Summary of the invention
The technical problem to be solved in the present invention is to provide a kind of use safety, improves method, the Apparatus and system of biometric identification security reliably.
For solving the problems of the technologies described above, the invention provides technical scheme as follows:
Improve a method for biometric identification security, comprising:
Host computer generates expressly;
Host computer is encrypted the plaintext generated, and obtains ciphertext;
Plaintext and ciphertext are sent to the master chip of outside living things feature recognition equipment by host computer simultaneously;
The plaintext received and ciphertext are transmitted to the encryption chip of this living things feature recognition equipment by the master chip of living things feature recognition equipment;
Described encryption chip is decrypted process to the ciphertext received, and obtains expressly;
The plaintext that the plaintext received and deciphering obtain is carried out comparing by described encryption chip, and sends to described master chip after being encoded by comparison result;
The comparison result received is transmitted to host computer by described master chip;
The comparison result received is carried out decoding process by host computer, thus judges living things feature recognition equipment whether pass through by certification.
A kind of host computer, comprising:
Expressly generation module, for generating expressly;
Encrypting module, for being encrypted the plaintext generated, obtains ciphertext;
Sending module, for sending to the master chip of outside living things feature recognition equipment simultaneously by plaintext and ciphertext;
Authentication module: the comparison result for receiving carries out decoding process, thus judges living things feature recognition equipment whether pass through by certification.
A kind of living things feature recognition equipment, comprises master chip and encryption chip, wherein:
Described master chip comprises:
Forwarding module, for being transmitted to the encryption chip of this living things feature recognition equipment and the comparison result received being transmitted to host computer by the plaintext received and ciphertext;
Described encryption chip comprises:
Deciphering module, for being decrypted process to the ciphertext received, obtains expressly;
Data processing module, carries out comparing for the plaintext plaintext received and deciphering obtained, and sends to described master chip after being encoded by comparison result.
Improve a system for biometric identification security, comprise above-mentioned host computer and above-mentioned living things feature recognition equipment.
The present invention has following beneficial effect:
Compared with prior art, present invention achieves the certification of host computer to living things feature recognition equipment, prevent the bio-identification external device between client phase double replacement or after losing by phenomenon that other people maliciously use, add encryption chip simultaneously, the encryption of high reliability can be carried out to the data be stored in encryption chip, make the data of need to be keep secret be difficult to illegally be stolen, improve the fail safe of biological recognition system use, reliability.
Embodiment
For making the technical problem to be solved in the present invention, technical scheme and advantage clearly, be described in detail below in conjunction with the accompanying drawings and the specific embodiments.
On the one hand, the invention provides a kind of method improving biometric identification security, as shown in Figure 1, comprising:
Step S101: host computer generates expressly;
In this step, the plaintext that host computer produces can be made each all different, strengthens the fail safe of data communication.
Step S102: host computer is encrypted the plaintext generated, and obtains ciphertext;
In this step, adopt cryptographic algorithm to be encrypted described plaintext, achieve and the reliable of cleartext information is hidden.
Step S103: plaintext and ciphertext are sent to the master chip of outside living things feature recognition equipment by host computer simultaneously;
In this step, the communication between host computer and living things feature recognition equipment can adopt the various communication meanss that engineering field is conventional, as usb communication, CAN communication or Ethernet etc.
Step S104: the plaintext received and ciphertext are transmitted to the encryption chip of this living things feature recognition equipment by the master chip of living things feature recognition equipment;
In this step, the master chip in living things feature recognition equipment and the communication interface between encryption chip can adopt communication interface conventional in processor chips, as IIC, SCI or SPI etc.
Step S105: encryption chip is decrypted process to the ciphertext received, obtains expressly;
In this step, encryption chip adopts the decipherment algorithm corresponding with cryptographic algorithm to be decrypted ciphertext.
Step S106: the plaintext that the plaintext received and deciphering obtain is carried out comparing by encryption chip, and send to described master chip after being encoded by comparison result;
In this step, what the plaintext that encryption chip receives and deciphering obtained is expressly two string datas, character string comparison function stricmp can be adopted in the present invention to realize comparing, obtaining comparison result is 0 or non-zero, wherein, 0 to represent two data the same, and non-zero to represent two data different.
Step S107: the comparison result received is transmitted to host computer by master chip;
Step S108: the comparison result received is carried out decoding process by host computer, thus judges living things feature recognition equipment whether pass through by certification.
In the present invention, the plaintext that host computer issues living things feature recognition equipment is each all different, has very large randomness.After system electrification, system performs the verification process of host computer to living things feature recognition equipment immediately, prevent the living things feature recognition equipment between client phase double replacement or lose after by the phenomenon that other people maliciously use, ensure that the fail safe of host computer and living things feature recognition devices communicating.
In the present invention, encryption chip issues host computer after comparison result is carried out encoding and decoding process, encoding and decoding processing procedure is the encryption and decryption communication process of hardware device and host computer, namely the data on communication link are not plaintext transmission, data send to host computer after needing to use session key, host computer uses session key data decryption after receiving enciphered data, thus the plaintext data that restore hardware equipment sends, wherein, the secret key of session can adopt encrypted private key private key to decipher, encrypted private key public key decryptions, public key encryption private key is deciphered, in public key encryption public key decryptions four kinds of forms any one.
As a modification of the present invention, as shown in Figure 2, also comprise after step 8:
Step S201: encryption chip generates expressly;
In this step, in order to strengthen the fail safe of reverse certification, the plaintext that encryption chip is produced can be undertaken putting upside down or plus and minus calculation generation by the plaintext received;
Step S202: encryption chip is encrypted the plaintext generated, and obtains ciphertext;
Step S203: plaintext and ciphertext are sent to master chip by encryption chip simultaneously;
Step S204: the plaintext received and ciphertext are transmitted to host computer by master chip;
Step S205: host computer is decrypted process to the ciphertext received, obtains expressly;
Step S206: the plaintext that the plaintext received and deciphering obtain is carried out comparing by host computer, and send to master chip after being encoded by comparison result;
Step S207: the comparison result received is transmitted to encryption chip by master chip;
Step S208: the comparison result received is carried out decoding process by encryption chip, thus judges host computer whether pass through by certification.
By mutual certification, host computer in system just must can guarantee that the pairing of the two uses to calling of living things feature recognition equipment at every turn, in the present embodiment, achieve the two-way hardware certification of biological recognition system, only has mutual authentication success, system could normally work, and ensure that the fail safe of information exchanging process.
In order to prevent data in transmitting procedure, illegally understood the information leakage caused, step 1 is further: host computer utilizes local date-time information (date Hour Minute Second) of system, as 12: 12: 12 on the 26th March in 2015, temporal information and user authorization code (each client is unique) composition character string, and the data of 16 byte lengths are generated as plaintext through hash algorithm md5 encryption to this character string;
Step 2 is further:
SDK adopts local aes algorithm or DES algorithm, and the plaintext combining the double secret key generation prestored is encrypted, and obtains the ciphertext of 16 byte lengths;
Step 5 is further:
Encryption chip adopts aes algorithm or DES algorithm, and the ciphertext combining 16 byte lengths that the double secret key that prestores receives is decrypted process, obtains the plaintext of 16 byte lengths.
Key in the present invention, the management of a customer ID can be done, different client distributes different customer IDs, the tool of production inputs customer ID, instrument produces a firmware length data through computing, these data as the key of identifying procedure, in the equipment that key needs download online to arrive to have produced (firmware programming).
As the authenticate reverse of biological recognition system, principle is identical with above-mentioned verification process, and at living things feature recognition equipment in the verification process of host computer, step 9 is further:
Host computer is carried out XOR to the plaintext generated during living things feature recognition device authentication by encryption chip, produces the data of 16 byte lengths as plaintext;
Step 10 is further:
Encryption chip adopts aes algorithm or DES algorithm, and the plaintext combining the double secret key generation prestored is encrypted, and obtains the ciphertext of 16 byte lengths;
Step 13 is further:
Host computer adopts local aes algorithm or DES algorithm, and the ciphertext combining 16 byte lengths that the double secret key that prestores receives is decrypted process, obtains the plaintext of 16 byte lengths.
In order to strengthen the fail safe of host computer and living things feature recognition devices communicating in biometric identification process, at least one bio-identification algorithm is employed in the living creature characteristic recognition system of host computer and living things feature recognition equipment composition, bio-identification algorithm at least comprises the first calculating process, the second calculating process and the 3rd calculating process that associate successively, and the method also comprises:
Host computer runs the first calculating process, obtains the first operation result, and the first operation result is sent to encryption chip;
Encryption chip runs the second calculating process in conjunction with the first operation result, obtains the second operation result, and the second operation result is sent to host computer;
Host computer runs the 3rd calculating process in conjunction with the second operation result.
In the present invention, in the safe handling scheme of host computer and living things feature recognition equipment, bio-identification algorithm is divided into three sections, two sections in host computer, another section is in encryption chip.As shown in Figure 3, be described for Algorithm of Iris Recognition, Algorithm of Iris Recognition is divided into iris detection, Iris Location, extraction characteristic sum iris comparison four parts, in order to ensure the safety of algorithm, the carrying out of each part of algorithm is split.
