CN101945114A - Identity authentication method based on fuzzy vault and digital certificate - Google Patents
Identity authentication method based on fuzzy vault and digital certificate Download PDFInfo
- Publication number
- CN101945114A CN101945114A CN2010102898707A CN201010289870A CN101945114A CN 101945114 A CN101945114 A CN 101945114A CN 2010102898707 A CN2010102898707 A CN 2010102898707A CN 201010289870 A CN201010289870 A CN 201010289870A CN 101945114 A CN101945114 A CN 101945114A
- Authority
- CN
- China
- Prior art keywords
- user
- digital certificate
- fingerprint
- minutiae point
- vault
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Collating Specific Patterns (AREA)
Abstract
The invention relates to an identity authentication method based on a fuzzy vault and a digital certificate, wherein the digital certificate and fingerprint identification are combined in a smart card, so that the digital identity and the physical identity of a user correspond to realize the identity authentication with high safety. The method comprises the following steps of: firstly generating an RSA key pair in a user UK, and sending a public key and relevant registration information to an RA for auditing by the user UK; when the auditing is passed, transferring user information to a CA for verification by the RA; after the verification is successful, generating the digital certificate for the user and sending to the user to be stored in the UK by the CA; and inputting a fingerprint in the UK by the registered user, extracting the true detail points in the fingerprint, dispensing the true detail points into the UK and a fingerprint server, and locking the PIN of the UK by the true detail points of the user, so that the digital certificate stored in the UK and a corresponding private key can be safely protected. In order to reduce the calculation amount of the smart card, a secret sharing method is introduced, so that only when the information in both the smart card and the server can be obtained, the PIN of the smart card can be recovered to release the digital certificate containing the private key.
Description
Technical field
The invention belongs to the crossing domain of information security technology and biological identification technology, relate in the information security technology based on the authentication of digital certificate and the fingerprint fuzzy vault in the biological identification technology, be specially a kind of two strong factor identity identifying method, be applicable to high-end user or have the high degree of safety client identity authentication of special requirement to authenticate based on fuzzy vault and digital certificate.
Background technology
Identity identifying technology is the first road barrier of network security and information system security, is in computer network, to confirm the process of operator's identity and the solution that produces, and be a research field that receives much concern in the information security epoch.
Our real world of life is a real physical world, and everyone has unique physical identity.Now we also live in the digital world, and all information comprise that user's identity information all is to represent with one group of specific data in the computer network world.Computer can only be discerned user's digital identity, and all also carry out at the number identity user's mandate.How to guarantee with the visitor that digital identity is operated to be exactly the lawful owner of this digital identity, that is to say that the physical identity that guarantees the operator is corresponding with digital identity, become an important safety problem.The birth of identity identifying technology is exactly in order to address this problem.
Identification authentication mode commonly used mainly contains usemame/password mode, digital certificate, IC-card/smart card authentication, dynamic password, biological characteristic mode etc. in computer and the network system now.
From the condition that authentication need be verified, identity identifying technology can also be divided into single-factor authentication and double factor authentication.Only verify that by a condition technology of a personal identification is called the single-factor authentication.Relative double factor, the single-factor authentication is easier of counterfeit, because it only uses a kind of condition judgment user's identity.Prove a people's identity by making up two kinds of different conditions during double factor authentication, fail safe is significantly improved.
General system applies digital certificate carries out authentication now.People adopt and have realized authentication, safe transmission, non-repudiation, functions such as data integrity based on the digital certificate of PKI.In fact, digital certificate is that the public-key cryptography with the certificate holder carries out related proof with holder's identity, can allow communication parties confirm the legal identity of holder relievedly.Use digital certificate to realize that authentication needs emphasis to consider how to guarantee the safety of certificate corresponding private key, the private key of certificate correspondence is stored in the hard disk of computer dangerous, and any user that can access certificate may visit the private key that obtains this certificate correspondence.If adopt to encrypt storage, depositing of encryption key also is an important problem, and malicious user may be deleted and carries out the encrypted secret key data.Adopt the security intensity of password encryption not enough, the length of password has determined the security intensity that can reach.In order to guarantee the safety of digital certificate corresponding private key, the best way is that the digital certificate that will comprise private key is kept in the smart card, and this is a kind of authentication mode that generally adopts at present.Private key is grasped by the user, has solved the defective of certificate PC storage, has improved the fail safe of authentication to a certain extent, and smart card can be preserved private key, and can finish work such as digital signature.But this technology also has some big potential safety hazards, be that this kind mode needs the user to import PIN code when authentication, PIN code may be monitored or interception by victim, thereby thoroughly do not solve hacker's interception or monitor PIN code, the risk of analog subscriber operation, the risk that also exists smart card to lose or falsely used by the people when stolen simultaneously.
Summary of the invention
The problem to be solved in the present invention is the safe storage problem at the above-mentioned digital certificate corresponding private key of mentioning, propose a kind of " double strong factor authentication " method, be applicable to high-end user or have in the high degree of safety client identity authentication authentication of special requirement based on fuzzy vault and digital certificate.
Technical scheme of the present invention is: the customer digital certificate that generates is stored in the user smart card; protect the PIN of smart card again with user fingerprints fuzzyvault; simultaneously in order to alleviate the computation burden of smart card; adopted secret shared method, relevant secret computing has been distributed on smart card and the server.The safety certification of PKI that this scheme is further perfect.
Specifically comprise following content:
(1) at user's registration phase, the RSA key that at first generates the user in registered user's smart card is right; Registered user's smart card sends pk to digital certificate registration mechanism then
UAnd related registration information.The checking user's of digital certificate registration mechanism log-on message guarantees that registered user's identity is legal, and whether reexamine registered user's private key is that it has; If audit is passed through, digital certificate registration mechanism passes to the digital certificate authentication center to user's log-on message and carries out necessary checking.If successfully by checking, the digital certificate authentication center generates digital certificate to the registered user, and with the private key of oneself digital certificate is signed, and issues the registered user again, and has a digital certificate record.Digital certificate that generates and corresponding private key are stored in the user smart card.Digital certificate can be used for encryption or signature etc.; Next the registered user imports fingerprint, and fingerprint feature point extracts from user's registered fingerprint image, is called true minutiae point.Respectively true minutiae point is distributed in smart card and the fingerprint server, and with the name a person for a particular job PIN locking of user smart card of user's details in fingerprint.Thereby the exclusive digital certificate of user successfully generates, and is stored in the smart card, and the PIN of smart card is bound by the user fingerprints minutiae point.
(2) the user fingerprints Qualify Phase is to import reconstruct multinomial the fingerprint from the user, with the step of the PIN of the UK that discharges the fingerprint minutiae binding.Because user's true minutiae point is distributed to respectively in smart card and the fingerprint server, when the information in therefore and if only if server and the smart card all can get, fingerprint with validated user, just can successful reconstruct multinomial, to smart card PIN sign indicating number release wherein, and discharge digital certificate and corresponding private key thereof, be used for the safety encipher and the signature of back information interaction.
(3) at the user fingerprints Qualify Phase, the user that need communicate imports fingerprint respectively and verifies in the UK of oneself, discharge the PIN that is bound to user smart card wherein after being proved to be successful separately, in user UK separately, comprise private key sk thereby discharge safe storage
UDigital certificate.User both sides can use digital certificate data are encrypted or to sign, to guarantee the fail safe of data in transmission course, integrality, and non repudiation.
The present invention adopts fingerprint fuzzy vault to come the PIN of smart card is encrypted, thus the private key of digital certificate in the safeguard protection smart card.Therefore the digital certificate that uses corresponding private key to be under the high safety environment carries out authentication, and fail safe and credibility are significantly improved.This programme has following advantage:
1, because the uniqueness of fingerprint; and its direct end user's physical features is represented everyone digital identity; hardly may be by counterfeit; come the PIN code of encrypted smart card with fingerprint; private key obtains the high safety protection; really recognize people and do not recognize thing, do not have the loss problem, therefore also fundamentally avoided the problem of forward secrecy.
2, digital certificate is the core element of PKI, and it is that the entity identities in the virtual network world proves, is that the third party's ca authentication mechanism with authority, credibility and fairness signs and issues.Digital certificate has been set up a kind of contact between the public affairs/private key that the holder had of an identity and this identity.Smart card is mainly used in the sign of storage user identity and carries out the computing of security related information, the digital certificate that comprises private key properly can be stored in the smart card.Biological characteristic authentication is to utilize intrinsic physiological property of human body or behavioural characteristic to differentiate personal identification by computer.It directly utilizes people's physical features to represent everyone digital identity, hardly may be by counterfeit.Therefore on smart card in conjunction with the advantage of digital certificate authentication and biological characteristic authentication, just can realize " the double strong factor authentication " of high safety.
3, Fuzzy vault scheme is to be used for one of the most comprehensive mechanism of safe biologic authentication and cryptographic key protection, by biological characteristic and key are bound in the framework of an encryption, can protect the safety of key and biological template.Protect the PIN of smart card by the fuzzy vault that uses fingerprint, guarantee that digital certificate in the smart card and corresponding private key only by user's use, make data encryption and digital signature more reliable.Solved the security bottleneck of smart card, determined holder's identity, protected the private key of digital certificate, improved the safe class of digital certificate management, can effectively finish the management of personal certificate with fingerprint with fingerprint.The use that the user opens digital certificate in the smart card by the authentication fingerprint has only by finger print identifying and just can carry out identity validation.Make the user exempt the memory password, lose password, or even lose the worry of smart card, really accomplish to recognize people simultaneously and do not recognize thing, improved fail safe.
4, aiming at is a very important step in the fingerprint fuzzy vault scheme, the amount of calculation of alignment work is bigger for the limited smart card of computing capability, in order to improve the speed that smart card authentication calculates, adopted secret shared method, alignment work is distributed on the smart card, the speed of fingerprint matching is greatly improved.
5, adopt the secret method of sharing, more hash point can be added to advance among the vault, make the true point of wherein hiding safer.Finger print information is distributed in smart card and the fingerprint server simultaneously, only obtains the information in the smart card or only obtain information in the fingerprint server, all can't the reconstruct multinomial discharge the PIN of smart card.And if only if when the both can get, and validated user just can pass through finger print identifying smoothly under the collaborative work of smart card and server, to the smart card release and discharge digital certificate and the private key of wherein preserving thereof, therefore makes system safer.
Description of drawings
Fig. 1 is an authenticating user identification system flow chart among the present invention
Fig. 2 is the user's registration phase and the schematic flow sheet in fingerprint authentication stage among the present invention
Fig. 3 is the schematic flow sheet of digital certificate operational phase among the present invention
Symbol description
PKI: PKIX
PIN: personal identification number
UK: user smart card
CA: digital certificate authentication center
RA: digital certificate registration mechanism
FS: fingerprint server
Pk
U: the PKI of digital certificate among the UK
Sk
U: the private key of digital certificate among the UK
Sk
CA: the private key of CA
RI: user's registration information
K
AB: symmetric session keys
R: random number
M1, M2: minutiae point set
AI: fingerprint alignment information
CO
Q (x): the coefficient of multinomial Q (x)
Embodiment
Major programme of the present invention is combination in smart card with digital certificate and finger print identifying, make user's digital identity corresponding with physical identity, the customer digital certificate that will comprise corresponding private key simultaneously is stored in the smart card, use user fingerprints fuzzy vault that the PIN of this smart card is encrypted, reach the authentication purpose of high safety thus.In order to alleviate the computation burden of smart card, adopted secret shared method simultaneously.Alignment work is distributed in the fingerprint server, when the information in make that and if only if smart card and the server all can get, just can successfully recovers the PIN of smart card, thereby discharge the digital certificate that wherein comprises private key.
This programme has solved the security bottleneck of smart card, determines holder's identity with fingerprint, promotes the safe class of key management, is applied to authentication, has thoroughly solved the security risk that exists in existing technology and the method, can finish the management of personal certificate effectively.The user opens smart card by the authentication fingerprint, has only by finger print identifying and just can carry out identity validation.The worry that makes the user exempt the memory password and lose password is really accomplished to recognize people simultaneously and is not recognized thing, has improved fail safe.
Authenticating user identification system flow chart of the present invention as shown in Figure 1, at first, it is right to generate RSA key in user UK, user UK sends PKI and the related registration information correctness to the RA msu message, after audit was passed through, RA passed to CA with user profile and verifies.After checking, CA Generates Certificate for the user and sends to the user and be stored among the user UK.The registered user imports fingerprint in UK, the true minutiae point in the fingerprint is extracted out, respectively true minutiae point is distributed in UK and the fingerprint server, with the name a person for a particular job PIN locking of UK of user's details in fingerprint.
Below in conjunction with the accompanying drawing in the specification, the technical scheme of this invention is carried out detailed, complete description according to user's registration phase, user fingerprints Qualify Phase and digital certificate operational phase:
One, user's registration phase
User's registration phase schematic flow sheet of the present invention as shown in Figure 2, key step is described below:
Step 1.1: it is right to generate RSA key in registered user's UK: PKI pk
UWith private key sk
U
Step 1.2: the pk that generates among registered user's the UK
UBe sent to RA with registered user's related registration information RI, RA at first verifies registered user's RI, guarantees that registered user's identity is legal, reexamines registered user's private key sk
UWhether be that it has, process is: RA generates random number r, the PKI pk that sends over the registered user
UR is encrypted, and send it back the registered user.If the registered user can be with its private key sk
UR is decrypted to random number, and then this registered user has this private key sk
U
The agreement flow process of step 1.2 is among Fig. 2:
UK→RA:pk
U‖RI
RA→UK:R=E
pkU[r]
UK→RA:r=D
skU[R]
Step 1.3: if audit is passed through, RA passes to CA to registered user's RI, and CA carries out necessary checking.If successfully by checking, CA generates digital certificate to the registered user, and with oneself private key sk
CADigital certificate is signed, issue the registered user again, and have a certificate record.The certificate that generates can be used for encryption or signature etc.;
The agreement flow process of step 1.3 is among Fig. 2:
RA→CA:RI
CA→RA:RI‖pkU‖S
skCA[RI‖pk
U]
So far, digital certificate successfully generates, and is stored among the UK.
Step 1.4: the registered user imports fingerprint in UK, minutiae point takes the fingerprint from the registered fingerprint image, these fingerprint minutiaes are defined as true minutiae point, and the true minutiae point of a part wherein is distributed among the FS, and the fingerprint minutiae among UK and the FS locks the PIN of UK jointly then;
The concrete steps that wherein relate to are divided into:
(1) at first with the additional error-checking code CRC16 of the PIN of UK as coefficient, make up the multinomial P (x) on n rank, select the set M1 of n minutiae point from user's registered fingerprint, register in UK, the set M2 of remaining j minutiae point composition is registered among the FS.N true minutiae point among the minutiae point set M1 that stores among the UK is at territory F=GF (2
16) in be encoded as element, to the mapping value of the encoded radio evaluator P (x) of the true minutiae point of n, generate s at random respectively
UKIndividual and the irrelevant hash point of multinomial P (x) are used for protecting the true minutiae point of UK, and the hash point of n true minutiae point and generation is carried out vault among the scramble generation UK, i.e. vault
UK, and be stored among the user UK.
UK:vault
UK
(2) go up at multinomial P (x) and select i arbitrarily, (the individual point different with a front n minutiae point of i≤n) as coefficient, constructed (2i-1) rank multinomial Q (x) on the FS with this i error-checking code CRC16 of x-y coordinate affix that puts.Be distributed to j the true minutiae point of the minutiae point set M2 of FS, at territory F=GF (2
16) in be encoded as element, respectively to the mapping value of the encoded radio evaluator Q (x) of the true minutiae point of this j.Generate s at random
FSIndividual and the irrelevant hash point of multinomial Q (x) are with the true minutiae point among the protection FS.The hash point of the true minutiae point of j and generation is carried out vault among the scramble generation FS, i.e. vaultFS, and be stored among the FS.
FS:vault
FS
Therefore, the PIN of UK is by vault
UKAnd vault
FSCommon protection.
Two, user fingerprints Qualify Phase
The user fingerprints Qualify Phase is to import reconstruct multinomial P (x) the fingerprint from the user, to discharge the PIN of UK.Because multinomial P (x) is the n rank, the true minutiae point that is registered among the UK has only n, uses Lagrange's interpolation reconstruct multinomial P (x), need possess (n+1) individual true minutiae point at least.Therefore only possesses the true minutiae point of storing among the UK, can't reconstruct multinomial P (x), need use the coefficient of the multinomial Q (x) that the true minutiae point registered among the UK and FS reconstruct simultaneously, could use Lagrange's interpolation to reconstruct multinomial P (x).
The user fingerprints Qualify Phase schematic flow sheet of this programme as shown in Figure 2, key step is described below:
Step 2.1: the checking user imports fingerprint in UK, from the checking minutiae point that takes the fingerprint the fingerprint image, it is transferred among the FS, at first in FS to the minutiae point that extracts be stored in vault among the FS
FSTrue minutiae point between carry out fingerprint and aim at, generate alignment information AI, this alignment information AI is transferred to UK, is used for minutiae point and the vault of UK to extracting
UKAligning between the true minutiae point of middle storage is to alleviate the amount of calculation of smart card;
The agreement flow process of step 2.1 is among Fig. 2:
FS→UK:AI
Step 2.2: use the alignment result and the error-checking code CRC16 of step 2.1, to user rs authentication fingerprint minutiae that sends to FS and the vault that is stored among the FS
FSTrue minutiae point carry out minutiae point coupling, to obtain vault
FSIn true minutiae point, thereby use multinomial Q (x) among the Lagrange's interpolation reconstruct FS.If successfully reconstruct multinomial Q (x), then with the multinomial coefficient CO that reconstructs
Q(x) send to UK, otherwise it fails to match, need re-enter user fingerprints and verify;
The agreement flow process of step 2.2 is among Fig. 2:
FS→UK:CO
Q(x)
Step 2.3: the alignment information AI that uses FS to send, in checking user UK to the fingerprint minutiae of input be stored in vault
UKIn true minutiae point carry out fingerprint and aim at.This simple aligned operation will be carried out in real time, even on the controlled UK of resource.Use this alignment result, in checking user UK to the fingerprint minutiae of input be stored in vault
UKIn true minutiae point carry out fingerprint matching, to obtain vault
UKIn true minutiae point;
Step 2.4: use the matching result of step 2.3, the coefficient CO of the multinomial Q (x) that sends over FS
Q(x), and bug patch code CRC16 come reconstruct multinomial P (x).If can correctly reconstruct multinomial Q (x) and P (x), can discharge the PIN that is bundled in UK wherein by multinomial P (x), so smart card is unlocked.Otherwise it fails to match, needs the checking user to re-enter fingerprint and verify.
Three, digital certificate operational phase
Success reconstruct multinomial P (x) discharges after the PIN that is bound to UK wherein, and the digital certificate that the user comprises private key in just can the UK of being stored in safe in utilization carries out a series of operation.
Digital certificate operational phase schematic flow sheet of the present invention as shown in Figure 3, key step is described below:
Step 3.1: at the user fingerprints Qualify Phase, user both sides A that need communicate and B import fingerprint respectively and verify in the UK of oneself, discharge wherein the smart card PIN of binding after being proved to be successful separately, in user UK separately, comprise private key sk thereby discharge safe storage
UDigital certificate;
Step 3.2: user A can carry out encrypting and transmitting to data m with the PKI of user B digital certificate and give user B, and with the fail safe of assurance data m in transmission course, otherwise user B also can carry out same operation to user A.The concrete steps that wherein relate to are divided into:
(1) user A at first generates a symmetric session keys K
AB, use symmetric session keys K
ABM encrypts to data, uses the PKI pk of user B then
BTo symmetric session keys K
ABEncrypt, then data encrypted and symmetric session keys are sent to user B together;
Its agreement flow process is:
A→B:E
KAB(m)‖E
pkB(K
AB)
(2) after user B receives the message of encryption, use the private key sk of oneself earlier
BTo symmetric session keys K
ABBe decrypted, obtain symmetric session keys K
AB, use symmetric session keys K again
ABData encrypted is decrypted, recovers initial data m.
Its agreement flow process is:
B:K
AB=D
skB(E
pkB(K
AB))
m=DK
AB(EK
AB(m))
Step 3.3: user A can sign to data m and sends to user B with the digital certificate that comprises private key that own UK discharges, with integrality and the non repudiation of assurance data m in transmission course, otherwise user B also can carry out same operation to user A.The concrete steps that wherein relate to are divided into:
(1) user A at first asks Hash Value to the data m that will send, and uses the private key sk of oneself then
AHash Value is signed, and send to user B;
Its agreement flow process is:
A:H=h(m)
A→B:S
skA(H)
(2) user B receives after the signed data, and m is obtained Hash Value H ' with same hash algorithm, uses the PKI pk of A then
AThe signature of checking A.If the H that the Hash Value H ' and the signature verification of trying to achieve obtain equates that then signature is effective, the information that proves is by the A signature, otherwise the information that then proves is not signed by A.
Its agreement flow process is:
B:H′=h(m)
H=V
pkA(S
skA(H))
Embodiment described above only is a part of embodiment of the present invention, rather than whole embodiment.Based on above-described embodiment, those of ordinary skills are under the prerequisite of not making creative work, and other embodiment of all that are obtained belongs to the scope of protection of the invention.
Claims (7)
1. identity identifying method based on fuzzy vault and digital certificate, it is characterized in that: combination in smart card digital certificate and finger print identifying, make user's digital identity corresponding with physical identity, the customer digital certificate that will comprise corresponding private key simultaneously is stored in the smart card, use user fingerprints fuzzy vault that the PIN of this smart card is encrypted, reach the authentication of high safety thus, simultaneously, adopt the secret amount of calculation that method alleviates smart card of sharing, alignment work is distributed to fingerprint server, when the information in make that and if only if smart card and the server all can get, could successfully recover the PIN of smart card, thereby discharge the digital certificate that wherein comprises private key; Whole authentication process comprises user's registration phase, user fingerprints Qualify Phase and digital certificate operational phase:
User's registration phase comprises following steps:
Step 1.1 generates RSA key in registered user's UK right: PKI pk
UWith private key sk
U
The pk that generates among step 1.2 registered user's the UK
UBe sent to RA with registered user's related registration information RI, RA at first verifies registered user's RI, guarantees that registered user's identity is legal, reexamines registered user's private key sk
UWhether be that it has;
If step 1.3 audit is passed through, RA passes to CA to registered user's RI and verifies, if by checking, CA generates digital certificate to the registered user, and with oneself private key sk
CADigital certificate is signed, issue the registered user again, and have the digital certificate record;
Step 1.4 registered user imports fingerprint in UK, minutiae point takes the fingerprint from the registered fingerprint image, these fingerprint minutiaes are defined as true minutiae point, and the true minutiae point of a part wherein is distributed among the FS, and the fingerprint minutiae among UK and the FS locks the PIN of UK jointly then;
The user fingerprints Qualify Phase comprises following steps:
Step 2.1 checking user imports fingerprint in UK, the minutiae point that takes the fingerprint from the checking fingerprint image is transferred to it among FS, at first in FS to the minutiae point that extracts be stored in vault among the FS
FSTrue minutiae point between carry out fingerprint and aim at, generate alignment information AI, this alignment information AI is transferred to UK, is used for minutiae point and the vault of UK to extracting
UKAligning between the true minutiae point of middle storage is to alleviate the amount of calculation of smart card;
Step 2.2 is used the alignment result and the error-checking code CRC16 of step 2.1, to user rs authentication fingerprint minutiae that sends to FS and the vault that is stored among the FS
FSTrue minutiae point carry out minutiae point coupling, to obtain vault
FSIn true minutiae point, thereby use multinomial Q (x) among the Lagrange's interpolation reconstruct FS, if the reconstruct success, then with the coefficient CO of the multinomial Q (x) that reconstructs
Q(x) send to UK; Otherwise it fails to match, need re-enter user fingerprints and verify;
The alignment information AI that step 2.3 uses FS to send, in checking user UK to the fingerprint minutiae of input be stored in vault
UKIn true minutiae point carry out fingerprint and aim at, alignment function carries out in real time, uses this alignment result, in checking user UK to the fingerprint minutiae of input be stored in vault
UKIn true minutiae point carry out fingerprint matching, obtain vault
UKIn true minutiae point;
Step 2.4 is used the matching result of step 2.3, the coefficient CO of the multinomial Q (x) that sends over FS
Q(x) and bug patch code CRC16 come reconstruct multinomial P (x), if can correctly reconstruct multinomial Q (x) and P (x), can discharge the PIN that is bundled in UK wherein by multinomial P (x), smart card is unlocked; Otherwise it fails to match, needs the checking user to re-enter fingerprint and verify;
The digital certificate operational phase comprises following steps:
Step 3.1 is at the user fingerprints Qualify Phase, user both sides A that need communicate and B import fingerprint respectively and verify in the UK of oneself, discharge wherein the smart card PIN of binding after being proved to be successful separately, in user UK separately, comprise private key sk thereby discharge safe storage
UDigital certificate;
Step 3.2 user A can carry out encrypting and transmitting to data m with the PKI of user B digital certificate and give user B, and with the fail safe of assurance data m in transmission course, otherwise user B also can carry out same operation to user A;
Step 3.3 user A can sign to data m and sends to user B with the digital certificate that comprises private key that own UK discharges, and guaranteeing integrality and the non repudiation of data m in transmission course, otherwise user B also can carry out same operation to user A.
2. the identity identifying method based on fuzzy vault and digital certificate according to claim 1 is characterized in that: the described inspection of the step 1.2 of user's registration phase registered user has private key sk
UProcess be: RA generates random number r, the PKI pk that sends over the registered user
UR is encrypted, and send it back the registered user, if the registered user can be with its private key sk
UR is decrypted to random number, and then this registered user has this private key sk
U
3. the identity identifying method based on fuzzy vault and digital certificate according to claim 1, it is characterized in that: the digital certificate that the described CA of the step 1.3 of user's registration phase generates the registered user can be used for encrypting or signature operation, and is stored among the UK.
4. the identity identifying method based on fuzzy vault and digital certificate according to claim 1 is characterized in that: the described fingerprint minutiae with the user of the step 1.4 of user's registration phase is as follows to the PIN lock step of UK:
1) at first with the additional error-checking code CRC16 of the PIN of UK as coefficient, make up the multinomial P (x) on n rank, from user's registered fingerprint, select the set M1 of n minutiae point, in UK, register, the set M2 of remaining j minutiae point composition is registered among the FS, n true minutiae point among the minutiae point set M1 that stores among the UK is at territory F=GF (2
16) in be encoded as element, to the mapping value of the encoded radio evaluator P (x) of the true minutiae point of n, generate s at random respectively
UKIndividual and the irrelevant hash point of multinomial P (x) are used for protecting the true minutiae point of UK, and the hash point of n true minutiae point and generation is carried out vault among the scramble generation UK
UK, and be stored among the user UK;
2) go up i coordinate points of selection arbitrarily at multinomial P (x), i≤n as coefficient, constructs the 2i-1 rank multinomial Q (x) on the FS with i error-checking code CRC16 of x-y coordinate affix that puts, be distributed to j the true minutiae point of the minutiae point set M2 of FS, at territory F=GF (2
16) in be encoded as element, to the mapping value of the encoded radio evaluator Q (x) of the true minutiae point of this j, generate s at random respectively
FSIndividual and the irrelevant hash point of multinomial Q (x) with the true minutiae point among the protection FS, carry out vault among the scramble generation FS with the hash point of j true minutiae point and generation
FS, and be stored among the FS, the PIN that makes UK is by vault
UKAnd vault
FSCommon protection.
5. the identity identifying method based on fuzzy vault and digital certificate according to claim 1 is characterized in that:
The user fingerprints Qualify Phase is reconstruct multinomial P (x) from the fingerprint of checking user input, to discharge the PIN of UK, needs to use the coefficient CO of the multinomial Q (x) that the true minutiae point registered among the UK and FS reconstruct
Q(x), adopt Lagrange's interpolation to reconstruct multinomial P (x).
6. according to the described identity identifying method based on fuzzy vault and digital certificate of claim 1, it is characterized in that: the step 3.2 of digital certificate operational phase is described with digital certificate to data m ciphering process to be:
1) user A generates a symmetric session keys K
AB, use symmetric session keys K
ABM encrypts to data, uses the PKI pk of user B then
BTo symmetric session keys K
ABEncrypt, data encrypted and symmetric session keys are sent to user B together;
2) after user B receives the message of encryption, use the private key sk of oneself earlier
BTo symmetric session keys K
ABBe decrypted, obtain symmetric session keys K
AB, use symmetric session keys K again
ABData encrypted is decrypted, recovers initial data m.
7. according to the described identity identifying method based on fuzzy vault and digital certificate of claim 1, it is characterized in that: the step 3.3 of digital certificate operational phase is described with digital certificate to data m signature process to be:
1) user A asks Hash Value H to the data m that will send, and uses the private key sk of oneself then
AHash Value is signed, and send to user B;
2) user B receives after the signed data, asks the Hash Value H ' of m, uses the PKI pk of A then
AThe signature of checking A is if the Hash Value H ' that tries to achieve equates that with the H that signature verification obtains then signature effectively; Otherwise it is invalid to sign.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010289870 CN101945114B (en) | 2010-09-20 | 2010-09-20 | Identity authentication method based on fuzzy vault and digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201010289870 CN101945114B (en) | 2010-09-20 | 2010-09-20 | Identity authentication method based on fuzzy vault and digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101945114A true CN101945114A (en) | 2011-01-12 |
| CN101945114B CN101945114B (en) | 2013-06-12 |
Family
ID=43436881
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201010289870 Expired - Fee Related CN101945114B (en) | 2010-09-20 | 2010-09-20 | Identity authentication method based on fuzzy vault and digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101945114B (en) |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102769623A (en) * | 2012-07-24 | 2012-11-07 | 北京华财理账顾问有限公司 | Two-factor authentication method based on digital certificate and biological identification information |
| CN105023154A (en) * | 2014-04-21 | 2015-11-04 | 航天信息股份有限公司 | Electronic paying method and apparatus based on multifunctional financial IC cards |
| CN105743648A (en) * | 2014-12-09 | 2016-07-06 | 航天信息股份有限公司 | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method |
| CN106850201A (en) * | 2017-02-15 | 2017-06-13 | 济南晟安信息技术有限公司 | Intelligent terminal multiple-factor authentication method, intelligent terminal, certificate server and system |
| CN108595318A (en) * | 2018-03-31 | 2018-09-28 | 西安电子科技大学 | The difference test method of digital certificate authentication module during the SSL/TLS of RFC guidances is realized |
| CN108768643A (en) * | 2018-06-22 | 2018-11-06 | 哈尔滨工业大学 | A kind of private data guard method and system |
| CN109309658A (en) * | 2018-06-14 | 2019-02-05 | 孔德键 | The identity identifying method and identity-validation device and identity authorization system of multiple authentication |
| CN109992942A (en) * | 2019-01-03 | 2019-07-09 | 西安电子科技大学 | Secret protection face authentication method and system, intelligent terminal based on privacy sharing |
| CN110390746A (en) * | 2019-06-16 | 2019-10-29 | 广州智慧城市发展研究院 | A kind of implementation method of fingerprint anti-theft gate inhibition |
| CN110430204A (en) * | 2019-08-12 | 2019-11-08 | 徐州恒佳电子科技有限公司 | A kind of modified JSON safety communicating method based on third party's password book server |
| CN110493272A (en) * | 2019-09-25 | 2019-11-22 | 北京风信科技有限公司 | Use the communication means and communication system of multiple key |
| CN113139166A (en) * | 2021-03-16 | 2021-07-20 | 标信智链(杭州)科技发展有限公司 | Evaluation expert signature method and device based on cloud certificate |
| CN113691365A (en) * | 2020-05-16 | 2021-11-23 | 成都天瑞芯安科技有限公司 | Cloud private key generation and use method |
| CN114007218A (en) * | 2020-07-28 | 2022-02-01 | 中国电信股份有限公司 | Authentication method, system, terminal and digital identity authentication functional entity |
| CN114372274A (en) * | 2021-12-07 | 2022-04-19 | 广州大学 | Remote data backup encryption method, system, device and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101350724A (en) * | 2008-08-15 | 2009-01-21 | 西安电子科技大学 | Encrypting method base on biology characteristic information |
| CN101369892A (en) * | 2008-08-08 | 2009-02-18 | 西安电子科技大学 | Method for reinforcing fingerprint Fuzzy Vault system security |
| CN101552776A (en) * | 2009-04-14 | 2009-10-07 | 西安电子科技大学 | Fuzzy Vault encrypting method based on secrete sharing |
| US20090262990A1 (en) * | 2008-04-17 | 2009-10-22 | Electronics And Telecommunications Research Institute | Apparatus and method for polynomial reconstruction in fuzzy vault system |
-
2010
- 2010-09-20 CN CN 201010289870 patent/CN101945114B/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090262990A1 (en) * | 2008-04-17 | 2009-10-22 | Electronics And Telecommunications Research Institute | Apparatus and method for polynomial reconstruction in fuzzy vault system |
| CN101369892A (en) * | 2008-08-08 | 2009-02-18 | 西安电子科技大学 | Method for reinforcing fingerprint Fuzzy Vault system security |
| CN101350724A (en) * | 2008-08-15 | 2009-01-21 | 西安电子科技大学 | Encrypting method base on biology characteristic information |
| CN101552776A (en) * | 2009-04-14 | 2009-10-07 | 西安电子科技大学 | Fuzzy Vault encrypting method based on secrete sharing |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102769623A (en) * | 2012-07-24 | 2012-11-07 | 北京华财理账顾问有限公司 | Two-factor authentication method based on digital certificate and biological identification information |
| CN105023154A (en) * | 2014-04-21 | 2015-11-04 | 航天信息股份有限公司 | Electronic paying method and apparatus based on multifunctional financial IC cards |
| CN105743648A (en) * | 2014-12-09 | 2016-07-06 | 航天信息股份有限公司 | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method |
| CN106850201A (en) * | 2017-02-15 | 2017-06-13 | 济南晟安信息技术有限公司 | Intelligent terminal multiple-factor authentication method, intelligent terminal, certificate server and system |
| CN106850201B (en) * | 2017-02-15 | 2019-11-08 | 济南晟安信息技术有限公司 | Intelligent terminal multiple-factor authentication method, intelligent terminal, certificate server and system |
| CN108595318B (en) * | 2018-03-31 | 2021-05-14 | 西安电子科技大学 | Difference test method for digital certificate verification module in RFC-guided SSL/TLS implementation |
| CN108595318A (en) * | 2018-03-31 | 2018-09-28 | 西安电子科技大学 | The difference test method of digital certificate authentication module during the SSL/TLS of RFC guidances is realized |
| CN109309658A (en) * | 2018-06-14 | 2019-02-05 | 孔德键 | The identity identifying method and identity-validation device and identity authorization system of multiple authentication |
| CN108768643A (en) * | 2018-06-22 | 2018-11-06 | 哈尔滨工业大学 | A kind of private data guard method and system |
| CN109992942A (en) * | 2019-01-03 | 2019-07-09 | 西安电子科技大学 | Secret protection face authentication method and system, intelligent terminal based on privacy sharing |
| CN110390746A (en) * | 2019-06-16 | 2019-10-29 | 广州智慧城市发展研究院 | A kind of implementation method of fingerprint anti-theft gate inhibition |
| CN110430204A (en) * | 2019-08-12 | 2019-11-08 | 徐州恒佳电子科技有限公司 | A kind of modified JSON safety communicating method based on third party's password book server |
| CN110493272B (en) * | 2019-09-25 | 2020-10-02 | 北京风信科技有限公司 | Communication method and communication system using multiple keys |
| CN110493272A (en) * | 2019-09-25 | 2019-11-22 | 北京风信科技有限公司 | Use the communication means and communication system of multiple key |
| CN113691365A (en) * | 2020-05-16 | 2021-11-23 | 成都天瑞芯安科技有限公司 | Cloud private key generation and use method |
| CN113691365B (en) * | 2020-05-16 | 2024-04-26 | 成都天瑞芯安科技有限公司 | Cloud private key generation and use method |
| CN114007218A (en) * | 2020-07-28 | 2022-02-01 | 中国电信股份有限公司 | Authentication method, system, terminal and digital identity authentication functional entity |
| CN114007218B (en) * | 2020-07-28 | 2024-01-26 | 中国电信股份有限公司 | Authentication method, authentication system, terminal and digital identity authentication functional entity |
| CN113139166A (en) * | 2021-03-16 | 2021-07-20 | 标信智链(杭州)科技发展有限公司 | Evaluation expert signature method and device based on cloud certificate |
| CN114372274A (en) * | 2021-12-07 | 2022-04-19 | 广州大学 | Remote data backup encryption method, system, device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101945114B (en) | 2013-06-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101945114B (en) | Identity authentication method based on fuzzy vault and digital certificate | |
| CN106548345B (en) | Method and system for realizing block chain private key protection based on key partitioning | |
| CN103440444B (en) | The signing method of electronic contract | |
| CN106357401B (en) | A kind of storage of private key and application method | |
| US6073237A (en) | Tamper resistant method and apparatus | |
| CN112217807B (en) | Cone block chain key generation method, authentication method and system | |
| CN101013943B (en) | Method for binding/recovering key using fingerprint details | |
| CN102082790B (en) | Method and device for encryption/decryption of digital signature | |
| CN107925581A (en) | 1:N organism authentications, encryption, signature system | |
| RU2584500C2 (en) | Cryptographic authentication and identification method with real-time encryption | |
| CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD | |
| Kumar et al. | Development of a new cryptographic construct using palmprint-based fuzzy vault | |
| KR20060127080A (en) | User authentication method based on the utilization of biometric identification techniques and related architecture | |
| CN105207776A (en) | Fingerprint authentication method and system | |
| CN107592308A (en) | A kind of two server multiple-factor authentication method towards mobile payment scene | |
| CN107171796A (en) | A kind of many KMC key recovery methods | |
| CN110505055B (en) | External network access identity authentication method and system based on asymmetric key pool pair and key fob | |
| CN108566273A (en) | Identity authorization system based on quantum network | |
| JP2013084034A (en) | Template distribution type cancelable biometric authentication system and method therefor | |
| CN106936588A (en) | A kind of trustship method, the apparatus and system of hardware controls lock | |
| CN109981290A (en) | The communication system and method close based on no certificate label under a kind of intelligent medical environment | |
| CN109889669A (en) | A kind of unlocked by mobile telephone method and system based on secure cryptographic algorithm | |
| US20120124378A1 (en) | Method for personal identity authentication utilizing a personal cryptographic device | |
| TWI476629B (en) | Data security and security systems and methods | |
| CN1953366B (en) | Password management method and system for intelligent secret key device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130612 Termination date: 20160920 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |