CN103997504A - Identity authentication system and method - Google Patents

Abstract

The invention provides an identity authentication system and method. The identity authentication method comprises the biological information obtaining and storing step and the authentication step, wherein in the biological information obtaining and storing step, biological information is obtained, numeralization is carried out on the obtained biological information, the numerical biological information is encrypted, encrypted data are processed in a decentralized mode to form three or more data blocks, the data blocks are stored in different storage devices respectively, and each data block does not contain the complete data of the biological information; in the authentication step, the data stored in the storage devices are obtained, the obtained data are combined, the combined data are decrypted, the decrypted data are compared with data obtained after numeralization is carried out on biological information obtained by an identity authentication device, and the authenticity of an identity is authenticated according to a comparison result. The method is applied to authenticating the identity through the identity authentication system. Safety of data storage can be improved, and complete personal information leakage caused by data leakage is avoided.

Description

Authentication system and auth method

Technical field

The present invention relates to authentication field, particularly, be a kind of authentication system and apply the method for this system to authentication.

Background technology

People conventionally need to carry out authentication when departure or immigration, as fingerprint is carried out to scanning recognition.Common way is the finger print information that entry-exit management department obtains people in advance, as in advance people's fingerprint is scanned while producing entry document, and the fingerprint image after scanning is quantized, and is stored on the server of entry-exit management department.When people departure or immigration on finger scan equipment scanning fingerprint, after finger scan equipment obtains fingerprint image and fingerprint image is quantized, contrast with the finger print information that is stored in entry-exit management department server, thereby verify entry personnel's identity reality.

Along with the development of network technology and electronic technology, cloud memory technology becomes a kind of generally the Internet memory technology of application.In order to ensure the fail safe of the data of the network storage, conventionally access to your password the data of storage are protected.Yet because the password on numerous different systems and platform requires all differences, the password that is stored in different system is conventionally different, causes people to remember and managerial difficulty.

And superimpose data is stored in single network system, and the safety of data is brought to great risk.For example, network system is subject to external attack, hacker attacks or poisoning intrusion and will causes data to reveal, and data management leak also can cause data to be copied usurping, and data also may be by accident or malicious modification, steal or betray, loss etc.In addition, data manager's unreasonable use, can arbitrarily view the data of the server that is stored in another department etc. such as Yi Ge department, and these all cause the data that are stored in network to be revealed.

Once the people's that entry-exit management department stores finger print information is revealed, the leakage of people's personal information will be caused.And, once people's finger print information is utilized by lawless person, also will cause great harm to society.Therefore, how to ensure the data security that the Internet cloud memory technology is stored, especially ensure that the safety of the data that are directly connected to people's personal information becomes the important topic of current internet data memory technology.

Summary of the invention

Main purpose of the present invention is to provide a kind of effective guarantee data storage security authentication system.

Another object of the present invention is to provide a kind of personally identifiable information and is difficult for the auth method of revealing.

In order to realize above-mentioned main purpose, authentication system provided by the invention comprises that biological information is obtained and storage device, it comprises biological information acquisition module, be used for obtaining biological information, and the biological information of obtaining is quantized, wherein, biological information is obtained and storage device also comprises dispersion treatment module, biological information for logarithm value is encrypted, and the data dispersion treatment after encrypting is formed to three above data blocks, each data block is stored into respectively in different storage devices, and each data block does not all comprise the partial data of biological information, authentication system also has demo plant, it has data acquisition module, data merge module and authentication module, data acquisition module is for obtaining the data that a plurality of storage devices are stored, data merge module for the data that obtain are merged, and by the data deciphering after merging, data after authentication module quantizes the biological information of the data after deciphering and identity-validation device acquisition contrast, according to the authenticity of comparing result identity verification.

From such scheme, after biological information is obtained and storage device quantizes the biological informations such as finger print information, disperse to form a plurality of data blocks, and a plurality of data blocks are stored into respectively in different storage devices, and each data block does not all comprise complete biological information.Like this, cause data to reveal even if a certain storage device is under attack, also can not cause complete biological information to be revealed, guarantee the fail safe of data storage, people's personal information security is protected.

