CN106549973A - A client based on biometric recognition and its working method - Google Patents
- Publication number
- CN106549973A (application number CN201611058902.6A)
- Authority
- CN
- China
- Prior art keywords
- data
- value
- client
- signature
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a client based on biometric recognition and its working method, belonging to the field of information security. The client comprises a client application module and a client identity authentication module. The client application module composes an identity authentication request from a client identifier and request data obtained from a server and sends it to the client identity authentication module. After judging that the client identifier and the request data are legal, the client identity authentication module prompts the user to input biometric data and verifies it; if verification succeeds, it computes assertion data from a registration identifier, the private key of a key pair and the request data, and the assertion data is sent to the server through the client application module, which receives and displays the request result returned by the server. In the invention the verification of the user's biometric information is completed inside the client identity authentication module, which reduces the risk of the user's biometric information being attacked and improves the security of the user's online registration and login.
Description
Technical field
The present invention relates to the field of information security, and in particular to a client based on biometric recognition and its working method.
Background art
With the development of Internet technology, users can conveniently log in to application programs (apps) over the network at any time and place to shop and use other online services. Since many online services involve users' private information, such as bank card numbers, how to ensure the security of user information is a hot topic of current research.
At present most clients use an account and a password (character passwords, gesture passwords and so on) to implement user registration and login and thereby protect user information. Whatever the kind of password, however, there is a risk of it being leaked or stolen by a hacker, so methods that register the user with biometric information when the user registers with an application have emerged, where the biometric feature may be a fingerprint, a face, an iris and so on. Biometric information is private information of the user: if it is stolen by an attacker, the attacker can impersonate the user with it, and the user's information security faces a serious threat. Therefore, in application scenarios where biometric information is used for online registration and authentication, how to ensure the security of the biometric information has become a problem in urgent need of a solution.
Summary of the invention
The purpose of the invention is to overcome the deficiencies of the prior art by providing a client based on biometric recognition and its working method.
The technical scheme is as follows: a working method of a client based on biometric recognition, comprising:
Step S1: the client application module sends a preset request to the server and receives the request data returned by the server;
Step S2: the client application module composes an identity authentication request from a client identifier and the request data, and sends the identity authentication request to the client identity authentication module;
Step S3: the client identity authentication module obtains the client identifier and the request data from the identity authentication request and judges whether they are legal; if so, it prompts the user to input biometric data and performs step S4; otherwise it returns an error response to the client application module and the method ends;
Step S4: the client identity authentication module verifies the identity of the current user against the biometric data input by the user; if verification succeeds it performs step S5, otherwise it returns an error response to the client application module and the method ends;
Step S5: the client identity authentication module computes assertion data from a registration identifier, the private key of a key pair and the request data, composes an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module;
Step S6: the client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server and receives the request response returned by the server; it obtains the request result from the request response and displays it, and the method ends.
When the preset request is a registration request, the request data is specifically registration data, which contains a user name parameter and a challenge value parameter;
step S5 is then spec ifically: the client identity authentication module generates a registration identifier and a key pair and saves the registration identifier and the private key of the key pair; obtains the current signature count; signs the registration identifier, the public key of the key pair and the user name parameter and challenge value parameter contained in the registration data with the private key to obtain a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the registration identifier, the public key, the user name parameter and the challenge value parameter; composes an identity authentication request response from the assertion data and returns it to the client application module. Alternatively, the current signature count is updated after the assertion data has been computed.
When the preset request is an authentication request, the request data is specifically authentication data, which contains a challenge value parameter and an authentication policy parameter, the authentication policy parameter containing a registration identifier field;
step S5 is then specifically: the client identity authentication module searches by the registration identifier field contained in the authentication policy parameter and obtains the saved registration identifier and private key; obtains the current signature count; generates a random number; signs the registration identifier, the random number and the challenge value parameter contained in the authentication data with the private key to obtain a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the registration identifier, the random number and the challenge value parameter; composes an identity authentication request response from the assertion data and returns it to the client application module. Alternatively, the current signature count is updated after the assertion data has been computed.
When the preset request is a transaction request, the request data is specifically transaction data, which contains transaction information, a challenge value parameter and an authentication policy parameter, the authentication policy parameter containing a registration identifier field;
step S5 is then specifically: the client identity authentication module searches by the registration identifier field contained in the authentication policy parameter and obtains the saved registration identifier and private key; obtains the current signature count; generates a random number; signs the registration identifier, the random number and the transaction information and challenge value parameter contained in the transaction data with the private key to obtain a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the registration identifier, the random number, the transaction information and the challenge value parameter; composes an identity authentication request response from the assertion data and returns it to the client application module. Alternatively, the current signature count is updated after the assertion data has been computed.
The invention also provides a client based on biometric recognition, comprising a client application module and a client identity authentication module;
the client application module comprises a first transceiver unit, a first interaction unit and a second interaction unit;
the first transceiver unit is used to send a preset request to the server, receive the request data returned by the server and trigger the first interaction unit; it is also used to send the assertion data to the server when triggered by the first interaction unit, and to receive the request response returned by the server;
the first interaction unit is used to compose an identity authentication request from a client identifier and the request data and send the identity authentication request to the client identity authentication module; it is also used, when the identity authentication request response returned by the client identity authentication module is received, to obtain the assertion data from the identity authentication request response and trigger the first transceiver unit;
the second interaction unit is used to obtain the request result from the request response received by the first transceiver unit and display it;
the client identity authentication module comprises a second transceiver unit, a first judging unit, a second judging unit and a computing unit;
the second transceiver unit is used to receive the identity authentication request sent by the client application module, obtain the client identifier and the request data from the identity authentication request and trigger the first judging unit; it is also used to return the identity authentication request response to the client application module;
the first judging unit is used to judge whether the client identifier and the request data are legal; if so, it prompts the user to input biometric data, otherwise it returns an error response to the client application module;
the second judging unit is used to verify the identity of the current user against the biometric data input by the user; it triggers the computing unit if verification succeeds and returns an error response to the client application module if verification fails;
the computing unit is used to compute assertion data from the registration identifier, the private key of the key pair and the request data, compose an identity authentication request response from the assertion data and trigger the second transceiver unit.
The beneficial effects of the invention are as follows: the verification of the user's biometric information is completed inside the client identity authentication module, within the client's hardware device, which reduces the risk of the user's biometric information being attacked and improves the security of the user's online registration and login.
Description of the drawings
Fig. 1 is a flow chart of the working method of a client based on biometric recognition provided by embodiment 1;
Fig. 2 is a flow chart of the registration method based on biometric recognition provided by embodiment 2;
Fig. 3 is a flow chart of the authentication/transaction method based on biometric recognition provided by embodiment 3;
Fig. 4 is a block diagram of the client based on biometric recognition provided by embodiment 4.
Detailed description
The technical scheme in the embodiments of the invention is described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment 1
This embodiment provides a working method of a client based on biometric recognition, where the client comprises a client application module and a client identity authentication module. As shown in Fig. 1, the working method comprises the following steps:
Step S1: the client application module sends a preset request to the server and receives the request data returned by the server;
Specifically, the preset request may be a registration request or an authentication/transaction request;
when the preset request is a registration request, the request data is specifically registration data, which contains an application ID, a user name parameter, a challenge value parameter and an authentication policy parameter;
when the preset request is an authentication request, the request data is specifically authentication data, which contains an application ID, a challenge value parameter and an authentication policy parameter, the authentication policy parameter containing a registration identifier field;
when the preset request is a transaction request, the request data is specifically transaction data, which contains an application ID, transaction information, a challenge value parameter and an authentication policy parameter, the authentication policy parameter containing a registration identifier field.
Step S2: the client application module composes an identity authentication request from a client identifier and the request data, and sends the identity authentication request to the client identity authentication module;
Step S3: the client identity authentication module obtains the client identifier and the request data from the identity authentication request and judges whether they are legal; if so, it prompts the user to input biometric data and then performs step S4; otherwise it returns an error response to the client application module and the method ends;
Specifically, judging whether the client identifier and the request data are legal includes:
Step 1: checking whether the format of the content contained in the request data is legal; if so, performing step 2, otherwise the judgment result is illegal;
Step 2: obtaining a trust list according to the application ID contained in the request data and judging whether the client identifier is present in the trust list; if so, performing step 3, otherwise the judgment result is illegal;
Step 3: judging whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter contained in the request data; if so, the judgment result is legal, otherwise the judgment result is illegal.
Further, when the preset request is an authentication/transaction request, before the user is prompted to input biometric data in step S3 the module also judges whether the request data contains transaction information; if so, the client displays the transaction information and prompts the user to input biometric data after the user has confirmed it; otherwise it prompts the user to input biometric data directly.
Step S4: the client identity authentication module verifies the identity of the current user against the biometric data input by the user; if verification succeeds it performs step S5, otherwise it returns an error response to the client application module and the method ends;
Step S5: the client identity authentication module computes assertion data from a registration identifier, the private key of a key pair and the request data, composes an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module;
Step S6: the client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server and receives the request response returned by the server; it obtains the request result from the request response and displays it, and the method ends.
Embodiment 2
Embodiment 2 of the invention provides a registration method based on biometric recognition, applicable to a system composed of a server and a client, the client comprising a client application module and a client identity authentication module. As shown in Fig. 2, when a user initiates a registration operation at the client application module, the following steps are performed:
Step 1: the client application module sends a registration request to the server;
For example, the registration request sent is as follows:
{"userName":"test","method":"registStart","uafResponse":""}
Step 2: the server generates registration data containing an application ID, a user name parameter, a challenge value parameter and an authentication policy parameter;
For example, the registration data generated is as follows:
[{
  "header": {
    "upv": {"major": 1, "minor": 0},
    "op": "Reg",
    "appID": "https://uafmagdc.cloudentify.com/uafmanager/facets",
    "serverData": "M21sNEJRdXFsREloaEx5WkZXQUFuNXd5bnJBa0t4cldfdk5oaXVzQ2xWay5NVFEzTWpnd09UZzFNalF4TncuZEdWemRBLlNrUkthRXBFUlhkS1NGcDBUVEkxVUZFelduVk9SMVpGVmxkRmRtVnJPSFZOYm5CdVRtNVY"
  },
  "challenge": "JDJhJDEwJHZtM25PQ3ZuNGVEVWEvek8uMnpnNnU",
  "username": "test",
  "policy": {"accepted": [[{"aaid": ["001B#0001"]}], [{"aaid": ["001A#2121"]}], [{"aaid": ["0018#0001"]}], [{"aaid": ["D409#0301"]}], [{"aaid": ["0014#0002"]}], [{"aaid": ["5AFE#4800"]}], [{"aaid": ["0014#0003"]}], [{"aaid": ["17EF#6010"]}], [{"aaid": ["04EF#04EF"]}]]}
}]
Here the application ID (appID) is:
"appID":"https://uafmagdc.cloudentify.com/uafmanager/facets";
the user name parameter is "username":"test";
the challenge value parameter (challenge) is:
"challenge":"JDJhJDEwJHZtM25PQ3ZuNGVEVWEvek8uMnpnNnU";
and the authentication policy parameter (policy) is:
"policy":{"accepted":[[{"aaid":["001B#0001"]}],[{"aaid":["001A#2121"]}],[{"aaid":["0018#0001"]}],[{"aaid":["D409#0301"]}],[{"aaid":["0014#0002"]}],[{"aaid":["5AFE#4800"]}],[{"aaid":["0014#0003"]}],[{"aaid":["17EF#6010"]}],[{"aaid":["04EF#04EF"]}]]}
Step 3: the server returns the registration data to the client application module;
Step 4: the client application module obtains the client identifier and composes an identity authentication request from the client identifier and the received registration data;
Specifically, if the client operating system is iOS, the client application module directly obtains the client's Bundle ID and uses it as the client identifier; if the client operating system is Android, the client application module first obtains the client's digital signature, computes a hash of the client digital signature with a default hash algorithm and uses the computed hash value as the client identifier.
Step 5: the client application module sends the identity authentication request to the client identity authentication module;
Specifically, if the client operating system is iOS, the client application module calls the client identity authentication module by way of the x-callback-url protocol and sends the identity authentication request; if the client operating system is Android, the client application module calls the client identity authentication module by way of the Android intent API and sends the identity authentication request.
Step 6: the client identity authentication module receives and parses the identity authentication request to obtain the registration data and the client identifier;
Step 7: the client identity authentication module checks whether the registration data is legal; if so, it performs step 8, otherwise it returns an error response to the client application module, the client application module prompts an error, and the method ends;
In this step, checking whether the registration data is legal specifically includes:
1) checking that the application ID, user name parameter, challenge value parameter and authentication policy parameter contained in the registration data are all non-empty;
2) checking that the accepted item in the authentication policy parameter policy is a non-empty array;
if checks 1) and 2) both pass, the registration data is legal, otherwise the registration data is illegal.
Further, the registration data also contains a protocol header parameter header which, besides the application ID, contains appid, upv, op and serverData items; checking whether the registration data is legal then also includes:
3) checking whether the protocol version corresponding to the upv item is correct and whether the op item equals "Reg";
4) checking whether the serverData item is base64url data with a length between 1 and 1536;
if checks 1), 2), 3) and 4) all pass, the registration data is legal, otherwise the registration data is illegal.
Step 8: the client identity authentication module obtains a trust list according to the application ID contained in the registration data;
Specifically, the client identity authentication module sends an access request to the address corresponding to the application ID and receives the returned trust list;
For example, the application ID is:
https://uafmagdc.cloudentify.com/uafmanager/facets;
and the trust list obtained is:
{"trustedFacets":[{"ids":["ios:bundle-id:com.ftsafe.FTUAFRPDemo","android:apk-key-hash:34omX0Qx5Bo53+0ThQvlvbAPWpk","ios:bundle-id:org.fidoalliance.ios.conformance","android:apk-key-hash:m8Jhom/txEhttna0wg505d1RciQ88","android:apk-key-hash:SvYZ4Sgas9T2+6DpNj566iscuns"],"version":{"minor":"0","major":"1"}}]}
Step 9: the client identity authentication module judges whether the client identifier is present in the trust list; if so, it performs step 10, otherwise it returns an error response to the client application module, the client application module prompts an error, and the method ends;
Step 10: the client identity authentication module judges whether its own authentication policy parameter matches the authentication policy parameter contained in the registration data; if so, it performs step 11, otherwise it returns an error response to the client application module, the client application module prompts an error, and the method ends;
Specifically, if the authentication policy parameter is an authenticator ID (aaid), this step judges whether the aaid of the authentication module matches an aaid contained in the registration data; if so, it performs step 11, otherwise it returns an error response to the client application module, the client application module prompts an error, and the method ends.
Further, the authentication policy parameter may also include an authenticator ID, algorithm type, authentication mode, protocol version, key protection mode, assertionSchemes and attestationTypes, in which case this step is specifically: judging whether the authenticator ID, algorithm type, authentication mode, protocol version, key protection mode, assertionSchemes and attestationTypes in the authentication policy parameter of the authentication module are consistent with each item of the authentication policy parameter contained in the registration data; if so, the match succeeds, otherwise the match fails.
Step 11: the client identity authentication module determines the current authentication mode according to the authentication policy parameter and prompts the user to input biometric data;
For example, if the current authentication mode determined from the authentication policy parameter is fingerprint authentication, the user is prompted to input fingerprint information.
In general, if the authentication policy parameter is an authenticator ID, the authenticator ID has a default authentication mode and the authentication mode is determined from the authenticator ID. If the authentication policy parameter also includes an authentication mode, the current authentication mode is determined from the authentication mode included in the authentication policy parameter.
Step 12: the client identity authentication module verifies the identity of the current user against the biometric data input by the user; if verification succeeds it performs step 13, otherwise it returns an error response to the client application module, the client application module prompts an error, and the method ends;
Step 13: the client identity authentication module generates a registration identifier and a key pair, saves the registration identifier and the private key of the key pair, computes assertion data from the registration identifier, the private key and the registration data, and composes an identity authentication request response from the assertion data;
This step is specifically: the client identity authentication module generates a registration identifier and a key pair, saves the registration identifier and the private key, obtains the current signature count, signs the registration identifier, the public key of the key pair and the user name parameter and challenge value parameter contained in the registration data with the private key to obtain a signature value, updates the current signature count, composes assertion data from the updated signature count, the signature value, the registration identifier, the public key, the user name parameter and the challenge value parameter, composes an identity authentication request response from the assertion data and returns the identity authentication request response to the client application module. Alternatively, the current signature count is updated after the assertion data has been computed.
Composing the assertion data from the updated signature count, the signature value, the registration identifier, the public key, the user name parameter and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID (aaid), protocol version, signature algorithm and certificate; concatenates the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the registration identifier, the public key, the user name parameter and the challenge value parameter; uses the concatenation result as the V value, the length of the concatenation result as the L value and a first preset value as the T value to form TLV data according to the TLV format; encodes the TLV data; and uses the encoding result as the assertion data.
Here the first preset value is specifically the fixed number 0x3E01, and encoding the TLV data specifically means Base64url-encoding the TLV data and using the encoding result as the assertion data.
Further, the aaid, the protocol version, the signature algorithm, the certificate, the user name parameter, the challenge value, the generated registration identifier and the public key of the key pair may each be formed into a TLV structure according to the TLV format; the resulting multiple TLV structures are concatenated, the concatenation result is used as the V value and the fixed number 0x3E01 as the T value to form TLV data according to the TLV format, and the TLV data is Base64url-encoded and the encoding result used as the assertion data.
For example, the generated registration identifier (keyid) is:
BBWl0kGsuv7uZx3mJGOgsyINgS7UrogfrbsCZjkOud4;
the public key of the key pair is a 2048-bit RSA public key in DER encoding (given in the original as a hexadecimal string);
and the computed assertion data is a JSON object of the form {"assertion":"<Base64url-encoded TLV data>","assertionScheme":"UAFV1TLV"}.
{"assertion":"AT42AwM-
1QALLgkAMDAxQSMyMTIxDi4HAAABAQEAAAEKLiAAZaJ3f71dU7hkjfapB-g9U3OUG3v-
P86X1ps70W4EbzoJLiAA_TnlQe6eo8U9zSWpLL6r-Lq94UEi4_
Z0VHreGeGq9BANLggAaQAAAEwAAAAMLkEABNfSgmgdfZLTCSrIruCKTL1SAg8EmcVZiFG3EWL-
LUb9MUHQ4ORFHiTlU5obcz0aORGi4FyqDXU06nOTofkDoykEASAAWJOLhdZmgLi5nMdt0g3SdqQEm
2lQsSeDQUeoT4OF8NwHPlkCBi5AAAjk49mI_GoJrSsBqP4dlngzaaBPiWGaluqJzS8hjbPubC0S_
3B2Cokh-tLjbke3oMF7ueY8EQ0Lqf_
CR2seiRQFLhECMIICDTCCAbQCAgCmMAkGByqGSM49BAEwgZExCzAJBgNVBAYTAkNOMRAwDgYDVQQI
EwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMRYwFAYDVQQKEw1ub2tub2tsYWJzLmNuMQwwCgYDV
QQLFANSJkQxEDAOBgNVBAMTB1JvY2sgQ0ExJjAkBgkqhkiG9w0BCQEWF3JvY2sud2FuZ0Bub2tub2
tsYWJzLmNuMB4XDTE2MDIyNTA4NDgwOVoXDTI2MDIyMjA4NDgwOVowgZMxCzAJBgNVBAYTAkNOMRA
wDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMRYwFAYDVQQKEw1ub2tub2tsYWJzLmNu
MQwwCgYDVQQLFANSJkQxEjAQBgNVBAMUCTAwMUEjMjEyMTEmMCQGCSqGSIb3DQEJARYXcm9jay53Y
W5nQG5va25va2xhYnMuY24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQs0STWZx3DdOKol3w2HR
M6ww_SqWqiaK8XFKGRBDQeW7bmHbPbaLzMdRwuicqTrpG1Q94pmo-hD_
WaLCAjPemZMAkGByqGSM49BAEDSAAwRQIhAKG8mZUiC6CVEDTK5moLG2m13ombVJKJR2bbxE-
WllgGAiALajY5xvS373zCJG-zfo7nujOPkkhZ-qQ-kpu3vpIRNw","assertionScheme":"
UAFV1TLV"}.
Step 14: The client identity authentication module returns the identity authentication request response to the client application module;
Step 15: The client application module receives and parses the identity authentication request response and obtains the assertion data;
Step 16: The client application module sends the assertion data to the server;
Step 17: The server receives and processes the assertion data to obtain the registration result, and forms a registration request response according to the registration result;
Step 18: The server returns the registration request response to the client application module;
Step 19: The client application module receives the registration request response, obtains the registration result from it and displays it; the process ends.
Embodiment 3
Embodiment 3 of the invention provides an authentication/transaction method based on biometric feature recognition, applicable to a system composed of a server and a client, where the client includes a client application module and a client identity authentication module. As shown in Figure 3, when a user initiates an authentication/transaction operation in the client application module, the following steps are performed:
Step 1: The client application module sends an authentication/transaction request to the server;
Step 2: The server generates authentication/transaction data;
Step 3: The server returns the authentication/transaction data to the client application module;
Step 4: The client application module obtains the client identification and forms an authentication request from the client identification and the received authentication/transaction data;
Step 5: The client application module sends the authentication request to the client identity authentication module;
Specifically, if the client operating system is iOS, the client application module calls the client identity authentication module through the x-callback-url protocol and sends the authentication request; if the client operating system is Android, the client application module calls the client identity authentication module through the Android intent API and sends the authentication request.
Step 6: The client identity authentication module receives and parses the authentication request and obtains the authentication/transaction data and the client identification;
Step 7: The client identity authentication module checks whether the authentication/transaction data are legal; if so, Step 8 is executed; otherwise an error response is returned to the client application module, the client application module prompts an error, and the process ends;
In this step, checking whether the authentication/transaction data are legal specifically includes:
1) checking whether the application ID, the challenge value parameter and the authentication policy parameter included in the authentication/transaction data are all non-empty;
2) checking whether the accepted item of the authentication policy parameter policy is a non-empty array;
If both checks 1) and 2) above pass, the authentication/transaction data are legal; otherwise the authentication/transaction data are illegal.
Step 8: The client identity authentication module obtains a trust list according to the application ID included in the authentication/transaction data;
Step 9: The client identity authentication module judges whether the client identification is present in the trust list; if so, Step 10 is executed; otherwise an error response is returned to the client application module, the client application module prompts an error, and the process ends;
Step 10: The client identity authentication module judges whether its own authentication policy parameter matches the authentication policy parameter included in the authentication/transaction data; if so, Step 11 is executed; otherwise an error response is returned to the client application module, the client application module prompts an error, and the process ends;
Step 11: The client identity authentication module judges whether the authentication/transaction data include transaction information; if so, Step 12 is executed; otherwise Step 13 is executed;
Step 12: The client identity authentication module prompts the user to confirm the transaction information and judges whether the user confirms; if so, Step 13 is executed; otherwise an error response is returned to the client application module, the client application module prompts an error, and the process ends;
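The checks of Steps 7 to 12, together with the client identification obtained in Step 4, written out as an added Python example; this is not code from the patent. The JSON field names (appID, challenge, policy, accepted, transaction), the trust-list table, SHA-256 as the hash of the Android client digital signature, and the rule for matching the authenticator's own policy against an accepted entry are all assumptions of the example.

```python
import hashlib
import json
from typing import Any, Dict, Tuple

# Constructed trust lists keyed by application ID. The page says the module
# obtains the trust list "according to the application ID" but not from where,
# so this table is an assumption of the example.
TRUST_LISTS: Dict[str, set] = {
    "https://bank.example.test/facets": {
        "com.example.bankapp",  # constructed iOS bundle ID
        hashlib.sha256(b"constructed-android-signing-cert").hexdigest(),
    },
}

# Constructed authentication/transaction data as the server might return it
# (field names assumed for the example).
SAMPLE_AUTH_DATA = json.loads("""{
  "appID": "https://bank.example.test/facets",
  "challenge": "constructed-challenge-1",
  "policy": {"accepted": [{"aaid": "0000#0001", "userVerification": "fingerprint"}]}
}""")
# The authenticator's own policy attributes (constructed).
OWN_POLICY = {"aaid": "0000#0001", "userVerification": "fingerprint"}


def client_identification(platform: str, bundle_id: str = "", signature: bytes = b"") -> str:
    """Derive the client identification as the page describes: the Bundle ID on
    iOS, a hash of the client's digital signature on Android. SHA-256 is an
    assumption; the page only says 'the default hash algorithm'."""
    if platform == "ios":
        return bundle_id
    if platform == "android":
        return hashlib.sha256(signature).hexdigest()
    raise ValueError("unsupported platform: %s" % platform)


def check_request(data: Dict[str, Any], client_id: str,
                  own_policy: Dict[str, Any]) -> Tuple[bool, str]:
    """Steps 7 to 11 of Embodiment 3. Returns (ok, reason); the reason is
    'confirm-transaction' when transaction information is present and the user
    must confirm it (Step 12) before biometric capture (Step 13)."""
    # Step 7, check 1): application ID, challenge and policy must be non-empty.
    for field in ("appID", "challenge", "policy"):
        if not data.get(field):
            return False, "missing or empty %s" % field
    # Step 7, check 2): policy.accepted must be a non-empty array.
    policy = data["policy"]
    accepted = policy.get("accepted") if isinstance(policy, dict) else None
    if not isinstance(accepted, list) or not accepted:
        return False, "policy.accepted is not a non-empty array"
    # Steps 8 and 9: the client identification must be in the trust list for the app ID.
    if client_id not in TRUST_LISTS.get(data["appID"], set()):
        return False, "client identification not in trust list"
    # Step 10: the authenticator's own policy must match an accepted entry. Treating
    # "every key of the entry equals the authenticator's own attribute" as a match
    # is an assumption; the page only says the parameters must match.
    if not any(isinstance(e, dict) and e and all(own_policy.get(k) == v for k, v in e.items())
               for e in accepted):
        return False, "authentication policy does not match"
    # Step 11: transaction information present means the user must confirm it first.
    if data.get("transaction"):
        return True, "confirm-transaction"
    return True, "ok"


if __name__ == "__main__":
    print(check_request(SAMPLE_AUTH_DATA, "com.example.bankapp", OWN_POLICY))
```

Every failing branch returns a reason string instead of raising, so the caller can map it onto the single error response the page has the module return, without leaking which check failed to anything but the local log.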
Step 13: The client identity authentication module determines the current authentication mode according to the authentication policy parameter and prompts the user to input biometric feature data;
Step 14: The client identity authentication module verifies the identity of the current user according to the biometric feature data input by the user; if the verification succeeds, Step 15 is executed; if the verification fails, an error response is returned to the client application module, the client application module prompts an error, and the process ends;
Step 15: The client identity authentication module obtains the saved sign-on ID and the private key of the key pair, generates a random number, calculates assertion data according to the sign-on ID, the random number, the private key of the key pair and the authentication/transaction data, and forms an identity authentication request response according to the assertion data;
Specifically, if the authentication/transaction data include transaction information, this step is as follows: the client identity authentication module searches for and obtains the saved sign-on ID and the private key of the key pair according to the sign-on ID field included in the authentication policy parameter, obtains the current signature count, generates a random number, performs a signature calculation with the private key of the key pair over the sign-on ID, the random number, the transaction information included in the transaction data and the challenge value parameter to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter, forms an identity authentication request response according to the assertion data, and returns the identity authentication request response to the client application module; after the assertion data are calculated, the current signature count is also updated.
Forming the assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate, forms a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the random number, the challenge value parameter and the transaction information, uses the splicing result as the V value, uses the length value of the splicing result as the L value, uses the second preset value as the T value, forms TLV data according to the TLV format, encodes the TLV data, and uses the encoding result obtained as the assertion data.
If the authentication/transaction data do not include transaction information, this step is as follows: the client identity authentication module searches for and obtains the saved sign-on ID and the private key of the key pair according to the sign-on ID field included in the authentication policy parameter, obtains the current signature count, generates a random number, signs the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter, forms an identity authentication request response according to the assertion data, and returns the identity authentication request response to the client application module; after the assertion data are calculated, the current signature count is updated.
Forming the assertion data from the updated signature count, the signature value, the sign-on ID and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate, forms a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter, uses the splicing result as the V value, uses the length value of the splicing result as the L value, uses the second preset value as the T value, forms TLV data according to the TLV format, encodes the TLV data, and uses the encoding result obtained as the assertion data.
Here the second preset value is specifically the fixed number 0x3E02, and encoding the TLV data specifically means Base64url-encoding the TLV data and using the encoding result obtained as the assertion data.
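The assertion encoding of Embodiment 2 (T = 0x3E01, registration) and of Embodiment 3 (T = 0x3E02, authentication/transaction), as one added Python example that is not code from the patent. The inner tag numbers, every field value other than the keyid and the first bytes of the public key printed on the page, and the fixed-width encodings chosen for the protocol version, signature algorithm and signature count are assumptions of the example. The 2-byte little-endian tag and length layout is taken from the page's own example, whose first Base64url characters "AT42AwM-" decode to the bytes 01 3E 36 03, i.e. tag 0x3E01 followed by length 822.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Outer tags stated on the page: 0x3E01 for the registration assertion
# (Embodiment 2) and 0x3E02 for the authentication/transaction assertion (Embodiment 3).
TAG_REG_ASSERTION = 0x3E01
TAG_AUTH_ASSERTION = 0x3E02

# Inner tags for the spliced fields are an ASSUMPTION of this example; the page
# says only that each field forms "TLV data according to the TLV format".
INNER_TAGS = {
    "authenticator_id": 0x0001, "protocol_version": 0x0002, "signature_algorithm": 0x0003,
    "certificate": 0x0004, "signature_counter": 0x0005, "signature": 0x0006,
    "keyid": 0x0007, "public_key": 0x0008, "username": 0x0009,
    "challenge": 0x000A, "random": 0x000B, "transaction": 0x000C,
}
TAG_NAMES = {v: k for k, v in INNER_TAGS.items()}


def tlv(tag: int, value: bytes) -> bytes:
    """One TLV item: 2-byte tag, 2-byte length, value; tag and length little-endian.
    The byte order follows the page's example: "AT42AwM-" decodes to 01 3E 36 03,
    i.e. tag 0x3E01 and length 0x0336."""
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 2-byte length field")
    return struct.pack("<HH", tag, len(value)) + value


def build_assertion(outer_tag: int, fields: List[Tuple[str, bytes]]) -> str:
    """Splice the field TLVs into V, wrap under outer_tag, Base64url-encode without padding."""
    v = b"".join(tlv(INNER_TAGS[name], value) for name, value in fields)
    return base64.urlsafe_b64encode(tlv(outer_tag, v)).rstrip(b"=").decode("ascii")


def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Strict TLV walk: rejects truncated headers and lengths that overrun the buffer."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated TLV header at offset %d" % pos)
        tag, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("length %d overruns buffer at offset %d" % (length, pos))
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items


def decode_assertion(text: str) -> Tuple[int, Dict[str, bytes]]:
    """Inverse of build_assertion: the server-side parse, checking the outer tag first."""
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    outer = parse_tlvs(raw)
    if len(outer) != 1 or outer[0][0] not in (TAG_REG_ASSERTION, TAG_AUTH_ASSERTION):
        raise ValueError("expected a single 0x3E01 or 0x3E02 outer TLV")
    outer_tag, v = outer[0]
    fields: Dict[str, bytes] = {}
    for tag, value in parse_tlvs(v):
        if tag not in TAG_NAMES:
            raise ValueError("unknown inner tag 0x%04X" % tag)
        fields[TAG_NAMES[tag]] = value
    return outer_tag, fields


def is_malformed(buf: bytes) -> bool:
    """True if parse_tlvs rejects buf (shows the overrun and truncation checks)."""
    try:
        parse_tlvs(buf)
        return False
    except ValueError:
        return True


def page_example_header() -> Tuple[int, int]:
    """Decode the tag and length at the start of the page's own assertion example."""
    return struct.unpack("<HH", base64.urlsafe_b64decode("AT42AwM-")[:4])


def _common_fields(counter: int) -> List[Tuple[str, bytes]]:
    # Constructed values; the keyid is the one printed on the page.
    return [
        ("authenticator_id", b"0000#0001"),
        ("protocol_version", struct.pack("<H", 1)),
        ("signature_algorithm", struct.pack("<H", 1)),
        ("certificate", b"<attestation certificate DER>"),
        ("signature_counter", struct.pack("<I", counter)),  # count after the update
        ("signature", b"<signature over the fields>"),
        ("keyid", b"BBWl0kGsuv7uZx3mJGOgsyINgS7UrogfrbsCZjkOud4"),
    ]


def registration_assertion_example() -> str:
    """Embodiment 2 assertion (T = 0x3E01) with public key, user name and challenge."""
    return build_assertion(TAG_REG_ASSERTION, _common_fields(1) + [
        ("public_key", bytes.fromhex("3082010A0282010100ED")),  # first bytes of the page's key
        ("username", b"alice"),
        ("challenge", b"constructed-challenge"),
    ])


def authentication_assertion_example(transaction: bytes = b"") -> str:
    """Embodiment 3 assertion (T = 0x3E02); the transaction field is present only
    when the authentication/transaction data carried transaction information."""
    fields = _common_fields(2) + [("random", b"constructed-random-nonce"),
                                  ("challenge", b"constructed-challenge")]
    if transaction:
        fields.append(("transaction", transaction))
    return build_assertion(TAG_AUTH_ASSERTION, fields)


if __name__ == "__main__":
    print(registration_assertion_example())
    print(authentication_assertion_example(b"Pay 10 EUR to ACME"))
```

The parser checks every length against the remaining buffer before slicing, so a forged assertion cannot make the server read past the data it received. The signature count the page has the client update after each assertion only protects against a replayed or cloned authenticator if the server records the count from the previous assertion and rejects a value that has not increased; the page leaves that comparison to the server's processing of the assertion data.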
Step 16: The client identity authentication module returns the identity authentication request response to the client application module;
Step 17: The client application module receives and parses the identity authentication request response and obtains the assertion data;
Step 18: The client application module sends the assertion data to the server;
Step 19: The server receives and processes the assertion data to obtain the authentication/transaction result, and forms an authentication/transaction request response according to the authentication/transaction result;
Step 20: The server returns the authentication/transaction request response to the client application module;
Step 21: The client application module receives the authentication/transaction request response, obtains the authentication/transaction result from it and displays it; the process ends.
Embodiment 4
This embodiment provides a client based on biometric feature recognition which, as shown in Figure 4, includes a client application module and a client identity authentication module;
The client application module includes a first transmit-receive unit 401, a first interactive unit 402 and a second interactive unit 403; the client identity authentication module includes a second transmit-receive unit 404, a first judging unit 405, a second judging unit 406 and a computing unit 407;
In this embodiment, the first transmit-receive unit 401 is used to initiate a preset request to the server, receive the request data returned by the server and trigger the first interactive unit 402; it is also used, when triggered by the first interactive unit 402, to send the assertion data to the server and receive the request response returned by the server;
The first interactive unit 402 is used to form an authentication request from the client identification and the request data and send the authentication request to the client identity authentication module; it is also used, when the identity authentication request response returned by the client identity authentication module is received, to obtain the assertion data from the identity authentication request response and trigger the first transmit-receive unit 401;
The second interactive unit 403 is used to obtain the request result from the request response received by the first transmit-receive unit 401 and display it;
The second transmit-receive unit 404 is used to receive the authentication request sent by the client application module, obtain the client identification and the request data from the authentication request and trigger the first judging unit 405; it is also used to return the identity authentication request response to the client application module;
The first judging unit 405 is used to judge whether the client identification and the request data are legal; if so, the user is prompted to input biometric feature data; otherwise an error response is returned to the client application module;
The first judging unit 405 is specifically used to check whether the format of the content included in the request data is legal; when the format of the content included in the request data is legal, it is further used to obtain a trust list according to the application ID included in the request data, judge whether the client identification is present in the trust list and, if so, judge whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter included in the request data; if so, the judgement result is legal and the user is prompted to input biometric feature data; otherwise the judgement result is illegal and an error response is returned to the client application module; when the format of the content included in the request data is illegal, the judgement result is illegal and an error response is returned to the client application module.
The first judging unit 405 is also used, when the judgement result is legal, to determine the current authentication mode according to the authentication policy parameter and to prompt the user to input the corresponding biometric feature data according to the current authentication mode.
The second judging unit 406 is used to verify the identity of the current user according to the biometric feature data input by the user; if the verification succeeds, it triggers the computing unit 407; if the verification fails, it returns an error response to the client application module;
The computing unit 407 is used to calculate assertion data according to the sign-on ID, the private key of the key pair and the request data, form an identity authentication request response according to the assertion data and trigger the second transmit-receive unit 404.
When the client provided in this embodiment is used to implement the registration function, the functions of the corresponding component units are as follows:
The first transmit-receive unit 401 is specifically used to initiate a registration request to the server and receive the registration data returned by the server; the registration data include a user name parameter and a challenge value parameter;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is specifically used, when triggered by the second judging unit 406, to generate a sign-on ID and a key pair, save the sign-on ID and the private key of the key pair, obtain the current signature count and trigger the second computation subunit;
The second computation subunit is used to perform a signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair and the user name parameter and challenge value parameter included in the registration data to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter;
The third computation subunit is used to form an identity authentication request response according to the assertion data; it is also used to update the current signature count after the assertion data are calculated.
The above second computation subunit is specifically used, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to perform a signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair and the user name parameter and challenge value parameter included in the registration data to obtain a signature value and update the current signature count; and to form a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter, use the splicing result as the V value, use the length value of the splicing result as the L value, use the first preset value as the T value, form TLV data according to the TLV format, encode the TLV data, and use the encoding result obtained as the assertion data.
When the client provided in this embodiment is used to implement the authentication/transaction function, the functions of the corresponding component units are as follows:
The first transmit-receive unit 401 is specifically used to initiate an authentication/transaction request to the server and receive the authentication/transaction data returned by the server;
The first judging unit 405 is also used to judge whether the request data contain transaction information; if so, the transaction information is displayed by the client and the user is prompted to input biometric feature data after the user confirms; otherwise the user is prompted to input biometric feature data directly.
Specifically, the first transmit-receive unit 401 is used to initiate an authentication request to the server and receive the authentication data returned by the server; the authentication data include a challenge value parameter and an authentication policy parameter, and the authentication policy parameter includes a sign-on ID field;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is used to search for and obtain the saved sign-on ID and the private key of the key pair according to the sign-on ID field included in the authentication policy parameter, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is used to sign the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter;
The third computation subunit is used to form an identity authentication request response according to the assertion data; it is also used to update the current signature count after the assertion data are calculated.
The above second computation subunit is specifically used, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to sign the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value and update the current signature count; and to form a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter, use the splicing result as the V value, use the length value of the splicing result as the L value, use the second preset value as the T value, form TLV data according to the TLV format, encode the TLV data, and use the encoding result obtained as the assertion data.
Alternatively, the first transmit-receive unit 401 is specifically used to initiate a transaction request to the server and receive the transaction data returned by the server; the transaction data include transaction information, a challenge value parameter and an authentication policy parameter, and the authentication policy parameter includes a sign-on ID field;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is used to search for and obtain the saved sign-on ID and the private key of the key pair according to the sign-on ID field included in the authentication policy parameter, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is used to perform a signature calculation with the private key of the key pair over the sign-on ID, the random number and the transaction information and challenge value parameter included in the transaction data to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter;
The third computation subunit is used to form an identity authentication request response according to the assertion data; it is also used to update the current signature count after the assertion data are calculated.
The above second computation subunit is specifically used, when triggered by the first computation subunit, to obtain its own authenticator ID, protocol version, signature algorithm and certificate, and to form a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the random number, the challenge value parameter and the transaction information, use the splicing result as the V value, use the length value of the splicing result as the L value, use the second preset value as the T value, form TLV data according to the TLV format, encode the TLV data, and use the encoding result obtained as the assertion data.
Further, the client application module in this embodiment may also include an acquiring unit;
The acquiring unit is specifically used, when the client operating system is iOS, to obtain the Bundle ID of the client and use it as the client identification; and, when the client operating system is Android, to obtain the digital signature of the client, calculate a hash of the client digital signature according to a default hash algorithm, and use the calculated hash value as the client identification.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person familiar with the art could readily conceive within the technical scope disclosed by the invention shall be included within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.
Claims (22)
1. A client operation method based on biometric feature recognition, characterized by including:
Step S1: a client application module initiates a preset request to a server and receives the request data returned by the server;
Step S2: the client application module forms an authentication request from a client identification and the request data and sends the authentication request to a client identity authentication module;
Step S3: the client identity authentication module obtains the client identification and the request data from the authentication request and judges whether the client identification and the request data are legal; if so, it prompts the user to input biometric feature data and Step S4 is executed; otherwise it returns an error response to the client application module and the process ends;
Step S4: the client identity authentication module verifies the identity of the current user according to the biometric feature data input by the user; if the verification succeeds, Step S5 is executed; otherwise an error response is returned to the client application module and the process ends;
Step S5: the client identity authentication module calculates assertion data according to a sign-on ID, the private key of a key pair and the request data, forms an identity authentication request response according to the assertion data, and returns the identity authentication request response to the client application module;
Step S6: the client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server and receives the request response returned by the server; it obtains the request result from the request response and displays it, and the process ends.
2. The method according to claim 1, characterized in that judging whether the client identification and the request data are legal specifically includes:
Step 1: checking whether the format of the content included in the request data is legal; if so, Step 2 is executed; otherwise the judgement result is illegal;
Step 2: obtaining a trust list according to the application ID included in the request data and judging whether the client identification is present in the trust list; if so, Step 3 is executed; otherwise the judgement result is illegal;
Step 3: judging whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter included in the request data; if so, the judgement result is legal; otherwise the judgement result is illegal.
3. The method according to claim 2, characterized in that, when the judgement result is legal, the method further includes determining the current authentication mode according to the authentication policy parameter;
prompting the user to input biometric feature data in Step S3 specifically means prompting the user to input the corresponding biometric feature data according to the current authentication mode.
4. The method according to claim 1, characterized in that the preset request is a registration request and the request data are specifically registration data, the registration data including a user name parameter and a challenge value parameter;
Step S5 is specifically: the client identity authentication module generates a sign-on ID and a key pair, saves the sign-on ID and the private key of the key pair, obtains the current signature count, performs a signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair and the user name parameter and challenge value parameter included in the registration data to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter, forms an identity authentication request response according to the assertion data, and returns the identity authentication request response to the client application module; after the assertion data are calculated, the current signature count is updated.
5. The method according to claim 4, characterized in that forming the assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate, forms a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter, uses the splicing result as the V value, uses the length value of the splicing result as the L value, uses a first preset value as the T value, forms TLV data according to the TLV format, encodes the TLV data, and uses the encoding result obtained as the assertion data.
6. The method according to claim 1, characterized in that the preset request is an authentication/transaction request, and before prompting the user to input biometric feature data in Step S3 the method further includes judging whether the request data contain transaction information; if so, the transaction information is displayed by the client and the prompting of the user to input biometric feature data is performed after the user confirms; otherwise the prompting of the user to input biometric feature data is performed directly.
7. The method according to claim 6, characterized in that the preset request is an authentication request and the request data are specifically authentication data, the authentication data including a challenge value parameter and an authentication policy parameter, and the authentication policy parameter including a sign-on ID field;
Step S5 is specifically: the client identity authentication module searches for and obtains the saved sign-on ID and the private key of the key pair according to the sign-on ID field included in the authentication policy parameter, obtains the current signature count, generates a random number, signs the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter, forms an identity authentication request response according to the assertion data, and returns the identity authentication request response to the client application module; after the assertion data are calculated, the method further includes updating the current signature count.
8. The method according to claim 7, characterized in that forming the assertion data from the updated signature count, the signature value, the sign-on ID and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate, forms a splicing result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter, uses the splicing result as the V value, uses the length value of the splicing result as the L value, uses a second preset value as the T value, forms TLV data according to the TLV format, encodes the TLV data, and uses the encoding result obtained as the assertion data.
9. The method according to claim 6, characterised in that the preset request is a transaction request and the request data is transaction data; the transaction data includes transaction information, a challenge value parameter and an authentication policy parameter, and the authentication policy parameter includes a sign-on ID field;
step S5 is specifically: the client identity authentication module searches according to the sign-on ID field included in the authentication policy parameter and obtains the saved sign-on ID and the private key of the key pair, obtains the current signature count, generates a random number, performs signature calculation with the private key of the key pair over the sign-on ID, the random number, and the transaction information and challenge value parameter included in the transaction data to obtain a signature value, updates the current signature count, composes assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter, composes an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module; after the assertion data has been calculated, the method further includes updating the current signature count.
10. The method according to claim 9, characterised in that composing the assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate; concatenates the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number, the challenge value parameter and the transaction information to form a concatenation result; takes the concatenation result as the V value, the length of the concatenation result as the L value and a second preset value as the T value; composes TLV data in TLV format; encodes the TLV data; and takes the resulting encoding as the assertion data.
11. The method according to claim 1, characterised in that step S2 further includes obtaining a client identification, specifically as follows:
if the client operating system is iOS, the client application module obtains the Bundle ID of the client and uses it as the client identification; if the client operating system is Android, the client application module obtains the client digital signature, computes a hash of the client digital signature with a preset hash algorithm, and uses the resulting hash value as the client identification.
12. A client based on biometric recognition, characterised in that it includes a client application module and a client identity authentication module;
the client application module includes a first transceiver unit, a first interactive unit and a second interactive unit;
the first transceiver unit is used to initiate a preset request to the server, receive the request data returned by the server and trigger the first interactive unit; it is further used, when it receives the trigger of the first interactive unit, to send the assertion data to the server and receive the request response returned by the server;
the first interactive unit is used to compose an identity authentication request from the client identification and the request data and send the identity authentication request to the client identity authentication module; it is further used, when it receives the identity authentication request response returned by the client identity authentication module, to obtain the assertion data from the identity authentication request response and trigger the first transceiver unit;
the second interactive unit is used to obtain the request result from the request response received by the first transceiver unit and display it;
the client identity authentication module includes a second transceiver unit, a first judging unit, a second judging unit and a computing unit;
the second transceiver unit is used to receive the identity authentication request sent by the client application module, obtain the client identification and the request data from the identity authentication request and trigger the first judging unit; it is further used to return the identity authentication request response to the client application module;
the first judging unit is used to judge whether the client identification and the request data are legal; if so, it prompts the user to input biometric data; otherwise it returns an error response to the client application module;
the second judging unit is used to authenticate the current user according to the biometric data input by the user; if verification succeeds it triggers the computing unit, and if verification fails it returns an error response to the client application module;
the computing unit is used to calculate the assertion data from the sign-on ID, the private key of the key pair and the request data, compose the identity authentication request response from the assertion data and trigger the second transceiver unit.
13. The client according to claim 12, characterised in that:
the first judging unit is specifically used to check whether the format of the content included in the request data is legal; when the format of the content included in the request data is legal, it is further used to obtain a trust list according to the application ID included in the request data and judge whether the client identification is present in the trust list; if so, it judges whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter included in the request data, and if so the judgement result is legal and the user is prompted to input biometric data; otherwise the judgement result is illegal and an error response is returned to the client application module; when the format of the content included in the request data is illegal, the judgement result is illegal and an error response is returned to the client application module.
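The three checks of claim 13 (request format, trust list keyed by application ID, policy match), the mode selection of claim 14 and the client identification of claim 11 (restated as the acquiring unit in claim 22), as an added Python example; this is not the patent's own code. The request-data field names, the trust-list shape, SHA-256 as the preset hash algorithm, the set of supported biometric modes and the reading of "policy match" as "the requested mode is one this module supports" are all assumptions.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed trust list: application ID -> client identifications allowed to
# call the identity authentication module.  The claims only say the list is
# obtained from the application ID in the request data; its shape is assumed.
TRUST_LIST: Dict[str, Set[str]] = {
    "com.example.bank": {
        "com.example.bank",                                               # iOS Bundle ID
        hashlib.sha256(b"constructed-android-signing-cert").hexdigest(),  # Android
    },
}
# Biometric modes this client identity authentication module can prompt for
# (assumption; used for the policy match of claim 13).
SUPPORTED_MODES = {"fingerprint", "face"}


def client_identification(os_name: str, bundle_id: Optional[str] = None,
                          android_signature: Optional[bytes] = None) -> str:
    """Claims 11 and 22: Bundle ID on iOS, hash of the client digital signature
    on Android (preset hash algorithm assumed to be SHA-256)."""
    if os_name == "iOS":
        if not bundle_id:
            raise ValueError("Bundle ID required on iOS")
        return bundle_id
    if os_name == "Android":
        if not android_signature:
            raise ValueError("client digital signature required on Android")
        return hashlib.sha256(android_signature).hexdigest()
    raise ValueError("unsupported client operating system")


def format_is_legal(request_data: object) -> bool:
    """First step of claim 13: a structural check before anything is trusted.
    Field names and the minimum challenge length are assumptions."""
    if not isinstance(request_data, dict):
        return False
    app_id = request_data.get("app_id")
    challenge = request_data.get("challenge")
    policy = request_data.get("policy")
    if not isinstance(app_id, str) or not app_id:
        return False
    if not isinstance(challenge, (bytes, bytearray)) or len(challenge) < 16:
        return False
    if not isinstance(policy, dict) or not isinstance(policy.get("auth_mode"), str):
        return False
    return True


def policy_matches(policy: Dict[str, str]) -> bool:
    """Policy match: the requested mode is one this module supports (assumed semantics)."""
    return policy["auth_mode"] in SUPPORTED_MODES


def judge(client_id: str, request_data: object) -> Tuple[bool, str]:
    """First judging unit: returns (legal, next action).  Every check fails
    closed, and the order matters: format first, then trust list, then policy."""
    if not format_is_legal(request_data):
        return False, "error: malformed request data"
    trusted = TRUST_LIST.get(request_data["app_id"], set())
    if client_id not in trusted:
        return False, "error: client identification not in trust list"
    policy = request_data["policy"]
    if not policy_matches(policy):
        return False, "error: authentication policy not supported"
    # Claim 14: the prompt names the mode determined from the policy parameter.
    return True, "prompt: " + policy["auth_mode"]
```

The trust-list step is the one that ties the biometric prompt to a specific calling application: on Android the identification is derived from the signing certificate, so a repackaged build of the same app signed with a different key yields a different hash and is refused before the user is ever asked for a fingerprint.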
14. The client according to claim 13, characterised in that the first judging unit is further used, when the judgement result is legal, to determine the current authentication mode according to the authentication policy parameter and prompt the user to input the biometric data corresponding to the current authentication mode.
15. The client according to claim 12, characterised in that:
the first transceiver unit is specifically used to initiate a registration request to the server and receive the registration data returned by the server; the registration data includes a user name parameter and a challenge value parameter;
the computing unit includes a first computation subunit, a second computation subunit and a third computation subunit;
the first computation subunit is specifically used, when it receives the trigger of the second judging unit, to generate a sign-on ID and a key pair, save the sign-on ID and the private key of the key pair, obtain the current signature count and trigger the second computation subunit;
the second computation subunit is used to perform signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair, and the user name parameter and challenge value parameter included in the registration data to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter;
the third computation subunit is used to compose the identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
16. The client according to claim 15, characterised in that:
the second computation subunit is specifically used, when it receives the trigger of the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to perform signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair, and the user name parameter and challenge value parameter included in the registration data to obtain a signature value and update the current signature count; and to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge value parameter to form a concatenation result, take the concatenation result as the V value, the length of the concatenation result as the L value and a first preset value as the T value, compose TLV data in TLV format, encode the TLV data and take the resulting encoding as the assertion data.
17. The client according to claim 12, characterised in that the first transceiver unit is specifically used to initiate an authentication/transaction request to the server and receive the authentication/transaction data returned by the server;
the first judging unit is further used to judge whether the request data contains transaction information; if so, it displays the transaction information through the client and prompts the user to input biometric data after the user confirms; otherwise it directly prompts the user to input biometric data.
18. The client according to claim 17, characterised in that the first transceiver unit is specifically used to initiate an authentication request to the server and receive the authentication data returned by the server; the authentication data includes a challenge value parameter and an authentication policy parameter, and the authentication policy parameter includes a sign-on ID field;
the computing unit includes a first computation subunit, a second computation subunit and a third computation subunit;
the first computation subunit is used to search according to the sign-on ID field included in the authentication policy parameter and obtain the saved sign-on ID and the private key of the key pair, obtain the current signature count, generate a random number and trigger the second computation subunit;
the second computation subunit is used to sign the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter;
the third computation subunit is used to compose the identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
19. The client according to claim 18, characterised in that the second computation subunit is specifically used, when it receives the trigger of the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to sign the sign-on ID, the random number and the challenge value parameter included in the authentication data with the private key of the key pair to obtain a signature value and update the current signature count; and to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number and the challenge value parameter to form a concatenation result, take the concatenation result as the V value, the length of the concatenation result as the L value and a second preset value as the T value, compose TLV data in TLV format, encode the TLV data and take the resulting encoding as the assertion data.
20. The client according to claim 17, characterised in that the first transceiver unit is specifically used to initiate a transaction request to the server and receive the transaction data returned by the server; the transaction data includes transaction information, a challenge value parameter and an authentication policy parameter, and the authentication policy parameter includes a sign-on ID field;
the computing unit includes a first computation subunit, a second computation subunit and a third computation subunit;
the first computation subunit is used to search according to the sign-on ID field included in the authentication policy parameter and obtain the saved sign-on ID and the private key of the key pair, obtain the current signature count, generate a random number and trigger the second computation subunit;
the second computation subunit is used to perform signature calculation with the private key of the key pair over the sign-on ID, the random number, and the transaction information and challenge value parameter included in the transaction data to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge value parameter;
the third computation subunit is used to compose the identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
21. The client according to claim 20, characterised in that:
the second computation subunit is specifically used, when it receives the trigger of the first computation subunit, to obtain its own authenticator ID, protocol version, signature algorithm and certificate; and to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number, the challenge value parameter and the transaction information to form a concatenation result, take the concatenation result as the V value, the length of the concatenation result as the L value and a second preset value as the T value, compose TLV data in TLV format, encode the TLV data and take the resulting encoding as the assertion data.
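The assertion computation that claims 8, 10, 16, 19 and 21 restate (concatenate the authenticator's own fields, the updated signature count, the signature value and the signed inputs, then wrap the concatenation in TLV with the preset value as T), together with the check a relying party would run when the assertion arrives, as an added Python example; this is not code from the patent. The tag value, the 16-bit T/L layout, the length-prefixing of fields inside V and the HMAC stand-in for the key-pair signature are assumptions. The block covers the authentication and transaction cases; the registration assertion of claim 16 follows the same pattern with the first preset value as T and the public key and user name in place of the random number.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# Constructed tag: the claims only say "second preset value" for the
# authentication / transaction assertion.  Assumed layout: T and L are
# unsigned 16-bit big-endian, V is the concatenation result.
TAG_AUTH_ASSERTION = 0x3E02

def tlv_encode(tag: int, value: bytes) -> bytes:
    """T | L | V with L = len(V), as claims 8, 10, 16, 19 and 21 describe."""
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 2-byte L")
    return struct.pack(">HH", tag, len(value)) + value

def tlv_decode(data: bytes) -> Tuple[int, bytes]:
    """Inverse of tlv_encode; rejects an L that disagrees with the payload."""
    if len(data) < 4:
        raise ValueError("truncated TLV header")
    tag, length = struct.unpack(">HH", data[:4])
    if len(data) != 4 + length:
        raise ValueError("L does not match the payload length")
    return tag, data[4:]

def pack_fields(fields: List[bytes]) -> bytes:
    """Length-prefix each field so the concatenation is unambiguous (assumption)."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack_fields(blob: bytes) -> List[bytes]:
    fields, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated field length")
        n = struct.unpack(">H", blob[i:i + 2])[0]
        if i + 2 + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields

def sign(key: bytes, parts: List[bytes]) -> bytes:
    # Stand-in for the key-pair signature the claims describe, so the example
    # runs on the standard library alone; a real build signs with ECDSA/RSA
    # here and the relying party verifies with the registered public key.
    return hmac.new(key, pack_fields(parts), hashlib.sha256).digest()

class ClientAuthenticator:
    """Client identity authentication module: one key per sign-on ID plus the signature count."""

    def __init__(self, authenticator_id: bytes, protocol_version: bytes,
                 signature_algorithm: bytes, certificate: bytes) -> None:
        self.meta = [authenticator_id, protocol_version, signature_algorithm, certificate]
        self.keys = {}          # sign-on ID -> private key (stand-in)
        self.sign_count = 0

    def register(self, sign_on_id: bytes, key: bytes) -> None:
        self.keys[sign_on_id] = key

    def assertion(self, sign_on_id: bytes, challenge: bytes,
                  transaction_info: Optional[bytes] = None) -> bytes:
        """Sign (sign-on ID, random, [transaction info], challenge), bump the
        count, then TLV-encode the concatenation of every field."""
        key = self.keys[sign_on_id]
        random_number = os.urandom(16)
        signed = [sign_on_id, random_number]
        if transaction_info is not None:
            signed.append(transaction_info)
        signed.append(challenge)
        signature = sign(key, signed)
        self.sign_count += 1    # update the current signature count
        fields = self.meta + [struct.pack(">I", self.sign_count), signature,
                              sign_on_id, random_number, challenge]
        if transaction_info is not None:
            fields.append(transaction_info)
        return tlv_encode(TAG_AUTH_ASSERTION, pack_fields(fields))

def verify_assertion(assertion: bytes, key: bytes, challenge: bytes, last_count: int,
                     transaction_info: Optional[bytes] = None) -> Tuple[bool, str, int]:
    """Relying-party side: returns (accepted, reason, signature count to store)."""
    try:
        tag, value = tlv_decode(assertion)
        fields = unpack_fields(value)
    except ValueError as exc:
        return False, str(exc), last_count
    want = 10 if transaction_info is not None else 9
    if tag != TAG_AUTH_ASSERTION or len(fields) != want or len(fields[4]) != 4:
        return False, "unexpected tag or field layout", last_count
    count = struct.unpack(">I", fields[4])[0]
    signature, sign_on_id, random_number, chal = fields[5:9]
    if chal != challenge or (transaction_info is not None and fields[9] != transaction_info):
        return False, "challenge or transaction information mismatch", last_count
    extra = [transaction_info] if transaction_info is not None else []
    if not hmac.compare_digest(sign(key, [sign_on_id, random_number] + extra + [chal]), signature):
        return False, "bad signature", last_count
    if count <= last_count:
        # a replayed assertion, or a cloned authenticator whose count fell behind
        return False, "signature count did not increase", last_count
    return True, "ok", count
```

The signature count is what makes the assertion more than a signed challenge: the relying party stores the last count it accepted for each sign-on ID and refuses any assertion whose count does not exceed it, which rejects a replayed assertion and, in practice, flags a cloned authenticator that has fallen behind the original. For a transaction the signed input also covers the transaction information, so the server's copy of what the user confirmed on screen is bound to the signature.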
22. The client according to claim 12, characterised in that the client application module further includes an acquiring unit;
the acquiring unit is specifically used, when the client operating system is iOS, to obtain the Bundle ID of the client and use it as the client identification; and, when the client operating system is Android, to obtain the client digital signature, compute a hash of the client digital signature with a preset hash algorithm and use the resulting hash value as the client identification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611058902.6A CN106549973A (en) | 2016-11-21 | 2016-11-21 | A kind of client and its method of work based on living things feature recognition |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611058902.6A CN106549973A (en) | 2016-11-21 | 2016-11-21 | A kind of client and its method of work based on living things feature recognition |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106549973A true CN106549973A (en) | 2017-03-29 |
Family
ID=58395914
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611058902.6A Pending CN106549973A (en) | 2016-11-21 | 2016-11-21 | A kind of client and its method of work based on living things feature recognition |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106549973A (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107919963A (en) * | 2017-12-27 | 2018-04-17 | 飞天诚信科技股份有限公司 | A kind of authenticator and its implementation |
CN109214154A (en) * | 2017-06-29 | 2019-01-15 | 佳能株式会社 | Information processing unit and method |
CN109784024A (en) * | 2018-12-14 | 2019-05-21 | 航天信息股份有限公司 | One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators |
CN109829722A (en) * | 2019-02-22 | 2019-05-31 | 兴唐通信科技有限公司 | A kind of user identity real name identification method of electronic fare payment system |
WO2020024852A1 (en) * | 2018-08-01 | 2020-02-06 | 飞天诚信科技股份有限公司 | Authentication method and authentication device |
CN110852139A (en) * | 2018-08-21 | 2020-02-28 | 阿里巴巴集团控股有限公司 | Biometric feature recognition method, biometric feature recognition device, biometric feature recognition equipment and storage medium |
CN110932858A (en) * | 2018-09-19 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Authentication method and system |
CN111382420A (en) * | 2018-12-29 | 2020-07-07 | 金联汇通信息技术有限公司 | Data transaction method, device, system, electronic equipment and readable storage medium |
CN112182542A (en) * | 2020-12-03 | 2021-01-05 | 飞天诚信科技股份有限公司 | Method and system for accurate matching of biological recognition |
CN112199663A (en) * | 2020-12-03 | 2021-01-08 | 飞天诚信科技股份有限公司 | Authentication method and system for no user name |
CN112989309A (en) * | 2021-05-21 | 2021-06-18 | 统信软件技术有限公司 | Login method, authentication method and system based on multi-party authorization and computing equipment |
CN113190816A (en) * | 2021-05-08 | 2021-07-30 | 国民认证科技(北京)有限公司 | Man-machine interaction verification method and system using system biological characteristics |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105162785A (en) * | 2015-09-07 | 2015-12-16 | 飞天诚信科技股份有限公司 | Method and equipment for performing registration based on authentication equipment |
CN105550558A (en) * | 2015-07-31 | 2016-05-04 | 宇龙计算机通信科技(深圳)有限公司 | Fingerprint reading method and user equipment |
CN105827655A (en) * | 2016-05-27 | 2016-08-03 | 飞天诚信科技股份有限公司 | Intelligent key equipment and work method thereof |
CN105847247A (en) * | 2016-03-21 | 2016-08-10 | 飞天诚信科技股份有限公司 | Authentication system and working method thereof |
- 2016-11-21 CN CN201611058902.6A patent/CN106549973A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105550558A (en) * | 2015-07-31 | 2016-05-04 | 宇龙计算机通信科技(深圳)有限公司 | Fingerprint reading method and user equipment |
CN105162785A (en) * | 2015-09-07 | 2015-12-16 | 飞天诚信科技股份有限公司 | Method and equipment for performing registration based on authentication equipment |
CN105847247A (en) * | 2016-03-21 | 2016-08-10 | 飞天诚信科技股份有限公司 | Authentication system and working method thereof |
CN105827655A (en) * | 2016-05-27 | 2016-08-03 | 飞天诚信科技股份有限公司 | Intelligent key equipment and work method thereof |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109214154A (en) * | 2017-06-29 | 2019-01-15 | 佳能株式会社 | Information processing unit and method |
US11042615B2 (en) | 2017-06-29 | 2021-06-22 | Canon Kabushiki Kaisha | Information processing apparatus and method |
CN107919963A (en) * | 2017-12-27 | 2018-04-17 | 飞天诚信科技股份有限公司 | A kind of authenticator and its implementation |
CN107919963B (en) * | 2017-12-27 | 2020-10-27 | 飞天诚信科技股份有限公司 | Authenticator and implementation method thereof |
WO2020024852A1 (en) * | 2018-08-01 | 2020-02-06 | 飞天诚信科技股份有限公司 | Authentication method and authentication device |
US11930118B2 (en) | 2018-08-01 | 2024-03-12 | Feitian Technologies Co., Ltd. | Authentication method and authentication device |
CN110852139B (en) * | 2018-08-21 | 2024-05-24 | 斑马智行网络(香港)有限公司 | Biometric identification method, device, apparatus and storage medium |
CN110852139A (en) * | 2018-08-21 | 2020-02-28 | 阿里巴巴集团控股有限公司 | Biometric feature recognition method, biometric feature recognition device, biometric feature recognition equipment and storage medium |
CN110932858A (en) * | 2018-09-19 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Authentication method and system |
CN110932858B (en) * | 2018-09-19 | 2023-05-02 | 阿里巴巴集团控股有限公司 | Authentication method and system |
CN109784024A (en) * | 2018-12-14 | 2019-05-21 | 航天信息股份有限公司 | One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators |
CN111382420A (en) * | 2018-12-29 | 2020-07-07 | 金联汇通信息技术有限公司 | Data transaction method, device, system, electronic equipment and readable storage medium |
CN109829722A (en) * | 2019-02-22 | 2019-05-31 | 兴唐通信科技有限公司 | A kind of user identity real name identification method of electronic fare payment system |
CN112182542B (en) * | 2020-12-03 | 2021-03-16 | 飞天诚信科技股份有限公司 | Method and system for accurate matching of biological recognition |
CN112199663A (en) * | 2020-12-03 | 2021-01-08 | 飞天诚信科技股份有限公司 | Authentication method and system for no user name |
CN112182542A (en) * | 2020-12-03 | 2021-01-05 | 飞天诚信科技股份有限公司 | Method and system for accurate matching of biological recognition |
CN113190816A (en) * | 2021-05-08 | 2021-07-30 | 国民认证科技(北京)有限公司 | Man-machine interaction verification method and system using system biological characteristics |
CN112989309B (en) * | 2021-05-21 | 2021-08-20 | 统信软件技术有限公司 | Login method, authentication method and system based on multi-party authorization and computing equipment |
CN112989309A (en) * | 2021-05-21 | 2021-06-18 | 统信软件技术有限公司 | Login method, authentication method and system based on multi-party authorization and computing equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106549973A (en) | A kind of client and its method of work based on living things feature recognition | |
US11068575B2 (en) | Authentication system | |
CN105162785B (en) | A kind of method and apparatus registered based on authenticating device | |
CN106100848B (en) | Double factor identity authorization system and method based on smart phone and user password | |
CN108881310A (en) | A kind of Accreditation System and its working method | |
CN105187450B (en) | A kind of method and apparatus authenticated based on authenticating device | |
US9979721B2 (en) | Method, server, client and system for verifying verification codes | |
CN104767613B (en) | Signature verification method, apparatus and system | |
CN107786547A (en) | A kind of auth method based on block chain, device and computer-readable recording medium | |
CN108959933A (en) | Risk analysis device and method for the certification based on risk | |
CN105164689B (en) | Customer certification system and method | |
CN108989278A (en) | Identification service system and method | |
CN105306490B (en) | Payment verifying system, method and device | |
TWI706269B (en) | Service realization method and device | |
CN106102058B (en) | A kind of identity identifying method and device | |
US11811952B2 (en) | Authentication system and working method thereof | |
CN106330850A (en) | Biological characteristic-based security verification method, client and server | |
CN106411950B (en) | Authentication method, apparatus and system based on block chain transaction id | |
CN106453205B (en) | identity verification method and device | |
CN106453422B (en) | Dynamic authentication method and system based on mobile terminal | |
CN106921640A (en) | Identity identifying method, authentication device and Verification System | |
CN105827571B (en) | Multi-modal biological characteristic authentication method and equipment based on UAF agreement | |
CN105337739B (en) | Safe login method, device, server and terminal | |
CN109784024A (en) | One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators | |
CN104935548B (en) | Auth method, apparatus and system based on intelligent equipment of tatooing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170329 |