CN103607280A - Personal authentication device - Google Patents

Personal authentication device Download PDF

Info

Publication number
CN103607280A
CN103607280A CN201310177699.4A CN201310177699A CN103607280A CN 103607280 A CN103607280 A CN 103607280A CN 201310177699 A CN201310177699 A CN 201310177699A CN 103607280 A CN103607280 A CN 103607280A
Authority
CN
China
Prior art keywords
information
personal authentication
authentication apparatus
content
certificate server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310177699.4A
Other languages
Chinese (zh)
Other versions
CN103607280B (en
Inventor
熊楚渝
陈雨霖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Original Assignee
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CHENGDU CYBERKEY TECHNOLOGY Co Ltd filed Critical CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Priority to CN201310177699.4A priority Critical patent/CN103607280B/en
Publication of CN103607280A publication Critical patent/CN103607280A/en
Application granted granted Critical
Publication of CN103607280B publication Critical patent/CN103607280B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)

Abstract

The invention relates to a personal authentication device, at least comprising the following units: an acquisition unit, a processing, a communication unit and a storage unit. The processing unit is used for decomposing and processing authentication content RD into content information RC and biological characteristic information RB, used for adopting a preset first algorithm to calculate the biological characteristic information RB, symmetrical confidential information SK and one-time information T and generate first information B, used for adopting a preset second algorithm to calculate the content information RC, the symmetrical confidential information SK and the one-time information T and generate second information C, and used for adopting a preset third algorithm to calculate the first information B and the second information C and obtain third information M. The personal authentication device has the beneficial effects that the authentication factor of ''biological characteristics that a user has'' is effectively integrated with other authentication factors, and thus security and usability of multiple-factor authentication technology are improved.

Description

Personal authentication apparatus
Technical field
The present invention relates to computer safety information technical field, particularly relate to computer identity authentication techniques field.
Background technology
Authentication process, and closely-related transaction control, be that authentication main body (normally service provider) authenticates certified main body (normally user), confirms the process of identity, ownership and affiliated right etc.From most basic level, be the in addition process of certain confirmation of authentication main body information that certified main body is submitted to, that is to say the process that authentication main body is approved the information of these submissions.In principle, the information of submitting to being classified, is exactly the so-called authentication factor.What the first authentication factor i.e. " knowing ", is that certified main body possesses that certain is special, is difficult for the knowledge known for other people, certain password normally, password etc.What the second authentication factor i.e. " having ", is that certified main body has certain concrete object, and foremost example is exactly historical tiger-shaped tally issued to generals as imperial authorization for loop movement in ancient China, and uses at present a lot of tokens, seal and smart card (as credit card etc.) etc.The third authentication factor i.e. " biological characteristic that user has ", distinctive on individual physiological, for example vocal print, fingerprint, eyeprint, vein pattern, face line or behavioural characteristic etc.
Early stage identity identifying technology is that above-mentioned three kinds of factors are used separately, uses separately a kind of identity identifying technology that authenticates the factor to be called as single-factor authentication.In fact, current most applications that Here it is, as the login password of diverse network account number.But single-factor authentication is quite dangerous, for the purpose of improving safety, need to use the two or more factors simultaneously, be called multiple-factor authentication.
But multiple-factor certificate scheme of the prior art exists following not enough: if that is exactly the systems approach not had, cost is just higher, use and also can owe convenient.Particularly the corresponding a lot of service provider of each user (certified main body) (authentication main body), if there is no suitable method, is difficult to multiple-factor authentication to promote and open.
The applicant has proposed application for a patent for invention " identity recognition method for computer system " on 06 27th, 2011, this Patent Application Publication a kind of scheme of double factor authentication.This technical scheme makes double factor authentication (what be known, what has) can easily carry out, but do not integrate owing to not having concrete method the biological characteristic that user has, make it to become the method for three kinds of factors unifications of complete unification, so its fail safe and ease for use or not.
Summary of the invention
The object of the invention is, in order further to improve fail safe and the ease for use of existing multiple-factor authentication techniques scheme, to have proposed a kind of personal authentication apparatus.
Technical scheme of the present invention is: a kind of personal authentication apparatus, for comprising the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, in the identity registration system or identity authorization system of the set of the authentication content RD of content information RC and biological information RB; It is characterized in that,
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, for adopting the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T, for adopting default algorithm to calculate the 3rd information M to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, be used for receiving certificate server and send instruction and corresponding disposable information T is provided to personal authentication apparatus, for personal authentication apparatus, the 3rd information M is sent to certificate server;
Memory cell, the data message obtaining for collecting unit, processing unit and the communication unit of storing from stating personal authentication apparatus;
The collecting unit of above-mentioned personal authentication apparatus, communication unit and memory cell are connected with processing unit respectively, the communication unit of above-mentioned certificate server is connected with processing unit respectively with memory cell, and above-mentioned personal authentication apparatus and certificate server are connected communication by communication unit separately.
The invention has the beneficial effects as follows: in the verification process of technical solution of the present invention, what user knows, what user has, and user's biological characteristic, all must correctly possess simultaneously, correctly use, otherwise cannot be by authentication.The information M of noticing is disposable, even if be acquired, and also can not the reverse biological information that obtains user.Meanwhile, certificate server can be dominated whole verification process completely, and be not only by static biological information (this information always under the shade that may be forged), authenticates.
Further, because biological characteristic must may be produced by this talent of user, even under the worst case of all revealing at whole log-on messages of server, this characteristic also makes the assailant user that can not assume another's name, therefore the damage control in minimum.This character is what current nearly all system and method all can not fine solution.
Because our system adopts personal authentication apparatus very easily, and in user's simple use procedure, made three kinds of factors unifications use, user again need not remember various bothersome passwords, password etc., and comfort level greatly improves.
Therefore, technical scheme of the present invention is effectively integrated " biological characteristic that user has " this authentication factor and other authentication factors, and adopt personal authentication apparatus to concentrate and gather various authentication informations, thereby further improved fail safe and the ease for use of multiple-factor authentication techniques.
Accompanying drawing explanation
Fig. 1 is the hardware logic structure schematic diagram of identity registration of the present invention and Verification System.
Fig. 2 is the more detailed hardware logic structure schematic diagram of identity registration of the present invention and Verification System.
Fig. 3 is the flow chart of identity registration method of the present invention.
Fig. 4 is the flow chart of identity identifying method of the present invention.
Embodiment
For the ease of those skilled in the art, understand fully and implement technical scheme of the present invention, being necessary before describing specific embodiment, the required general hardware logic structure of the present patent application, general definition and principle to be described in detail.
Fig. 1 is the hardware configuration schematic diagram of identity registration system of the present invention and identity authorization system.As can be seen from the figure, the hardware logic structure of identity registration system of the present invention and identity authorization system is consistent.Identity registration system and identity authorization system all comprise: personal authentication apparatus 1 and certificate server 2, also comprise the personal authentication apparatus management server 3 as inessential technical characterictic.
Personal authentication apparatus 1 of the present invention is held and is used by user's (being certified main body), electronic equipment normally hand-held or carrying mode more easily is as the mobile phone with acquisition function or panel computer, and personal authentication apparatus 1 must comprise the collecting unit that can gather " biological characteristic that user has " this authentication factor.Certificate server 2 is held and is used by service side (authentication authorization and accounting side), and general employing has communication function and enough computing capabilitys and the hardware server of storage capacity and supporting software.Personal authentication apparatus management server 3 is by the management and service providing personal authentication apparatus 1, but do not relate to completely, all service providers serve and user's confidential information, and personal authentication apparatus management server 3 will only provide initial help.
User's (certified main body) completes the authentication of three factor unifications with personal authentication apparatus 1, not only convenient but also complete.Certificate server 2 is by the authentication of complete independently three card unifications.Even if there is the information leakage of worst cases in certificate server 2, user's register information flow is spread out of, also extremely can not there is other people assume another's name user's situation.
The basic ideas of technical solution of the present invention are: the authentication based on biological characteristic is the information that user's (being certified main body) submits certain people's biological characteristic to, and then service side (authentication authorization and accounting side) reaches authentication by such information (or information module) of storage before comparison.This specific information based on biological characteristic, vocal print for example, fingerprint, eyeprint, vein pattern, face line, etc., possess some advantages, be for example difficult to forge, be difficult to deny etc.But also possess a lot of shortcomings simultaneously.The present invention is using user's various biological characteristics as corresponding authentication content RD, and authentication content RD answers content information RC and biological information RB, and content information RC can be for " what is known " factor.Thing characteristic information R can be for " biological characteristic " factor, and the acquisition mode of user's the corresponding authentication content RD of various biological characteristics is as follows:
Vocal print: adopt phonetic entry, conventionally use microphone collection; Naturally mixing of content information RC and biological information RB, for example phonetic entry " 35 ", content information RC is exactly 35, and biological information RB is user's vocal print feature.
