, only an authentication template needs to be submitted during certification, and the server can carry out matching;
and (3) registration process: the method comprises the steps that a user side acquires associated information and necessary parameters of an application server, the user side acquires face data of a user, the user side binds an original face with a server identifier and generates a face specific shell in an irreversible transformation mode, and the user side sends the user identifier and the face specific shell to the application server;
and (3) authentication process: the method comprises the steps that a user side acquires the associated information and necessary parameters of an application server, the user side acquires user face data, the user side binds an original face with a server identifier and can not perform inverse transformation to generate an authentication template, then the authentication template and the user identifier are sent to a server, the server searches a registration template according to the user identifier, and the registration template is matched with the authentication template to complete the whole identity authentication;
the face characteristic cooperative protection algorithm is modeled, identity authentication is completed based on the face characteristic cooperative protection algorithm, a user terminal equipment registration protocol is designed, and evaluation of the environment and performance of the user terminal equipment and negotiation of a characteristic cooperative protection algorithm change item are achieved.
3. The system for face feature collaborative protection security authentication under the public network according to claim 1, wherein the model structure feature definition: the face feature collaborative protection model is divided into three modules, which are respectively: the system comprises a user registration template generation module, a user authentication template generation module and a specific shell matching module, wherein the user registration template generation module is completed in the registration process, and the latter two modules are completed in the authentication process;
the user-end equipment first scans the face of user $j$ through a face sensor to obtain the original face image $J_j$, then extracts features to obtain the face feature data $Z_j$; the face features are transformed using a specific shell transformation method that converts the feature data $Z_j$ into an encrypted specific shell; the transformation parameters are divided into user-side parameters and server-side parameters, the user-side parameters being used when a template is generated and the server-side parameters being used to de-transform the specific shell before specific shell matching; the transformation parameters are generated from a value shared by user $j$ and server $i$ and from their respective private keys, and the private keys of user $j$ and server $i$ do not directly participate in specific shell generation or specific shell matching;
Definition one: in the face feature cooperative protection model, $VJA_j$ denotes the identity of user $j$, $CJA_i$ denotes the identity of server $i$, the registration template stored by user $j$ on server $i$ is $R_{ji}$, and the authentication template generated when user $j$ authenticates is denoted $N_{ji}$;
Definition two: let the user-end equipment parameter be $w_1$, the server-side parameter $w_2$, the parameter shared between the user and the server $w$, the user private key $cw_j$, the server private key $cw_i$, the user-side parameter generation algorithm $f_s$ and the server-side parameter generation algorithm $f_c$; then:
$w_1 = f_s(w, cw_j, CJA_i)$, $w_2 = f_c(w, cw_i, VJA_j)$;
Definition three: let $t$ denote a random value and let the registration template generation algorithm of user $j$ be $g_{tbf}$; then:
$R_{ji} = g_{tbf}(Z_j, w_1, w_2, t)$;
Definition four: let the authentication template generation algorithm of user $j$ be $g_{dvr}$; then:
$N_{ji} = g_{dvr}(Z_j, w_1, t)$;
Definition five: let the specific shell matching algorithm of server $i$ be $a$, the visual value set by the system be $b$, and the matching result be $s$; then:
$s = a(R_{ji}, N_{ji}, w_2, b) \in \{\text{accepted}, \text{rejected}\}$;
algorithms $f_s$, $f_c$, $g_{tbf}$, $g_{dvr}$ and $a$ satisfying the following properties are designed to establish the face feature collaborative protection model, and the feature collaborative protection algorithm satisfies the following characteristics:
Characteristic one: the operations of algorithms $g_{tbf}$ and $g_{dvr}$ on the original feature data are irreversible, i.e. for algorithm $x$, without the random value $t$ used when the specific shell was generated, recovering the original face feature data $Z_j$ is computationally infeasible;
Characteristic two: the parameters are bound to the private keys and the binding is irreversible, i.e. given the parameter generation algorithms $f_s$ and $f_c$, recovering $cw_j$ from $w_1$ and recovering $cw_i$ from $w_2$ is computationally infeasible;
Characteristic three: the registration template $R_{ji}$ and the authentication template $N_{ji}$ are matchable, or become matchable after de-transformation with the parameter $w_2$, i.e. a similarity calculation can be carried out on $R_{ji}$ and $N_{ji}$;
the irreversibility of the operations on the raw feature data $Z_j$ and of the matching operation on the registration template and the authentication template guarantees the security of $Z$, and the specific shells $R_{ji}$ and $N_{ji}$ can be matched, which ensures that face authentication is usable.
4. The system for collaborative protection and security authentication of human face features under public network according to claim 1, wherein the human face security authentication protocol: the registration process of the face security authentication comprises the following steps:
Process one: between the user side and the server side: $w$, $w_2$, $VJA_j$, $CJA_i$
The user-end equipment and the server negotiate a shared parameter $w$ for generating their respective feature cooperative protection parameters $w_1$, $w_2$; the user side executes $w_1 = f_s(w, cw_j, CJA_j)$ and the server executes $w_2 = f_c(w, cw_i, VJA_i)$;
Process two: user side to server side: $R_{ji}$
The user-end equipment captures the original face $J_j$, extracts the feature data $Z_j$, generates the registration template $R_{ji}$ using the authentication template generation algorithm $g_{dvr}$ and sends it to the server; the server receives the specific shell $R_{ji}$ and stores $\{VJA_j, w, w_2, R_{ji}\}$ in its own database;
After the registration is completed, the authentication process of the user comprises the following steps:
Flow 1: user side to server side: $VJA_j$
The user end sends the identity $VJA_j$ of the user to be authenticated to the server;
Flow 2: server to user side: $w$
The server looks up the shared value $w$ by $VJA_j$ and sends it to the user-end equipment;
Flow 3: user side to server side: $N_{ji}$
The user-end equipment generates the parameter $w_1$ from the shared value $w$ and its private key $cw_j$, captures the original face $J_j$, extracts the feature data $Z_j$, generates the authentication template $N_{ji}$ using the authentication template generation algorithm $g_{tbf}$, and sends it to the server; the server looks up the registration template $R_{ji}$ by $VJA_j$, calls the specific shell matching algorithm $a$ to match it against the authentication template $N_{ji}$, and sends the matching result $s$ to the user-end equipment; if the result is accepted, authentication passes, otherwise service is refused; generation of the registration template and the authentication template depends on the shared value negotiated by the user-end equipment and the application server in the registration stage, and cancellation of the face-specific shell is realized by changing the shared value $w$.
5. The system for cooperative protection and security authentication of human face features under public network according to claim 1, wherein the protocol mathematical model is: the specific shell generation algorithm in the face feature cooperative protection model carries out reversible and irreversible transformation on features, and the definition of the face feature cooperative protection model based on the feature transformation comprises the following steps:
define six: face feature cooperative protection model based on feature transformations、fc、gtbf、gdvrAnd a, five algorithms are composed:
input user side private key cwjParameter generation algorithm fsOutput w1
Inputting the server private key cwiParameter generation algorithm fcOutput w2
Inputting user face feature data ZjUser side parameter w1Server parameter w2Algorithm output registration template Nji
Inputting user face feature data ZjAnd user side parameter w1Algorithm output authentication template Rji
Input registration template NjiAnd an authentication template RjiOutputting a matching result s by a specific shell matching algorithm, wherein s belongs to { accepted, rejected };
correctness: gtbfRegistration process for face identity authentication, { gdvrA, forming an authentication process of face identity authentication, a corresponding to a matching process of the face, acquiring an original face by a user side, defaulting to have enough protection on the original face, generating all specific shells at the user side, and protecting the specific shells by the whole model according to an implemented specific shell generation algorithm gtbf、gdvrAnd parameters w, w participating in the algorithm1,w2
Feasibility: by algorithm fcGenerated parameter w2With the server private key cwiBinding, Algorithm fcEnsuring private key cwiSecurity of (2), register template RjiAnd an authentication template NjiAdding random number factor to ensure original face feature not to be revealed, RjiAnd NjiAt w2Is matched.
6. The system for face feature collaborative protection and security authentication under a public network according to claim 1, wherein the certificateless public key and secret key collaborative protection system comprises: the key pairs of the user side and the server are obtained by the following method:
let $S_j$ denote member $j$ of the system, with identifier $SJA_j$; the key agreement steps are:
Step 1: $S_j$ → key generation system: $v_j$, $SJA_j$
$S_j$ sets a random number
Figure FDA0003430452000000041
as part of its own master key, where
Figure FDA0003430452000000042
is a multiplicative subgroup of $F_q$ and $F_q$ is a finite cyclic group, and computes the partial key pair
Figure FDA0003430452000000043
$S_j$ starts negotiating a complete key pair with the key generation system: $S_j$ sends $v_j$ and its own $SJA_j$ to the key generation system;
Step 2: key generation system → $S_j$: $k_j$, $AW_j$
The key generation system sets a random number
Figure FDA0003430452000000044
computes the partial key pair
Figure FDA0003430452000000045
and, from $v_j$ and the user's $SJA_j$, computes $V_j = H_1(SJA_j, k_j, v_j)$ and the partial private key $AW_j$, where $H_1$ is a specific hash function; it then sends the partial public key $k_j$ and the partial private key $AW_j$ to $S_j$;
after receiving $AW_j$ and $k_j$, $S_j$ first computes $V_j = H_1(SJA_j, k_j, v_j)$ and $AW_j$, then checks the validity of $AW_j$; if it is valid, $S_j$ computes the private key $C_j = AW_j + x_j$ and the public key $(k_j, v_j)$, obtaining the complete key pair $\{(C_j, x_j), (k_j, v_j)\}$; otherwise it discards $AW_j$ and $k_j$ and returns to step 1 to restart key negotiation.
7. The system for collaborative protection and security authentication of human face features under public network according to claim 1, wherein the method for collaborative protection of human face features based on specific shell transformation comprises: the biometric specific shell is transformed into $G(BR, Z)$ under a random key $Z$; transformations are of two types, reversible and irreversible; with a reversible transformation the key $Z$ is used to recover the original biometric specific shell $BR$; with an irreversible transformation $Z$ is a one-way key, and the original biometric specific shell cannot be recovered from the transformed result even if $Z$ is known; the definition of the face feature cooperative protection model requires an irreversible transformation of the original feature data;
The face feature collaborative protection method based on the specific shell transformation comprises a registration process and an authentication process:
(1) Registration procedure
Step 1: Collect an original face image of the user and extract features to obtain a feature matrix $Z$;
Step 2: Generate a specific shell transform matrix $E = \{e_1, e_2, \ldots, e_m\}$ and perform the orthogonal operation $H = E \cdot Z$ on the feature matrix $Z$ to obtain the orthogonal decomposition coefficients $H = \{h_1, h_2, \ldots, h_m\}$;
Step 3: Decompose the specific shell transform matrix $E$ into two independent submatrices $\{E_1, E_2\}$ according to a preset proportion $t$, where $E_1 = \{e_1, e_2, \ldots, e_n\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1, H_2\}$, with $H_1 = \{h_1, h_2, \ldots, h_n\}$ and $H_2 = \{h_{n+1}, h_{n+2}, \ldots, h_m\}$, where $t = H_1/H = n/m$;
Step 4: Apply face encryption to $H_1$: let the encryption operation be $B$ and $W_b$ a randomly generated key; the encryption of $H_1$ is then $H_{1b} = B(H_1, W_b)$; apply key binding to $H_2$: let the binding operation be $G$ and $W_g$ the key to bind; the binding of $H_2$ is then $H_{2g} = B(H_2, W_g)$;
Step 5: Perform the orthogonal fusion operation on $H_{1b}$ and $H_{2g}$ to obtain the feature ciphertext $H_{bg} = E_1 \cdot H_{1b} + E_1 \cdot H_{1b}$;
(2) Authentication procedure
Step (1): Collect an original face image of the user and extract features to obtain a feature matrix $Z^*$;
Step (2): Generate an orthogonal matrix $E^* = \{e_1^*, e_2^*, \ldots, e_n^*, e_{n+1}, e_{n+2}, \ldots, e_m\} = \{E_1^*, E_2\}$ and perform the orthogonal operation $H^* = E^* \cdot Z^*$ on the feature matrix $Z^*$ to obtain the orthogonal decomposition coefficients $H^* = \{h_1^*, h_2^*, \ldots, h_m^*\}$;
Step (3): Decompose the orthogonal matrix E into two independent submatrices $\{E_1^*, E_2\}$ according to a preset proportion $t$, where $E_1^* = \{e_1^*, e_2^*, \ldots, e_n^*\}$ and $E_2 = \{e_{n+1}, e_{n+2}, \ldots, e_m\}$; the corresponding orthogonal decomposition coefficients are divided into $\{H_1^*, H_2^*\}$, with $H_1^* = \{h_1^*, h_2^*, \ldots, h_n^*\}$ and $H_2^* = \{h_{n+1}^*, h_{n+2}^*, \ldots, h_m^*\}$, where $t = H_1/H = n/m$;
Step (4): Apply face encryption to $H_1^*$ to obtain $H_{1b}^* = B(H_1^*, W_b^*)$, and let $H_{2g}^* = H_2^*$;
Step (5): Perform the orthogonal fusion operation on $H_{1b}^*$ and $H_{2g}^*$ to obtain the feature ciphertext $H_{bg}^* = E_1^* \cdot H_{1b}^* + E_2^* \cdot H_{2e}^*$;
Step (6): Use $E_2$ to perform orthogonal decomposition on $H_{bg}$ and $H_{bg}^*$ and extract the matching-domain features $H_w = G^{-1}(E_2 \cdot Z_{bg}, E_2) = H_{2g} - E_2 = H_2$ and $H_w^* = E_2 \cdot Z_{bg}^* = H_2^*$;
Step (7): Compute the covariance value of $H_w$ and $H_w^*$ to complete specific shell matching;
face feature collaborative protection model rules based on specific shell transformation:
Rule 1: the parameter $w_1$ is defined as the submatrix $E_1$; algorithm $f_s$ is described as: first produce the matrix division ratio $t$ from the shared value $w$, then generate the submatrix $E_1$ from the server identifier $CJA_i$ and the user private key $cw_j$;
Rule 2: the parameter $w_2$ is defined as the submatrix $E_2$; algorithm $f_c$ is described as: first produce the matrix division ratio $t$ from the shared value $w$, then generate the submatrix $E_2$ from the user identifier $VJA_j$ and the server private key $cw_i$;
Rule 3: algorithm $g_{tbf}$ is described as steps 3 to 5 of the registration procedure; the registration template $R_{ji}$ is the feature ciphertext $H_{bg}$, and the random key $W_b$ is the random number factor;
Rule 4: algorithm $g_{dvr}$ is described as steps (3) to (5) of the authentication procedure; the authentication template $N_{ji}$ is the feature ciphertext $H_{bg}^*$, and the random key $W_b^*$ is the random number factor;
Rule 5: algorithm $a$ is described as steps (6) to (7) of the authentication procedure; if the covariance value of $H_w$ and $H_w^*$ is within the range of the given error $b$, matching succeeds, otherwise matching fails.
8. The system for face feature collaborative protection security authentication under the public network according to claim 1, wherein the overall system architecture is as follows: the face processing association algorithm is implemented on the client, which communicates with the server during identity authentication; authentication data are written into the database; on the client, the face processing association algorithm is written into a security zone; the whole system comprises three parts:
(1) User: provides the original face and the necessary identification information;
(2) User-side equipment: performs parameter generation, registration template generation and authentication template generation, with the face-related algorithms implemented in the security zone; during registration, the specific shell generation module of the security zone collects the face, generates the registration template and sends it to the common zone application program, which forwards it to the application server; during authentication, the specific shell generation module of the security zone generates and encrypts the authentication template from the original face and sends it to the application server through the common zone application program; before authentication starts, the security zone performs a security evaluation of the user equipment and sends the evaluation result to the application server for verification;
(3) Server: responsible for storing the received face registration template in a database, looking up the database by the identity the user provides to obtain the registration template for the authentication template, and calling a matching algorithm to match the registration template against the authentication template.
9. The system for face feature collaborative protection security authentication under the public network according to claim 1, wherein the system registration process is designed as follows: registration is the step that must be carried out when a user accesses the server in the associated application for the first time; only a successfully registered user can obtain the service; a security zone is introduced into the user terminal equipment, and the security zone exists independently in the process;
the user opens an application program that requires identity authentication, which triggers the face security authentication system, and the application program in the non-security zone sends an access request to the server; after receiving the access request, the server queries the database by the user identification $VJA_j$ to check whether the user is registered, and if the user is not registered, the user-side equipment and the server start change item negotiation; the security zone performs an integrity check on its own program, generates an evaluation report, and sends the evaluation report together with an intermediate result of the shared value to be negotiated to the server; the server checks the user-side evaluation report and, after the check passes, completes change item negotiation with the user side; the user side negotiates the shared value $w$ and generates the parameters $w_1, w_2$; using these parameters, the user-side security zone module generates the registration template $R_{ji}$; the application program in the user-side non-security zone sends the generated registration template to the server; after receiving it, the server stores the registration template $R_{ji}$, the shared value $w$, the server parameter $w_2$ and the user identification $VJA_j$ in the database.
10. The system for face feature collaborative protection security authentication under the public network according to claim 1, wherein the system authentication process is designed as follows: after the user has completed registration in the registration stage, the authentication process is triggered when the user accesses the server again; with the security zone participating independently, the user opens an application program that requires identity authentication, which triggers the face security authentication system, and the application program in the non-security zone sends an access request to the server; after receiving the access request, the server queries the database by the user identification $VJA_j$ to check whether the user is registered, and starts the user process if the user is registered; the security zone performs an integrity check on its own program, generates an evaluation report, and sends the evaluation report to the server together with the parameter request; the server checks the user-side evaluation report and, after the check passes, returns the shared value $w$ negotiated during registration to the user-side security zone; the user side generates the parameter $w_1$ from the shared value $w$; the user-side security zone module uses the parameter $w_1$ to generate the authentication template $N_{ji}$; the application program in the user-side non-security zone sends the generated authentication template to the server; after receiving the authentication template, the server queries the database by the user identification $VJA_j$ for the registration template $R_{ji}$ and the server parameter $w_2$, performs the matching operation on the registration template $R_{ji}$ and the authentication template $N_{ji}$, and returns the matching result, that is, the authentication result, to the user-side application program, so that the user knows whether authentication succeeded.
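Added example, not part of the patent text: a pure-Python implementation of registration steps 3 to 5 and authentication steps (1) to (7) of claim 7, showing that projecting both fused templates onto $E_2$ recovers the matching-domain coefficients without touching the encrypted $E_1$ part or its key $W_b$. Assumptions: features are a vector rather than a matrix, `mask` is an additive keystream standing in for both $B$ and $G$ (not a secure cipher), fusion is taken as $E_1^T H_{1b} + E_2^T H_{2g}$, the unbinding key is $W_g$, and the covariance is normalised and compared with an assumed bound $b = 0.1$; all function names, seeds and data are constructed.

```python
import random

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def orthonormal_rows(seed, count, dim, against=()):  # modified Gram-Schmidt
    rng, rows = random.Random(seed), []
    while len(rows) < count:
        v = [rng.gauss(0, 1) for _ in range(dim)]
        for u in list(against) + rows:            # remove every earlier direction
            d = dot(u, v)
            v = [a - d * b for a, b in zip(v, u)]
        norm = dot(v, v) ** 0.5
        rows.append([a / norm for a in v])
    return rows

def project(E, z):                      # H = E·Z, one coefficient per basis row
    return [dot(e, z) for e in E]

def mask(H, key, sign=1):               # ASSUMED stand-in for B and G; sign=-1 inverts
    rng = random.Random(key)
    return [h + sign * rng.gauss(0, 10) for h in H]

def template(z, E1, E2, Wb, Wg=None):   # R_ji when Wg is given, N_ji when it is not
    H1b = mask(project(E1, z), Wb)      # encrypt the E1 coefficients
    H2g = mask(project(E2, z), Wg) if Wg else project(E2, z)   # bind (registration only)
    rows, coeffs = E1 + E2, H1b + H2g   # ASSUMED fusion: E1^T·H1b + E2^T·H2g
    return [sum(h * e[k] for e, h in zip(rows, coeffs)) for k in range(len(z))]

def similarity(a, b):                   # covariance normalised to [-1, 1]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    ca, cb = [x - ma for x in a], [y - mb for y in b]
    return dot(ca, cb) / (dot(ca, ca) * dot(cb, cb)) ** 0.5

def is_match(R, N, E2, Wg, b=0.1):      # steps (6)-(7): needs only E2 and Wg
    Hw, Hw_star = mask(project(E2, R), Wg, -1), project(E2, N)
    return 1 - similarity(Hw, Hw_star) <= b

def demo(m=64, n=32):                   # constructed data, t = n/m = 0.5
    E2 = orthonormal_rows("server-w2", m - n, m)
    E1 = orthonormal_rows("user-w1", n, m, against=E2)
    rng = random.Random(7)
    z = [rng.gauss(0, 1) for _ in range(m)]           # enrolled face features
    same = [x + rng.gauss(0, 0.02) for x in z]        # fresh capture, same face
    other = [rng.gauss(0, 1) for _ in range(m)]       # different face
    R = template(z, E1, E2, "wb-enrol", "wg")
    err = max(abs(a - b) for a, b in zip(mask(project(E2, R), "wg", -1), project(E2, z)))
    return (err, is_match(R, template(same, E1, E2, "wb-session"), E2, "wg"),
            is_match(R, template(other, E1, E2, "wb-other"), E2, "wg"))
```

`demo()` returns the error in recovering $H_2$ from the stored template, followed by the match decisions for a genuine and an impostor capture; the enrolment and session keys $W_b$ differ, yet the genuine capture still matches because matching never reads the $E_1$ domain.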
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111595747.2A CN114036485A (en) 2021-12-23 2021-12-23 Face characteristic cooperative protection safety authentication system under public network

Publications (1)

Publication Number Publication Date
CN114036485A (en) 2022-02-11

Family

ID=80141051

Country Status (1)

Country Link
CN (1) CN114036485A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117408395A (en) * 2023-12-14 2024-01-16 成都乐超人科技有限公司 Method and device for optimizing running stability of wind control platform based on digital supply chain
CN117408395B (en) * 2023-12-14 2024-04-02 成都乐超人科技有限公司 Method and device for optimizing running stability of wind control platform based on digital supply chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination