CN105743648A - Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method - Google Patents
Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method Download PDFInfo
- Publication number
- CN105743648A CN105743648A CN201410751946.1A CN201410751946A CN105743648A CN 105743648 A CN105743648 A CN 105743648A CN 201410751946 A CN201410751946 A CN 201410751946A CN 105743648 A CN105743648 A CN 105743648A
- Authority
- CN
- China
- Prior art keywords
- fingerprint
- usbkey
- central server
- authentication
- described fingerprint
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Collating Specific Patterns (AREA)
Abstract
The invention, which belongs to the information security field, discloses a fingerprint USB KEY and fingerprint center server for identity authentication, and a system and method. The system comprises a fingerprint center server and a fingerprint USB KEY. A screen of the fingerprint USB KEY is pressed to carry out fingerprint collection; the collected fingerprints are compared respectively inside the fingerprint USB KEY and the fingerprint center server; a fingerprint comparison success result inside the fingerprint USB KEY is returned to the fingerprint center server; and when the fingerprint center server determines that a return result and a comparison result in the fingerprint center server are correct, a digital certificate instruction for invoking the fingerprint USB KEY is sent to the fingerprint USB KEY. According to the invention, dual-factor identity authentication is carried out by network fingerprint comparison and the network fingerprint authentication and the PKI system digital certificate authentication are independent of each other and are also associated with each other, so that the system security is substantially improved.
Description
Technical field
The present invention relates to field of information security technology, be specifically related to a kind of be applied to the fingerprint USBKEY of authentication, fingerprint central server and System and method for.
Background technology
The theoretical basis of USBKEY is PKI (PublicKEYInfrastructure, Public Key Infrastructure) security system, and it is a set of system solving open the Internet network information security demand in the world.PKI system supports authentication, information transmission, the integrity stored, message transmission, the confidentiality stored, and the non-repudiation of operation.The effect of " infrastructure ", it is simply that as long as deferring to the principle of necessity, different entities can be conveniently used the service that basis implements to provide.
The core of PKI is authentication center (CA, CertificateAuthority) and digital certificate.CA provides digital certificate such a proof of identification providing identity card just as public security bureau.PKI adopts the asymmetric encryption and decryption technology of RSA, utilizes digital certificate, it is possible to be encrypted and sign, the perfect demand for security solved under open the Internet network environment.
USBKEY is special hardware, includes computing chip, it is possible to complete various encryption and decryption computing, generates public/private keys pair, has hardware random number generator.USBKEY can store digital certificate and private key, and private key can only participate in computing inside USBKEY, it is impossible to is read out.USBKEY can prevent artificial destruction sexual assault.USBKEY is a kind of important application that terminal use participates in PKI security system, it is possible to complete authentication, data encrypting and deciphering, the confidentiality of guarantee transaction, integrity and non-repudiation.
When enabling USBKEY and participating in safe computing, it is necessary to the owner of UKEY inputs correct PIN code, so, even if taking others' USBKEY, if it is not known that PIN code, can not be traded equally.USBKEY needs to connect could use with PC.
Dynamic password is also referred to as dynamic password word, generally by hardware password generator automatically, dynamically produce.Inside this equipment, built-in chip and battery, had cured password generating algorithm in chip, and this algorithm is associated with time factor, and each password generator has unique 128 seed files.Seed file, in conjunction with specific Time synchronization algorithm, can produce a dynamic password in every 60 seconds.Each equipment is issued to different user, and requires that this user sets a PIN code when first this equipment of use.After, when every secondary input password, it is necessary to be simultaneously entered PIN code and add the combination of dynamic password namely dual factors password.
Certificate server is after the certification receiving authentication proxy's software is asked, it is only necessary to namely whether the dynamic password of comparison user input is consistent with the dynamic password of this equipment that certificate server produces can determine whether validated user.Visible, system rely on identical time+identical algorithms+identical seed file produced by the so simple extremely effective mode of identical operation result (dynamic password) to realize authentication.Therefore, need not any writing to each other between password generator and certificate server, its core is that time synchronized patented technology.Dynamic password adopts AES or 3DES symmetry encryption and decryption technology.Dynamic password mainly completes the authentication part in security system.Dynamic password need not connect with PC.
To sum up, USBKEY needs and PC is online, when needs input PIN code, exists by the possibility of assault;The shortcoming of dynamic password is mainly manifested in, and during running down of battery, equipment needs to reinitialize, and the product of different manufacturers can not be compatible.
Summary of the invention
In view of the above problems, propose the present invention so as to provide a kind of overcome the problems referred to above or at least in part solve the problems referred to above be applied to the fingerprint USBKEY of authentication, fingerprint central server and System and method for, carry out double factor authentication by network fingerprinting comparison, substantially increase the safety of system.
According to one aspect of the present invention, it is provided that a kind of fingerprint USBKEY being applied to authentication, including safety chip, storage chip, fingerprint sensor and peripheral chip group, also include:
Fingerprint comparison module, it is adaptable to call described fingerprint sensor and gather user fingerprints, and by the fingerprint of collection compared with the fingerprint stored before;
Fingerprint transmission module, it is adaptable to the fingerprint of described collection is passed to fingerprint central server, compared with the fingerprint of storage in fingerprint central server;
Fingerprint comparison result sending module, it is adaptable to internal for the described fingerprint USBKEY successful result of fingerprint comparison is sent to fingerprint central server;
Receive call instruction module, it is adaptable to when the fingerprint comparison result in described fingerprint USBKEY and fingerprint central server is all correct, receive the instruction calling himself digital certificate that fingerprint central server sends.
Further, fingerprint storage module is also included, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint USBKEY end.
Further, described safety chip is applicable to the computing dispatched with coordination and internal hardware IP kernel of the storage of die terminals program, MCU, and it includes memory block in COS file management system, MassStorage command processing module, USB transmission processing module, NANDFLASH document management module, AES processing module, Hardware I P kernel interface module, fingerprint algorithm processing module and sheet.
Further, described fingerprint sensor is capacitive fingerprint sensing device.
Further, described MassStorage command processing module realizes Bulk-only sub-protocol and the UFI sub-protocol of USBMassStorage agreement, it is achieved the fingerprint USBKEY that free drive is dynamic.
According to another aspect of the invention, it is provided that a kind of fingerprint central server being applied to authentication, including:
Fingerprint template memory element, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint center server;
Fingerprint receives unit, it is adaptable to described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of described fingerprint template memory element storage;
Fingerprint comparison result receives unit, it is adaptable to described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
Call instruction transmitting element, it is adaptable to when the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
According to another aspect of the present invention, provide a kind of identity authorization system based on fingerprint USBKEY, the fingerprint USBKEY arbitrary including preceding claim and arbitrary described fingerprint central server, described fingerprint central server and described fingerprint USBKEY electrical connection.
According to another aspect of the present invention, it is provided that the identity identifying method of a kind of fingerprint USBKEY, comprise the following steps:
Step (1), when use described fingerprint USBKEY time, user presses fingerprint on this fingerprint USBKEY, by the fingerprint of collection compared with the fingerprint prestored, and this fingerprint is passed to fingerprint central server, compared with the fingerprint of storage in fingerprint central server;
The internal successful result of fingerprint comparison of step (2), described fingerprint USBKEY is sent to fingerprint central server;
Step (3), when the fingerprint comparison result in described fingerprint USBKEY and fingerprint central server is all correct, described fingerprint USBKEY receives the instruction calling himself digital certificate that fingerprint central server sends.
Further, the collection carrying out user fingerprints in advance at described fingerprint USBKEY end the characteristic storage that takes the fingerprint also are included.
Further, further comprising the steps of after described step (3):
Step (4), described fingerprint USBKEY open storage chip after receiving the instruction calling self digital certificate;
Step (5), judge that described fingerprint USBKEY is used as KEY and is also used as USB flash disk;
Step (6) if described fingerprint USBKEY is used as USB flash disk, then carries out the safe read-write of data under the protection of the close algorithm of state;
Step (7) if described fingerprint USBKEY is used as KEY, then carries out digital certificate authentication.
Further, the fingerprint USBKEY in described step (7) is used as KEY, and the step carrying out digital certificate authentication includes:
Described fingerprint USBKEY is used as KEY and carries out digital certificate authentication;
Authentication result is passed to fingerprint central server;
The authentication result received is judged by fingerprint central server with twice fingerprint comparison result before;
If being all correct, then return to described fingerprint USBKEY by comparing the result passed through;
Described fingerprint USBKEY receive described in after the result passed through, it is possible to login system.
According to another aspect of the present invention, it is provided that the identity identifying method of a kind of fingerprint central server, comprise the following steps:
Described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of storage in described fingerprint central server;
Described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
When the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
Further, the collection carrying out user fingerprints in advance at described fingerprint center server the characteristic storage that takes the fingerprint also are included.
According to another aspect of the present invention, it is provided that a kind of identity identifying method, comprise the following steps:
Step (1), when using described fingerprint USBKEY, the screen pressing described fingerprint USBKEY carries out fingerprint collecting;
Step (2), will internal at described fingerprint USBKEY respectively for the fingerprint that gather in step (1) and described fingerprint central server be compared;
Step (3), the fingerprint comparison successful result within described fingerprint USBKEY is returned to described fingerprint central server;
Step (4), described fingerprint central server judge, when the comparison result in described return result and fingerprint central server is all correct, to send the digital certificate instruction calling fingerprint USBKEY self to described fingerprint USBKEY.
Further, the fingerprint gathered in described step (1), when transmitting to described fingerprint central server, is carry out under the protection of the close algorithm of state.
Further, the increasing or delete and completed by the professional with administrator right of fingerprint in described fingerprint central server, and same USBKEY can store the user fingerprints of more than a piece simultaneously.
Further, also including carrying out fingerprint collecting at described fingerprint center server and described fingerprint USBKEY end respectively, the feature that takes the fingerprint also stores.
The method have the advantages that the present invention proposes a kind of identity authorization system based on fingerprint USBKEY and method, fingerprint USBKEY, fingerprint central server, carrying out double factor authentication by network fingerprinting comparison, not only network authentication independent but also interrelated with PKI system digital certificate authentication.Wherein the result of fingerprint comparison is not return to fingerprint USBKEY, but returns to fingerprint central server, and time only the fingerprint comparison result in the comparing result of fingerprint central server and fingerprint USBKEY is all correct, digital certificate can open use.User uses the number of times pressing fingerprint during USBKEY to be only once.Both having made user add fingerprint in fingerprint USBKEY, but at server end, user cannot increase fingerprint voluntarily, the fingerprint USBKEY usurped also cannot by final certification.Safety is a lot of undoubtedly in safety for this mode.
And on the other hand, based on domestic cryptographic technique, fingerprint identification technology is combined with USBKEY technology and has the fingerprint USBKEY of encrypted U disk function concurrently, solve usual USBKEY especially to use PIN code that user carries out authentication to there is counterfeiting potential security risk, also effectively evaded simultaneously and fingerprint USBKEY lends the risk that other people use.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention, and can be practiced according to the content of description, and in order to above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.
Accompanying drawing explanation
By reading hereafter detailed description of the preferred embodiment, various other advantage and benefit those of ordinary skill in the art be will be clear from understanding.Figure of description is only for illustrating the purpose of preferred implementation, and is not considered as limitation of the present invention.It should be evident that drawings discussed below is only some embodiments of the present invention, for those of ordinary skill in the art, under the premise not paying creative work, it is also possible to obtain other accompanying drawing according to these accompanying drawings.And in whole accompanying drawing, it is denoted by the same reference numerals identical parts.In the accompanying drawings:
Fig. 1 illustrates the identity authorization system structural representation based on fingerprint USBKEY of according to embodiments of the present invention three;
Fig. 2 illustrates based on the structural representation of fingerprint USBKEY in system described in Fig. 1;
Fig. 3 illustrates the identity identifying method flow chart of the fingerprint USBKEY of according to embodiments of the present invention four.
Detailed description of the invention
It is more fully described the exemplary embodiment of the disclosure below with reference to accompanying drawings.Although accompanying drawing showing the exemplary embodiment of the disclosure, it being understood, however, that may be realized in various forms the disclosure and should do not limited by embodiments set forth here.On the contrary, it is provided that these embodiments are able to be best understood from the disclosure, and complete for the scope of the present disclosure can be conveyed to those skilled in the art.
It should be noted that employ some vocabulary in the middle of description and claim to censure specific components.Those skilled in the art it would be appreciated that, hardware manufacturer may call same assembly with different nouns.This specification and claims are not used as distinguishing in the way of assembly by the difference of noun, but are used as the criterion distinguished with assembly difference functionally." comprising " or " including " as mentioned in the middle of description and claim in the whole text is an open language, therefore should be construed to " comprise but be not limited to ".Description subsequent descriptions is implement the better embodiment of the present invention, and right described description is for the purpose of the rule of description, is not limited to the scope of the present invention.Protection scope of the present invention is when being as the criterion depending on the defined person of claims.
Fingerprint USBKEY is the improvement of USBKEY, mainly it is improved by being integrated on USBKEY by fingerprint identification technology, USBKEY includes algorithm for recognizing fingerprint, and fingerprint template can be stored, USBKEY completes fingerprint comparison, when needs input PIN code time, instead of carry out the identity of fingerprint comparison checking owner.
In PKI system, current fingerprint recognition mainly have following two mode:
1, KEY is passed through
Fingerprint USBKEY is used to preserve digital certificate, when using digital certificate, it is necessary to carry out fingerprint identification, after fingerprint authentication passes through, the associative operation of digital certificate can be carried out.This have the advantage that, fingerprint USBKEY is banned tradition USBKEY and digital certificate is protected by PIN code the drawback brought.Use fingerprint, it is not necessary to remember, will not pass into silence, it is not necessary to knock keyboard, fingerprint can not be tracked.Now, finger print identifying carries out in fingerprint USBKEY, and fingerprint comparison does not go out USBKEY.Fingerprint characteristic value template is also deposited in fingerprint USBKEY, and the authority of fingerprint management is in that fingerprint USBKEY.The number of times of pressing fingerprint is only once.
2, by network fingerprinting certification and KEY fingerprint comparison, fingerprint USBKEY is protected
In order to prevent from holding the holder himself of digital certificate, artificially voluntarily fingerprint USBKEY is handed to other people, or in the fingerprint USBKEY of oneself, register other people fingerprint, it is possible to carry out secondary fingerprint authentication by network fingerprinting authentication.That is: network is set up fingerprint central server, when user uses fingerprint USBKEY time, system can press fingerprint by automatically prompting user, after now user presses fingerprint, fingerprint is comparison in fingerprint USBKEY first, and then fingerprint can be transferred in fingerprint central server and compare, and then successful for comparison result is returned to fingerprint USBKEY, after the fingerprint comparison success at two places, digital certificate just can use.User uses the USBKEY number of times pressing fingerprint to be only once.This mode needs to set up unified fingerprint central server.This mode is compared to first kind of way, and this mode is safer.
For ease of the understanding to the embodiment of the present invention, it is further explained explanation below in conjunction with accompanying drawing for several specific embodiments, and each accompanying drawing is not intended that the restriction to the embodiment of the present invention.
Embodiment one, it is applied to the fingerprint USBKEY of authentication.
The embodiment of the invention discloses a kind of fingerprint USBKEY being applied to authentication, including safety chip, storage chip, fingerprint sensor and peripheral chip group, here storage chip selects NANDFLASH storage chip, naturally it is also possible to is other storage chips, also includes:
Fingerprint comparison module, it is adaptable to call described fingerprint sensor and gather user fingerprints, and by the fingerprint of collection compared with the fingerprint stored before;
Fingerprint transmission module, it is adaptable to the fingerprint of described collection is passed to fingerprint central server, compared with the fingerprint of storage in fingerprint central server;
Fingerprint comparison result sending module, it is adaptable to internal for the described fingerprint USBKEY successful result of fingerprint comparison is sent to fingerprint central server;
Receive call instruction module, it is adaptable to when the fingerprint comparison result in described fingerprint USBKEY and fingerprint central server is all correct, receive the instruction calling himself digital certificate that fingerprint central server sends.
In the embodiment of the present invention preferably, fingerprint storage module is also included, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint USBKEY end.
In the embodiment of the present invention preferably, described safety chip is applicable to the computing dispatched with coordination and internal hardware IP kernel of the storage of die terminals program, MCU, and it includes memory block in COS file management system, MassStorage command processing module, USB transmission processing module, NANDFLASH document management module, AES processing module, Hardware I P kernel interface module, fingerprint algorithm processing module and sheet.
In the embodiment of the present invention preferably, described fingerprint sensor is capacitive fingerprint sensing device.
In the embodiment of the present invention preferably, described MassStorage command processing module realizes Bulk-only sub-protocol and the UFI sub-protocol of USBMassStorage agreement, it is achieved the fingerprint USBKEY that free drive is dynamic.
Embodiment two, it is applied to the fingerprint central server of authentication.
The embodiment of the invention discloses a kind of fingerprint central server being applied to authentication, including:
Fingerprint template memory element, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint center server;
Fingerprint receives unit, it is adaptable to described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of described fingerprint template memory element storage;
Fingerprint comparison result receives unit, it is adaptable to described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
Call instruction transmitting element, it is adaptable to when the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
Embodiment three, identity authorization system based on fingerprint USBKEY.
Fig. 1 is the identity authorization system structural representation based on fingerprint USBKEY of the embodiment of the present invention three, as shown in Figure 1, system described in the embodiment of the present invention includes fingerprint central server 101, usb bus 102 and fingerprint USBKEY103, described usb bus 102 realizes described fingerprint central server 101 and the connection of described fingerprint USBKEY103, wherein, as shown in Figure 2:
Described fingerprint USBKEY103 includes safety chip 201, NANDFLASH storage chip 202, fingerprint sensor 203 and peripheral chip group 204;
Described fingerprint central server 101 end and described fingerprint USBKEY103 end carry out the collection of user fingerprints the characteristic storage that takes the fingerprint respectively;
The successful result of fingerprint comparison carried out in described fingerprint USBKEY103 does not return to described fingerprint USBKEY103, and is to return to described fingerprint central server 101;
When fingerprint comparison result in described fingerprint central server 101 and described fingerprint USBKEY103 is all correct, just carry out digital certificate authentication.
In the embodiment of the present invention preferably, described safety chip 201 is applicable to the computing dispatched with coordination and internal hardware IP kernel of the storage of die terminals program, MCU, and it includes memory block 2018 in COS file management system 2011, MassStorage command processing module 2012, USB transmission processing module 2013, NANDFLASH document management module 2014, AES processing module 2015, Hardware I P kernel interface module 2016, fingerprint algorithm processing module 2017 and sheet.
In the embodiment of the present invention preferably, described fingerprint sensor is capacitive fingerprint sensing device.
In the embodiment of the present invention preferably, described MassStorage command processing module realizes Bulk-only sub-protocol and the UFI sub-protocol of USBMassStorage agreement, it is achieved the fingerprint USBKEY that free drive is dynamic.USBMassStorage agreement and mass storage protocol are applicable to the mass-memory unit such as hard disk, USB flash disk.The interface end points that agreement uses has BulkIn, BulkOut and Interrupt end points.This equipment class comprises again 6 independent subclasses and 3 kinds of host-host protocols.
In the embodiment of the present invention preferably, described COS file management system includes security mechanism control, key management mechanism and document management module.
Described safety chip 201 is connected with described NANDFLASH storage chip 202, described fingerprint sensor 203, described peripheral chip group 204 respectively as main control chip, controls the work of whole fingerprint USBKEY303.Described safety chip 201 is connected with described fingerprint central server 301 by described usb bus 302.
In the embodiment of the present invention, the core component based on the described fingerprint USBKEY103 of the close algorithm of state is described safety chip 201, and this chip adopts 32 bit CPU cores, built-in high performance coprocessor, and having fast throughput, program and data storage area is 512K byte.
NANDFLASH storage chip described in the embodiment of the present invention 202 is used for storing jumbo file data, the non-linear macroelement pattern of internal employing, and the realization for solid-state large-capacity internal memory provides cheap effective solution.Described NANDFLASH storage chip 202 has the advantages such as capacity is relatively big, rewriting speed is fast, it is adaptable to the storage of mass data, it is a kind of nonvolatile storage, it is possible to the memory cell block being called block is carried out erasable and reprogram.
What fingerprint sensor 203 described in the embodiment of the present invention was selected is capacitive fingerprint sensor, and it is to realize the Primary Component that fingerprint gathers automatically.The embodiment of the present invention have employed second filial generation fingerprint recognition system, it is achieved that identification range conversion from epidermis to corium, thus substantially increasing the accuracy rate of identification and the safety of system.
Described peripheral chip group 204 includes the components and parts such as power management chip, clock chip, USB interface.Voltage is done blood pressure lowering and processes by described power management chip, is filtered electric current processing simultaneously, provide stable electric current and voltage for other hardware while, circuit is protected, take corresponding measure during electric voltage exception.Described hour hands chip is by oscillating circuit for producing the frequency of chip normal operation, and the operating frequency selected in the embodiment of the present invention is 60M hertz, 80M hertz and 100M hertz, inputs the crystal oscillator into 12M hertz.Described USB interface is used for realizing fingerprint USBKEY and is connected with described fingerprint central server 301.
NANDFLASH document management module described in the embodiment of the present invention 2014 is used for managing the read-write erasing of described NANDFLASH storage chip 202.
AES processing module described in the embodiment of the present invention 2015 and described Hardware I P kernel interface module 2016, be used for the IP kernel calling the close algorithm of state in chip to realize safe and reliable high-speed encryption/deciphering.
Fingerprint algorithm processing module described in the embodiment of the present invention 2017 is for processing the finger print information that described fingerprint sensor 203 collects.Described fingerprint algorithm processing module 2017 is WSQ fingerprint image compression, fingerprint image quality judgement, autonomically adaptive fingerprint processing algorithms, merging algorithm for images, multi-platform fingerprint algorithm, the multinomial fingerprint recognition key technology such as comparison, BioMatchInCOS fingerprint comparison technology of intersecting.Wherein said autonomically adaptive fingerprint processing algorithms is developed voluntarily by the applicant, there is independent intellectual property right, it is adaptive image processing algorithm, narrow in particular for the fingerprint lines of asian population, part chaser is shallow, have the features such as wet finger phenomenon to do special improvement.The indices of described autonomically adaptive fingerprint processing algorithms is all reached advanced world standards.
In the embodiment of the present invention preferably, described interior memory block 2018 is one piece of memory area at described safety chip 201, is used for depositing the important safety information such as authentication information, key information, finger print information.
In the embodiment of the present invention preferably, described COS file management system 2011 is the kernel software of whole system, and it comprises security mechanism control, key management mechanism and three parts of document management module.
In the planning process carrying out security system, it is achieved that following several security mechanisms: authentication mechanism;Access control mechanisms;Secure packet forwarding mechanism;Prevent pulling out and power down protection mechanism.Wherein, described authentication mechanism includes terminal authentication (i.e. external authentication), device authentication (i.e. internal authentication) and authenticating user identification (i.e. finger print identifying).Described access control mechanisms includes safe condition, arranges state machine, arranges catalogue, the access rights of file, arrange the access rights of key file, arrange the access rights of key in key file and the number of retries of key.Described secure packet forwarding mechanism includes authentication circuitry mode (expressly+MAC Address), link encryption mode (ciphertext) and link encryption authentication mode (ciphertext+MAC Address).Described anti-pulling out guarantees to pull up or the integrity of data storage when unexpected power down when improper with power down protection mechanism.
Described key management mechanism includes master control key, external authentication key, internal authentication key, and fingerprint can have multiple, is identified by key ID.The use of key, will meet the management requirement of read right.Current safe state meets key and uses the requirement of authority just can use key.The renewal of key, will meet the management requirement of write permission, and current safe state meets the requirement of key write permission just can more new key.The use authority of key and write permission are stored in the key attribute of key file.
Described document management module realizes the file system on NORFLASH, it is provided that unified file access interface, it is achieved the secure access of file.The file type of file system support includes: binary file, fixed-length record file, variable-length record file and cycle index file.File system complies fully with ISO/IEC7816 standard, and meet the application characteristic of PKI application system, various files are realized safety operation and access, including master control file (MF), application catalogue file (DF) and constituent instruments (EF).Five layers of directory file structure can be supported, before to catalogue, file and data manipulation thereof, the security attribute according to current directory or file is checked the safe condition of equipment, to determine operation such as the feasibility of establishment, deletion and read-write.Operation and management to catalogue or file data will carry out according to certain rule.
Embodiment four, fingerprint USBKEY identity identifying method.
Below in conjunction with Fig. 3, the method for the embodiment of the present invention four is described in detail.
Fig. 3 is the identity identifying method flow chart of the fingerprint USBKEY of the embodiment of the present invention four, as it is shown on figure 3, the embodiment of the present invention comprises the following steps:
Carrying out fingerprint collecting at described fingerprint center server and described fingerprint USBKEY end respectively, the feature that takes the fingerprint also stores;
In another inventive embodiments, described step can also be omitted, and described fingerprint USBKEY end is not necessarily required to prestore user fingerprints feature, but directly transfers from server end or directly only carry out fingerprint comparison at server.
Step S301, when using described fingerprint USBKEY, the screen pressing described fingerprint USBKEY carries out fingerprint collecting;
Step S302, the fingerprint gathered in step S301 is compared respectively in the internal and described fingerprint central server of described fingerprint USBKEY;
Step S303, the fingerprint comparison successful result within described fingerprint USBKEY is returned to described fingerprint central server;
Step S304, described fingerprint central server judge, when the comparison result in described return result and fingerprint central server is all correct, to send the digital certificate instruction calling fingerprint USBKEY self to described fingerprint USBKEY.
In the embodiment of the present invention preferably, further comprising the steps of after described step S304:
After described fingerprint USBKEY receives the instruction calling self digital certificate, open described NANDFLASH storage chip;
Judge that described fingerprint USBKEY is used as KEY and is also used as USB flash disk;
If described fingerprint USBKEY is used as USB flash disk, then under the protection of the close algorithm of state, carry out the safe read-write of data;
If described fingerprint USBKEY is used as KEY, then carry out digital certificate authentication.
In the embodiment of the present invention preferably, described fingerprint USBKEY is used as KEY, and the step carrying out digital certificate authentication includes:
Described fingerprint USBKEY is used as KEY and carries out digital certificate authentication;
Authentication result is passed to described fingerprint central server;
The authentication result received is judged by described fingerprint central server with twice fingerprint comparison result before;
If being all correct, then return to described fingerprint USBKEY by comparing the result passed through;
Described fingerprint USBKEY receive described in after the result passed through, it is possible to login system.
In the embodiment of the present invention preferably, the fingerprint gathered in described step S301, when transmitting to described fingerprint central server, is carry out under the protection of the close algorithm of state.
In the embodiment of the present invention preferred, the increasing or delete and completed by the professional with administrator right of fingerprint in described fingerprint central server, and can simultaneously store the user fingerprints of more than a piece in same USBKEY.
User, before using USBKEY, prestores user fingerprints template.In this stage, the collection of user fingerprints is divided into two parts, refers respectively to stricture of vagina center server and fingerprint USBKEY end carries out fingerprint collecting.At fingerprint center server, user fingerprints, under the control of server administrators, is acquired and is stored in background server, and the increase of fingerprint, deletion are completed by the professional with administrator right.
When user uses fingerprint USBKEY for the first time, first gather fingerprint and be stored in inside described fingerprint USBKEY, it is possible to gather at least one piece, it is also possible to gather and be stored concurrently in inside described USBKEY up to ten pieces of fingerprints.If revising fingerprint such as increase fingerprint or delete fingerprint, then requiring to input pre-determined PIN code, if PIN code is correct, just allowing amendment fingerprint;If PIN code is incorrect, can re-entering, attempt three times at most, after mistake three times, described fingerprint USBKEY is locked, it is impossible to be continuing with.Certainly, PIN code trial and error number of times here is can be predefined, it is also possible to be predefined as five times or seven times etc..
When using fingerprint USBKEY; first prompting gathers fingerprint; user presses the screen of described fingerprint USBKEY and carries out fingerprint collecting; internal at described fingerprint USBKEY respectively and described fingerprint central server are compared by the fingerprint gathered; the user fingerprints that this stage gathers in USBKEY passes to described fingerprint central server; comparing with the fingerprint template of this user of storage in fingerprint central server, the fingerprint of collection is carry out under the protection of the close algorithm of state when transmitting to described fingerprint central server.After described fingerprint USBKEY carries out fingerprint comparison, comparison result is passed to described fingerprint central server, comparison result in comparison result in server and described USBKEY is judged by described fingerprint central server, if both of which is correct, then described fingerprint central server sends signal to described fingerprint USBKEY, it is allowed to described fingerprint USBKEY calls the digital certificate of self.After described fingerprint USBKEY receives the instruction calling self digital certificate; open described NANDFLASH storage chip; then judge that being used as KEY is also used as USB flash disk, if described fingerprint USBKEY is used as USB flash disk, then carry out the safe read-write of data under the protection of the close algorithm of state;If described fingerprint USBKEY is used as KEY, so carry out digital certificate authentication, and authentication result is passed to described fingerprint central server, authentication result and previous result are judged by described fingerprint central server, if be all correct i.e. " YES ", then will determine that the result " YES " being verified returns to KEY, after described fingerprint USBKEY receives " YES ", learn that final authentication obtains and pass through.So far, final authentication is passed through, and user can log in the systems such as OA.
The step of method described in the present embodiment also necessarily needs to perform in strict accordance with the order of array, can be inverted order, it is also possible to carry out simultaneously, have no effect on the realization of the present invention between step.
Embodiment five, fingerprint central server identity identifying method.
The embodiment of the invention discloses the identity identifying method of a kind of fingerprint central server, comprise the following steps:
Described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of storage in described fingerprint central server;
Described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
When the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
In the embodiment of the present invention preferably, the collection carrying out user fingerprints in advance at described fingerprint center server the characteristic storage that takes the fingerprint also are included.
Embodiment six, identity identifying method.
The embodiment of the invention discloses a kind of identity identifying method, comprise the following steps:
Step (1), carrying out fingerprint collecting at described fingerprint center server and described fingerprint USBKEY end respectively, the feature that takes the fingerprint also stores;
Step (2), when using described fingerprint USBKEY, the screen pressing described fingerprint USBKEY carries out fingerprint collecting;
Step (3), will internal at described fingerprint USBKEY respectively for the fingerprint that gather in step (2) and described fingerprint central server be compared;
Step (4), the fingerprint comparison successful result within described fingerprint USBKEY is returned to described fingerprint central server;
Step (5), described fingerprint central server judge, when the comparison result in described return result and fingerprint central server is all correct, to send the digital certificate instruction calling fingerprint USBKEY self to described fingerprint USBKEY.
Described in concrete implementation details such as above-described embodiment three and embodiment four, do not repeat them here.
A kind of identity authorization system based on fingerprint USBKEY disclosed by the invention and method, carry out double factor authentication by network fingerprinting comparison, and network fingerprinting certification is separate interrelated again with PKI system digital certificate authentication.When adopting in this way, the successful result of network fingerprinting comparison is not return to fingerprint USBKEY, but returns to fingerprint central server, and after carrying out fingerprint comparison success in fingerprint central server, digital certificate can be allowed to use simultaneously.Only return to the fingerprint comparison result in the comparison result of server and fingerprint USBKEY and when digital certificate authentication is correct, be just identified as by certification.This authentication mode substantially increases security performance in safety, so that enterprise network system is further ensured that for the reliable authentication of user identity and the transmitting of information, " confidentiality ", " verity ", " integrity " of network data, " can not low bad property " be made to be further strengthened.
One of ordinary skill in the art will appreciate that: accompanying drawing is the schematic diagram of an embodiment, module or flow process in accompanying drawing are not necessarily implemented necessary to the present invention.
In description mentioned herein, describe a large amount of detail.It is to be appreciated, however, that embodiments of the invention can be put into practice when not having these details.In some instances, known method, structure and technology it are not shown specifically, in order to do not obscure the understanding of this description.
Obviously, the present invention can be carried out various change and modification without deviating from the spirit and scope of the present invention by those skilled in the art.So, if these amendments of the present invention and modification belong within the scope of the claims in the present invention and equivalent technologies thereof, then the present invention is also intended to comprise these change and modification.
Claims (17)
1. it is applied to a fingerprint USBKEY for authentication, including safety chip, storage chip, fingerprint sensor and peripheral chip group, it is characterised in that: also include
Fingerprint comparison module, it is adaptable to call described fingerprint sensor and gather user fingerprints, and by the fingerprint of collection compared with the fingerprint stored before;
Fingerprint transmission module, it is adaptable to the fingerprint of described collection is passed to fingerprint central server, compared with the fingerprint of storage in fingerprint central server;
Fingerprint comparison result sending module, it is adaptable to internal for the described fingerprint USBKEY successful result of fingerprint comparison is sent to fingerprint central server;
Receive call instruction module, it is adaptable to when the fingerprint comparison result in described fingerprint USBKEY and fingerprint central server is all correct, receive the instruction calling himself digital certificate that fingerprint central server sends.
2. the fingerprint USBKEY being applied to authentication according to claim 1, it is characterised in that: also include fingerprint storage module, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint USBKEY end.
3. the fingerprint USBKEY being applied to authentication according to claim 1 and 2, it is characterized in that: described safety chip is applicable to the computing dispatched with coordination and internal hardware IP kernel of the storage of die terminals program, MCU, and it includes memory block in COS file management system, MassStorage command processing module, USB transmission processing module, document management module, AES processing module, Hardware I P kernel interface module, fingerprint algorithm processing module and sheet.
4. according to the arbitrary described fingerprint USBKEY being applied to authentication of claims 1 to 3, it is characterised in that: described fingerprint sensor is capacitive fingerprint sensing device.
5. the fingerprint USBKEY being applied to authentication according to claim 3, it is characterized in that: described MassStorage command processing module realizes Bulk-only sub-protocol and the UFI sub-protocol of USBMassStorage agreement, it is achieved the fingerprint USBKEY that free drive is dynamic.
6. the fingerprint central server being applied to authentication, it is characterised in that: include
Fingerprint template memory element, it is adaptable to carry out the collection of user fingerprints the characteristic storage that takes the fingerprint in advance at described fingerprint center server;
Fingerprint receives unit, it is adaptable to described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of described fingerprint template memory element storage;
Fingerprint comparison result receives unit, it is adaptable to described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
Call instruction transmitting element, it is adaptable to when the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
7. the identity authorization system based on fingerprint USBKEY, it is characterised in that: include fingerprint central server described in the arbitrary described fingerprint USBKEY of claim 1 to 5 and claim 6, described fingerprint central server and described fingerprint USBKEY electrical connection.
8. an identity identifying method of fingerprint USBKEY, comprises the following steps:
Step (1), when use described fingerprint USBKEY time, user presses fingerprint on this fingerprint USBKEY, by the fingerprint of collection compared with the fingerprint prestored, and this fingerprint is passed to fingerprint central server, compared with the fingerprint of storage in fingerprint central server;
The internal successful result of fingerprint comparison of step (2), described fingerprint USBKEY is sent to fingerprint central server;
Step (3), when the fingerprint comparison result in described fingerprint USBKEY and fingerprint central server is all correct, described fingerprint USBKEY receives the instruction calling himself digital certificate that fingerprint central server sends.
9. the identity identifying method of fingerprint USBKEY according to claim 8, it is characterised in that: also include the collection carrying out user fingerprints in advance at described fingerprint USBKEY end the characteristic storage that takes the fingerprint.
10. the identity identifying method of fingerprint USBKEY according to claim 8 or claim 9, it is characterised in that: further comprising the steps of after described step (3):
Step (4), described fingerprint USBKEY open NANDFLASH storage chip after receiving the instruction calling self digital certificate;
Step (5), judge that described fingerprint USBKEY is used as KEY and is also used as USB flash disk;
Step (6) if described fingerprint USBKEY is used as USB flash disk, then carries out the safe read-write of data under the protection of the close algorithm of state;
Step (7) if described fingerprint USBKEY is used as KEY, then carries out digital certificate authentication.
11. the identity identifying method of fingerprint USBKEY according to claim 10, it is characterised in that: the fingerprint USBKEY in described step (7) is used as KEY, and the step carrying out digital certificate authentication includes:
Described fingerprint USBKEY is used as KEY and carries out digital certificate authentication;
Authentication result is passed to fingerprint central server;
The authentication result received is judged by fingerprint central server with twice fingerprint comparison result before;
If being all correct, then return to described fingerprint USBKEY by comparing the result passed through;
Described fingerprint USBKEY receive described in after the result passed through, it is possible to login system.
12. an identity identifying method for fingerprint central server, comprise the following steps:
Described fingerprint central server receives the fingerprint gathered when the fingerprint USBKEY user sent uses, and compared with the fingerprint characteristic of storage in described fingerprint central server;
Described fingerprint central server receives the internal successful result of fingerprint comparison of the fingerprint USBKEY fingerprint USBKEY returned;
When the fingerprint comparison result in described fingerprint central server and fingerprint USBKEY is all correct, described fingerprint central server sends the instruction calling himself digital certificate to fingerprint USBKEY.
13. the identity identifying method of fingerprint central server according to claim 12, it is characterised in that: also include the collection carrying out user fingerprints in advance at described fingerprint center server the characteristic storage that takes the fingerprint.
14. an identity identifying method, it is characterised in that comprise the following steps:
Step (1), when using described fingerprint USBKEY, the screen pressing described fingerprint USBKEY carries out fingerprint collecting;
Step (2), will internal at described fingerprint USBKEY respectively for the fingerprint that gather in step (1) and described fingerprint central server be compared;
Step (3), the fingerprint comparison successful result within described fingerprint USBKEY is returned to described fingerprint central server;
Step (4), described fingerprint central server judge, when the comparison result in described return result and fingerprint central server is all correct, to send the digital certificate instruction calling fingerprint USBKEY self to described fingerprint USBKEY.
15. identity identifying method according to claim 14, it is characterised in that: the fingerprint gathered in described step (1), when transmitting to described fingerprint central server, is carry out under the protection of the close algorithm of state.
16. the identity identifying method according to claim 13 or 14, it is characterized in that: the increasing or delete and completed by the professional with administrator right of fingerprint in described fingerprint central server, and same USBKEY can store the user fingerprints of more than a piece simultaneously.
17. identity identifying method according to claim 14, it is characterised in that: also including carrying out fingerprint collecting at described fingerprint center server and described fingerprint USBKEY end respectively before described step (1), the feature that takes the fingerprint also stores.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410751946.1A CN105743648A (en) | 2014-12-09 | 2014-12-09 | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410751946.1A CN105743648A (en) | 2014-12-09 | 2014-12-09 | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105743648A true CN105743648A (en) | 2016-07-06 |
Family
ID=56238501
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410751946.1A Pending CN105743648A (en) | 2014-12-09 | 2014-12-09 | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105743648A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108337913A (en) * | 2018-02-01 | 2018-07-27 | 深圳市汇顶科技股份有限公司 | Fingerprint login method, micro-control unit, fingerprint power supply module and electric terminal |
| CN110704834A (en) * | 2019-10-17 | 2020-01-17 | 淮北师范大学 | Digital certificate authentication method using cryptography |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101789062A (en) * | 2010-01-21 | 2010-07-28 | 北京中天一维科技有限公司 | Certificate authentication system based on certificate storage device with fingerprint identification and authentication method thereof |
| CN101945114A (en) * | 2010-09-20 | 2011-01-12 | 西安电子科技大学 | Identity authentication method based on fuzzy vault and digital certificate |
| CN102254119A (en) * | 2011-07-15 | 2011-11-23 | 华南理工大学 | Safe mobile data storage method based on fingerprint U disk and virtual machine |
| CN102769531A (en) * | 2012-08-13 | 2012-11-07 | 鹤山世达光电科技有限公司 | Identity authentication device and method thereof |
| CN102833235A (en) * | 2012-08-13 | 2012-12-19 | 鹤山世达光电科技有限公司 | Identity authentication and management device and identity authentication and management method |
| CN103117853A (en) * | 2011-11-16 | 2013-05-22 | 航天信息股份有限公司 | Account input and authentication method of safe storing device |
| CN104134030A (en) * | 2014-07-31 | 2014-11-05 | 中山市品汇创新专利技术开发有限公司 | E-bank safety certification method based on living fingerprint verification |
-
2014
- 2014-12-09 CN CN201410751946.1A patent/CN105743648A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101789062A (en) * | 2010-01-21 | 2010-07-28 | 北京中天一维科技有限公司 | Certificate authentication system based on certificate storage device with fingerprint identification and authentication method thereof |
| CN101945114A (en) * | 2010-09-20 | 2011-01-12 | 西安电子科技大学 | Identity authentication method based on fuzzy vault and digital certificate |
| CN102254119A (en) * | 2011-07-15 | 2011-11-23 | 华南理工大学 | Safe mobile data storage method based on fingerprint U disk and virtual machine |
| CN103117853A (en) * | 2011-11-16 | 2013-05-22 | 航天信息股份有限公司 | Account input and authentication method of safe storing device |
| CN102769531A (en) * | 2012-08-13 | 2012-11-07 | 鹤山世达光电科技有限公司 | Identity authentication device and method thereof |
| CN102833235A (en) * | 2012-08-13 | 2012-12-19 | 鹤山世达光电科技有限公司 | Identity authentication and management device and identity authentication and management method |
| CN104134030A (en) * | 2014-07-31 | 2014-11-05 | 中山市品汇创新专利技术开发有限公司 | E-bank safety certification method based on living fingerprint verification |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108337913A (en) * | 2018-02-01 | 2018-07-27 | 深圳市汇顶科技股份有限公司 | Fingerprint login method, micro-control unit, fingerprint power supply module and electric terminal |
| WO2019148413A1 (en) * | 2018-02-01 | 2019-08-08 | 深圳市汇顶科技股份有限公司 | Fingerprint login method, micro-control unit, fingerprint power supply assembly, and electronic terminal |
| CN108337913B (en) * | 2018-02-01 | 2020-01-07 | 深圳市汇顶科技股份有限公司 | Fingerprint login method, micro control unit, fingerprint power supply assembly and electronic terminal |
| US11507647B2 (en) | 2018-02-01 | 2022-11-22 | Shenzhen GOODIX Technology Co., Ltd. | Fingerprint-based login system, microcontroller unit, fingerprint-based power assembly, and electronic terminal |
| CN110704834A (en) * | 2019-10-17 | 2020-01-17 | 淮北师范大学 | Digital certificate authentication method using cryptography |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108681966B (en) | Information supervision method and device based on block chain | |
| CN106789875B (en) | A kind of block chain service unit, block chain service system and its communication means | |
| CN105743853A (en) | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method | |
| US8386795B2 (en) | Information security device of Universal Serial Bus Human Interface Device class and data transmission method for same | |
| WO2020073513A1 (en) | Blockchain-based user authentication method and terminal device | |
| CN107528688A (en) | A kind of keeping of block chain key and restoration methods, device based on encryption commission technology | |
| CN108476404A (en) | Safety equipment matches | |
| CN202795383U (en) | Device and system for protecting data | |
| US20180247313A1 (en) | Fingerprint security element (se) module and payment verification method | |
| CN103117853B (en) | A kind of safe storage device account input and authentication method | |
| CN101631020A (en) | Identity authentication system combining fingerprint identification and PKI system | |
| CN103957202A (en) | Safety login method and system | |
| JP2015504222A (en) | Data protection method and system | |
| CN104079413A (en) | Enhancement type one-time dynamic password authentication method and system | |
| CN109936552A (en) | A kind of cipher key authentication method, server and system | |
| CN108540457A (en) | A kind of safety equipment and its biological identification control method and device | |
| WO2021101632A1 (en) | Know your customer (kyc) and anti-money laundering (aml) verification in a multi-decentralized private blockchains network | |
| CN114556356A (en) | User authentication framework | |
| WO2022042745A1 (en) | Key management method and apparatus | |
| CN201286105Y (en) | Identity authentication system combining fingerprint recognition with PKI system | |
| CN101409622A (en) | Digital signing system and method | |
| CN105743648A (en) | Fingerprint USB KEY and fingerprint center server for identity authentication, and system and method | |
| Cavoukian et al. | Keynote paper: Biometric encryption: Technology for strong authentication, security and privacy | |
| CN116112242B (en) | Unified safety authentication method and system for power regulation and control system | |
| CN204883745U (en) | Fingerprint safety unit SE module |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160706 |
|
| RJ01 | Rejection of invention patent application after publication |