Fingerprint and palmmprint: contact input, conventionally adopt contact collector; Only can contain very small amount of content information RC, for example the forefinger of the right hand is as content information RC, and most of information is that biological information RB(is fingerprint or palmmprint).
Eyeprint, face line and vein pattern: optics input, adopts optical collector conventionally; Not containing content information RC, only having biological information RB(is eyeprint etc. completely).
Behavioural characteristic (gesture, person's handwriting, typewriting vestige): conventionally adopt and calculate input equipment, as keyboard, the collections such as screen; Authentication content RD is naturally mixing of content information RC and biological information RB, but biological information RB content is far fewer than vocal print, for example keyboard input " abcde ", content information RC is exactly abcde, and the biological information RB input vestige that to be user input (i.e. some statistics invariants to user's keyboard input), the amount of information of this feature is all little conventionally.
Content information RC and the biological information RB of above-mentioned various biological characteristics have its purposes.If Information Monitoring comprises two kinds of information simultaneously, just better.Therefore, vocal print and behavioural characteristic will have unique advantage.And this collector of two kinds is all quite cheap, cost is very low.
From the input message of physical characteristics collecting, extracting content information RC and biological information RB is very special technology, and this technology is not in the innovation and protection range of this patent.But we are ready to point out, although this special technology is quite highly difficult science and technology, recently the several years, there is good progress.Therefore we can think, from authentication content RD corresponding to the biological characteristic of Gather and input, can extract content information RC and biological information RB, this technology is regarded as prior art and is not described in detail and launches, but its concrete scheme does not affect enforcement of the present invention.
Those skilled in the art is to be appreciated that, authentication content RD corresponding to biological characteristic that user collects by personal authentication apparatus 1 is divided into content information RC and biological information RB after extracting, described content information RC and biological information RB can send certificate server 2 to, these information both can directly be transmitted, and also can after several layer functions calculate, become content information RC and the corresponding average information of biological information RB transmits.
In the present invention, for the collection of biological characteristic, can repeatedly carry out forming set and the application of biological characteristic.Can for the data message of collector collection, be collecting sample information, all can be called and gather set for the Information Monitoring adopting, symbol is that CJ registers and authenticate the element that the data message of use is CJ, but, may not use whole CJ, and be only a proper subclass of CJ, this set is called enrolled set, symbol is ZJ, is the subset (may be proper subclass) of CJ, and example is as follows:
Example 1:CJ is the fingerprint of user's all fingers, ZJ=CJ, and collecting sample is exactly the fingerprint of certain finger.
Example 2:CJ is voice set 0-99, ZJ={10, and 20,30,40,50,60,70,80,90}, collecting sample is exactly the data of certain regulation voice.
Example 3:CJ is 5 alphabetical whole set, ZJ=CJ, and collecting sample is to input certain 5 alphabetical character string with keyboard, abcde for example, ijkom etc.
The present invention can be implemented and be possessed the principle that the authentication of making possesses higher fail safe and ease for use:
Principle 1: biological information should directly not used.If directly used, particularly in remote authentication, directly use, just characteristic information must be directly used in to Internet Transmission, this has just manufactured sizable potential safety hazard.If occur leaking in transmitting procedure, in later use procedure, just more dangerous, because conventionally biological characteristic is expressed to quite high safe confidence, by more difficult pinpointing the problems.And common biological characteristic fewer (for example everyone only can use with ten fingerprints), once leakage appears in characteristic information, be just not so good as easy the modifications and correction such as password.Therefore directly use the potential safety hazard of biological characteristic too many.Best mode is to mix use with other modes, for example with hand-held authenticating device in symmetry secret (being called SK) mix and use.Like this, just can guarantee the disposable code of only use in transmitting procedure, and be random code.And the information that registration is used is only that certain of biological characteristic represents, even leak out completely, also extremely can not there is other people assume another's name user's situation under worst case.Meanwhile, owing to registering the biological information of use, not direct biological information, but certain expression, and directly use of this expression, the biological information of user's height secret is just adequately protected.
Principle 2: should dominate authentication by authentication main body, the use of leading biological characteristic, and be not only the biological information that authenticates main body passive receive static state.Authentication main body just possesses multiple means and deals with various potential attacks like this.
Technical scheme of the present invention is based on above-mentioned two principles, and in conjunction with personal authentication's (registration) equipment 1, thereby form authentication (registration) system, and coordinate authentication (registration) method with coupling, thereby can in authentication, accomplish tight security and ease for use.
For the ease of those skilled in the art's understanding with implement the present patent application, below in conjunction with accompanying drawing and specific embodiment, the present invention is described further.
Embodiment 1: the biological characteristic that the present embodiment adopts is vocal print, corresponding to this scheme, has comprised following technical scheme.
The scheme 1 of embodiment 1: a kind of identity registration method, as shown in Figure 3, between the personal authentication apparatus that the certificate server of holding at authenticating party in advance and user hold, arrange symmetry machine confidential information SK, the set of the authentication content RD of content information RC and biological information RB; Personal authentication apparatus in the present embodiment is smart mobile phone, and the software on smart mobile phone, and smart mobile phone possesses microphone and network function, and certificate server comprises hardware server and corresponding software.The process of arranging symmetry machine confidential information SK between certificate server and personal authentication apparatus is prior art, therefore how to generate and store symmetric cryptography, is not describing in detail.
Described identity registration method comprises the steps:
S1. certificate server sends instruction and corresponding disposable information T is provided to personal authentication apparatus (smart mobile phone), described disposable information T comprises the information of selected authentication content RD type, and personal authentication apparatus is pointed out user's input authentication content RD after receiving instruction;
Concrete measure is: require user to read in numeral 1234.
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
Concrete measure is: user as requested, the microphone of mobile phone is read in to input numeral 1234, microphone collects after speech input information, voice messaging is sent into the processor of smart mobile phone, processor is processed this information with software, and obtain content information (i.e. numeral 1234), and user's sound characteristic information, sound characteristic information comprises the biological informations such as fundamental tone, these information are physiological characteristics based on individual, different people will have different information, and these information are difficult to forge (for convenience, we can claim that content information is RC, and biological information RB),
S3. personal authentication apparatus (processor of smart mobile phone) adopts the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T;
Above-mentioned first information B is the information directly related with biological information RB.
The requirement of a kind of specific algorithm of the first algorithm in this step is, even when SK and T are known, can not go out RB from B backstepping, algorithm can change arbitrarily meeting under above-mentioned condition.For example a kind of from SK, T, RB produces the specific algorithm of B, be expressed as SK ⊕ RB=B, first information B is the biological information of registering use in server, here ⊕ represents hybrid algorithm, and an example of hybrid algorithm can be used HMAC_h conventionally, and HMAC_h is the general designation of the hash algorithm one class authentication method of being combined with message authentication code calculation.HMAC is the abbreviation of Hash Message authentication code, the meaning is irreversible message authentication code, the hash algorithm that h representative is here selected, and hash algorithm is the general designation of the unidirectional non-reversible algorithm of a class, domesticly conventionally be called: hash algorithm, hashing algorithm etc.; .But for transmitting procedure will not be this, but
Figure BDA00003189800500061
wherein represent cryptographic algorithm, for example (Advanced Encryption Standard in cryptography (Advanced Encryption Standard, AES), claims again Rijndael enciphered method to AES cryptographic algorithm, is a kind of block encryption standard that Federal Government adopts.), or the close algorithm of state etc.At server, can from TB, calculate B like this, then for registration.
S4. personal authentication apparatus adopts the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T;
Above-mentioned the second information C is the information directly related with content information RC.
The requirement of a kind of specific algorithm of the second algorithm in this step is, even when SK and T are known, can not go out RC from C backstepping, algorithm can change arbitrarily meeting under above-mentioned condition.
S5. personal authentication apparatus adopts default algorithm to calculate the 3rd information M to described first information B and the second information C;
The requirement of a kind of specific algorithm of the second algorithm in this step is, M=B+C, or M=B+C+TC, and TC is the encryption of T, algorithm can change arbitrarily.
Concrete measure corresponding to above-mentioned steps S3, S4 and S5 is: processor further uses information SK, T, and RC, RB further processes, acquired information M.Concrete algorithm is as follows:
A. this is a kind of hybrid algorithm of general mixed information in the world to use algorithm Hmac_sha(), to SK, RB is hmac and calculates, acquired information BRg, and then be that key is encrypted BRg with algorithm AES use T, acquired information B;
B. use algorithm Hmac_sha to SK, RC and T are hmac and calculate, acquired information C;
C. link information B and information C and obtain information M;
Those skilled in the art is to be appreciated that, although the present embodiment has provided the specific algorithm Hmac_sha that calculates the 3rd information M, but do not thinking that above-mentioned steps can only adopt this specific algorithm, any existing algorithm that other can be encrypted data can be applied in above-mentioned steps.
S6. personal authentication apparatus is sent to certificate server by the 3rd information M, and described certificate server carries out inverse operation according to default algorithm the 3rd information M decomposition computation is obtained to first information B and the second information C;
Concrete measure is: smart mobile phone is sent certificate server back to the 3rd information M, and the channel that transmits information can be the channel of encrypting, and we are recommendation encryption channel also, still, even open channel also can not damage verification process; In this step, if use transmission security key e, eM=M encrypts with e, for transmitting, can further strengthen the fail safe in transmitting procedure.At certificate server end, from eM, recover M, from M, obtain B, C(or possible TC).
The second average information CRg corresponding to the first average information BRg that the first information B that S7. certificate server obtains decomposition computation or the second information C or first information B are corresponding or the second information C be as user's log-on data W, and be stored in the database of certificate server.
Concrete measure corresponding to above-mentioned steps S6 and S7 is: mobile phone is sent server back to information M, and server by utilizing M does following calculating, first decomposes B and C, utilizes C to do preliminary identification; Then with algorithm AES, B is deciphered to (T is key) and obtain BRg, BRg will be stored in the database of server, as this user's main log-on data.
The scheme 2 of embodiment 1: a kind of identity registration system, as shown in Figure 2, it is characterized in that, comprise the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, the set of the authentication content RD of content information RC and biological information RB;
Personal authentication apparatus in the present embodiment in the present embodiment is smart mobile phone, and the software on smart mobile phone, and smart mobile phone possesses microphone and network function, and certificate server comprises hardware server and corresponding software.
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, in the present embodiment, authentication content RD is " user is read in numeral 1234 ", and the numeral of refining from authentication content RD " 1234 " is content information RC, and the vocal print refining from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, for adopting the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T, for adopting default algorithm to calculate the 3rd information M to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, be used for receiving certificate server and send instruction and corresponding disposable information T is provided to personal authentication apparatus, for personal authentication apparatus, the 3rd information M is sent to certificate server;
Memory cell, the data message obtaining for collecting unit, processing unit and the communication unit of storing from stating personal authentication apparatus;
Described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, for certificate server, to personal authentication apparatus, send instruction and corresponding disposable information T is provided, for receiving personal authentication apparatus, be sent to the 3rd information M of certificate server;
Processing unit, obtains first information B and the second information C for carrying out inverse operation according to default algorithm by the 3rd information M decomposition computation; The first information B or the second information C or corresponding the first average information BRg or the second average information CRg corresponding to the second information C of first information B that for decomposition computation, obtain, and aforementioned information is stored in the database of certificate server, as user's log-on data W;
Memory cell, for storing the data message obtaining from communication unit and the processing unit of certificate server.
The scheme 3 of embodiment 1: a kind of identity identifying method, as shown in Figure 4, between the personal authentication apparatus that the certificate server of holding at authenticating party in advance and user hold, arrange symmetry machine confidential information SK, the set of the authentication content RD of content information RC and biological information RB;
Described identity identifying method comprises the steps:
S1. certificate server sends instruction and corresponding disposable information T is provided to personal authentication apparatus,, described disposable information T comprises the information of selected authentication content RD type, personal authentication apparatus is pointed out user's input authentication content RD after receiving instruction;
Concrete measure is: server sends instruction to smart mobile phone, the content of smart mobile phone display requirement user input, for example, require user to read in numeral 1234, simultaneously, server sends a disposal password (for convenience, being called T) to smart mobile phone;
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
Concrete measure is: user as requested, is read in input numeral 1234 to the microphone of mobile phone;
S3. personal authentication apparatus adopts the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T;
S4. personal authentication apparatus adopts the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts default algorithm to calculate the 3rd information M to described first information B and the second information C;
Concrete measure corresponding to above-mentioned steps S3, S4 and S5 is: processor further uses information SK, T, and RC, RB further processes, acquired information M.Concrete algorithm is as follows:
A. this is a kind of hybrid algorithm of general mixed information in the world to use algorithm Hmac_sha(), to SK, RB is hmac and calculates, acquired information BRg, and then be that key is encrypted BRg with algorithm AES use T, acquired information B;
B. use algorithm Hmac_sha to SK, RC and T are hmac and calculate, acquired information C;
C. link information B and information C and obtain information M;
S6. personal authentication apparatus is sent to certificate server by the 3rd information M, and described certificate server carries out inverse operation according to default algorithm the 3rd information M decomposition computation is obtained to first information B and the second information C;
The second average information CRg corresponding to the first average information BRg that the first information B that S7. certificate server obtains decomposition computation or the second information C or first information B are corresponding or the second information C is as authentication log-on data W1;
S8. certificate server is compared the authentication log-on data W1 obtaining in step S7 and the log-on data W that calculates and be stored on certificate server in advance, if W1 is consistent with log-on data W for authentication log-on data, user's authentication is passed through, otherwise user's authentication failure.
Concrete measure corresponding to above-mentioned steps S6, S7 and S8 is: mobile phone is sent server back to information M, the channel of transmission information can be the channel of encrypting, and we are recommendation encryption channel also, still, even open channel, also can not damage verification process; It is exactly SK and T that server possesses the information that enough information calculates alone in addition C and B(and need, and RC, BRg), then by the information that the information calculating like this and mobile phone send, do contrast coupling, so server can be verified to M.
The scheme 4 of embodiment 1: a kind of identity authorization system, it is characterized in that, as shown in Figure 2, comprise the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, the set of the authentication content RD of content information RC and biological information RB;
Personal authentication apparatus in the present embodiment in the present embodiment is smart mobile phone, and the software on smart mobile phone, and smart mobile phone possesses microphone and network function, and certificate server comprises hardware server and corresponding software.
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, in the present embodiment, authentication content RD is " user is read in numeral 1234 ", and the numeral of refining from authentication content RD " 1234 " is content information RC, and the vocal print refining from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, for adopting the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T, for adopting default algorithm to calculate the 3rd information M to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, be used for receiving certificate server and send instruction and corresponding disposable information T is provided to personal authentication apparatus, for personal authentication apparatus, the 3rd information M is sent to certificate server;
Memory cell, the data message obtaining for collecting unit, processing unit and the communication unit of storing from stating personal authentication apparatus;
Described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, for certificate server, to personal authentication apparatus, send instruction and corresponding disposable information T is provided, for receiving personal authentication apparatus, be sent to the 3rd information M of certificate server;
Processing unit, obtains first information B and the second information C for carrying out inverse operation according to default algorithm by the 3rd information M decomposition computation; The first information B or the second information C or corresponding the first average information BRg or the second average information CRg corresponding to the second information C of first information B that for decomposition computation, obtain, and aforementioned information is stored in the database of certificate server, as user's log-on data W1; For certificate server, authentication log-on data W1 is compared with the log-on data W that calculates and be stored on certificate server in advance, if authentication log-on data W1 is consistent with log-on data W, user's authentication is passed through, otherwise user's authentication failure;
Memory cell, for storing the data message obtaining from communication unit and the processing unit of certificate server.
The scheme 5 of embodiment 1: a kind of personal authentication apparatus, for comprising the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, in the identity registration system or identity authorization system of the set of the authentication content RD of content information RC and biological information RB; It is characterized in that,
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, in the present embodiment, authentication content RD is " user is read in numeral 1234 ", and the numeral of refining from authentication content RD " 1234 " is content information RC, and the vocal print refining from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, for adopting the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T, for adopting default algorithm to calculate the 3rd information M to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, be used for receiving certificate server and send instruction and corresponding disposable information T is provided to personal authentication apparatus, for personal authentication apparatus, the 3rd information M is sent to certificate server;
Memory cell, the data message obtaining for collecting unit, processing unit and the communication unit of storing from stating personal authentication apparatus.
The scheme 6 of embodiment 1: a kind of certificate server, for comprising the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, in the identity registration system of the set of the authentication content RD of content information RC and biological information RB;
In the present embodiment, in the present embodiment, authentication content RD is " user is read in numeral 1234 ", and the numeral of refining from authentication content RD " 1234 " is content information RC, and the vocal print refining from authentication content RD is biological information RB;
It is characterized in that, described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, for certificate server, to personal authentication apparatus, send instruction and corresponding disposable information T is provided, for receiving personal authentication apparatus, be sent to the 3rd information M of certificate server;
Processing unit, obtains first information B and the second information C for carrying out inverse operation according to default algorithm by the 3rd information M decomposition computation; The first information B or the second information C or corresponding the first average information BRg or the second average information CRg corresponding to the second information C of first information B that for decomposition computation, obtain, and aforementioned information is stored in the database of certificate server, as user's log-on data W;
Memory cell, for storing the data message obtaining from communication unit and the processing unit of certificate server.
The scheme 7 of embodiment 1: a kind of certificate server, for comprising the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, in the identity authorization system of the set of the authentication content RD of content information RC and biological information RB;
In the present embodiment, in the present embodiment, authentication content RD is " user is read in numeral 1234 ", and the numeral of refining from authentication content RD " 1234 " is content information RC, and the vocal print refining from authentication content RD is biological information RB;
It is characterized in that, described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, for certificate server, to personal authentication apparatus, send instruction and corresponding disposable information T is provided, for receiving personal authentication apparatus, be sent to the 3rd information M of certificate server;
Processing unit, obtains first information B and the second information C for carrying out inverse operation according to default algorithm by the 3rd information M decomposition computation; The first information B or the second information C or corresponding the first average information BRg or the second average information CRg corresponding to the second information C of first information B that for decomposition computation, obtain, and aforementioned information is stored in the database of certificate server, as user's log-on data W1; For certificate server, authentication log-on data W1 is compared with the log-on data W that calculates and be stored on certificate server in advance, if authentication log-on data W1 is consistent with log-on data W, user's authentication is passed through, otherwise user's authentication failure;
Memory cell, for storing the data message obtaining from communication unit and the processing unit of certificate server.
Embodiment 2: the present embodiment based on hardware system identical with embodiment 1, be no longer repeated in this description.
The biological characteristic of the authentication content RD that the present embodiment adopts is behavioural characteristic (gesture), to draw the circle of a regulation with thumb and forefinger specifically, smart mobile phone will collect input message (authentication authorization and accounting content RD), authentication content RD can resolve into two kinds, a kind of is content information RC, i.e. position of this circle etc., a kind of is individual behavior characteristic information (being biological information RB), be the information such as the speed of gesture and statistical relationship, these information are processed the processor by smart mobile phone and obtain to the inputs of gesture, these information are physiological characteristic based on individual and habitual feature, different people will have different information, and these information are difficult to forge.
Because the hardware system in the present embodiment is identical with embodiment 1, it is authentication content RD difference to some extent, therefore its processing procedure and technical scheme are identical with embodiment 1, are no longer repeated in this description 7 concrete technical schemes such as identity registration based on this different authentication content and authentication method, system, personal authentication apparatus and certificate server.
Embodiment 3: the present embodiment based on hardware system identical with embodiment 1, be no longer repeated in this description.
The biological characteristic of the authentication content RD that the present embodiment adopts is fingerprint, and authentication content RD is still divided into content information RC and biological information RB, and content information is certain fingerprint, left index finger for example, and in the present embodiment, content information is fewer, only has 10; Biological information RB is fingerprint, and finger print information is physiological characteristic based on individual, and different people will have different information, and these information are difficult to forge.
Because the hardware system in the present embodiment is identical with embodiment 1, it is authentication content RD difference to some extent, therefore its processing procedure and technical scheme are identical with embodiment 1, are no longer repeated in this description 7 concrete technical schemes such as identity registration based on this different authentication content and authentication method, system, personal authentication apparatus and certificate server.
Embodiment 4: the present embodiment based on hardware system comprise the certificate server that authenticating party is held, the personal authentication apparatus that user holds, personal authentication apparatus has comprised hardware identification device and has independently possessed the browser device of network function, in the present embodiment, hardware system can be with the difference of embodiment 1 in embodiment 1 that hardware identification device and browser device are integrated into a hardware device is personal authentication apparatus, in embodiment 4, personal authentication apparatus is separated into the browser device that two relatively independent hardware devices are hardware identification device and independently possess network function, hardware identification device in embodiment 4 is the hardware identification device (or being called token etc.) of particular design and the software of installing above, networking in verification process is confirmed to communicate by Yi Ge browser device intermediary, and described browser device is the hardware platform with network function of browser software to be installed as computer, mobile phone etc.
For the ease of those skilled in the art's understanding with implement the present patent application, below in conjunction with accompanying drawing and specific embodiment, the present invention is described further.