A preferred scheme is, when dispersion treatment module forms a plurality of data block by the data dispersion treatment after encrypting, choose an One-place 2-th Order function and key pair, the binary numeral of the data after encrypting is converted to a plurality of matrixes that are no less than storage device quantity, the value of a file of each matrix for take key to and the value of the binary numeral One-place 2-th Order function that is parameter, using each matrix as a data block.

As can be seen here, dispersion treatment module is not that data are divided into a plurality of data blocks simply, but data transaction is become to a plurality of matrixes, because the content of each matrix all can not reflect the situation of initial data, by the dispersion treatment of dispersion treatment module, be more conducive to improve the fail safe of data.

Further scheme is, when data merging module merges data, the initial value of the matrix of data acquisition module acquisition is set, and calculates the intercept of the One-place 2-th Order function that each matrix is corresponding, according to the right lookup table of key, find out binary numeral corresponding to intercept.

As can be seen here, the computing that merges module by data can fast and effeciently merge original data, and the authentication time is shorter.

Further scheme is, demo plant is also provided with data recovery module, merges module data are merged while makeing mistakes in data, and the data of storing according at least three storage devices generate the data after biological information encryption, and by data dispersion treatment.

Visible, once the data that a certain storage device is stored are modified, can initial data be recovered by data recovery module, avoid loss of data, the fail safe of data storage improves greatly.

In order to realize another above-mentioned object, auth method provided by the invention comprises that biological information is obtained and storing step: obtain biological information, and the biological information of obtaining is quantized, the biological information of logarithm value is encrypted, and the data dispersion treatment after encrypting is formed to three above data blocks, each data block is stored into respectively in different storage devices, and each data block does not all comprise the partial data of biological information; Verification step: obtain the data that a plurality of storage devices are stored, the data that obtain are merged, by the data deciphering after merging, the data after the biological information of the data after deciphering and identity-validation device acquisition is quantized contrast, according to the authenticity of comparing result identity verification.

From such scheme, because each data after quantizing can not be stored in single storage device, but store into respectively on a plurality of storage devices after disperseing, can effectively avoid so a certain storage device attacked and cause complete data to be revealed, improve the fail safe of data storage.And, because individual's complete biological information is not easy to be revealed, therefore can effectively protect personal information, reduce the risk that personal information is revealed.

Accompanying drawing explanation

Fig. 1 is the structured flowchart of authentication system of the present invention.

Fig. 2 is that in auth method of the present invention, biological information is obtained and the flow chart of storing step.

Fig. 3 is the flow chart of verification step in auth method of the present invention.

Below in conjunction with drawings and Examples, the invention will be further described.

Embodiment

Authentication system of the present invention is for the authentication of entry-exit management department to inward and outward personnel, and auth method is mainly applied above-mentioned authentication system inward and outward personnel's identity is verified.Certainly, authentication system can also be applied in other occasions that need to carry out authentication, as the office space of the national treasury of bank, office, secret department of government, only allow club that member enters etc.

Authentication system of the present invention need to obtain people's biological information, comprise finger print information or iris information, finger print information can obtain by fingerprint scanner, iris information can obtain by iris scanner, fingerprint scanner and iris scanner are all common prior aries, and the present invention no longer elaborates.

Referring to Fig. 1, authentication system of the present invention has that finger print information obtains and storage device 10 and demo plant 15, finger print information obtains and storage device 10 has finger print information acquisition module 11 and dispersion treatment module 12, and demo plant 15 has data acquisition module 16, data merge module 17, data recovery module 18 and authentication module 19.

Finger print information acquisition module 11 can obtain the fingerprint image that fingerprint scanner generates, and fingerprint image is quantized, and be about to image and convert numerical data to, and the characteristic information taking the fingerprint.Dispersion treatment module 12 is for carrying out dispersion treatment to form three above data blocks to the data of obtaining, each data block does not all comprise complete finger print information, obtains arbitrary data block and all cannot generate complete finger print information.Meanwhile, dispersion treatment module 12 also stores a plurality of data blocks respectively in different storage devices.

As shown in Figure 1; dispersion treatment module 12 stores a plurality of data blocks respectively at least three storage devices 21,22,23; preferably; a plurality of storage devices 21,22,23 are for being arranged on three different local memories; and a plurality of storage devices 21,22,23 are applied respectively different data safe processing technology data are carried out to safeguard protection, to avoid a plurality of storage devices 21,22,23 simultaneously under attack.For example, three partial datas are stored in respectively on storage chip, the server of entry-exit management department and the server of public security department of people's identity card.

Certainly, data after encryption disperse to form more data block, as five, and three data blocks are wherein stored into respectively in storage chip, the server of entry-exit management department and the server of public security department of people's identity card, the standby block that two other data block is recovered as data, standby block can be stored in the special server of entry-exit management department, and this server only have in specific situation could be accessed.

The data acquisition module 16 of demo plant 15 is for obtaining data from a plurality of different storage devices 21,22,23, and that as obtained from card reader of ID card, is read is stored in the data in identity card storage chip.

Data merge module 17 for the data of obtaining are merged, and the data after merging are the data of biological information through quantizing and obtaining.Certainly, once the data that any storage device is stored are modified, data merge makes mistakes, and the data that data recovery module 18 utilizes at least three storage devices to store are carried out data recovery, and the data after recovering are stored into respectively in a plurality of storage devices.

Authentication module 19 receives the data that finger print information obtains equipment 20, and finger print information obtains equipment 20 for fingerprint scanner, scanning people's fingerprint image, and fingerprint image is quantized, characteristic information takes the fingerprint.Meanwhile, 19 pairs of authentication modules obtain data that equipment 20 obtains and data from finger print information and merge the data that module 17 obtains and contrast, if comparing result is that two data are identical, and authentication success, otherwise authentication is failed.

Below, in conjunction with Fig. 2, illustrate that finger print information obtains and the workflow of storage device 10.First, finger print information acquisition module 11 obtains finger print information, performs step S1, and fingerprint scanner scanning people's fingerprint image, then performs step S2, and fingerprint image is quantized, and characteristic information takes the fingerprint.Then, execution step S3, is encrypted the data that obtain.The present invention can adopt iterative replacement encryption method or numeral displacement encryption method to realize and encrypt, and also can realize in conjunction with both encryption methods.

Iterative replacement encryption method is the numerical iteration that application Ruffini theorem realizes.Introduce the data theory of iterative cryptographic method below.Suppose σ be by set 1,2,3 ..., M}, to self a function, claims that σ is an arrangement in this set.If σ is one-one function, to any j ₁, j ₂∈ 1,2,3 ..., M}, if σ is (j ₁)=σ (j ₂), perseverance has j ₁=j ₂.The application defines S _mfor 1,2 ..., what the upper all arrangements of M} formed closes.

Set 1,2,3 ..., and arrangement on M} always total Individual, suppose M=10, set 1,2,3 ..., the arrangement on 10} just has 3628800.Suppose σ ∈ S _m, j ∈ 1,2,3 ..., M}, sets σ ⁰(j)=j, σ ^k+1(j)=σ (σ ^k(j)), k=0 wherein, 1,2 ..., there is a minimum positive integer k _minmake k _min≤ M and the application defines k _minfor integer j is to arranging the iteration cycle of σ, and be designated as T _j.

According to above-mentioned theory, Ruffini theorem is as follows: known σ ∈ S _m, and set T _σfor minimum positive integer, make all j=1,2 ..., M, meets σ ^t(j)=j, T _σto arrange all iteration cycle T of σ ₁, T ₂..., T _mleast common multiple, and T _σbe called the rank of arranging σ.

If σ ∈ is S _m, and j ₁=1, make j ₂for being less than or equal to M again not at A ₁in minimum positive integer, establish and j ₃for being less than or equal to M again not at A ₁and A ₂in minimum positive integer, establish go on doing to limited step like this, always and stop.

If can infinitely continue and A _ielement number be not less than 1, be impossible like this because 1,2 ..., M} is finite aggregate.Therefore, can obtain a limited sequence of sets A ₁, A ₂..., A _r.Set A _ielement number be $T_{j_i}(i=\mathrm{1,2},...,r),$ ? $M=T_{j_1}+T_{j_2}+...+T_{j_r}$ And T _σalso be $T_{j_1},T_{j_2},...,T_{j_r}$ Least common multiple.The pattern that the application defines arrangement σ is

For example, suppose S ₁₀the iteration cycle that is and supposes without loss of generality pattern is that descending order is arranged, set 1,2 ..., on 10}, meet again T ₁>=5 possible patterns, have

(10)

(9)(1)

(8)(2)，(8)(1)(1)

(7)(3)，(7)(2)(1)，(7)(1)(1)(1)

(6)(4)，(6)(3)(1)，(6)(2)(2)，(6)(2)(1)(1)，(6)(1)(1)(1)(1)

(5)(5)，(5)(4)(1)，(5)(3)(2)，(5)(3)(1)(1)，(5)(2)(2)(1)，(5)(2)(1)(1)(1)，(5)(1)(1)(1)(1)(1)

Visible, the maximum of the corresponding least common multiple of above pattern is 5 * 3 * 2=30, and it is to be provided by pattern (5) (3) (2).Work as T ₁during < 5, the possible numerical value of each iteration cycle is 1,2,3 and 4, so its corresponding least common multiple must be less than 3 and 4 least common multiple 12.Therefore at S ₁₀in, take the arrangement that (5) (3) (2) are pattern, its rank are maximum and equal 30.For example

j	1	2	3	4	5	6	7	8	9	10
											σ(j)	2	3	4	5	1	7	8	6	10	9

Arrange the rank T of σ _σ=30.The modal representation of σ is (12345) (678) (9 10).

Binary data after finger print information is quantized is considered as a binary character string, applies above-mentioned pattern the numerical value of binary character string is carried out to permutation and combination, can change the order of each character of character string, thereby realizes the encryption to data.

Numeral displacement encryption method is a kind of encryption method that letter or character are rearranged.For example utilize typewriter coding art, do not need to key in desired letter, but input is a key of this letter correspondence, the so just input of realization to required input alphabet.For example, the letter of required input is " I love you ", by numeral, replaces, and only needs input " 8o9f3697 ".Numeral displacement encryption method is exactly that the mode of replacing other characters in former data by specific character realizes.

Certainly, during practical application, can also have more encryption method, existing common encryption method all can realize the encryption of the finger print information after logarithm value.

Then, dispersion treatment module 12 execution step S4, carry out dispersion treatment to the data after encrypting, and are about to data and change, and form and are no less than a plurality of data blocks that need storage device quantity.For example, the quantity of storage device is three, and the quantity of the data block forming is no less than three, if storage device is quantity, is five, and the quantity of the data block forming is no less than five.

Introduce the mathematical theory basis of data being carried out to dispersion treatment below.

Suppose (x ₀, y ₀), (x ₁, y ₁) and (x ₂, y ₂) be 3 points in real domain, and meet x ₀, x ₁and x ₂different, for One-place 2-th Order function f (x)=a ₀+ a ₁(x-x ₀)+a ₂(x-x ₀) (x-x ₁), as meet the following conditions: a ₀, a ₁and a ₂unknown constant, and

f(x ₀)＝a ₀

f(x ₁)＝a ₀+a ₁(x ₁-x ₀)

f(x ₂)＝a ₀+a ₁(x ₂-x ₀)+a ₂(x ₂-x ₀)(x ₂-x ₁)

Utilize method of substitution solution, can calculate

$a_0=y_0,a_1=\frac{y_1-y_0}{x_1-x_0},a_2=\frac{1}{x_2-x_0}[\frac{y_2-y_0}{x_2-x_0}-\frac{y_1-y_0}{x_1-x_0}].$

Therefore, can obtain newton's multinomial

$f\left(x\right)=y_0+\frac{y_1-y_0}{x_1-x_0}(x-x_0)+\frac{1}{x_2-x_0}[\frac{y_2-y_0}{x_2-x_0}-\frac{y_1-y_0}{x_1-x_0}](x-x_0)(x-x_1).$

If x=0, has

$f\left(0\right)=y_0-\frac{y_1-y_0}{x_1-x_0}\left(x_0\right)+\frac{x_0{x}_1}{x_2-x_0}[\frac{y_2-y_0}{x_2-x_0}-\frac{y_1-y_0}{x_1-x_0}]$

Known, f (0) is the intercept of quadratic function f namely.

Set real number m ₁and m ₂and meet 1 < m ₁< m ₂, the application defines the even (m of order ₁, m ₂) be key to (key pair), and define α β for position right.If the value of α and β is 0 or 1, to any position to α β, definition quadratic function f _{α β}for

And for the variable x under real domain, can obtain form below:

α	β	fαβ(x)	fαβ(0)
				0	0	f 00(x)＝(x-1)(x-1)	f 00(0)＝1
1	0	f 10(x)＝(x-m 1)(x-1)	f 10(0)＝m 1
				0	1	f 01(x)＝(x-1)(x-m 2)	f 01(0)＝m 2
1	1	f 11(x)＝(x-m 1)(x-m 2)	f 11(0)＝m 1m 2

Due to 1, m ₁, m ₂and m ₁m ₂different each other, therefore position is to α β and f _{α β}(0), i.e. function f _{α β}intercept be corresponding one by one.Therefore the application defines associated key to (m ₁, m ₂) lookup table (Look up table) as follows:

α	β	fαβ(0)
			0	0	1
1	0	m 1
			0	1	m 2
1	1	m 1m 2

Wherein, $f_{\mathrm{\&alpha;\&beta;}}\left(x\right)=(x-m_1^{\mathrm{\&alpha;}})(x-m_2^{\mathrm{\&beta;}}).$

For example, set m ₁=2, m ₂=3, key to the lookup table of (2,3) is

α	β	fαβ(0)
			0	0	1
1	0	2
			0	1	3
1	1	6

And f _{α β}(x)=(x-2 ^α) (x-3 ^β).

The process that the mathematical theory that introduction application is below introduced is above changed binary character string.

If N is a positive integer, s is that length is the binary character string of 2N.If there is s=α ₁β ₁α ₂β ₂α _nβ _n, and α _kand β _kvalue be 0 or 1.

Preset key to (m ₁, m ₂), and set c ₁, c ₂..., c _mfor M different real number, and M > 3.In the application, M is the quantity of the data block that is divided into of data, and because data merge the needs that recover with data, the value of M is at least 3, and M is positive integer.The binary character string s=α that is 2N for length ₁β ₁α ₂β ₂α _nβ _n, s with respect to key to (m ₁, m ₂) and the sequence of integer M be a M the sequence C that N * 2 matrix forms ₁, C ₂..., C _m, and meet

$C_j=\left[\begin{array}{cc}{c}_j& f_1\left(c_j\right)\\ c_j& f_2\left(c_j\right)\\ .& .\\ .& .\\ .& .\\ c_j& f_N\left(c_j\right)\end{array}\right]$

And j=1,2 ..., M, and

For example, establish (m ₁, m ₂)=(2,3), M=5, c _j=j (j=1,2,3,4,5).If binary character string s is α ₁β ₁α ₂β ₂α ₃β ₃α ₄β ₄=00101101, j the data block C of s _jbe one 4 * 2 matrixes, this matrix is as follows:

$C_j=\left[\begin{array}{cc}j& f_1\left(c_j\right)\\ j& f_2\left(c_j\right)\\ j& f_3\left(c_j\right)\\ j& f_4\left(c_j\right)\end{array}\right]=\left[\begin{array}{cc}j& {(j-1)}^2\\ j& (j-2)(j-1)\\ j& (j-2)(j-3)\\ j& (j-1)(j-3)\end{array}\right]$

Wherein, j=1,2,3,4,5.Therefore, can calculate five matrixes as follows:

$C_1=\left[\begin{array}{cc}1& 0\\ 1& 0\\ 1& 2\\ 1& 0\end{array}\right],C_2=\left[\begin{array}{cc}2& 1\\ 2& 0\\ 2& 0\\ 2& -1\end{array}\right],C_3=\left[\begin{array}{cc}3& 4\\ 3& 2\\ 3& 0\\ 3& 0\end{array}\right],C_4=\left[\begin{array}{cc}4& 9\\ 4& 6\\ 4& 2\\ 4& 3\end{array}\right],C_5=\left[\begin{array}{cc}5& 16\\ 5& 12\\ 5& 6\\ 5& 8\end{array}\right].$

In above-mentioned matrix, there is unique negative value in second matrix, for convenience of calculation, can modify to quadratic function, for example

$C_j=\left[\begin{array}{cc}j& f_1\left(c_j\right)\\ j& f_2\left(c_j\right)\\ j& f_3\left(c_j\right)\\ j& f_4\left(c_j\right)\end{array}\right]=\left[\begin{array}{cc}j& {(j-1)}^2+1\\ j& (j-2)(j-1)+1\\ j& (j-2)(j-3)+1\\ j& (j-1)(j-3)+1\end{array}\right],$

C _jevery positive integer that is.

Suppose that the binary data that finger print information is obtained after quantizing is considered as a binary character string s, the binary character string that can to apply above-mentioned method be 2N by length converts M matrix to, and each matrix is exactly to disperse the data block that obtains.While converting binary character string to a plurality of data block, be actually using each numerical value of binary character string and key to the parameter as One-place 2-th Order function a file of compute matrix.

Finally, dispersion treatment module 12 execution step S5, store a plurality of matrixes respectively in a plurality of storage devices.

Below in conjunction with Fig. 3, introduce the workflow of demo plant.First, authentication module 19 obtains the data that finger print information obtains equipment 20, performs step S11, and fingerprint scanner scans fingerprint, obtains fingerprint image, and performs step S12, fingerprint image is quantized, and the characteristic information taking the fingerprint.

Meanwhile, data acquisition module 16 execution step S13, obtain data from least three storage devices, and data merge module 17 execution step S14, and the data of obtaining are merged.Introduce the detailed process that data merge below.

The key using while first, obtaining data dispersion is to (m ₁, m ₂) and corresponding One-place 2-th Order function, suppose any three different data blocks of binary character string s and as follows

$C_{j_1}=\left[\begin{array}{cc}{c}_{j_1}& f_1\left(c_{j_1}\right)\\ c_{j_1}& f_2\left(c_{j_1}\right)\\ .& .\\ .& .\\ .& .\\ c_{j_1}& f_N\left(c_{j_1}\right)\end{array}\right],C_{j_2}=\left[\begin{array}{cc}{c}_{j_2}& f_1\left(c_{j_2}\right)\\ c_{j_2}& f_2\left(c_{j_2}\right)\\ .& .\\ .& .\\ .& .\\ c_{j_2}& f_N\left(c_{j_2}\right)\end{array}\right],C_{j_3}=\left[\begin{array}{cc}{c}_{j_3}& f_1\left(c_{j_3}\right)\\ c_{j_3}& f_2\left(c_{j_3}\right)\\ .& .\\ .& .\\ .& .\\ c_{j_3}& f_N\left(c_{j_3}\right)\end{array}\right]$

Set and collect matrix (collector matrix) the k capable (row) that wherein collects matrix K is designated as K _k, have $K_k=[c_{j_1},f_k\left(c_{j_1}\right),c_{j_2},f_k\left(c_{j_2}\right),c_{j_3},f_k\left(c_{j_3}\right)].$

Set k=1, and the length character string s that is 2N _r=s ₁s ₂s ₃s ₄s _2N-1s _2Nevery is 0, and the k that reads collection matrix K is capable for by K _kthree dissimilaritys that read and can calculate:

$f_k\left(0\right)=f_k\left(c_{j_1}\right)-\frac{f_k\left(c_{j_2}\right)-f_k\left(c_{j_1}\right)}{c_{j_2}-c_{j_1}}\left(c_{j_1}\right)+\frac{1}{c_{j_3}-c_{j_1}}[\frac{f_k\left(c_{j_3}\right)-f_k\left(c_{j_1}\right)}{c_{j_3}-c_{j_1}}-\frac{f_k\left(c_{j_2}\right)-f_k\left(c_{j_1}\right)}{c_{j_2}-c_{j_1}}]\left(c_{j_1}\right)\left(c_{j_2}\right)$

Can calculate like this quadratic function f through three dissimilaritys _kintercept.

Then, according to key to (m ₁, m ₂) lookup table search the corresponding character of intercept that above-mentioned steps calculates to α β.Then, set s _2k-1=α and s _2k=β, calculates the numerical value of two characters in character string.So double counting, until k=N, output string s _r.As character string, do not calculate completely, make k=k+1 and continue to calculate.

For example, the key of character string is to being (2,3), c _j=j, j=1,2,3,4,5, there are 5 data blocks.Suppose to obtain that wherein three data blocks are as follows:

$C_{j_1}=C_1=\left[\begin{array}{cc}1& 0\\ 1& 0\\ 1& 2\\ 1& 0\end{array}\right],C_{j_2}=C_3=\left[\begin{array}{cc}3& 4\\ 3& 2\\ 3& 0\\ 3& 0\end{array}\right],C_{j_3}=C_4=\left[\begin{array}{cc}4& 9\\ 4& 6\\ 4& 2\\ 4& 3\end{array}\right]$

Collect matrix K as follows:

$K=\left[\begin{array}{cccccc}1& 0& 3& 4& 4& 9\\ 1& 0& 3& 2& 4& 6\\ 1& 2& 3& 0& 4& 2\\ 1& 0& 3& 0& 4& 3\end{array}\right].$

Set the initial value of character string, each character of setting character string is 0, has s _r=s ₁s ₂s ₃s ₄s ₅s ₆s ₇s ₈=00000000, there is K ₁=[1 0344 9].Now can obtain (c ₁, f ₁(c ₁))=(1,0), (c ₃, f ₁(c ₃))=(3,4) and (c ₄, f ₁(c ₄))=(4,9) three dissimilaritys.Calculate f ₁intercept be $f_1\left(0\right)=-\frac{4}{3-1}+\frac{1}{4-3}[\frac{9}{4-1}-\frac{4}{3-1}]\&times;3=1.$

Search key as follows to the lookup table of (2,3):

α	β	f(0)
			0	0	1
1	0	2
			0	1	3
1	1	6

And according to function f (x)=(x-2 ^α) (x-3 ^β), can obtain f ₁(x)=(x-2 ⁰) (x-3 ⁰).Therefore can calculate s ₁=0, s ₂=0.Then, establish k=k+1, repeat said process until k > 4.Therefore, can calculate s ₃=1, s ₄=0, s ₅=1, s ₆=1, s ₇=0, s ₈=1.Finally calculate character string s _r=00101101, namely realized merging, the recovery of data.

As the data of each data block are not modified, can calculate intercept corresponding to collection matrix and all can in lookup table, find corresponding numerical value, namely in character string S, the value of each character is 0 or 1.Once a certain data block is modified, collect intercept corresponding to matrix and can not in lookup table, find corresponding numerical value, namely cannot calculate the value of each character in character string, data merge unsuccessfully.

Therefore,, in step S15, data merge module can judge whether data merging makes mistakes, as do not made mistakes, represent that data block is not modified, perform step S16, data after being combined are decrypted, the anti-process that the process of deciphering is ciphering process, thus obtain the data after deciphering.

As finger print information obtains and storage device 10 uses iterative cryptographic methods to be encrypted data, the anti-permutation and combination method that pushes away initial data of pattern of the permutation and combination that application generates, thus data are decrypted.As use digital encryption method to be encrypted, and according to the replacement corresponding relation of character, carry out contrary displacement, can realize deciphering.

In step S15, as judgement data merge unsuccessfully, represent that the data of at least one data block are modified, perform step S17, data are recovered.The process merging according to data is known, and data merge and do not need to obtain all data blocks, and only need three data blocks.Three data blocks that data recovering step applies storage in other storage devices calculate original data, and data are carried out as the dispersion treatment of step S4, thereby obtain the data block that stores each storage device into, storage device corresponding to the data block of recovery store respectively into.

As data are merged into merit, perform step S18, by authentication module 19, judge and data merge data after module 17 merges to obtain the data that equipment 20 obtains identical with finger print information, as two data consistents, by checking, execution step S19, output is by the information of authentication, otherwise, execution step S20, the information of output authentication failure.

The method according to this invention, the data of people's finger print information can't solely be stored on a storage device, even if some storage devices are attacked and caused data to be revealed, also can not reveal people's finger print information, and the fail safe of data improves greatly.In addition, even if the data of some memory device stores are modified, the data that also can store by other storage devices are recovered data rapidly, more can promote the fail safe of data.

Certainly, above-described embodiment is only preferably execution mode of the present invention, during practical application, can also have more change, and for example, the encryption of data, decryption method can be selected common encryption, decryption method now; Or, disperse the quantity of the data block of formation to increase and decrease according to actual conditions, such change also can realize object of the present invention.

Finally it is emphasized that and the invention is not restricted to above-mentioned execution mode, as the change of the One-place 2-th Order function of choosing, the right variations such as change also should be included in the protection range of the claims in the present invention to choose key.

Claims (10)

1. authentication system, comprising:

Biological information is obtained and storage device, comprises biological information acquisition module, for obtaining biological information, and the described biological information of obtaining is quantized;

It is characterized in that:

Described biological information is obtained and storage device also comprises dispersion treatment module, described biological information for logarithm value is encrypted, and the data dispersion treatment after encrypting is formed to three above data blocks, data block described in each is stored into respectively in different storage devices, and described in each, data block does not all comprise the partial data of described biological information;

Described authentication system also has demo plant, and described demo plant has

Data acquisition module, the data of storing for obtaining a plurality of described storage devices;

Data merge module, for the data that obtain are merged, and by the data deciphering after merging;

Authentication module, the data after the biological information of the data after deciphering and identity-validation device acquisition is quantized contrast, according to the authenticity of comparing result identity verification.

2. authentication system according to claim 1, is characterized in that:

When described dispersion treatment module forms a plurality of data block by the data dispersion treatment after encrypting, choose an One-place 2-th Order function and key pair, the binary numeral of the data after described encryption is converted to a plurality of matrixes that are no less than described storage device quantity, the value of a file of each matrix for take described key to and the value of the described binary numeral described One-place 2-th Order function that is parameter, using described in each matrix as a described data block.

3. authentication system according to claim 2, is characterized in that:

When described data merging module merges data, the initial value of the matrix of described data acquisition module acquisition is set, and calculate the intercept of the described One-place 2-th Order function that matrix is corresponding described in each, according to the right lookup table of described key, find out binary numeral corresponding to described intercept.

4. according to the authentication system described in claims 1 to 3 any one, it is characterized in that:

Described demo plant is also provided with data recovery module, merges module data are merged while makeing mistakes in described data, and the data of storing according to three described storage devices generate the data after described biological information encryption, and by described data dispersion treatment.

5. according to the authentication system described in claims 1 to 3 any one, it is characterized in that:

Described dispersion treatment module application iterative replacement encryption method and/or numeral displacement encryption method realize encrypts described biological information.

6. auth method, comprises

Biological information is obtained and storing step: obtain biological information, and the described biological information of obtaining is quantized;

It is characterized in that:

The described biological information of logarithm value is encrypted, and the data dispersion treatment after encrypting is formed to three above data blocks, data block described in each is stored into respectively in different storage devices, and described in each, data block does not all comprise the partial data of described biological information;

Verification step: obtain the data that a plurality of described storage devices are stored, the data that obtain are merged, by the data deciphering after merging, the data after the biological information of the data after deciphering and identity-validation device acquisition is quantized contrast, according to the authenticity of comparing result identity verification.

7. auth method according to claim 6, is characterized in that:

Described biological information obtain and storing step in, the step that data dispersion treatment after encrypting is formed to a plurality of data blocks is: choose an One-place 2-th Order function and key pair, the binary numeral of the data after described encryption is converted to a plurality of matrixes that are no less than described storage device quantity, the value of a file of each matrix for take described key to and the value of the described binary numeral described One-place 2-th Order function that is parameter, using described in each matrix as a described data block.

8. auth method according to claim 7, is characterized in that:

In described verification step, the step that data are merged comprises: the initial value that the matrix of described data acquisition module acquisition is set, and calculate the intercept of the described One-place 2-th Order function that matrix is corresponding described in each, according to the right lookup table of described key, find out binary numeral corresponding to described intercept.

9. according to the auth method described in claim 6 to 8 any one, it is characterized in that:

Described verification step is also provided with data recovering step, and after data merging makes mistakes, the data of storing according to three described storage devices generate the data after described biological information is encrypted, and the data after described biological information is encrypted are carried out dispersion treatment.

10. according to the auth method described in claim 6 to 8 any one, it is characterized in that:

Described encryption method is iterative replacement encryption method and/or numeral displacement encryption method.