CN106549973A - Client based on biometric recognition and its working method - Google Patents


Info

Publication number: CN106549973A
Authority: CN (China)
Application number: CN201611058902.6A
Other languages: Chinese (zh)
Inventors: 陆舟, 于华章
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd
Application filed by: Feitian Technologies Co Ltd
Priority to: CN201611058902.6A
Legal status: Pending (the listed status is an assumption by Google, not a legal conclusion)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 ... for authentication of entities > H04L63/0861 ... using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 ... for authentication of entities > H04L63/0853 ... using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a client based on biometric recognition and its working method, belonging to the field of information security. The client comprises a client application module and a client identity authentication module. The client application module composes an identity authentication request from a client identification and request data obtained from the server, and sends it to the client identity authentication module. After judging that the client identification and the request data are legal, the client identity authentication module prompts the user to input biometric data and verifies it; if verification succeeds, it computes assertion data from the sign-on ID, the private key of the key pair and the request data, sends the assertion data to the server through the client application module, and receives and displays the request result returned by the server. In the present invention the verification of the user's biometric information is completed inside the client identity authentication module, which reduces the risk of the user's biometric information being attacked and improves the security of the user's online registration and login.

Description

Client based on biometric recognition and its working method
Technical field
The present invention relates to the field of information security, and more particularly to a client based on biometric recognition and its working method.
Background technology
With the development of Internet technology, users can conveniently log in to application programs (apps) over the network anytime and anywhere to perform online services such as shopping. Many of these online services involve the user's private information, such as bank card numbers, so how to ensure the security of user information is a hot topic of current research.
At present, although most clients implement user registration and login with an account and a password (including character passwords, gesture passwords and the like) in order to protect user information, any kind of password carries the risk of being leaked or stolen by a hacker. Methods that register and log in with the user's biometric information therefore arose, where the biometric feature may be a fingerprint, a face, an iris and so on. However, biometric information is private information of the user: if it is stolen by an attacker, the attacker can impersonate the user's identity with it, and the user's information security faces a great threat. Therefore, in application scenarios where biometric information is used for online registration and authentication, how to ensure the security of the biometric information has become an urgent problem to solve.
Summary of the invention
The purpose of the invention is to overcome the deficiencies of the prior art by providing a client based on biometric recognition and its working method.
The technical scheme is as follows. A client working method based on biometric recognition comprises:
Step S1: the client application module initiates a default request to the server and receives the request data returned by the server;
Step S2: the client application module composes an identity authentication request from the client identification and the request data, and sends the identity authentication request to the client identity authentication module;
Step S3: the client identity authentication module obtains the client identification and the request data from the identity authentication request and judges whether the client identification and the request data are legal; if so, it prompts the user to input biometric data and executes step S4; otherwise it returns an error response to the client application module and ends;
Step S4: the client identity authentication module verifies the identity of the current user according to the biometric data input by the user; if verification succeeds, step S5 is executed, otherwise an error response is returned to the client application module and the procedure ends;
Step S5: the client identity authentication module computes assertion data from the sign-on ID, the private key of the key pair and the request data, composes an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module;
Step S6: the client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server, receives the request response returned by the server, obtains the request result from the request response, displays it, and ends.
When the default request is a registration request, the request data is specifically registration data, which includes a user name parameter and a challenge parameter;
Step S5 is then specifically: the client identity authentication module generates a sign-on ID and a key pair, saves the sign-on ID and the private key of the key pair, obtains the current signature count, uses the private key of the key pair to compute a signature over the sign-on ID, the public key of the key pair and the user name parameter and challenge parameter included in the registration data, obtaining a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter; composes an identity authentication request response from the assertion data; and returns the identity authentication request response to the client application module. After the assertion data has been computed, the method also includes updating the current signature count.
When the default request is an authentication request, the request data is specifically authentication data, which includes a challenge parameter and an authentication policy parameter; the authentication policy parameter includes a sign-on ID field;
Step S5 is then specifically: the client identity authentication module searches according to the sign-on ID field included in the authentication policy parameter and obtains the saved sign-on ID and private key of the key pair, obtains the current signature count, generates a random number, uses the private key of the key pair to sign the sign-on ID, the random number and the challenge parameter included in the authentication data, obtaining a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge parameter; composes an identity authentication request response from the assertion data; and returns the identity authentication request response to the client application module. After the assertion data has been computed, the method also includes updating the current signature count.
When the default request is a transaction request, the request data is specifically transaction data, which includes transaction information, a challenge parameter and an authentication policy parameter; the authentication policy parameter includes a sign-on ID field;
Step S5 is then specifically: the client identity authentication module searches according to the sign-on ID field included in the authentication policy parameter and obtains the saved sign-on ID and private key of the key pair, obtains the current signature count, generates a random number, uses the private key of the key pair to compute a signature over the sign-on ID, the random number and the transaction information and challenge parameter included in the transaction data, obtaining a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge parameter; composes an identity authentication request response from the assertion data; and returns the identity authentication request response to the client application module. After the assertion data has been computed, the method also includes updating the current signature count.
The present invention also provides a client based on biometric recognition, comprising a client application module and a client identity authentication module;
The client application module comprises a first transmit-receive unit, a first interactive unit and a second interactive unit;
The first transmit-receive unit is used to initiate a default request to the server, receive the request data returned by the server and trigger the first interactive unit; it is also used to send the assertion data to the server when triggered by the first interactive unit, and to receive the request response returned by the server;
The first interactive unit is used to compose an identity authentication request from the client identification and the request data and send the identity authentication request to the client identity authentication module; it is also used, when the identity authentication request response returned by the client identity authentication module is received, to obtain the assertion data from that response and trigger the first transmit-receive unit;
The second interactive unit is used to obtain the request result from the request response received by the first transmit-receive unit and display it;
The client identity authentication module comprises a second transmit-receive unit, a first judging unit, a second judging unit and a computing unit;
The second transmit-receive unit is used to receive the identity authentication request sent by the client application module, obtain the client identification and the request data from it and trigger the first judging unit; it is also used to return the identity authentication request response to the client application module;
The first judging unit is used to judge whether the client identification and the request data are legal; if so, it prompts the user to input biometric data, otherwise it returns an error response to the client application module;
The second judging unit is used to verify the identity of the current user according to the biometric data input by the user; it triggers the computing unit if verification succeeds and returns an error response to the client application module if verification fails;
The computing unit is used to compute assertion data from the sign-on ID, the private key of the key pair and the request data, compose an identity authentication request response from the assertion data and trigger the second transmit-receive unit.
The beneficial effects of the present invention are as follows: because the verification of the user's biometric information is completed in the client identity authentication module inside the client's hardware device, the risk of the user's biometric information being attacked is reduced, and the security of the user's online registration and login is improved.
Description of the drawings
Fig. 1 is a flow chart of the client working method based on biometric recognition provided by embodiment 1;
Fig. 2 is a flow chart of the registration method based on biometric recognition provided by embodiment 2;
Fig. 3 is a flow chart of the authentication/transaction method based on biometric recognition provided by embodiment 3;
Fig. 4 is a block diagram of the client based on biometric recognition provided by embodiment 4.
Specific embodiments
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the invention.
Embodiment 1
This embodiment provides a client working method based on biometric recognition, in which the client comprises a client application module and a client identity authentication module. As shown in Fig. 1, the working method specifically comprises the following steps:
Step S1: the client application module initiates a default request to the server and receives the request data returned by the server;
Specifically, the default request may be a registration request or an authentication/transaction request;
When the default request is a registration request, the request data is specifically registration data, which includes an application ID, a user name parameter, a challenge parameter and an authentication policy parameter;
When the default request is an authentication request, the request data is specifically authentication data, which includes an application ID, a challenge parameter and an authentication policy parameter; the authentication policy parameter includes a sign-on ID field;
When the default request is a transaction request, the request data is specifically transaction data, which includes an application ID, transaction information, a challenge parameter and an authentication policy parameter; the authentication policy parameter includes a sign-on ID field.
Step S2: the client application module composes an identity authentication request from the client identification and the request data, and sends the identity authentication request to the client identity authentication module;
Step S3: the client identity authentication module obtains the client identification and the request data from the identity authentication request and judges whether the client identification and the request data are legal; if so, it prompts the user to input biometric data and then executes step S4; otherwise it returns an error response to the client application module and ends;
Specifically, judging whether the client identification and the request data are legal comprises:
Step 1: check whether the format of the content included in the request data is legal; if so, execute step 2, otherwise the judgement result is illegal;
Step 2: obtain the trust list according to the application ID included in the request data and judge whether the client identification exists in the trust list; if so, execute step 3, otherwise the judgement result is illegal;
Step 3: judge whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter included in the request data; if so, the judgement result is legal, otherwise the judgement result is illegal.
Further, when the default request is an authentication/transaction request, before prompting the user to input biometric data in step S3 the client identity authentication module also judges whether the request data contains transaction information; if so, the client displays the transaction information and prompts the user to input biometric data after the user confirms it; otherwise it directly prompts the user to input biometric data.
Step S4: the client identity authentication module verifies the identity of the current user according to the biometric data input by the user; if verification succeeds, step S5 is executed; if verification fails, an error response is returned to the client application module and the procedure ends;
Step S5: the client identity authentication module computes assertion data from the sign-on ID, the private key of the key pair and the request data, composes an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module;
Step S6: the client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server, receives the request response returned by the server, obtains the request result from the request response, displays it, and ends.
Embodiment 2
Embodiment 2 of the invention provides a registration method based on biometric recognition, applicable to a system composed of a server and a client, where the client comprises a client application module and a client identity authentication module. As shown in Fig. 2, when the user initiates a registration operation on the client application module, the following steps are performed:
Step 1: the client application module sends a registration request to the server;
For example, the registration request sent is as follows:
{"userName":"test","method":"registStart","uafResponse":""}
Step 2: the server generates registration data that includes an application ID, a user name parameter, a challenge parameter and an authentication policy parameter;
For example, the registration data generated is as follows:
[{"header":{"upv":{"major":1,"minor":0},"op":"Reg","appID":"https://uafmagdc.cloudentify.com/uafmanager/facets","serverData":"M21sNEJRdXFsREloaEx5WkZXQUFuNXd5bnJBa0t4cldfdk5oaXVzQ2xWay5NVFEzTWpnd09UZzFNalF4TncuZEdWemRBLlNrUkthRXBFUlhkS1NGcDBUVEkxVUZFelduVk9SMVpGVmxkRmRtVnJPSFZNYm5CdVRtNVY"},"challenge":"JDJhJDEwJHZtM25PQ3ZuNGVEVWEvek8uMnpnNnU","username":"test","policy":{"accepted":[[{"aaid":["001B#0001"]}],[{"aaid":["001A#2121"]}],[{"aaid":["0018#0001"]}],[{"aaid":["D409#0301"]}],[{"aaid":["0014#0002"]}],[{"aaid":["5AFE#4800"]}],[{"aaid":["0014#0003"]}],[{"aaid":["17EF#6010"]}],[{"aaid":["04EF#04EF"]}]]}}]
Here the application ID (appID) is:
"appID":"https://uafmagdc.cloudentify.com/uafmanager/facets"; the user name parameter (username) is "username":"test";
The challenge parameter (challenge) is:
"challenge":"JDJhJDEwJHZtM25PQ3ZuNGVEVWEvek8uMnpnNnU";
The authentication policy parameter (policy) is:
"policy":{"accepted":[[{"aaid":["001B#0001"]}],[{"aaid":["001A#2121"]}],[{"aaid":["0018#0001"]}],[{"aaid":["D409#0301"]}],[{"aaid":["0014#0002"]}],[{"aaid":["5AFE#4800"]}],[{"aaid":["0014#0003"]}],[{"aaid":["17EF#6010"]}],[{"aaid":["04EF#04EF"]}]]}
Step 3: the server returns the registration data to the client application module;
Step 4: the client application module obtains the client identification and composes an identity authentication request from the client identification and the received registration data;
Specifically, if the client operating system is iOS, the client application module directly obtains the client's Bundle ID and uses it as the client identification; if the client operating system is Android, the client application module first obtains the client's digital signature, computes a hash of the client digital signature with the default hash algorithm, and uses the computed hash value as the client identification.
Step 5: the client application module sends the identity authentication request to the client identity authentication module;
Specifically, if the client operating system is iOS, the client application module calls the client identity authentication module through the x-callback-url protocol and sends the identity authentication request; if the client operating system is Android, the client application module calls the client identity authentication module through the Android intent API and sends the identity authentication request.
Step 6: the client identity authentication module receives and parses the identity authentication request to obtain the registration data and the client identification;
Step 7: the client identity authentication module checks whether the registration data is legal; if so, step 8 is executed, otherwise it returns an error response to the client application module, the client application module prompts an error, and the procedure ends;
In this step, checking whether the registration data is legal specifically comprises:
1) checking that the application ID, user name parameter, challenge parameter and authentication policy parameter included in the registration data are all non-empty;
2) checking that the accepted item in the authentication policy parameter policy is a non-empty array;
If checks 1) and 2) both pass, the registration data is legal; otherwise the registration data is illegal.
Further, the registration data also includes a protocol header parameter header, which in addition to the application ID (the appid item) includes upv, op and serverData items; checking whether the registration data is legal then also comprises:
3) checking whether the protocol version corresponding to the upv item is correct and whether the op item equals "Reg";
4) checking whether the serverData item is base64url data of length between 1 and 1536;
If checks 1), 2), 3) and 4) all pass, the registration data is legal; otherwise the registration data is illegal.
Step 8: the client identity authentication module obtains the trust list according to the application ID included in the registration data;
Specifically, the client identity authentication module initiates an access request to the address corresponding to the application ID and receives the returned trust list;
For example, the application ID is:
https://uafmagdc.cloudentify.com/uafmanager/facets;
The trust list obtained is:
{"trustedFacets":[{"ids":["ios:bundle-id:com.ftsafe.FTUAFRPDemo","android:apk-key-hash:34omX0Qx5Bo53+0ThQvlvbAPWpk","ios:bundle-id:org.fidoalliance.ios.conformance","android:apk-key-hash:m8Jhom/txEhttna0wg505d1RciQ88","android:apk-key-hash:SvYZ4Sgas9T2+6DpNj566iscuns"],"version":{"minor":"0","major":"1"}}]}
Step 9: the client identity authentication module judges whether the client identification exists in the trust list; if so, step 10 is executed, otherwise it returns an error response to the client application module, the client application module prompts an error, and the procedure ends;
Step 10: the client identity authentication module judges whether its own authentication policy parameter matches the authentication policy parameter included in the registration data; if so, step 11 is executed, otherwise it returns an error response to the client application module, the client application module prompts an error, and the procedure ends;
Specifically, if the authentication policy parameter is an authenticator ID (aaid), this step judges whether the aaid of the authentication module matches an aaid included in the registration data; if so, step 11 is executed, otherwise an error response is returned to the client application module, the client application module prompts an error, and the procedure ends.
Further, the authentication policy parameter may also include: authenticator ID, algorithm type, authentication mode, protocol version, key protection mode, assertionSchemes and attestationTypes. This step is then specifically: judge whether the authenticator ID, algorithm type, authentication mode, protocol version, key protection mode, assertionSchemes and attestationTypes included in the authentication module's authentication policy parameter are consistent item by item with those included in the authentication policy parameter of the registration data; if so, the match succeeds, otherwise the match fails.
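The following is an added example, not code from the patent or from Feitian, that implements the legality checks of steps 7 to 10 above (the same checks summarised as steps 1 to 3 of embodiment 1) over constructed data modelled on the page's sample registration data and trust list. Assumptions: the supported protocol version is 1.0; the Android "default hash algorithm" is SHA-1 with unpadded Base64 output (the page names no algorithm); serverData is a constructed placeholder.

```python
import base64
import hashlib
import re

# Constructed sample registration data, modelled on the example in the text.
# serverData is a placeholder: the client treats it as opaque and checks only its form.
SAMPLE_REG_DATA = {
    "header": {"upv": {"major": 1, "minor": 0}, "op": "Reg",
               "appID": "https://uafmagdc.cloudentify.com/uafmanager/facets",
               "serverData": "c2VydmVyLWRhdGEtcGxhY2Vob2xkZXI"},
    "challenge": "JDJhJDEwJHZtM25PQ3ZuNGVEVWEvek8uMnpnNnU",
    "username": "test",
    "policy": {"accepted": [[{"aaid": ["001B#0001"]}], [{"aaid": ["001A#2121"]}]]},
}

# Constructed trust list, modelled on the one fetched from the appID in the text.
SAMPLE_TRUST_LIST = {"trustedFacets": [{
    "ids": ["ios:bundle-id:com.ftsafe.FTUAFRPDemo",
            "android:apk-key-hash:34omX0Qx5Bo53+0ThQvlvbAPWpk"],
    "version": {"minor": "0", "major": "1"}}]}

SUPPORTED_UPV = (1, 0)                      # assumed supported protocol version
_BASE64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def check_registration_data(data: dict) -> bool:
    """Step 7, checks 1) to 4): required parameters non-empty, accepted is a
    non-empty array, upv/op correct, serverData base64url of length 1..1536."""
    header = data.get("header") or {}
    policy = data.get("policy") or {}
    if not (header.get("appID") and data.get("username") and data.get("challenge") and policy):
        return False                                               # 1)
    accepted = policy.get("accepted")
    if not isinstance(accepted, list) or not accepted:
        return False                                               # 2)
    upv = header.get("upv") or {}
    if (upv.get("major"), upv.get("minor")) != SUPPORTED_UPV or header.get("op") != "Reg":
        return False                                               # 3)
    server_data = header.get("serverData")
    return (isinstance(server_data, str) and 1 <= len(server_data) <= 1536
            and _BASE64URL.match(server_data) is not None)         # 4)


def client_identification(platform: str, bundle_id: str = "", signing_cert: bytes = b"") -> str:
    """Step 4: iOS uses the Bundle ID directly; Android hashes the client's
    digital signature. SHA-1 with unpadded Base64 is an assumption here."""
    if platform == "ios":
        return "ios:bundle-id:" + bundle_id
    digest = hashlib.sha1(signing_cert).digest()
    return "android:apk-key-hash:" + base64.b64encode(digest).decode().rstrip("=")


def in_trust_list(trust_list: dict, client_id: str) -> bool:
    """Step 9: the client identification must appear in the trust list fetched
    from the appID; an app that is not listed (e.g. a repackaged client) is rejected."""
    return any(client_id in facet.get("ids", []) for facet in trust_list.get("trustedFacets", []))


def policy_matches(policy: dict, own_aaid: str) -> bool:
    """Step 10: the authenticator's own aaid must be one accepted by the policy."""
    return any(own_aaid in cond.get("aaid", [])
               for alternative in policy.get("accepted", []) for cond in alternative)


def validate_registration_request(data: dict, trust_list: dict, client_id: str, own_aaid: str) -> str:
    """Steps 7 to 10 in order; returns 'ok' or the name of the failed check,
    which is what the module reports back in its error response."""
    if not check_registration_data(data):
        return "illegal registration data"
    if not in_trust_list(trust_list, client_id):
        return "client identification not in trust list"
    if not policy_matches(data["policy"], own_aaid):
        return "authentication policy mismatch"
    return "ok"
```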
Step 11: the client identity authentication module determines the current authentication mode according to the authentication policy parameter and prompts the user to input biometric data;
For example, if the current authentication mode determined from the authentication policy parameter is fingerprint authentication, the user is prompted to input fingerprint information.
In general, if the authentication policy parameter is an authenticator ID, the authenticator ID has a default authentication mode and the authentication mode is determined from the authenticator ID. If the authentication policy parameter also includes an authentication mode, the current authentication mode is determined from the authentication mode included in the authentication policy parameter.
Step 12: the client identity authentication module verifies the identity of the current user according to the biometric data input by the user; if verification succeeds, step 13 is executed; if verification fails, an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
Step 13: the client identity authentication module generates a sign-on ID and a key pair, saves the sign-on ID and the private key of the key pair, computes assertion data from the sign-on ID, the private key of the key pair and the registration data, and composes an identity authentication request response from the assertion data;
This step is specifically: the client identity authentication module generates a sign-on ID and a key pair, saves the sign-on ID and the private key of the key pair, obtains the current signature count, uses the private key of the key pair to compute a signature over the sign-on ID, the public key of the key pair and the user name parameter and challenge parameter included in the registration data, obtaining a signature value; updates the current signature count; composes assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter; composes an identity authentication request response from the assertion data; and returns the identity authentication request response to the client application module. The current signature count is updated after the assertion data has been computed.
Composing the assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter specifically comprises: the client identity authentication module obtains its own authenticator ID (aaid), protocol version, signature algorithm and certificate; concatenates the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter into a splicing result; takes the splicing result as the V value, the length of the splicing result as the L value and a first preset value as the T value to compose TLV data in TLV format; encodes the TLV data; and uses the encoding result as the assertion data.
Here the first preset value is specifically the fixed number 0x3E01, and encoding the TLV data specifically means Base64url-encoding the TLV data and using the encoding result as the assertion data.
Further, the aaid, the protocol version, the signature algorithm, the certificate, the user name parameter, the challenge value, the generated sign-on ID and the public key of the key pair may each be composed into a separate TLV data item in TLV format; the resulting TLV data items are then concatenated, the concatenation result is taken as the V value and the fixed number 0x3E01 as the T value to compose TLV data in TLV format, and the Base64url encoding of that TLV data is used as the assertion data.
For example, the generated sign-on ID (keyid) is BBWl0kGsuv7uZx3mJGOgsyINgS7UrogfrbsCZjkOud4; the public key of the key pair (value omitted) is included alongside it; and the computed assertion data is a JSON object of the form {"assertion":"<Base64url-encoded TLV data, omitted here>","assertionScheme":"UAFV1TLV"}.
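An added example, not code from the patent or from Feitian, that builds and parses the nested-TLV assertion described above (registration assertion of step 13 under the 0x3E01 tag, plus the authentication/transaction assertion of step S5 in the summary, which signs the sign-on ID, a random number, optional transaction information and the challenge) and updates the signature count. Assumptions: 2-byte little-endian tag and length fields; constructed inner tag values and an assumed 0x3E02 outer tag for authentication; an HMAC-SHA256 stand-in for the key pair signature and a hashed stand-in for the public key, so that the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import os
import struct

# Outer tag of the registration assertion: the fixed number 0x3E01 given in the text.
TAG_REG_ASSERTION = 0x3E01
# The text gives no outer tag for authentication/transaction assertions; 0x3E02 is assumed.
TAG_AUTH_ASSERTION = 0x3E02
# Inner per-field tags are constructed placeholders (the text gives none).
(TAG_AAID, TAG_VERSION, TAG_ALG, TAG_CERT, TAG_COUNTER, TAG_SIG,
 TAG_KEYID, TAG_PUBKEY, TAG_USERNAME, TAG_CHALLENGE, TAG_NONCE, TAG_TXN) = range(1, 13)


def tlv(tag: int, value: bytes) -> bytes:
    """Assumed TLV layout: 2-byte little-endian tag, 2-byte little-endian length, value."""
    if len(value) > 0xFFFF:
        raise ValueError("TLV value too long")
    return struct.pack("<HH", tag, len(value)) + value


def parse_tlvs(buf: bytes) -> list:
    """Split a buffer into (tag, value) pairs; a length running past the end is an error."""
    items, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("TLV length exceeds buffer")
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthenticatorModule:
    """Model of the client identity authentication module's state: the saved
    private key per sign-on ID, plus the signature count it updates per assertion."""

    def __init__(self, aaid: str, cert: bytes):
        self.aaid, self.cert, self.sign_count, self.keys = aaid, cert, 0, {}

    def sign(self, private_key: bytes, message: bytes) -> bytes:
        # Stand-in for the private-key signature so the example runs on the standard
        # library alone: HMAC-SHA256 under the saved key. A real authenticator signs
        # with the asymmetric private key of the generated key pair.
        return hmac.new(private_key, message, hashlib.sha256).digest()

    def _assertion(self, outer_tag: int, private_key: bytes, signed: list) -> str:
        """Sign the concatenation of the signed field values, update the count, then
        build the nested-TLV form: one TLV per field, wrapped in a TLV with outer_tag."""
        signature = self.sign(private_key, b"".join(value for _, value in signed))
        self.sign_count += 1
        fields = [(TAG_AAID, self.aaid.encode()), (TAG_VERSION, b"1.0"),
                  (TAG_ALG, b"HMAC-SHA256"), (TAG_CERT, self.cert),
                  (TAG_COUNTER, struct.pack("<I", self.sign_count)), (TAG_SIG, signature)]
        return b64url(tlv(outer_tag, b"".join(tlv(t, v) for t, v in fields + signed)))

    def register(self, username: str, challenge: str) -> str:
        """Step 13: generate sign-on ID and key pair, sign sign-on ID, public key,
        user name and challenge, and return the Base64url-encoded assertion."""
        private_key = os.urandom(32)
        public_key = hashlib.sha256(private_key).digest()   # constructed stand-in
        key_id = b64url(os.urandom(32))
        self.keys[key_id] = private_key
        signed = [(TAG_KEYID, key_id.encode()), (TAG_PUBKEY, public_key),
                  (TAG_USERNAME, username.encode()), (TAG_CHALLENGE, challenge.encode())]
        return self._assertion(TAG_REG_ASSERTION, private_key, signed)

    def authenticate(self, key_id: str, challenge: str, transaction: bytes = b"") -> str:
        """Authentication/transaction step S5: find the saved key by sign-on ID, then
        sign sign-on ID, random number, (transaction information,) challenge."""
        private_key = self.keys[key_id]   # KeyError: the sign-on ID was never registered
        signed = [(TAG_KEYID, key_id.encode()), (TAG_NONCE, os.urandom(16))]
        if transaction:
            signed.append((TAG_TXN, transaction))
        signed.append((TAG_CHALLENGE, challenge.encode()))
        return self._assertion(TAG_AUTH_ASSERTION, private_key, signed)


def decode_assertion(encoded: str) -> dict:
    """Reverse the encoding: Base64url-decode, check the outer tag, split the fields."""
    outer = parse_tlvs(b64url_decode(encoded))
    if len(outer) != 1 or outer[0][0] not in (TAG_REG_ASSERTION, TAG_AUTH_ASSERTION):
        raise ValueError("unexpected outer tag")
    fields = dict(parse_tlvs(outer[0][1]))
    return {"outer_tag": outer[0][0], "aaid": fields[TAG_AAID].decode(),
            "count": struct.unpack("<I", fields[TAG_COUNTER])[0],
            "keyid": fields[TAG_KEYID].decode(), "signature": fields[TAG_SIG], "fields": fields}
```

The decoded bytes of any registration assertion start with 01 3E, the little-endian encoding of the 0x3E01 tag, which is the first thing a verifier should check before walking the inner fields.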
Step 14: The client identity authentication module returns the identity authentication request response to the client application module;
Step 15: The client application module receives and parses the identity authentication request response to obtain the assertion data;
Step 16: The client application module sends the assertion data to the server;
Step 17: The server receives and processes the assertion data to obtain a registration result, and forms a registration request response from the registration result;
Step 18: The server returns the registration request response to the client application module;
Step 19: The client application module receives the registration request response, obtains the registration result from it and displays it; the procedure ends.
Embodiment 3
Embodiment 3 of the invention provides an authentication/transaction method based on biometric recognition, applicable to a system composed of a server and a client, where the client includes a client application module and a client identity authentication module. As shown in figure 3, when a user initiates an authentication/transaction operation on the client application module, the following steps are performed:
Step 1: The client application module sends an authentication/transaction request to the server;
Step 2: The server generates authentication/transaction data;
Step 3: The server returns the authentication/transaction data to the client application module;
Step 4: The client application module obtains the client identifier and forms an identity authentication request from the client identifier and the received authentication/transaction data;
Step 5: The client application module sends the identity authentication request to the client identity authentication module;
Specifically, if the client operating system is iOS, the client application module calls the client identity authentication module via the x-callback-url protocol and sends the identity authentication request; if the client operating system is Android, the client application module calls the client identity authentication module via the android intent api and sends the identity authentication request.
Step 6: The client identity authentication module receives and parses the identity authentication request to obtain the authentication/transaction data and the client identifier;
Step 7: The client identity authentication module checks whether the authentication/transaction data is legal; if so, step 8 is performed, otherwise an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
In this step, checking whether the authentication/transaction data is legal specifically includes:
1) checking that the application ID, the challenge parameter and the authentication policy parameter contained in the authentication/transaction data are all non-empty;
2) checking that the accepted item in the authentication policy parameter policy is a non-empty array;
If both checks 1) and 2) pass, the authentication/transaction data is legal; otherwise the authentication/transaction data is illegal.
Step 8: The client identity authentication module obtains a trust list according to the application ID contained in the authentication/transaction data;
Step 9: The client identity authentication module determines whether the client identifier is present in the trust list; if so, step 10 is performed, otherwise an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
Step 10: The client identity authentication module determines whether its own authentication policy parameter matches the authentication policy parameter contained in the authentication/transaction data; if so, step 11 is performed, otherwise an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
Step 11: The client identity authentication module determines whether the authentication/transaction data contains transaction information; if so, step 12 is performed, otherwise step 13 is performed;
Step 12: The client identity authentication module prompts the user to confirm the transaction information and determines whether the user confirms; if so, step 13 is performed, otherwise an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
Step 13: The client identity authentication module determines the current authentication mode according to the authentication policy parameter and prompts the user to input biometric data;
Step 14: The client identity authentication module verifies the identity of the current user according to the biometric data input by the user; if verification succeeds, step 15 is performed; if verification fails, an error response is returned to the client application module, the client application module prompts an error, and the procedure ends;
Step 15: The client identity authentication module obtains the saved registration ID and the private key of the key pair, generates a random number, calculates assertion data from the registration ID, the random number, the private key and the authentication/transaction data, and forms an identity authentication request response from the assertion data;
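Steps 7 to 11 as an added Go example; this is not the patent's code. The JSON field names, the trust-list store (a map keyed by application ID) and the matching rule used for step 10 (an accepted entry names this authenticator's aaid and, if it pins a keyid, this keyid) are assumptions, since the page names the fields but fixes no wire format.

```go
package main

import (
	"encoding/json"
	"errors"
)

// AuthRequest is the authentication/transaction data; the page names these fields but not the
// wire format, so this JSON shape is an assumption.
type AuthRequest struct {
	AppID       string  `json:"appID"`
	Challenge   string  `json:"challenge"`
	Policy      *Policy `json:"policy"`
	Transaction string  `json:"transaction,omitempty"` // absent for plain authentication
}

// Policy carries the "accepted" array that check 2) of step 7 requires to be non-empty.
type Policy struct {
	Accepted []Accepted `json:"accepted"`
}

// Accepted names one acceptable authenticator: its aaid and, optionally, a registration ID (keyid).
type Accepted struct {
	AAID  string `json:"aaid"`
	KeyID string `json:"keyID,omitempty"`
}

// TrustLists maps an application ID to the client identifiers trusted for it (step 8). It is a
// constructed stand-in for whatever store the page's client reads the trust list from.
type TrustLists map[string][]string

// LocalPolicy is the client identity authentication module's own policy parameter (step 10).
type LocalPolicy struct{ AAID, KeyID string }

// Legal is step 7: application ID, challenge and policy present, and accepted a non-empty array.
func (r *AuthRequest) Legal() bool {
	return r.AppID != "" && r.Challenge != "" && r.Policy != nil && len(r.Policy.Accepted) > 0
}

// Matches is step 10 under the assumed rule: some accepted entry names this aaid and,
// if it pins a keyid, this keyid.
func (p LocalPolicy) Matches(pol *Policy) bool {
	for _, a := range pol.Accepted {
		if a.AAID == p.AAID && (a.KeyID == "" || a.KeyID == p.KeyID) {
			return true
		}
	}
	return false
}

// Validate runs steps 7 to 11 in the page's order and returns the parsed request plus whether
// step 12 (user confirmation of the transaction information) is needed; any failure is the
// error response the module returns to the client application module.
func Validate(raw []byte, clientID string, trust TrustLists, local LocalPolicy) (*AuthRequest, bool, error) {
	var r AuthRequest
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, false, err
	}
	if !r.Legal() {
		return nil, false, errors.New("step 7: authentication/transaction data is illegal")
	}
	trusted := false
	for _, id := range trust[r.AppID] { // steps 8 and 9: trust list keyed by the request's application ID
		if id == clientID {
			trusted = true
		}
	}
	if !trusted {
		return nil, false, errors.New("step 9: client identifier not in the application's trust list")
	}
	if !local.Matches(r.Policy) {
		return nil, false, errors.New("step 10: authentication policy does not match this authenticator")
	}
	return &r, r.Transaction != "", nil // step 11: transaction information present?
}
```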
Specifically, if the authentication/transaction data contains transaction information, this step is: the client identity authentication module looks up and obtains the saved registration ID and the private key of the key pair according to the registration ID field contained in the authentication policy parameter, obtains the current signature count, generates a random number, performs a signature calculation with the private key over the registration ID, the random number, the transaction information contained in the transaction data and the challenge parameter to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the registration ID, the random number, the transaction information and the challenge parameter, forms an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module; the current signature count is also updated after the assertion data has been calculated.
Forming assertion data from the updated signature count, the signature value, the registration ID, the random number, the transaction information and the challenge parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate; forms a concatenation result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the registration ID, the random number, the challenge parameter and the transaction information; uses the concatenation result as the V value and the length of the concatenation result as the L value; uses the second preset value as the T value to form TLV data in TLV format; encodes the TLV data; and uses the encoding result as the assertion data.
If the authentication/transaction data does not contain transaction information, this step is: the client identity authentication module looks up and obtains the saved registration ID and the private key of the key pair according to the registration ID field contained in the authentication policy parameter, obtains the current signature count, generates a random number, signs the registration ID, the random number and the challenge parameter contained in the authentication data with the private key to obtain a signature value, updates the current signature count, forms assertion data from the updated signature count, the signature value, the registration ID, the random number and the challenge parameter, forms an identity authentication request response from the assertion data, and returns the identity authentication request response to the client application module; the current signature count is updated after the assertion data has been calculated.
Forming assertion data from the updated signature count, the signature value, the registration ID and the challenge parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate; forms a concatenation result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the registration ID, the random number and the challenge parameter; uses the concatenation result as the V value and the length of the concatenation result as the L value; uses the second preset value as the T value to form TLV data in TLV format; encodes the TLV data; and uses the encoding result as the assertion data.
Here the second preset value is the fixed number 0x3E02, and encoding the TLV data specifically means Base64url-encoding the TLV data and using the encoding result as the assertion data.
Step 16: The client identity authentication module returns the identity authentication request response to the client application module;
Step 17: The client application module receives and parses the identity authentication request response to obtain the assertion data;
Step 18: The client application module sends the assertion data to the server;
Step 19: The server receives and processes the assertion data to obtain an authentication/transaction result, and forms an authentication/transaction request response from the authentication/transaction result;
Step 20: The server returns the authentication/transaction request response to the client application module;
Step 21: The client application module receives the authentication/transaction request response, obtains the authentication/transaction result from it and displays it; the procedure ends.
Embodiment 4
This embodiment provides a client based on biometric recognition which, as shown in figure 4, includes a client application module and a client identity authentication module;
The client application module includes a first transceiver unit 401, a first interactive unit 402 and a second interactive unit 403; the client identity authentication module includes a second transceiver unit 404, a first judging unit 405, a second judging unit 406 and a computing unit 407;
In this embodiment, the first transceiver unit 401 is used to initiate a preset request to the server, receive the request data returned by the server and trigger the first interactive unit 402; it is further used, when triggered by the first interactive unit 402, to send assertion data to the server and receive the request response returned by the server;
The first interactive unit 402 is used to form an identity authentication request from the client identifier and the request data and send the identity authentication request to the client identity authentication module; it is further used, when the identity authentication request response returned by the client identity authentication module is received, to obtain the assertion data from the identity authentication request response and trigger the first transceiver unit 401;
The second interactive unit 403 is used to obtain the request result from the request response received by the first transceiver unit 401 and display it;
The second transceiver unit 404 is used to receive the identity authentication request sent by the client application module, obtain the client identifier and the request data from the identity authentication request and trigger the first judging unit 405; it is further used to return the identity authentication request response to the client application module;
The first judging unit 405 is used to judge whether the client identifier and the request data are legal; if so, the user is prompted to input biometric data, otherwise an error response is returned to the client application module;
The first judging unit 405 is specifically used to check whether the format of the content contained in the request data is legal; when that format is legal, it is further used to obtain a trust list according to the application ID contained in the request data and judge whether the client identifier is present in the trust list and, if so, to judge whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter contained in the request data; if so, the judging result is legal and the user is prompted to input biometric data, otherwise the judging result is illegal and an error response is returned to the client application module. When the format of the content contained in the request data is illegal, the judging result is illegal and an error response is returned to the client application module.
The first judging unit 405 is further used, when the judging result is legal, to determine the current authentication mode according to the authentication policy parameter and prompt the user to input the corresponding biometric data according to the current authentication mode.
The second judging unit 406 is used to verify the identity of the current user according to the biometric data input by the user; if verification succeeds, the computing unit 407 is triggered, and if verification fails, an error response is returned to the client application module;
The computing unit 407 is used to calculate assertion data from the registration ID, the private key of the key pair and the request data, form an identity authentication request response from the assertion data and trigger the second transceiver unit 404.
When the client provided by this embodiment is used to implement the registration function, the functions of the corresponding component units are as follows:
The first transceiver unit 401 is specifically used to initiate a registration request to the server and receive the registration data returned by the server; the registration data contains a user name parameter and a challenge parameter;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is specifically used, when triggered by the second judging unit 406, to generate a registration ID and a key pair, save the registration ID and the private key of the key pair, obtain the current signature count and trigger the second computation subunit;
The second computation subunit is used to perform a signature calculation with the private key over the registration ID, the public key of the key pair and the user name parameter and challenge parameter contained in the registration data to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the registration ID, the public key, the user name parameter and the challenge parameter;
The third computation subunit is used to form an identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
Here the second computation subunit is specifically used, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to perform a signature calculation with the private key over the registration ID, the public key of the key pair and the user name parameter and challenge parameter contained in the registration data to obtain a signature value and update the current signature count; and to form a concatenation result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the registration ID, the public key, the user name parameter and the challenge parameter, use the concatenation result as the V value, the length of the concatenation result as the L value and the first preset value as the T value to form TLV data in TLV format, encode the TLV data and use the encoding result as the assertion data.
When the client provided by this embodiment is used to implement the authentication/transaction function, the functions of the corresponding component units are as follows:
The first transceiver unit 401 is specifically used to initiate an authentication/transaction request to the server and receive the authentication/transaction data returned by the server;
The first judging unit 405 is further used to judge whether the request data contains transaction information; if so, the transaction information is displayed through the client and the user is prompted to input biometric data after the user confirms; otherwise the user is directly prompted to input biometric data.
Specifically, the first transceiver unit 401 is specifically used to initiate an authentication request to the server and receive the authentication data returned by the server; the authentication data contains a challenge parameter and an authentication policy parameter, and the authentication policy parameter contains a registration ID field;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is used to look up and obtain the saved registration ID and private key according to the registration ID field contained in the authentication policy parameter, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is used to sign the registration ID, the random number and the challenge parameter contained in the authentication data with the private key to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the registration ID, the random number and the challenge parameter;
The third computation subunit is used to form an identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
Here the second computation subunit is specifically used, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to sign the registration ID, the random number and the challenge parameter contained in the authentication data with the private key to obtain a signature value and update the current signature count; and to form a concatenation result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the registration ID, the random number and the challenge parameter, use the concatenation result as the V value, the length of the concatenation result as the L value and the second preset value as the T value to form TLV data in TLV format, encode the TLV data and use the encoding result as the assertion data.
Alternatively, the first transceiver unit 401 is specifically used to initiate a transaction request to the server and receive the transaction data returned by the server; the transaction data contains transaction information, a challenge parameter and an authentication policy parameter, and the authentication policy parameter contains a registration ID field;
The computing unit 407 includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is used to look up and obtain the saved registration ID and private key according to the registration ID field contained in the authentication policy parameter, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is used to perform a signature calculation with the private key over the registration ID, the random number and the transaction information and challenge parameter contained in the transaction data to obtain a signature value, update the current signature count, and form assertion data from the updated signature count, the signature value, the registration ID, the random number, the transaction information and the challenge parameter;
The third computation subunit is used to form an identity authentication request response from the assertion data; it is further used to update the current signature count after the assertion data has been calculated.
Here the second computation subunit is specifically used, when triggered by the first computation subunit, to obtain its own authenticator ID, protocol version, signature algorithm and certificate; to form a concatenation result from the obtained authenticator ID, protocol version, signature algorithm and certificate, the updated signature count, the signature value, the registration ID, the random number, the challenge parameter and the transaction information; to use the concatenation result as the V value, the length of the concatenation result as the L value and the second preset value as the T value to form TLV data in TLV format; and to encode the TLV data and use the encoding result as the assertion data.
Further, the client application module in this embodiment may also include an acquiring unit;
The acquiring unit is specifically used, when the client operating system is iOS, to obtain the Bundle ID of the client and use it as the client identifier; and, when the client operating system is Android, to obtain the digital signature of the client, compute a hash of the client digital signature with a preset hash algorithm and use the calculated hash value as the client identifier.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person familiar with the art could readily conceive within the technical scope disclosed by the invention shall be included within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (22)

1. A client operation method based on biometric recognition, characterised in that it includes:
Step S1: A client application module initiates a preset request to a server and receives the request data returned by the server;
Step S2: The client application module forms an identity authentication request from a client identifier and the request data, and sends the identity authentication request to a client identity authentication module;
Step S3: The client identity authentication module obtains the client identifier and the request data from the identity authentication request and judges whether the client identifier and the request data are legal; if so, the user is prompted to input biometric data and step S4 is performed, otherwise an error response is returned to the client application module and the procedure ends;
Step S4: The client identity authentication module verifies the identity of the current user according to the biometric data input by the user; if verification succeeds, step S5 is performed, otherwise an error response is returned to the client application module and the procedure ends;
Step S5: The client identity authentication module calculates assertion data from a registration ID, the private key of a key pair and the request data, forms an identity authentication request response from the assertion data and returns the identity authentication request response to the client application module;
Step S6: The client application module obtains the assertion data from the identity authentication request response, sends the assertion data to the server and receives the request response returned by the server; the request result is obtained from the request response and displayed, and the procedure ends.
2. The method according to claim 1, characterised in that judging whether the client identifier and the request data are legal specifically includes:
Step 1: Check whether the format of the content contained in the request data is legal; if so, step 2 is performed, otherwise the judging result is illegal;
Step 2: Obtain a trust list according to the application ID contained in the request data and judge whether the client identifier is present in the trust list; if so, step 3 is performed, otherwise the judging result is illegal;
Step 3: Judge whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter contained in the request data; if so, the judging result is legal, otherwise the judging result is illegal.
3. The method according to claim 2, characterised in that, when the judging result is legal, the method further includes determining the current authentication mode according to the authentication policy parameter;
prompting the user to input biometric data in step S3 is specifically prompting the user to input the corresponding biometric data according to the current authentication mode.
4. method according to claim 1, it is characterised in that:The default request for registration request, the request data Specially log-on data, includes user name parameter, challenge value parameter in the log-on data;
Step S5 is specially:Client identity authentication module generates sign-on ID and key pair, preserves the sign-on ID With key to private key, obtain current signature number of times, using the key to private key to the sign-on ID, the key to public key And the user name parameter that includes in the log-on data, challenge value parameter carry out signature calculation and obtain signature value, update current Signature number of times, according to the signature number of times after renewal, the signature value, the sign-on ID, the key to public key, the user Name parameter and challenging value parameter composition assertion data, constitute ID authentication request response according to the assertion data, to visitor Family end application program module returns the ID authentication request response;It is described be calculated after assertion data update institute State current signature number of times.
5. method according to claim 4, it is characterised in that:The signature number of times according to after renewal, the signature value, The sign-on ID, the key are specifically wrapped to public key, the user name parameter and challenging value parameter composition assertion data Include, client identity authentication module obtains authenticator ID, protocol version, signature algorithm and the certificate of itself, according to the institute for obtaining State the signature number of times after authenticator ID, the protocol version, the signature algorithm, the certificate and the renewal, the signature Value, the sign-on ID, the key constitute splicing result to public key, the user name parameter and the challenging value parameter, will The splicing result as V-value, using the length value of the splicing result as L-value, using the first preset value as T value, according to TLV Form constitutes TLV data, the TLV data is encoded, using the coding result for obtaining as the assertion data.
6. method according to claim 1, it is characterised in that:The default request for certification/transaction request, the step Point out also to include before user input biological attribute data described in S3 whether believe containing transaction in judging the request data Breath, is to show the Transaction Information by client, and the prompting user input biological characteristic number is performed after user confirms According to;The prompting user input biological attribute data is directly performed otherwise.
7. method according to claim 6, it is characterised in that:The default request for certification request, the request data Specially authentication data, includes challenge value parameter and certification policy parameter, the certification policy parameter in the authentication data In include sign-on ID field;
Step S5 is specially:Client identity authentication module is according to the sign-on ID word included in the certification policy parameter Segment search simultaneously obtains the sign-on ID and key of preservation to private key, obtains current signature number of times, generates random number, using described close Key carries out signing to the challenge value parameter included in the sign-on ID, the random number and the authentication data to private key To signature value, update current signature number of times, according to the signature number of times after renewal, the signature value, the sign-on ID, it is described with Machine number and challenging value parameter composition assertion data, constitute ID authentication request response according to the assertion data, to client End application program module returns ID authentication request response, it is described be calculated assertion data after also include updating described Current signature number of times.
8. method according to claim 7, it is characterised in that:The signature number of times according to after renewal, the signature value, The sign-on ID and challenging value parameter composition assertion data, specifically include:Client identity authentication module obtains itself Authenticator ID, protocol version, signature algorithm and certificate, according to the authenticator ID, the protocol version, the label that obtain Signature number of times, the signature value, the sign-on ID, the random number and institute after name algorithm, the certificate and the renewal Challenging value parameter composition splicing result is stated, using the splicing result as V-value, using the length value of the splicing result as L-value, Using the second preset value as T value, TLV data are constituted according to TLV forms, the TLV data are encoded, by the coding for obtaining As a result as the assertion data.
9. method according to claim 6, it is characterised in that:The default request for transaction request, the request data Specially transaction data, includes Transaction Information, challenge value parameter and certification policy parameter, the certification in the transaction data Include sign-on ID field in policing parameter;
Step S5 is specially:Client identity authentication module is according to the sign-on ID word included in the certification policy parameter Segment search simultaneously obtains the sign-on ID and key of preservation to private key, obtains current signature number of times, generates random number, using described close Key to private key to include in the sign-on ID, the random number and the transaction data Transaction Information, challenge value parameter Carry out signature calculation and obtain signature value, update current signature number of times, according to the signature number of times after renewal, the signature value, described Sign-on ID, the random number and the Transaction Information, challenging value parameter composition assertion data, according to the assertion data Composition ID authentication request response, returns the ID authentication request response to client application module, described to calculate Also include updating the current signature number of times to after assertion data.
10. The method according to claim 9, characterised in that composing the assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge parameter specifically includes: the client identity authentication module obtains its own authenticator ID, protocol version, signature algorithm and certificate; concatenates the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number, the challenge parameter and the transaction information to form a concatenation result; takes the concatenation result as the V value, the length of the concatenation result as the L value and the second preset value as the T value; composes TLV data in TLV format; encodes the TLV data; and takes the resulting encoding as the assertion data.
11. The method according to claim 1, characterised in that step S2 further includes obtaining a client identification, specifically as follows:
if the client operating system is iOS, the client application module obtains the Bundle ID of the client and uses it as the client identification; if the client operating system is Android, the client application module obtains the client's digital signature, computes a hash of the client digital signature with a default hash algorithm, and uses the computed hash value as the client identification.
12. A client based on biometric recognition, characterised in that it includes a client application module and a client identity authentication module;
The client application module includes a first transceiver unit, a first interaction unit and a second interaction unit;
The first transceiver unit is configured to initiate a default request to the server, receive the request data returned by the server and trigger the first interaction unit; it is further configured, when triggered by the first interaction unit, to send the assertion data to the server and receive the request response returned by the server;
The first interaction unit is configured to compose an identity authentication request from the client identification and the request data and send the identity authentication request to the client identity authentication module; it is further configured, when the identity authentication response returned by the client identity authentication module is received, to obtain the assertion data from the identity authentication response and trigger the first transceiver unit;
The second interaction unit is configured to obtain the request result from the request response received by the first transceiver unit and display it;
The client identity authentication module includes a second transceiver unit, a first judging unit, a second judging unit and a computation unit;
The second transceiver unit is configured to receive the identity authentication request sent by the client application module, obtain the client identification and the request data from the identity authentication request and trigger the first judging unit; it is further configured to return the identity authentication response to the client application module;
The first judging unit is configured to judge whether the client identification and the request data are legitimate; if so, to prompt the user to input biometric data; otherwise, to return an error response to the client application module;
The second judging unit is configured to verify the identity of the current user against the biometric data input by the user; if the verification succeeds, to trigger the computation unit; if the verification fails, to return an error response to the client application module;
The computation unit is configured to compute the assertion data from the sign-on ID, the private key of the key pair and the request data, compose an identity authentication response from the assertion data and trigger the second transceiver unit.
13. The client according to claim 12, characterised in that:
The first judging unit is specifically configured to check whether the format of the content included in the request data is legitimate; when the format of the content included in the request data is legitimate, it is further configured to obtain a trust list according to the application ID included in the request data and to judge whether the client identification is present in the trust list; if so, to judge whether the authentication policy parameter corresponding to the client identity authentication module matches the authentication policy parameter included in the request data; if so, the judgment result is legitimate and the user is prompted to input biometric data; otherwise the judgment result is illegitimate and an error response is returned to the client application module; when the format of the content included in the request data is illegitimate, the judgment result is illegitimate and an error response is returned to the client application module.
14. The client according to claim 13, characterised in that the first judging unit is further configured, when the judgment result is legitimate, to determine the current authentication mode according to the authentication policy parameter and to prompt the user to input the biometric data corresponding to the current authentication mode.
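Claims 11, 13 and 14 together describe everything the client identity authentication module checks before it prompts for a biometric: derive a client identification (the Bundle ID on iOS, a hash of the signing certificate on Android), check that the request data is well formed, fetch the trust list for the application ID and confirm the calling client is on it, then match the authentication policy against what the authenticator itself supports. The Go program below is an added example of those checks written for this page; it is not code from the patent or from the applicant. The JSON request shape and field names, the `local` policy, the trust-list contents, the sample certificate bytes and the base64url rule for the challenge are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"regexp"
)

// Request is the request data the client application module hands to the identity
// authentication module (JSON shape assumed; the claims only list the fields).
type Request struct {
	AppID       string `json:"appID"`
	Challenge   string `json:"challenge"`
	Policy      Policy `json:"policy"`
	Transaction string `json:"transaction,omitempty"` // present only for a transaction request
}

// Policy is the authentication policy parameter: accepted authenticator, the sign-on ID
// field used by authentication/transaction requests, and the required verification mode.
type Policy struct {
	AAID  string `json:"aaid"`
	KeyID string `json:"keyID,omitempty"`
	Mode  string `json:"mode"` // e.g. "fingerprint" or "face"
}

// Constructed local state: what this authenticator supports, and the trust list per
// application ID that claim 13 says the module obtains.
var (
	local      = Policy{AAID: "ABCD#0001", Mode: "fingerprint"}
	trustLists = map[string][]string{
		"https://bank.example/uaf": {
			"com.example.bank", // iOS Bundle ID
			"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", // SHA-256 of the constructed cert bytes "test"
		},
	}
	challengeRE = regexp.MustCompile(`^[A-Za-z0-9_-]{16,}$`) // unpadded base64url, at least 16 chars (assumed)
)

// ClientID builds the client identification of claim 11: the Bundle ID on iOS, the
// hex SHA-256 of the app's signing certificate on Android.
func ClientID(platform, bundleID string, signingCert []byte) (string, error) {
	switch platform {
	case "ios":
		return bundleID, nil
	case "android":
		sum := sha256.Sum256(signingCert)
		return hex.EncodeToString(sum[:]), nil
	}
	return "", errors.New("unsupported platform")
}

// Validate is the first judging unit of claims 13 and 14: request format, caller present
// in the application's trust list, policy compatible with this authenticator. It returns
// the parsed request and whether transaction text must be shown for confirmation first.
func Validate(clientID string, raw []byte) (*Request, bool, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // unexpected fields count as an illegitimate format
	var r Request
	if err := dec.Decode(&r); err != nil {
		return nil, false, errors.New("request format illegitimate: " + err.Error())
	}
	if r.AppID == "" || !challengeRE.MatchString(r.Challenge) || r.Policy.AAID == "" || r.Policy.Mode == "" {
		return nil, false, errors.New("request format illegitimate: missing or malformed field")
	}
	trusted := false
	for _, id := range trustLists[r.AppID] {
		trusted = trusted || id == clientID
	}
	if !trusted {
		return nil, false, errors.New("client identification not in trust list for " + r.AppID)
	}
	if r.Policy.AAID != local.AAID || r.Policy.Mode != local.Mode {
		return nil, false, errors.New("authentication policy does not match this authenticator")
	}
	return &r, r.Transaction != "", nil
}
```

The trust-list step is the one that matters most for a defender: a request relayed by an application whose identification is not on the relying party's list is refused before any biometric is collected, and the strict decoder plus the challenge rule make "the format is legitimate" a concrete, testable condition rather than a judgment call.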
15. The client according to claim 12, characterised in that:
The first transceiver unit is specifically configured to initiate a registration request to the server and receive the registration data returned by the server, the registration data including a user name parameter and a challenge parameter;
The computation unit includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is specifically configured, when triggered by the second judging unit, to generate a sign-on ID and a key pair, store the sign-on ID and the private key of the key pair, obtain the current signature count and trigger the second computation subunit;
The second computation subunit is configured to perform a signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair and the user name parameter and challenge parameter included in the registration data to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter;
The third computation subunit is configured to compose an identity authentication response from the assertion data; it is further configured to update the current signature count after the assertion data has been computed.
16. The client according to claim 15, characterised in that:
The second computation subunit is specifically configured, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to perform a signature calculation with the private key of the key pair over the sign-on ID, the public key of the key pair and the user name parameter and challenge parameter included in the registration data to obtain a signature value and update the current signature count; to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the public key of the key pair, the user name parameter and the challenge parameter to form a concatenation result; to take the concatenation result as the V value, the length of the concatenation result as the L value and the first preset value as the T value; to compose TLV data in TLV format; to encode the TLV data; and to take the resulting encoding as the assertion data.
17. The client according to claim 12, characterised in that the first transceiver unit is specifically configured to initiate an authentication/transaction request to the server and receive the authentication/transaction data returned by the server;
The first judging unit is further configured to judge whether the request data contains transaction information; if so, to display the transaction information through the client and prompt the user to input biometric data after the user confirms; otherwise, to prompt the user to input biometric data directly.
18. The client according to claim 17, characterised in that the first transceiver unit is specifically configured to initiate an authentication request to the server and receive the authentication data returned by the server, the authentication data including a challenge parameter and an authentication policy parameter, and the authentication policy parameter including a sign-on ID field;
The computation unit includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is configured to look up, according to the sign-on ID field included in the authentication policy parameter, the stored sign-on ID and the private key of the key pair and obtain them, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is configured to sign the sign-on ID, the random number and the challenge parameter included in the authentication data with the private key of the key pair to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the random number and the challenge parameter;
The third computation subunit is configured to compose an identity authentication response from the assertion data; it is further configured to update the current signature count after the assertion data has been computed.
19. The client according to claim 18, characterised in that the second computation subunit is specifically configured, when triggered by the first computation subunit, to obtain the authenticator ID, protocol version, signature algorithm and certificate; to sign the sign-on ID, the random number and the challenge parameter included in the authentication data with the private key of the key pair to obtain a signature value and update the current signature count; to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number and the challenge parameter to form a concatenation result; to take the concatenation result as the V value, the length of the concatenation result as the L value and the second preset value as the T value; to compose TLV data in TLV format; to encode the TLV data; and to take the resulting encoding as the assertion data.
20. The client according to claim 17, characterised in that the first transceiver unit is specifically configured to initiate a transaction request to the server and receive the transaction data returned by the server, the transaction data including transaction information, a challenge parameter and an authentication policy parameter, and the authentication policy parameter including a sign-on ID field;
The computation unit includes a first computation subunit, a second computation subunit and a third computation subunit;
The first computation subunit is configured to look up, according to the sign-on ID field included in the authentication policy parameter, the stored sign-on ID and the private key of the key pair and obtain them, obtain the current signature count, generate a random number and trigger the second computation subunit;
The second computation subunit is configured to perform a signature calculation with the private key of the key pair over the sign-on ID, the random number and the transaction information and challenge parameter included in the transaction data to obtain a signature value, update the current signature count, and compose assertion data from the updated signature count, the signature value, the sign-on ID, the random number, the transaction information and the challenge parameter;
The third computation subunit is configured to compose an identity authentication response from the assertion data; it is further configured to update the current signature count after the assertion data has been computed.
21. The client according to claim 20, characterised in that:
The second computation subunit is specifically configured, when triggered by the first computation subunit, to obtain its own authenticator ID, protocol version, signature algorithm and certificate; to concatenate the obtained authenticator ID, protocol version, signature algorithm and certificate with the updated signature count, the signature value, the sign-on ID, the random number, the challenge parameter and the transaction information to form a concatenation result; to take the concatenation result as the V value, the length of the concatenation result as the L value and the second preset value as the T value; to compose TLV data in TLV format; to encode the TLV data; and to take the resulting encoding as the assertion data.
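Claims 8 to 10 and 15 to 21 all build the same object: a per-key signature count, a signature over the request-specific fields, and a TLV wrapper around the concatenation of authenticator ID, protocol version, signature algorithm, certificate, updated count, signature value, sign-on ID and the per-request fields (public key, user name and challenge at registration; random number, challenge and, for a transaction, the transaction information afterwards). The Go program below is an added example of that flow written for this page; it is not code from the patent or from the applicant. It assumes Ed25519 from the Go standard library as the signature algorithm, two-byte big-endian T and L fields, length-prefixed fields inside the V value so that a verifier can parse the concatenation, a sign-on ID derived from the public key, an empty certificate, and the tag values 0x3E01 and 0x3E02 standing in for the first and second preset values. It also adds the relying-party side, which the claims leave to the server: the challenge and transaction text must equal what the server issued, and the signature count must be strictly greater than the one stored from the previous assertion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

const (
	TagReg  uint16 = 0x3E01 // stands in for the "first preset value" (registration assertion)
	TagAuth uint16 = 0x3E02 // stands in for the "second preset value" (authentication/transaction assertion)
)

// pack length-prefixes each field so the concatenation can be parsed back (framing assumed here).
func pack(fields ...[]byte) []byte {
	var b []byte
	for _, f := range fields {
		b = append(binary.BigEndian.AppendUint16(b, uint16(len(f))), f...)
	}
	return b
}

// open checks the TLV header against tag and returns the ten concatenated fields.
func open(assertion []byte, tag uint16) ([][]byte, error) {
	if len(assertion) < 4 || binary.BigEndian.Uint16(assertion) != tag || int(binary.BigEndian.Uint16(assertion[2:])) != len(assertion)-4 {
		return nil, errors.New("bad TLV header")
	}
	var f [][]byte
	for data := assertion[4:]; len(data) > 0; {
		if len(data) < 2 || 2+int(binary.BigEndian.Uint16(data)) > len(data) {
			return nil, errors.New("truncated field")
		}
		l := 2 + int(binary.BigEndian.Uint16(data))
		f, data = append(f, data[2:l]), data[l:]
	}
	if len(f) != 10 || len(f[4]) != 4 {
		return nil, errors.New("unexpected field layout")
	}
	return f, nil
}

// Authenticator models the client identity authentication module: keys indexed by sign-on ID, plus a per-key signature count.
type Authenticator struct {
	AAID  []byte
	Keys  map[string]ed25519.PrivateKey
	Count map[string]uint32
}

// assertion updates the key's signature count, concatenates authenticator ID, protocol version,
// algorithm, certificate (empty here), updated count and the per-request fields, then wraps it as T(2) || L(2) || V.
func (a *Authenticator) assertion(tag uint16, keyID string, rest ...[]byte) []byte {
	a.Count[keyID]++
	hdr := [][]byte{a.AAID, []byte("1.0"), []byte("Ed25519"), nil, binary.BigEndian.AppendUint32(nil, a.Count[keyID])}
	v := pack(append(hdr, rest...)...)
	t := binary.BigEndian.AppendUint16(nil, tag)
	return append(binary.BigEndian.AppendUint16(t, uint16(len(v))), v...)
}

// Register: new key pair, sign (sign-on ID, public key, user name, challenge), then build the registration assertion.
func (a *Authenticator) Register(username, challenge []byte) (string, ed25519.PublicKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keyID := hex.EncodeToString(pub[:8]) // sign-on ID derived from the public key (assumption)
	a.Keys[keyID] = priv
	sig := ed25519.Sign(priv, pack([]byte(keyID), pub, username, challenge))
	return keyID, pub, a.assertion(TagReg, keyID, sig, []byte(keyID), pub, username, challenge)
}

// Authenticate serves both the authentication and the transaction request: the policy's sign-on ID selects
// the key, a random number is drawn, and (sign-on ID, random number, transaction info, challenge) is signed.
func (a *Authenticator) Authenticate(keyID string, challenge, txInfo []byte) ([]byte, error) {
	priv, ok := a.Keys[keyID]
	if !ok {
		return nil, errors.New("policy names an unknown sign-on ID")
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig := ed25519.Sign(priv, pack([]byte(keyID), nonce, txInfo, challenge))
	return a.assertion(TagAuth, keyID, sig, []byte(keyID), nonce, challenge, txInfo), nil
}

// VerifyAuth is the relying-party check the claims leave to the server: challenge and transaction text as
// issued, count strictly above the stored one, valid signature under the registered key. Returns the count to store.
func VerifyAuth(assertion []byte, pub ed25519.PublicKey, last uint32, challenge, txInfo []byte) (uint32, error) {
	f, err := open(assertion, TagAuth)
	if err != nil {
		return 0, err
	}
	switch count := binary.BigEndian.Uint32(f[4]); {
	case string(f[8]) != string(challenge) || string(f[9]) != string(txInfo):
		return 0, errors.New("challenge or transaction text mismatch")
	case count <= last:
		return 0, errors.New("signature count did not advance: replay or cloned key")
	case !ed25519.Verify(pub, pack(f[6], f[7], f[9], f[8]), f[5]):
		return 0, errors.New("bad signature")
	default:
		return count, nil
	}
}
```

Two points a practitioner should take from this. First, the distinct T values are what let the server refuse a registration-tagged blob presented as an authentication, so `open` is always called with the tag the server expects. Second, as the claims are written the signature covers the sign-on ID, random number, challenge and transaction information but not the signature count, so the monotonic-count check above catches a replayed assertion but cannot by itself authenticate the count field; a deployment that wants the count protected has to include it in the signed data as well.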
22. The client according to claim 12, characterised in that the client application module further includes an acquiring unit;
The acquiring unit is specifically configured, when the client operating system is iOS, to obtain the Bundle ID of the client and use it as the client identification; and, when the client operating system is Android, to obtain the client digital signature, compute a hash of the client digital signature with a default hash algorithm, and use the computed hash value as the client identification.
CN201611058902.6A 2016-11-21 2016-11-21 A kind of client and its method of work based on living things feature recognition Pending CN106549973A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611058902.6A CN106549973A (en) 2016-11-21 2016-11-21 A kind of client and its method of work based on living things feature recognition

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611058902.6A CN106549973A (en) 2016-11-21 2016-11-21 A kind of client and its method of work based on living things feature recognition

Publications (1)

Publication Number Publication Date
CN106549973A true CN106549973A (en) 2017-03-29

Family

ID=58395914

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611058902.6A Pending CN106549973A (en) 2016-11-21 2016-11-21 A kind of client and its method of work based on living things feature recognition

Country Status (1)

Country Link
CN (1) CN106549973A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107919963A (en) * 2017-12-27 2018-04-17 飞天诚信科技股份有限公司 A kind of authenticator and its implementation
CN109214154A (en) * 2017-06-29 2019-01-15 佳能株式会社 Information processing unit and method
CN109784024A (en) * 2018-12-14 2019-05-21 航天信息股份有限公司 One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators
CN109829722A (en) * 2019-02-22 2019-05-31 兴唐通信科技有限公司 A kind of user identity real name identification method of electronic fare payment system
WO2020024852A1 (en) * 2018-08-01 2020-02-06 飞天诚信科技股份有限公司 Authentication method and authentication device
CN110852139A (en) * 2018-08-21 2020-02-28 阿里巴巴集团控股有限公司 Biometric feature recognition method, biometric feature recognition device, biometric feature recognition equipment and storage medium
CN110932858A (en) * 2018-09-19 2020-03-27 阿里巴巴集团控股有限公司 Authentication method and system
CN111382420A (en) * 2018-12-29 2020-07-07 金联汇通信息技术有限公司 Data transaction method, device, system, electronic equipment and readable storage medium
CN112182542A (en) * 2020-12-03 2021-01-05 飞天诚信科技股份有限公司 Method and system for accurate matching of biological recognition
CN112199663A (en) * 2020-12-03 2021-01-08 飞天诚信科技股份有限公司 Authentication method and system for no user name
CN112989309A (en) * 2021-05-21 2021-06-18 统信软件技术有限公司 Login method, authentication method and system based on multi-party authorization and computing equipment
CN113190816A (en) * 2021-05-08 2021-07-30 国民认证科技(北京)有限公司 Man-machine interaction verification method and system using system biological characteristics

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105162785A (en) * 2015-09-07 2015-12-16 飞天诚信科技股份有限公司 Method and equipment for performing registration based on authentication equipment
CN105550558A (en) * 2015-07-31 2016-05-04 宇龙计算机通信科技(深圳)有限公司 Fingerprint reading method and user equipment
CN105827655A (en) * 2016-05-27 2016-08-03 飞天诚信科技股份有限公司 Intelligent key equipment and work method thereof
CN105847247A (en) * 2016-03-21 2016-08-10 飞天诚信科技股份有限公司 Authentication system and working method thereof

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109214154A (en) * 2017-06-29 2019-01-15 佳能株式会社 Information processing unit and method
US11042615B2 (en) 2017-06-29 2021-06-22 Canon Kabushiki Kaisha Information processing apparatus and method
CN107919963A (en) * 2017-12-27 2018-04-17 飞天诚信科技股份有限公司 A kind of authenticator and its implementation
CN107919963B (en) * 2017-12-27 2020-10-27 飞天诚信科技股份有限公司 Authenticator and implementation method thereof
WO2020024852A1 (en) * 2018-08-01 2020-02-06 飞天诚信科技股份有限公司 Authentication method and authentication device
US11930118B2 (en) 2018-08-01 2024-03-12 Feitian Technologies Co., Ltd. Authentication method and authentication device
CN110852139B (en) * 2018-08-21 2024-05-24 斑马智行网络(香港)有限公司 Biometric identification method, device, apparatus and storage medium
CN110852139A (en) * 2018-08-21 2020-02-28 阿里巴巴集团控股有限公司 Biometric feature recognition method, biometric feature recognition device, biometric feature recognition equipment and storage medium
CN110932858A (en) * 2018-09-19 2020-03-27 阿里巴巴集团控股有限公司 Authentication method and system
CN110932858B (en) * 2018-09-19 2023-05-02 阿里巴巴集团控股有限公司 Authentication method and system
CN109784024A (en) * 2018-12-14 2019-05-21 航天信息股份有限公司 One kind authenticating FIDO method and system based on the polyfactorial quick online identity of more authenticators
CN111382420A (en) * 2018-12-29 2020-07-07 金联汇通信息技术有限公司 Data transaction method, device, system, electronic equipment and readable storage medium
CN109829722A (en) * 2019-02-22 2019-05-31 兴唐通信科技有限公司 A kind of user identity real name identification method of electronic fare payment system
CN112182542B (en) * 2020-12-03 2021-03-16 飞天诚信科技股份有限公司 Method and system for accurate matching of biological recognition
CN112199663A (en) * 2020-12-03 2021-01-08 飞天诚信科技股份有限公司 Authentication method and system for no user name
CN112182542A (en) * 2020-12-03 2021-01-05 飞天诚信科技股份有限公司 Method and system for accurate matching of biological recognition
CN113190816A (en) * 2021-05-08 2021-07-30 国民认证科技(北京)有限公司 Man-machine interaction verification method and system using system biological characteristics
CN112989309B (en) * 2021-05-21 2021-08-20 统信软件技术有限公司 Login method, authentication method and system based on multi-party authorization and computing equipment
CN112989309A (en) * 2021-05-21 2021-06-18 统信软件技术有限公司 Login method, authentication method and system based on multi-party authorization and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170329