The scheme 1 of embodiment 4: a kind of identity registration method, it is characterized in that, between the personal authentication apparatus that the certificate server of holding at authenticating party in advance and user hold, arrange symmetry machine confidential information SK, the set of the authentication content RD of content information RC and biological information RB;
Described identity registration method comprises the steps:
S1. certificate server sends instruction and corresponding disposable information T is provided to personal authentication apparatus,, described disposable information T comprises the information of selected authentication content RD type, personal authentication apparatus is pointed out user's input authentication content RD after receiving instruction;
The biological characteristic of the authentication content RD that the present embodiment adopts is fingerprint, and authentication content RD is still divided into content information RC and biological information RB, and content information is certain fingerprint, left index finger for example, and in the present embodiment, content information is fewer, only has 10; Biological information RB is fingerprint, and finger print information is physiological characteristic based on individual, and different people will have different information, and these information are difficult to forge.
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
S3. personal authentication apparatus adopts the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T;
S4. personal authentication apparatus adopts the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts default algorithm to calculate the 3rd information M to described first information B and the second information C;
In the present embodiment, the concrete measure of step S4 and S5 is: the hardware identification device in personal authentication apparatus is further to information SK, RC, and RB further processes, acquired information M.
Concrete algorithm is as follows:
Use hmac_sha algorithm, to SK, RB is hmac and calculates, acquired information BRg;
Use hmac_sha algorithm, to SK, RC is hmac and calculates, acquired information C;
Link information BRg and information C and obtain information M1;
Hardware identification device is presented at information M1 in its display unit, and user is information M1 input browser device, and then browser device is done following calculating to information:
Decompose M1, obtain BRg and C;
Then use T for key, BRg is encrypted to acquired information KBRg;
Link information KBRg and information C and obtain information M;
S6. personal authentication apparatus is sent to certificate server by the 3rd information M, and described certificate server carries out inverse operation according to default algorithm the 3rd information M decomposition computation is obtained to first information B and the second information C;
The second average information CRg corresponding to the first average information BRg that the first information B that S7. certificate server obtains decomposition computation or the second information C or first information B are corresponding or the second information C be as user's log-on data W, and be stored in the database of certificate server.
In the present embodiment, the concrete measure of step S6 and S7 is: the browser device in personal authentication apparatus is sent to certificate server by the 3rd information M, and certificate server utilizes M to do following calculating, first obtains KBRg and C, utilizes C to do preliminary identification; Then with algorithm AES, KBRg is deciphered to (T is key) and obtain BRg, BRg will be stored in the database of server, as this user's main log-on data.
The scheme 2 of embodiment 4: a kind of identity identifying method, it is characterized in that, between the personal authentication apparatus that the certificate server of holding at authenticating party in advance and user hold, arrange symmetry machine confidential information SK, the set of the authentication content RD of content information RC and biological information RB;
Described identity identifying method comprises the steps:
S1. certificate server sends instruction and corresponding disposable information T is provided to personal authentication apparatus, and described disposable information T comprises the information of selected authentication content RD type, and personal authentication apparatus is pointed out user's input authentication content RD after receiving instruction;
The biological characteristic of the authentication content RD that the present embodiment adopts is fingerprint, and authentication content RD is still divided into content information RC and biological information RB, and content information is certain fingerprint, left index finger for example, and in the present embodiment, content information is fewer, only has 10; Biological information RB is fingerprint, and finger print information is physiological characteristic based on individual, and different people will have different information, and these information are difficult to forge.
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
S3. personal authentication apparatus adopts the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T;
S4. personal authentication apparatus adopts the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts default algorithm to calculate the 3rd information M to described first information B and the second information C;
In the present embodiment, the concrete measure of step S4 and S5 is: the hardware identification device in personal authentication apparatus is further to information SK, RC, and RB further processes, acquired information M.
Concrete algorithm is as follows:
Use hmac_sha algorithm, to SK, RB is hmac and calculates, acquired information BRg;
Use hmac_sha algorithm, to SK, RC is hmac and calculates, acquired information C;
Link information BRg and information C and obtain information M1;
Hardware identification device is presented at information M1 in its display unit, and user is information M1 input browser device, and then browser device is done following calculating to information:
Decompose M1, obtain BRg and C;
Then use T for key, BRg is encrypted to acquired information KBRg;
Link information KBRg and information C and obtain information M;
S6. personal authentication apparatus is sent to certificate server by the 3rd information M, and described certificate server carries out inverse operation according to default algorithm the 3rd information M decomposition computation is obtained to first information B and the second information C;
The second average information CRg corresponding to the first average information BRg that the first information B that S7. certificate server obtains decomposition computation or the second information C or first information B are corresponding or the second information C is as authentication log-on data W1;
S8. certificate server is compared the authentication log-on data W1 obtaining in step S7 and the log-on data W that calculates and be stored on certificate server in advance, if W1 is consistent with log-on data W for authentication log-on data, user's authentication is passed through, otherwise user's authentication failure.
In the present embodiment, the concrete measure of step S6, S7 and S8 is: the browser device in personal authentication apparatus is sent to certificate server by the 3rd information M, and certificate server utilizes M to do following calculating, first obtains KBRg and C, utilizes C to do preliminary identification; Then with algorithm AES, KBRg is deciphered to (T is key) and obtain BRg, the BRg obtaining is temporary as authentication log-on data W1, then authentication log-on data W1 is done to contrast with pre-stored log-on data W in certificate server and mate, thereby realize the authentication to user.
Because the hardware system in embodiment 4 only exists difference with embodiment 1 in the specific implementation of personal authentication apparatus, authentication content RD is identical with embodiment 3, is therefore no longer repeated in this description identity registration and a concrete technical scheme such as Verification System, personal authentication apparatus and certificate server based on this different authentication content.
In numerous technical schemes in a plurality of embodiment of the present patent application, three kinds of factors are all fully used, indispensable.During the course, what user knows, what user has, and user's biological characteristic, all must correctly possess simultaneously, correctly use, otherwise cannot be by authentication.The information M of noticing is disposable, even if be acquired, and also can not the reverse biological information that obtains user.Meanwhile, certificate server (authentication authorization and accounting main body) can be dominated whole verification process completely, and be not only by static biological information (this information always under the shade that may be forged), authenticates.
Further, because biological characteristic must may be produced by this talent of user, even under the worst case of all revealing at whole log-on messages of server, this characteristic also makes the assailant user that can not assume another's name, therefore the damage control in minimum.So being current almost system and method, this character all can not solve.Adopt our systems approach, just can reach this target.
Because our system adopts personal authentication apparatus very easily, and in user's simple use procedure, made three kinds of factors unifications use, user again need not remember various bothersome passwords, password etc., and comfort level greatly improves.Our system makes a user only need an authenticator, just can do binding service with any service provider, and cost greatly declines.High like this safe condition, user's experience so easily, system and low use cost are all that current system and method is inaccessiable so cheaply, are also that market is actively being sought.
Those of ordinary skill in the art will appreciate that, embodiment described here is in order to help reader understanding's principle of the present invention, should be understood to that protection scope of the present invention is not limited to such special statement and embodiment.Those of ordinary skill in the art can make various other various concrete distortion and combinations that do not depart from essence of the present invention according to these technology enlightenments disclosed by the invention, and these distortion and combination are still in protection scope of the present invention.

