CN101631020A - Identity authentication system combining fingerprint identification and PKI system - Google Patents


Info

Publication number
CN101631020A
Authority
CN
China
Prior art keywords
fingerprint
certificate
identity
authentication
pki
Legal status
Pending
Application number
CN200810040644A
Other languages
Chinese (zh)
Inventor
李智勇
黄海深
王晓敏
Current Assignee
SHANGHAI FERLY DIGITAL TECHNOLOGIES Co Ltd
Original Assignee
SHANGHAI FERLY DIGITAL TECHNOLOGIES Co Ltd

Abstract

The invention relates to an identity authentication system combining fingerprint identification and a PKI system in the technical field of information security. It comprises a certificate identity authentication subsystem, a fingerprint identity authentication subsystem, a service terminal and an intelligent password fingerprint instrument. The certificate identity authentication subsystem, the fingerprint identity authentication subsystem and the service terminal are connected with one another through a network, and the intelligent password fingerprint instrument is directly connected to the service terminal. The certificate identity authentication subsystem is used for network identity authentication and ensures secure data communication between the subsystems. The fingerprint identity authentication subsystem consists of a fingerprint verification server which stores personnel fingerprints and identity information, supports encryption, can transmit fingerprint templates on request to the certificate identity authentication subsystem, the service terminal and the intelligent password fingerprint instrument, and can verify fingerprint templates on request and return whether or not they match. The security strength of the identity authentication system is greatly strengthened.

Description

Identity authentication system combining fingerprint identification with a PKI system
Technical field
The present invention relates to a system in the field of information security technology, specifically an identity authentication system in which fingerprint identification is combined with a PKI system.
Background technology
Information security concerns the whole process of collecting, storing, transmitting and accessing information. Whether the person performing an operation on information is legitimate, and unauthorised damage to information, both affect information security; the various identification technologies exist precisely to establish the match, or consistency, between an operator and the operation performed on the information. In the past, identity authentication mostly used passwords, tokens and similar means. These means are still widely used today; although they are simple and convenient to set up, they suffer from many inherent shortcomings, such as being easily lost, forgotten, copied or stolen.
Broadly speaking, any system that provides public key encryption and digital signature services can be called a PKI (public key infrastructure) system. The main purpose of PKI is to manage keys and certificates automatically so as to establish a secure networked operating environment for users, in which encryption and digital signature technology can be used conveniently across many application environments, thereby guaranteeing the confidentiality, integrity and validity of online data. Confidentiality means that data cannot be read by unauthorised persons in transit; integrity means that data cannot be illegally tampered with in transit; validity means that data cannot be repudiated. A typical, complete and effective PKI application system should have at least the following parts: public key certificate management; issuing and management of blacklists (revocation lists); key backup and recovery; automatic key renewal; automatic management of historical keys; support for cross-certification.
Because the PKI architecture is at present a comparatively mature and complete Internet security solution, a number of large foreign network security companies have launched series of PKI-based network security products: security product suppliers such as Verisign, IBM and Entrust in the United States provide users with a series of client-side and server-side security products, giving security assurance to the development of e-commerce. All advanced online banks in the world are based on the PKI system.
The now widely used PKI system is derived from cryptography. The most important problem in the whole PKI system is key management. The management of the private key determines the security of the whole PKI, so the carrier of the private key is also the most fragile part of the whole system. For key security, the currently popular form is two-factor authentication, that is, keeping the certificate (private key) in a trusted hardware carrier (a Smart Card, a USB Key device, etc.). Even so, risks such as loss and theft still exist.
Biometric identification technology is undoubtedly the preferred means of identity authentication. Fingerprint identification is the most widely used technology in the field of biometrics, mainly because the fingerprint collection process is simple, the collection equipment is relatively cheap, and fingerprint comparison algorithms are relatively mature after long-term optimisation. Fingerprint characteristics are part of the human body: they cannot be lost and there is no need to worry about leaving them behind; they are unique to each person and cannot be duplicated, so there is no concern about theft. Using fingerprint identification as a means of identity authentication is therefore safe, accurate and reliable. However, because of its inherent nature, biometric identification cannot achieve one hundred percent accurate identification, and so it is not fully competent on its own for application scenarios in which no error may occur.
Summary of the invention
The present invention addresses the above deficiencies of the prior art by providing an identity authentication system in which fingerprint identification is combined with a PKI system. It proposes a technical scheme combining fingerprint identification with PKI technology: the authenticity of a person is determined by fingerprint identity recognition technology, a digital certificate assists in making an accurate judgement of the person's identity and guarantees the legitimacy of both parties to a communication, and digital signature technology guarantees the integrity of data and the security of storage.
The present invention is achieved through the following technical solution. It comprises a certificate identity authentication subsystem, a fingerprint identity verification subsystem, a service terminal and an intelligent cipher fingerprint instrument, wherein:
The certificate identity authentication subsystem, the fingerprint identity verification subsystem and the service terminal are connected to one another by a network, and the intelligent cipher fingerprint instrument is directly connected to the service terminal. The certificate identity authentication subsystem is used for identity authentication on the network and guarantees secure data communication between the subsystems. The fingerprint identity verification subsystem consists of a fingerprint verification server, in which personnel fingerprints and identity information are stored. The fingerprint verification server supports encryption: it can accept and store encrypted fingerprint templates from the intelligent cipher fingerprint instrument, it can issue fingerprint templates on request to the certificate identity authentication subsystem, the service terminal and the intelligent cipher fingerprint instrument, and it can verify a fingerprint template on request and return whether or not it matches.
The certificate identity authentication subsystem, i.e. the PKI system, is responsible for the following operations: 1. adding, deleting, changing and querying operator information and organisation information; 2. issuing, revoking and freezing digital certificates; 3. signature verification services and data encryption services.
The fingerprint identity verification subsystem is responsible for the following operations: 1. adding, deleting and modifying fingerprint identification data; 2. fingerprint query and comparison services.
The service terminal, as the verification terminal, cooperates with the certificate identity authentication subsystem and the fingerprint identity verification subsystem respectively and supplies input to each.
The intelligent cipher fingerprint instrument is responsible for collecting the fingerprints of personnel accessing the system (referred to as operators for short). Fingerprint collection is completed inside the intelligent cipher fingerprint instrument, which generates the fingerprint template (fingerprint feature data). It has built-in memory that stores the fingerprint feature information together with the operator's digital certificate, keys and so on, and at the same time it sends this information, via the service terminal, to the certificate identity authentication subsystem and the fingerprint identity verification subsystem, which return feedback information, so achieving dual authentication (i.e. two-factor authentication).
The certificate identity authentication subsystem comprises: a CA certification centre (certificate authority centre), an RA (registration authority) registration centre together with the RA registration centres of branches, an AA authorisation server, an LDAP (Lightweight Directory Access Protocol) server and the SSL (Secure Sockets Layer) protocol. These sub-modules cooperate with one another to provide the security services of a PKI trust infrastructure externally. The instruction flows between them follow mature international standards, including ITU X.509 and ITU X.500, wherein:
The CA certification centre is the core of the PKI public key infrastructure. Its main functions are generating and issuing certificates, generating and issuing certificate revocation lists (CRLs), publishing certificates and CRLs to the directory server, and maintaining the certificate database and the audit log database. As the trusted third party in e-commerce transactions, it specifically solves the problem of the legitimacy of public keys in the PKI system.
The CA certification centre may be layered into a headquarters CA and a root CA, where the headquarters CA is the CA system of the organisation using this system, and the root CA is an industry-wide or even nationwide CA system that provides legitimacy verification for the organisation's CA system.
The RA registration centre is the body that handles the application, review and registration of digital certificates. It is an extension of the CA certification centre, and logically RA and CA are one whole; it is mainly responsible for providing the certificate registration, review and issuance functions.
The AA (Authentication and Authorization) authorisation server provides user information management, authentication and authorisation for the system administrator.
The LDAP (Lightweight Directory Access Protocol) server stores and unifies user information, certificates and authorisation information; LDAP/DB is the database server that implements this function.
SSL (Secure Sockets Layer) is the protocol widely used on the Internet for authentication and secure data communication between web servers and client-side browsers.
The fingerprint verification server comprises a database, a comparison algorithm module and an encryption/decryption module. The database can be any relational database, such as SQL Server, Sybase, Informix, DB2 or Oracle. The comparison algorithm module and the encryption/decryption module set up in the database a site organisation table, a site equipment table, a personnel table, a fingerprint template table, an operation log table and a system administrator table, establishing in these tables the correspondence between personnel fingerprint information and personnel numbers in the business system. This forms a personnel organisation and post rights management system that provides site organisation management, equipment management, post rights management, fingerprint template management and operation log management.
The intelligent cipher fingerprint instrument comprises a main processing chip and a COS (Chip Operating System) management system. It is responsible for collecting the fingerprints of personnel accessing the system (i.e. operators), and has built-in memory holding the fingerprint feature information (i.e. fingerprint templates), the operator's digital certificate, keys and so on. The security of the data inside the intelligent cipher fingerprint instrument is therefore extremely important.
The main processing chip is a security chip that implements the following functions: on-chip key management (key generation, key storage, key update, etc.); on-chip signing and authentication (supporting public key algorithms such as RSA and ECC); downloading and executing custom algorithms, and high-speed encryption and decryption (supporting the DES/3DES algorithms and various special-purpose algorithms, including national cipher algorithms, implemented as custom algorithms). The private key is kept in the security chip and never leaves it, which guarantees the absolute security of the private key.
The COS management system manages the storage of the digital certificate, private key and fingerprint template inside the intelligent cipher fingerprint instrument. The CA certification centre sends instructions to the intelligent cipher fingerprint instrument through a defined program interface, and the instrument responds accordingly, so the system has strong resistance to illegal intrusion.
The intelligent cipher fingerprint instrument collects the fingerprint information of personnel accessing the system (i.e. operators). This is the core of the security problem, and it can be organised differently according to the scale of the system. If the system is small, fingerprints are collected centrally at a designated place, eliminating at the root any illegitimate correspondence between a fingerprint and a person's identity that might otherwise arise. If the system is large, fingerprint collection can adopt a hierarchical management model, establishing an administrative mechanism combining three levels: headquarters administrators, branch administrators and operating-agency administrators. According to the scale of the organisational structure and of the information system, RA operators can be set up at headquarters or at branches to complete the review and entry of operator information and the generation of authorisation codes. It is recommended that the fingerprint registration process, carried out against an authorisation code, be completed at a branch, to safeguard the security of the system.
When the present invention operates, the corresponding business flows are as follows:
1. Adding an operator
The RA enters and reviews the operator information → a fingerprint authorisation code is generated → the fingerprint identification system registers the fingerprint against the authorisation code → the front desk downloads the digital certificate to the fingerprint instrument against the authorisation code → subsequent business flows such as login and authorisation.
2. Deleting an operator
A. The RA revokes the certificate → deletes the certificate information and the user information → deletes the fingerprint information from the fingerprint system → deletes the operator's fingerprint template and digital certificate from the fingerprint instrument.
3. Modifying an operator
A. The operating agency verifies the fingerprint of the responsible person → deletes the operator's fingerprint template and digital certificate from the fingerprint instrument.
B. The RA revokes the certificate → deletes the certificate and the user information → runs the add-operator flow (without fingerprint registration).
4. Login and encryption flow
The fingerprint instrument verifies the fingerprint internally → extracts the digital certificate → produces a digital signature → the certificate authentication centre verifies the digital signature → subsequent business processing.
5. Authorisation flow
Fingerprint information is collected → the fingerprint authentication centre verifies the identity → subsequent authorisation flow.
By combining the fingerprint biometric characteristic with the PKI system, this authentication system can well solve the weakness of a pure PKI system in which the certificate/private key carrier is used by unauthorised personnel, and at the same time overcome the false-acceptance problem that exists in fingerprint identification, greatly strengthening the security of the identification system. In theory, when a PKI fingerprint authentication instrument is used, the probability that information is obtained by unauthorised personnel approaches 0. Because the present invention innovatively combines biometric identification technology with the PKI system, it solves the vulnerability in the way the certificate (private key) is currently held in PKI systems, greatly strengthens the security of the whole PKI authentication system, and will give a strong impetus to the development of PKI systems, thereby improving the security of information systems. Compared with the prior art, the present invention has the following beneficial effects:
1. The communication between the fingerprint template and the fingerprint verification server is encrypted with the asymmetric algorithm of the PKI system, ensuring that the fingerprint template cannot be disclosed even if it is intercepted. Most existing fingerprint verification terminals (fingerprint instruments) upload fingerprint templates as unencrypted data; once intercepted, the template can be illegally copied and used, and so loses its function as an authentication factor. Some fingerprint verification terminals now claim to encrypt the uploaded template data, but because they are not combined with PKI they can only use a symmetric algorithm, so if the encryption password leaks the template can still be illegally copied. In the PKI system a certificate is introduced and, together with the encryption algorithm, digest algorithm and so on, it guarantees that communication between the intelligent cipher fingerprint instrument and the fingerprint verification server cannot be broken even after interception, and that the communication process cannot be interfered with.
2. Traditional certificate terminals such as USB Keys verify the legitimacy of an identity through the PKI system, but because they cannot distinguish between different users, a certificate terminal can only be used by one person. In theory a USB Key can distinguish users by password, but passwords leak easily, which would make the certificate terminal a weak link in the whole PKI system, so this is basically not done in practice. In the system of the present invention the intelligent cipher fingerprint instrument serves as the certificate terminal; it can hold the fingerprint templates and certificates of multiple users, and by establishing the association between each user's fingerprint template and that user's certificate, different users can be distinguished on the same certificate terminal (intelligent cipher fingerprint instrument), so that each user can only invoke the certificate corresponding to him or her. The same certificate terminal can thus be used by several people at the same time while the security of the system is maintained.
3. Fingerprint collection is completed inside the intelligent cipher fingerprint instrument, and the download of fingerprint templates (fingerprint feature data) from the fingerprint identity verification subsystem is entirely encrypted, which guarantees the security of fingerprint templates (fingerprint feature data) in transit. The system of the present invention thus solves, by encryption, the fingerprint data leakage vulnerability of traditional fingerprint verification systems. In the system of the present invention, even if a fingerprint template is intercepted in transit, the interceptor cannot obtain the fingerprint features and therefore cannot pass fingerprint verification with a forged fingerprint.
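The login and encryption flow (item 4 above), the binding of each operator's fingerprint template to his or her own certificate on a shared instrument (beneficial effect 2) and the revoke-first order of the delete-operator flow (item 2), as an added example written for this page and not taken from the patent or the assignee's products. It models the instrument, the CA centre and the CRL in Python; the textbook RSA with demo-grade prime generation, the minutiae matcher, the operator names and the threshold are constructed stand-ins, not the security chip's real algorithms.

```python
import hashlib
import json
import secrets

# Toy textbook RSA: a constructed stand-in for the security chip's on-chip RSA.
def _random_prime(bits):
    """Random prime via a Fermat test on a few bases (demo-grade, not production)."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11)):
            return n

def keygen(bits=256):
    """Return ((e, n), (d, n)) for the public and private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    return pow(_digest(msg, priv[1]), priv[0], priv[1])

def verify(pub, msg, sig):
    return pow(sig, pub[0], pub[1]) == _digest(msg, pub[1])

def _cert_body(cert):
    """Canonical bytes of the fields the CA signs (everything but 'sig')."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

class CertificateAuthority:
    """CA centre: issues certificates, keeps the CRL, verifies login signatures."""
    def __init__(self):
        self.pub, self._priv = keygen()
        self.crl = set()                       # serials revoked by the RA

    def issue(self, subject, subject_pub):
        cert = {"serial": secrets.token_hex(8), "subject": subject, "pub": list(subject_pub)}
        cert["sig"] = sign(self._priv, _cert_body(cert))
        return cert

    def revoke(self, cert):                    # first step of the delete-operator flow
        self.crl.add(cert["serial"])

    def verify_login(self, cert, challenge, sig):
        """Return 'ok: <subject>' or the reason the login is rejected."""
        if cert["serial"] in self.crl:
            return "rejected: certificate revoked"
        if not verify(self.pub, _cert_body(cert), cert["sig"]):
            return "rejected: certificate not issued by this CA"
        if not verify(tuple(cert["pub"]), challenge, sig):
            return "rejected: bad signature"
        return "ok: " + cert["subject"]

def template_match(enrolled, live, threshold=0.8):
    """Toy matcher over constructed minutiae tuples (x, y, angle): fraction re-seen."""
    return len(enrolled & live) / len(enrolled) >= threshold

class FingerprintInstrument:
    """Intelligent cipher fingerprint instrument: templates and private keys never leave
    the device; a login releases only the matching user's certificate and a signature."""
    def __init__(self):
        self._slots = []                       # (template, certificate, private key)

    def enroll(self, template, cert, priv):
        self._slots.append((template, cert, priv))

    def remove(self, subject):                 # last step of the delete-operator flow
        self._slots = [s for s in self._slots if s[1]["subject"] != subject]

    def login(self, live_template, challenge):
        for template, cert, priv in self._slots:
            if template_match(template, live_template):
                return cert, sign(priv, challenge)
        return None                            # no enrolled finger matched

def run_scenario():
    """Constructed walk-through: two operators enrolled on one shared instrument."""
    ca, device = CertificateAuthority(), FingerprintInstrument()
    alice_fp = frozenset((7 * i, 3 * i, i % 8) for i in range(10))   # constructed minutiae
    bob_fp = frozenset((5 * i + 1, 11 * i, i % 6) for i in range(10))
    for name, fp in (("alice", alice_fp), ("bob", bob_fp)):
        pub, priv = keygen()                   # generated on-chip in the real device
        device.enroll(fp, ca.issue(name, pub), priv)
    challenge, out = secrets.token_bytes(16), {}
    cert, sig = device.login(frozenset(list(alice_fp)[:8]), challenge)  # 8 of 10 minutiae seen
    out["alice"] = ca.verify_login(cert, challenge, sig)     # unlocks her certificate only
    out["stranger"] = device.login(frozenset({(1, 2, 3)}), challenge)
    out["replay"] = ca.verify_login(cert, secrets.token_bytes(16), sig)
    bob_cert, bob_sig = device.login(bob_fp, challenge)
    ca.revoke(bob_cert)                        # delete-operator flow: RA revokes first...
    out["bob_revoked"] = ca.verify_login(bob_cert, challenge, bob_sig)
    device.remove("bob")                       # ...and the instrument is wiped last
    out["bob_wiped"] = device.login(bob_fp, challenge)
    return out
```

Note that the CA checks the CRL before the signature, so a wiped-but-not-revoked certificate would still be accepted; this is why the delete flow revokes at the RA first.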
The present invention can be widely applied in the following settings:
1. login authentication for transaction systems such as online banking and Internet securities;
2. information systems with strict industry and site requirements for identity authentication, such as e-government, classified information networks and the financial industry;
3. security assurance for information systems at all five levels defined in the "Information Security Classified Protection Administrative Measures" announced by the Ministry of Public Security, the State Secrecy Bureau, the State Commercial Cryptography Administration Office and others, and in particular for information systems at level three and above.
Description of drawings
Fig. 1 is a schematic structural diagram of the system of the present invention.
Fig. 2 is a schematic flow diagram of the encryption of the fingerprint template during the fingerprint template collection process of the present invention.
Embodiment
The embodiments of the invention are described in detail below with reference to the drawings. The present embodiment is implemented on the premise of the technical solution of the present invention and gives a detailed implementation, but the protection scope of the present invention is not limited to the following embodiment.
As shown in Fig. 1, the present embodiment comprises a certificate identity authentication subsystem, a fingerprint identity verification subsystem, a service terminal and an intelligent cipher fingerprint instrument, wherein: the certificate identity authentication subsystem, the fingerprint identity verification subsystem and the service terminal are connected to one another by a network, and the intelligent cipher fingerprint instrument is directly connected to the service terminal. The certificate identity authentication subsystem is used for identity authentication on the network and guarantees secure data communication between the subsystems. The fingerprint identity verification subsystem consists of a fingerprint verification server, in which personnel fingerprints and identity information are stored. The fingerprint verification server supports encryption: it can accept and store encrypted fingerprint templates from the intelligent cipher fingerprint instrument, it can issue fingerprint templates on request to the certificate identity authentication subsystem, the service terminal and the intelligent cipher fingerprint instrument, and it verifies a fingerprint template on request and returns whether or not it matches.
The certificate identity authentication subsystem, i.e. the PKI system, is responsible for the following operations: 1. adding, deleting, changing and querying operator information and organisation information; 2. issuing, revoking and freezing digital certificates; 3. signature verification services and data encryption services.
The fingerprint identity verification subsystem is responsible for the following operations: 1. adding, deleting and modifying fingerprint identification data; 2. fingerprint query and comparison services. Its specific parameters are as follows:
Operating system: Windows 98/SE, Windows ME, Windows 2000, Windows XP
Hardware interface: USB (universal serial bus), USB 1.1/2.0
Capacity: 256M-4G
Read/write speed: read 30M/s, write 20M/s
False rejection rate (FRR): ≤ 1%
False acceptance rate (FAR): ≤ 0.0001%
Built-in algorithms: RSA (1024/2048)/ECC192/SCB2
Certificates and standards: PKCS#11, CSP, X.509v3, SSLv3, IPSec
Working temperature: -10 ℃ to 70 ℃
Security design: the product has passed the Ministry of Public Security security product test
Service life: > 1,000,000 operations
Described service terminal cooperatively interacts with certificate identity authentication subsystem and the input of fingerprint identity validation subsystem respectively as verification terminal.
Described intelligent cipher fingerprint instrument, it is responsible for the connecting system personnel fingerprint of (promptly being called for short the operator), fingerprint is finished in the intelligent cipher fingerprint instrument and is gathered and generate fingerprint template (fingerprint characteristic data), and be built-in with memory, storage fingerprint characteristic information, the digital certificate that the operator is correlated with, key etc. also are sent to certificate identity authentication subsystem and fingerprint identity validation subsystem realization double authentication (being double factor authentication) by service terminal with feedback information simultaneously.
Described certificate identity authentication subsystem, comprise: the RA registration center of ca authentication center, RA registration center and branch, AA authorization services device, LDAP Lightweight Directory Access Protocol server, SSL secure socket layer protocol, above-mentioned submodule cooperates cooperation each other, the security service of PKI foundation of trust facility externally is provided, instruction flow therebetween has ripe international standard, the international standard that relates to comprises that X.509 ITU reaches ITU and X.500 wait, wherein:
The ca authentication center is the core of PKI PKIX, it mainly finish generation/grant a certificate, generation/grant a certificate revocation list (CRL), issue certificate and CRL to LIST SERVER, safeguard functions such as certificate database and audit log storehouse, as the third party who is trusted in the e-commerce transaction, solve the legitimacy problem of PKI in the PKI system specially.
The ca authentication center can classification: CA of general headquarters and root CA, wherein the CA of general headquarters refers to use the CA system of the tissue of native system, and root CA refers to CA professional or even nationwide system, for the CA system of this tissue provides legitimate verification.
RA registration center is the mechanism of application, audit and the registration of digital certificate, is the extension at ca authentication center, and logically RA and CA are an integral body, mainly are responsible for the function that certificate registration is provided, examines and issues licence.
AA (Authentication and Authorization) authorization services device provides the management of user profile, authentication and authorization for the system manager.
LDAP (Lightweight Directory Access Protocol) Lightweight Directory Access Protocol server, storage and uniform user profile, certificate and authorization message, LDAP/DB is a database server of realizing this function.
SSL (Secure Sockets Layer) secure socket layer protocol, the authentication that is widely used on the Internet is communicated by letter with the data security between Web server and the user side browser.
Described fingerprint authentication server, comprise: database and alignment algorithm module, encrypting-decrypting module, database can be any relevant database such as SQLSERVER/SYBASE/INFORMIX/DB2/ORECAL etc., alignment algorithm module and encrypting-decrypting module have been set up site mechanism table in database, the site equipment list, person chart, the fingerprint template table, the Operation Log table, system manager's table, set up personnel's finger print information and operation system personnel's number corresponding relation in the table, formation personnel mechanism and post Rights Management System, thus provide the site organization management, equipment control, the post rights management, the fingerprint template management, Operation Log Management.
Described intelligent cipher fingerprint instrument, comprise main process chip and COS (Chip OperatingSystem) management system, be responsible for connecting system personnel's (being the operator) fingerprint, and built-in memory, deposit fingerprint characteristic information (being fingerprint template), the digital certificate that the operator is correlated with, key etc.Therefore, safety of data is extremely important in the intelligent cipher fingerprint instrument.
Described main process chip adopts safety chip, is achieved as follows function: key management on the sheet (key generation, key storage, key updating etc.); Signature and authentication (can support public key algorithms such as RSA, ECC territory) on the sheet; Tailor-made algorithm is downloaded and is carried out and high data rate encryption and decryption (support the DES/3DES algorithm and comprise the close various special purpose system algorithms of doing tailor-made algorithm of state).Private key leaves in the safety chip, never goes out chip, thereby has guaranteed the being perfectly safe property of private key.
Described COS management system, be used for the storage in the intelligent cipher fingerprint instrument of managing digital certificate, private key and fingerprint template, the ca authentication center is initiated instruction by the routine interface of realizing defining to the intelligent cipher fingerprint instrument, the intelligent cipher fingerprint instrument responds in view of the above, thereby the illegal invasion of system is had very strong antijamming capability.
Described intelligent cipher fingerprint instrument, gather connecting system personnel's (being the operator) finger print information, it is the core of safety problem, can be in different ways: if system scale is less according to system scale, take the concentrated collection of appointed place, avoiding the illegal correspondence that may exist on fingerprint and the personnel identity from root; If system scale is bigger, fingerprint collecting work can be taked the pattern of differentiated control, sets up the administrative mechanism of the keeper of general headquarters, the keeper of branch, three grades of combinations of operating agency keeper separately.According to the scale of institutional framework and information system, can RA operator be set in general headquarters or branch, finish the work and the generation of audit and typing operator message.Carry out the process that fingerprint is registered according to authorization code, the suggestion place is that branch finishes, with the safety of safeguards system.
Figure 2 shows the fingerprint template encryption process within the fingerprint template collection process: first the responsible person (the operator) initiates a fingerprint collection request from the service terminal; the intelligent cipher fingerprint instrument prompts the operator to present a fingerprint; the instrument encrypts the fingerprint data and uploads the encrypted fingerprint template; after decryption, confirmation information is returned.
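The Figure 2 upload and the server-side checks it feeds, as an added Go example that is not code from the patent or from the assignee's product: the device keeps its RSA key private and signs the encrypted template, the fingerprint server verifies that signature before decrypting, and the stored template is compared with a Hamming-distance threshold standing in for a real matcher. The template bytes, operator ids and thresholds are constructed; for brevity the template is encrypted directly with RSA-OAEP (at most 190 bytes under a 2048-bit key), where a product would wrap a symmetric key, and the device certificate is represented only by its public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"math/bits"
)
// mustKey generates an RSA key pair; each party keeps its private half to itself.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Device models the instrument: only Public and Sign reach the key, so the private key never leaves the "chip".
type Device struct {
	key      *rsa.PrivateKey
	template []byte // template produced by the sensor (constructed sample data)
}

func NewDevice(template []byte) *Device { return &Device{mustKey(), template} }
func (d *Device) Public() *rsa.PublicKey { return &d.key.PublicKey }

// Sign is the device's only private-key operation; it also answers a server nonce in certificate-based authentication.
func (d *Device) Sign(msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify checks a device signature with the public key taken from its certificate.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Envelope is the Figure 2 upload: template encrypted with RSA-OAEP to the server, plus the device's signature over it.
type Envelope struct{ Ciphertext, Signature []byte }

func (d *Device) EncryptTemplate(serverPub *rsa.PublicKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, d.template, nil)
	if err != nil {
		return nil, err // e.g. template longer than OAEP allows (190 bytes here)
	}
	return &Envelope{ct, d.Sign(ct)}, nil
}

// Server models the fingerprint verification server: it decrypts uploads and keeps templates per operator.
type Server struct {
	key       *rsa.PrivateKey
	templates map[string][]byte
}

func NewServer() *Server { return &Server{mustKey(), map[string][]byte{}} }
func (s *Server) Public() *rsa.PublicKey { return &s.key.PublicKey }

// Enroll checks the device signature before decrypting, so a rogue device or a tampered upload stores nothing.
func (s *Server) Enroll(operator string, devicePub *rsa.PublicKey, e *Envelope) error {
	if !Verify(devicePub, e.Ciphertext, e.Signature) {
		return errors.New("upload signature invalid")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, e.Ciphertext, nil)
	if err != nil {
		return err
	}
	s.templates[operator] = pt
	return nil
}

// Match stands in for fingerprint comparison: equal-length templates match within maxDiff differing bits.
func (s *Server) Match(operator string, presented []byte, maxDiff int) bool {
	stored, ok := s.templates[operator]
	if !ok || len(stored) != len(presented) {
		return false
	}
	diff := 0
	for i := range stored {
		diff += bits.OnesCount8(stored[i] ^ presented[i])
	}
	return diff <= maxDiff
}
```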
The parameters of the intelligent cipher fingerprint instrument are as follows:
Sensor type: reflective capacitive area fingerprint sensor
Chip: manufacturer FingerPrint Card, model FPC1011C
Sensor service life: 1,000,000 operations
Detection technology: reflective 3D fingerprint acquisition, with live-finger detection
Detection location: dermis
Resolution: 363 DPI
Applicability: good applicability to dry or wet fingers, dirty fingers and damaged fingers
Memory: 8M; stores up to 1100 fingerprint records with 160 bytes of user information per user, expandable to 2400 records
Operating temperature: -10 °C to 55 °C
Storage temperature: -20 °C to 60 °C
Relative humidity: 20% to 90%
Vibration: 10-55 Hz, 0.35 mm, 1 octave/min, 30 min per cycle in each of the X, Y and Z directions
Communication interface: RS232, RS458, USB 1.1
RS232 parameters: 8 data bits, no parity, 1 stop bit
RS232 baud rate: adjustable from 1200 bps to 115200 bps
In the present embodiment, fingerprint recognition, public/private key pair generation, key protection, certificate storage and various cryptographic algorithms are realized. The performance indices for certificate and key operations are:
1) Read data: an X.509 v3 certificate is about 2 KB, so the test data size for the smart key read/write speed was set to 2 KB. Reading 2 KB of data 50 times consecutively took an average of 650 ms per operation.
2) Write data: writing 2 KB of data 50 times consecutively took an average of 1800 ms per operation.
3) Generating a 1024-bit key pair: to protect the private key, keys are generated by the chip inside the fingerprint USB key. All computations involving the private key are completed inside the fingerprint USB key, and the private key can never be read out. In the test, 50 consecutive 1024-bit key pair generations averaged 10 seconds each. Public-key encryption takes about 40 ms, private-key decryption about 790 ms, private-key signing about 750 ms and public-key decryption about 50 ms.
4) Versatility: the fingerprint KEY provides an interface conforming to the widely adopted Microsoft CryptoAPI standard, so it can easily meet application development needs.
Electromagnetic compatibility: anti-static ±15 kV
Anti-electromagnetic interference: meets the International Electrotechnical Commission FCC standard

Claims (10)

1. An identity authentication system combining fingerprint identification with a PKI system, characterized in that it comprises: a certificate identity authentication subsystem, a fingerprint identity authentication subsystem, a service terminal and an intelligent cipher fingerprint instrument, wherein: the certificate identity authentication subsystem, the fingerprint identity authentication subsystem and the service terminal are connected to one another through a network; the intelligent cipher fingerprint instrument is directly connected to the service terminal; the certificate identity authentication subsystem is used for identity authentication on the network and guarantees secure data communication between the subsystems; the fingerprint identity authentication subsystem consists of a fingerprint verification server in which personnel fingerprints and identity information are stored; the fingerprint verification server supports encryption, can accept and store encrypted fingerprint templates from the intelligent cipher fingerprint instrument, can issue fingerprint templates on request to the certificate identity authentication subsystem, the service terminal and the intelligent cipher fingerprint instrument, and can verify a fingerprint template on request and return whether or not it matches.
2. The identity authentication system combining fingerprint identification with a PKI system according to claim 1, characterized in that the certificate identity authentication subsystem, i.e. the PKI system, is responsible for the following operations: (1) adding, deleting, modifying and querying operator information and organization information; (2) issuing, revoking and freezing digital certificates; (3) signature verification services and data encryption services.
3. The identity authentication system combining fingerprint identification with a PKI system according to claim 1, characterized in that the fingerprint identity authentication subsystem is responsible for the following operations: (1) adding, deleting and modifying fingerprint identification data; (2) fingerprint query and comparison services.
4. The identity authentication system combining fingerprint identification with a PKI system according to claim 1, characterized in that the certificate identity authentication subsystem comprises: a CA authentication center, a headquarters RA registration center and branch RA registration centers, an AA authorization server, an LDAP (Lightweight Directory Access Protocol) server and the SSL (Secure Sockets Layer) protocol; these submodules cooperate with one another to provide the security services of the PKI (public key infrastructure) externally; the instruction flows between them follow mature international standards, including ITU X.500 and ITU X.509, wherein:
The CA authentication center is the core of the PKI; it mainly generates and issues certificates, generates and issues certificate revocation lists, publishes certificates and CRLs to the directory server, and maintains the certificate database and the audit log database; as the trusted third party in e-commerce transactions, it specifically solves the problem of the legitimacy of public keys in the PKI system;
The CA authentication center can be tiered into a headquarters CA and a root CA, where the headquarters CA is the CA system of the organization using this system, and the root CA is an industry-wide or even nationwide CA system that provides legitimacy verification for the organization's CA system;
The RA registration center is the body that handles the application, audit and registration of digital certificates; it is an extension of the CA authentication center, and logically RA and CA form one whole; it is mainly responsible for certificate registration, approval and issuance;
The AA authorization server provides user information management, authentication and authorization for system administrators;
The LDAP server stores user information, certificates and authorization information in a unified way; LDAP/DB is the database server that realizes this function;
The SSL protocol is widely used on the Internet for identity authentication and secure data communication between Web servers and client-side browsers.
5. The identity authentication system combining fingerprint identification with a PKI system according to claim 1, characterized in that the fingerprint verification server comprises: a database, a comparison algorithm module and an encryption/decryption module; the database can be any relational database; the comparison algorithm module and the encryption/decryption module set up in the database a site organization table, a site equipment table, a personnel table, a fingerprint template table, an operation log table and a system administrator table, and establish in these tables the correspondence between personnel fingerprint information and the personnel numbers of the business system, forming a personnel organization and post rights management system that provides site organization management, equipment management, post rights management, fingerprint template management and operation log management.
6. The identity authentication system combining fingerprint identification with a PKI system according to claim 1, characterized in that the intelligent cipher fingerprint instrument is responsible for collecting the fingerprints of personnel accessing the system; fingerprint collection and fingerprint template generation are completed inside the intelligent cipher fingerprint instrument; it has built-in memory that stores fingerprint feature information and the operator's related digital certificates, keys and so on; and it sends the feedback information through the service terminal to the certificate identity authentication subsystem and the fingerprint identity authentication subsystem to realize dual authentication.
7. The identity authentication system combining fingerprint identification with a PKI system according to claim 1 or 6, characterized in that the intelligent cipher fingerprint instrument comprises a main processor chip and a COS management system, is responsible for collecting the fingerprints of personnel accessing the system, and has built-in memory storing fingerprint feature information and the operator's related digital certificates and keys.
8. The identity authentication system combining fingerprint identification with a PKI system according to claim 7, characterized in that the main processor chip is a security chip implementing the following functions: on-chip key management; on-chip signing and authentication; download and execution of custom algorithms and high-speed encryption and decryption; the private key is stored inside the security chip and never leaves it, thereby guaranteeing the security of the private key.
9. The identity authentication system combining fingerprint identification with a PKI system according to claim 7, characterized in that the COS management system manages the storage of digital certificates, private keys and fingerprint templates in the intelligent cipher fingerprint instrument; the CA authentication center issues instructions to the intelligent cipher fingerprint instrument through a program interface that implements the defined protocol, and the instrument responds accordingly, which gives the system strong resistance to illegal intrusion.
10. The identity authentication system combining fingerprint identification with a PKI system according to claim 1 or 6, characterized in that the intelligent cipher fingerprint instrument collects the fingerprint information of personnel accessing the system, which is the core of the security problem and can be handled in different ways according to the system scale: if the system is small, collection is concentrated at a designated location, which eliminates at the root any illegitimate correspondence between fingerprints and personnel identities; if the system is large, fingerprint collection can adopt a hierarchical management model, establishing a three-level administrative mechanism with separate headquarters administrators, branch administrators and operating-unit administrators; according to the scale of the organization and of the information system, RA operators can be set up at headquarters or at branches to complete the auditing, entry and generation of operator information; the fingerprint registration process, carried out with an authorization code, is recommended to be completed at the branch in order to safeguard system security.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN200810040644A (published as CN101631020A, status Pending)  2008-07-16  2008-07-16  Identity authentication system combining fingerprint identification and PKI system

Publications (1)

Publication Number  Publication Date
CN101631020A (en)  2010-01-20

Family ID: 41575981

Country Status (1)

Country  Link
CN (1)  CN101631020A (en)



Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C02   Deemed withdrawal of patent application after publication (patent law 2001)
WD01  Invention patent application deemed withdrawn after publication

Open date: 20100120