On the other hand, corresponding with above-mentioned method, the invention provides a kind of host computer 1, as shown in Figure 4, comprising:
Expressly generation module 11, for generating expressly;
Encrypting module 12, for being encrypted the plaintext generated, obtains ciphertext;
Sending module 13, for sending to the master chip of outside living things feature recognition equipment 2 simultaneously by plaintext and ciphertext;
Authentication module 14, the comparison result for receiving carries out decoding process, thus judges living things feature recognition equipment whether pass through by certification.
In the present invention, the plaintext that host computer 1 issues living things feature recognition equipment 2 is each all different, and it produces a random data by internal processes, adds that local zone time and date and time information draw through computing, have very large randomness.After system electrification, system performs the verification process of host computer 1 pair of living things feature recognition equipment 2 immediately, prevent the living things feature recognition equipment 2 between client phase double replacement or lose after by the phenomenon that other people maliciously use, ensure that the fail safe that host computer 1 communicates with living things feature recognition equipment 2.
In order to realize the reverse certification of living things feature recognition equipment 2 pairs of host computers 1, also comprise:
Deciphering module, for being decrypted process to the ciphertext received, obtains expressly;
Data processing module, carries out comparing for the plaintext plaintext received and deciphering obtained, and sends to described master chip after being encoded by comparison result.
Again on the one hand, corresponding with above-mentioned method, the present invention also provides a kind of living things feature recognition equipment 2, as shown in Figure 5, comprises master chip 21 and encryption chip 22, wherein:
Master chip 21 comprises:
Forwarding module 211, for being transmitted to the encryption chip 22 of this living things feature recognition equipment 2 and the comparison result received being transmitted to host computer 1 by the plaintext received and ciphertext;
Encryption chip 22 comprises:
Deciphering module 221, for being decrypted process to the ciphertext received, obtains expressly;
Data processing module 222, carries out comparing for the plaintext plaintext received and deciphering obtained, and sends to master chip 21 after being encoded by comparison result.
In the present invention, master chip 21 and encryption chip 22 can coordinate host computer 21 to realize the verification process of host computer 1 pair of living things feature recognition equipment 2.Compared with prior art, invention increases encryption chip 22, the encryption of high reliability can be carried out the data being stored in encryption chip 22 li, make the data of need to be keep secret be difficult to illegally be stolen, improve the fail safe of biological recognition system use, reliability.
In order to realize the reverse verification process of living things feature recognition equipment 2 pairs of host computers 1:
Encryption chip 22 also comprises:
Expressly generation module: for generating expressly;
Encrypting module: for being encrypted the plaintext generated, obtain ciphertext;
Sending module: for plaintext and ciphertext are sent to described master chip simultaneously;
Authentication module: the comparison result for receiving carries out decoding process, thus judges host computer whether pass through by certification;
Master chip 21 also comprises:
Forwarding module: for the plaintext received and ciphertext being transmitted to host computer 1 and the comparison result received being transmitted to encryption chip 22.
Again on the one hand, present invention also offers a kind of system improving biometric identification security, comprise above-mentioned host computer 1 and above-mentioned living things feature recognition equipment 2.
In the present invention, by host computer 1 and living things feature recognition equipment 2 with the use of, the certification of host computer 1 pair of living things feature recognition equipment 2 and the reverse certification of living things feature recognition equipment 2 pairs of host computers 1 can be realized.Effectively prevent host computer 1 or living things feature recognition equipment 2 phase double replacement or lose after by the phenomenon that other people maliciously use, ensure that the fail safe that host computer 1 communicates with living things feature recognition equipment 2.
In the present invention, employ at least one bio-identification algorithm in system, bio-identification algorithm at least comprises the first calculating process, the second calculating process and the 3rd calculating process that associate successively;
Host computer 1 also comprises:
First computing module, for running described first calculating process, obtains the first operation result, and the first operation result is sent to encryption chip 22;
Encryption chip 22 also comprises:
Second computing module, for running described second calculating process in conjunction with described first operation result, obtaining the second operation result, and described second operation result is sent to host computer 1;
Host computer 1 also comprises:
3rd computing module, for running the 3rd calculating process in conjunction with described second operation result.
When the two-way authentication of system is passed through, system can carry out normal biometric identification process.Use safely in biometric identification process in order to ensure system, system is divided into two parts complete bio-identification algorithm, and a part is integrated in the software algorithm of host computer 1, another part is embedded in encryption chip 22, after biological computation terminates, integrate, complete bio-identification and calculate.
The above is the preferred embodiment of the present invention; it should be pointed out that for those skilled in the art, under the prerequisite not departing from principle of the present invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.