Claims (4)

1. a personal authentication apparatus, for comprising the personal authentication apparatus that user holds, the certificate server that authenticating party is held, between personal authentication apparatus and certificate server, there is the symmetry machine confidential information SK making an appointment, in the identity registration system or identity authorization system of the set of the authentication content RD of content information RC and biological information RB; It is characterized in that,
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, for adopting the first default algorithm to calculate and produce first information B described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to calculate and produce the second information C described content information RC, symmetry machine confidential information SK, disposable information T, for adopting default algorithm to calculate the 3rd information M to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, be used for receiving certificate server and send instruction and corresponding disposable information T is provided to personal authentication apparatus, for personal authentication apparatus, the 3rd information M is sent to certificate server;
Memory cell, the data message obtaining for collecting unit, processing unit and the communication unit of storing from stating personal authentication apparatus;
The collecting unit of above-mentioned personal authentication apparatus, communication unit and memory cell are connected with processing unit respectively, and above-mentioned personal authentication apparatus is connected communication with certificate server by communication unit.
2. a kind of personal authentication apparatus according to claim 1, is characterized in that, above-mentioned personal authentication apparatus is smart mobile phone.
3. a kind of personal authentication apparatus according to claim 1, is characterized in that, above-mentioned personal authentication apparatus has comprised hardware identification device and independently possessed the browser device of network function.
4. a kind of personal authentication apparatus according to claim 3, is characterized in that, described browser device is the hardware platform with network function of browser software to be installed as computer, mobile phone.
CN201310177699.4A 2013-05-14 2013-05-14 Personal authentication apparatus Active CN103607280B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310177699.4A CN103607280B (en) 2013-05-14 2013-05-14 Personal authentication apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310177699.4A CN103607280B (en) 2013-05-14 2013-05-14 Personal authentication apparatus

Publications (2)

Publication Number Publication Date
CN103607280A true CN103607280A (en) 2014-02-26
CN103607280B CN103607280B (en) 2016-08-24

Family

ID=50125481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310177699.4A Active CN103607280B (en) 2013-05-14 2013-05-14 Personal authentication apparatus

Country Status (1)

Country Link
CN (1) CN103607280B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050235148A1 (en) * 1998-02-13 2005-10-20 Scheidt Edward M Access system utilizing multiple factor identification and authentication
CN101075868A (en) * 2006-05-19 2007-11-21 华为技术有限公司 Long-distance identity-certifying system, terminal, servo and method
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN101442407A (en) * 2007-11-22 2009-05-27 杭州中正生物认证技术有限公司 Method and system for identification authentication using biology characteristics
CN103297237B (en) * 2013-05-14 2015-10-28 成都天钥科技有限公司 Identity registration and authentication method, system, personal authentication apparatus and certificate server

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050235148A1 (en) * 1998-02-13 2005-10-20 Scheidt Edward M Access system utilizing multiple factor identification and authentication
CN101075868A (en) * 2006-05-19 2007-11-21 华为技术有限公司 Long-distance identity-certifying system, terminal, servo and method
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN101442407A (en) * 2007-11-22 2009-05-27 杭州中正生物认证技术有限公司 Method and system for identification authentication using biology characteristics
CN103297237B (en) * 2013-05-14 2015-10-28 成都天钥科技有限公司 Identity registration and authentication method, system, personal authentication apparatus and certificate server

Also Published As

Publication number Publication date
CN103607280B (en) 2016-08-24

Similar Documents

Publication Publication Date Title
US11855983B1 (en) Biometric electronic signature authenticated key exchange token
EP3257194B1 (en) Systems and methods for securely managing biometric data
EP2648163B1 (en) A personalized biometric identification and non-repudiation system
US10075437B1 (en) Secure authentication of a user of a device during a session with a connected server
Kim et al. A method of risk assessment for multi-factor authentication
US11764971B1 (en) Systems and methods for biometric electronic signature agreement and intention
Wei et al. An intelligent terminal based privacy-preserving multi-modal implicit authentication protocol for internet of connected vehicles
US9152779B2 (en) Protecting codes, keys and user credentials with identity and patterns
JP7139414B2 (en) Authentication terminal, authentication device, and authentication method and system using the same
CN104321777B (en) Public identifier is generated to verify the personal method for carrying identification object
WO2012042775A1 (en) Biometric authentication system, communication terminal device, biometric authentication device, and biometric authentication method
CN103297237B (en) Identity registration and authentication method, system, personal authentication apparatus and certificate server
CN107209821A (en) For the method and authentication method being digitally signed to e-file
JP2009510644A (en) Method and configuration for secure authentication
CN109067766A (en) A kind of identity identifying method, server end and client
CN101420301A (en) Human face recognizing identity authentication system
JP2006209697A (en) Individual authentication system, and authentication device and individual authentication method used for the individual authentication system
CN103067390A (en) User registration authentication method and system based on facial features
US11405387B1 (en) Biometric electronic signature authenticated key exchange token
CN110290134A (en) A kind of identity identifying method, device, storage medium and processor
CN104038509A (en) Fingerprint authentication cloud system
JP2006155547A (en) Individual authentication system, terminal device and server
CN203243360U (en) Identity registration system
CN103297238B (en) Identity authorization system
CN103248629B (en) Identity registration system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant