CN106886699A - A kind of fingerprint authentication method and relevant device - Google Patents

Info

Publication number: CN106886699A
Authority: CN (China)
Prior art keywords: fingerprint, fragment, fingerprint template, data, security domain
Legal status: Granted (Active)
Application number: CN201710052108.9A
Other languages: Chinese (zh)
Other versions: CN106886699B (en)
Inventor: 程力行
Current Assignee: Beijing Anyun Century Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710052108.9A
Publication of CN106886699A
Application granted
Publication of CN106886699B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Abstract

Embodiments of the invention provide a fingerprint authentication method and a related device. The method is applied in a mobile terminal that has a non-secure domain and a secure domain isolated from each other, the secure domain having access to a security chip. The method includes: collecting target fingerprint data in the non-secure domain in response to a fingerprint authentication request from an application; switching from the non-secure domain to the secure domain; extracting a first fingerprint template fragment in the secure domain, and sending the first fingerprint template fragment and the target fingerprint data to the security chip; and extracting a second fingerprint template fragment in the security chip, and performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment, where the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data. This builds a layered security architecture of non-secure region, secure region and security chip, and improves the security of the fingerprint template data.

Description

Fingerprint authentication method and related device
Technical field
The present invention relates to the field of communication technology, and in particular to a fingerprint authentication method and a related device.
Background
With the development of mobile communication technology, mobile terminals such as mobile phones are increasingly widespread and bring great convenience to people's life, study and work.
Because fingerprint data offers a convenient form of protection and removes the trouble of entering a password manually, many mobile terminals enroll the user's fingerprint data and, once fingerprint data has been verified, directly perform operations such as decryption and payment.
Fingerprint data enrolled on a mobile terminal is usually stored locally on the terminal. If a criminal steals the terminal, the user's fingerprint data can be stolen from local storage by means such as program cracking and physical attack and then used for decryption, payment and similar operations. This leaks user information and can even cause loss of property, so security is low.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a fingerprint authentication method and a related device that overcome the above problems or at least partially solve them.
In a first aspect, an embodiment of the invention provides a fingerprint authentication method applied in a mobile terminal, where the mobile terminal has a non-secure domain and a secure domain isolated from each other, and the secure domain has access to a security chip;
The method includes:
collecting target fingerprint data in the non-secure domain in response to a fingerprint authentication request from an application;
switching from the non-secure domain to the secure domain;
extracting a first fingerprint template fragment in the secure domain, and sending the first fingerprint template fragment and the target fingerprint data to the security chip;
extracting a second fingerprint template fragment in the security chip, and performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment, where the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
In a possible design, the step of extracting the first fingerprint template fragment in the secure domain includes:
performing a legitimacy check on the application in the secure domain;
when the application passes the legitimacy check, extracting the first fingerprint template fragment from the file system of the secure domain.
In a possible design, the step of performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to a preset splitting rule;
matching the fingerprint template data against the target fingerprint data;
when the fingerprint template data matches the target fingerprint data, determining that fingerprint authentication succeeds;
when the fingerprint template data fails to match the target fingerprint data, determining that fingerprint authentication fails.
In a possible design, the step of combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset splitting rule includes:
generating a fingerprint base plate;
determining a first position of the first fingerprint template fragment and a second position of the second fingerprint template fragment respectively;
writing the first fingerprint template fragment and the second fingerprint template fragment into the first position and the second position of the fingerprint base plate respectively, to obtain the fingerprint template data.
In a possible design, the step of performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
splitting the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule;
matching the first fingerprint template fragment against the first target fingerprint fragment;
matching the second fingerprint template fragment against the second target fingerprint fragment;
when the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment, determining that fingerprint authentication succeeds;
when the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment, determining that fingerprint authentication fails.
In a possible design, the step of splitting, in the secure domain, the target fingerprint data into the first target fingerprint fragment and the second target fingerprint fragment according to the preset splitting rule includes:
determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
extracting the first target fingerprint fragment and the second target fingerprint fragment from the first position and the second position of the target fingerprint data respectively.
In a possible design, the method further includes:
returning the result of the fingerprint authentication to the secure domain in the security chip;
switching from the secure domain to the non-secure domain;
returning the result of the fingerprint authentication to the application in the non-secure domain.
In a possible design, the method further includes:
collecting fingerprint template data in the non-secure domain in response to a fingerprint enrollment request from an application;
switching from the non-secure domain to the secure domain;
sending the fingerprint template data to the security chip in the secure domain;
splitting, in the security chip, the fingerprint template data into the first fingerprint template fragment and the second fingerprint template fragment according to the preset splitting rule, and returning the second fingerprint template fragment to the secure domain.
In a possible design, the step of splitting, in the security chip, the fingerprint template data into the first fingerprint template fragment and the second fingerprint template fragment according to the preset splitting rule includes:
extracting the first fingerprint template fragment from the first position in the fingerprint template data;
extracting the second fingerprint template fragment from the second position in the fingerprint template data.
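The enrollment split and the two verification designs above (recombine on a base plate, or match fragment by fragment) can be compared side by side. The following C sketch is an added example, not code from the patent: the byte-range splitting rule, the 16-byte template and the byte-difference matcher with its tolerances are constructed stand-ins for a real fingerprint matcher, and the first fragment is taken to be the one stored in the secure domain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_LEN   16  /* constructed size; real templates are far larger */
#define MAX_DIFF_TOTAL 2   /* stand-in tolerance when matching the whole template */
#define MAX_DIFF_FRAG  1   /* stand-in tolerance when matching one fragment */

/* Preset splitting rule (hypothetical layout): two adjacent byte ranges. */
struct split_rule {
    size_t first_pos, first_len;    /* first fragment: secure-domain file system */
    size_t second_pos, second_len;  /* second fragment: security chip */
};

/* Constructed sample data, not real biometric data. */
static const struct split_rule RULE = { 0, 12, 12, 4 };
static const uint8_t ENROLLED[TEMPLATE_LEN] = {
    0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x22, 0xb8, 0x6d,
    0x10, 0xf3, 0x49, 0x8c, 0xe7, 0x55, 0x2b, 0x9a
};

/* The two ranges must tile the template exactly: no gap, overlap or overrun. */
static int rule_is_valid(const struct split_rule *r)
{
    if (r->first_len == 0 || r->second_len == 0) return 0;
    if (r->first_len > TEMPLATE_LEN || r->second_len > TEMPLATE_LEN) return 0;
    if (r->first_len + r->second_len != TEMPLATE_LEN) return 0;
    return (r->first_pos == 0 && r->second_pos == r->first_len) ||
           (r->second_pos == 0 && r->first_pos == r->second_len);
}

/* Stand-in matcher: number of differing bytes (a real matcher compares features). */
static size_t diff_count(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t d = 0;
    for (size_t i = 0; i < len; i++) d += (a[i] != b[i]);
    return d;
}

/* Clear a buffer through a volatile pointer so the stores are not optimised away. */
static void wipe(uint8_t *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Enrollment: cut the template at the rule's positions. Returns 0 on success. */
int split_template(const struct split_rule *r, const uint8_t *tmpl,
                   uint8_t *first, uint8_t *second)
{
    if (!rule_is_valid(r)) return -1;
    memcpy(first, tmpl + r->first_pos, r->first_len);
    memcpy(second, tmpl + r->second_pos, r->second_len);
    return 0;
}

/* Design 1: write both fragments onto a blank base plate, then match as a whole. */
int verify_combined(const struct split_rule *r, const uint8_t *first,
                    const uint8_t *second, const uint8_t *target)
{
    uint8_t plate[TEMPLATE_LEN] = {0};
    int ok;
    if (!rule_is_valid(r)) return 0;
    memcpy(plate + r->first_pos, first, r->first_len);
    memcpy(plate + r->second_pos, second, r->second_len);
    ok = diff_count(plate, target, TEMPLATE_LEN) <= MAX_DIFF_TOTAL;
    wipe(plate, sizeof plate);  /* the full template exists only for this call */
    return ok;
}

/* Design 2: cut the target at the same positions; both fragments must match. */
int verify_by_fragment(const struct split_rule *r, const uint8_t *first,
                       const uint8_t *second, const uint8_t *target)
{
    if (!rule_is_valid(r)) return 0;
    return diff_count(first, target + r->first_pos, r->first_len) <= MAX_DIFF_FRAG
        && diff_count(second, target + r->second_pos, r->second_len) <= MAX_DIFF_FRAG;
}

int main(void)
{
    uint8_t first[TEMPLATE_LEN], second[TEMPLATE_LEN], probe[TEMPLATE_LEN];
    if (split_template(&RULE, ENROLLED, first, second) != 0) return 1;
    memcpy(probe, ENROLLED, sizeof probe);
    probe[0] ^= 0xff;  /* two noisy bytes, both inside the first fragment */
    probe[1] ^= 0xff;
    printf("combined: %d, per-fragment: %d\n",
           verify_combined(&RULE, first, second, probe),
           verify_by_fragment(&RULE, first, second, probe));
    return 0;
}
```

With these stand-in tolerances the two designs disagree on the noisy probe: the recombined template never has to leave the chip-side call, while the fragment-wise design avoids rebuilding the full template at all but applies its tolerance per fragment.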
In a second aspect, an embodiment of the invention provides a fingerprint authentication apparatus applied in a mobile terminal, where the mobile terminal has a non-secure domain and a secure domain isolated from each other, and the secure domain has access to a security chip;
The apparatus includes:
an authentication request processing module, configured to collect target fingerprint data in the non-secure domain in response to a fingerprint authentication request from an application;
a first secure domain switching module, configured to switch from the non-secure domain to the secure domain;
a fingerprint template fragment transmission module, configured to extract a first fingerprint template fragment in the secure domain and send the first fingerprint template fragment and the target fingerprint data to the security chip;
a fingerprint authentication module, configured to extract a second fingerprint template fragment in the security chip and perform fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment, where the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
In a possible design, the fingerprint template fragment transmission module includes:
a legitimacy check submodule, configured to perform a legitimacy check on the application in the secure domain;
a fingerprint template fragment extraction submodule, configured to extract the first fingerprint template fragment from the file system of the secure domain when the application passes the legitimacy check.
In a possible design, the fingerprint authentication module includes:
a fingerprint combination submodule, configured to combine the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to a preset splitting rule;
a template matching submodule, configured to match the fingerprint template data against the target fingerprint data;
a first determination submodule, configured to determine that fingerprint authentication succeeds when the fingerprint template data matches the target fingerprint data;
a second determination submodule, configured to determine that fingerprint authentication fails when the fingerprint template data fails to match the target fingerprint data.
In a possible design, the fingerprint combination submodule includes:
a base plate generation unit, configured to generate a fingerprint base plate;
a template position determination unit, configured to determine a first position of the first fingerprint template fragment and a second position of the second fingerprint template fragment respectively;
a base plate data writing unit, configured to write the first fingerprint template fragment and the second fingerprint template fragment into the first position and the second position of the fingerprint base plate respectively, to obtain the fingerprint template data.
In a possible design, the fingerprint authentication module includes:
a target fingerprint splitting submodule, configured to split the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule;
a first fragment matching submodule, configured to match the first fingerprint template fragment against the first target fingerprint fragment;
a second fragment matching submodule, configured to match the second fingerprint template fragment against the second target fingerprint fragment;
a third determination submodule, configured to determine that fingerprint authentication succeeds when the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment;
a fourth determination submodule, configured to determine that fingerprint authentication fails when the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment.
In a possible design, the target fingerprint splitting submodule includes:
a fragment position determination unit, configured to determine the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
a target fingerprint fragment extraction unit, configured to extract the first target fingerprint fragment and the second target fingerprint fragment from the first position and the second position of the target fingerprint data respectively.
In a possible design, the apparatus further includes:
a first result return module, configured to return the result of the fingerprint authentication to the secure domain in the security chip;
a non-secure domain switching module, configured to switch from the secure domain to the non-secure domain;
a second result return module, configured to return the result of the fingerprint authentication to the application in the non-secure domain.
In a possible design, the apparatus further includes:
an enrollment request processing module, configured to collect fingerprint template data in the non-secure domain in response to a fingerprint enrollment request from an application;
a second secure domain switching module, configured to switch from the non-secure domain to the secure domain;
a fingerprint template data transmission module, configured to send the fingerprint template data to the security chip in the secure domain;
a fingerprint template splitting module, configured to split, in the security chip, the fingerprint template data into the first fingerprint template fragment and the second fingerprint template fragment according to the preset splitting rule, and to return the second fingerprint template fragment to the secure domain.
In a possible design, the fingerprint template splitting module includes:
a first template fragment extraction submodule, configured to extract the first fingerprint template fragment from the first position in the fingerprint template data;
a second template fragment extraction submodule, configured to extract the second fingerprint template fragment from the second position in the fingerprint template data.
In a third aspect, an embodiment of the invention provides a mobile terminal including a processor and a memory;
The memory is used to store a program that supports execution of the fingerprint authentication method described above;
The processor is configured to execute the program stored in the memory.
In a fourth aspect, an embodiment of the invention provides a computer storage medium for storing the computer software instructions used by the above mobile terminal, including the program designed for the mobile terminal to perform the above aspects.
Embodiments of the invention apply TrustZone and a security chip together in a mobile terminal: the secure domain runs in the secure core of TrustZone, the non-secure domain runs in the non-secure core, and the security chip is accessed through the secure domain. A complete set of fingerprint template data is split into a first fingerprint template fragment and a second fingerprint template fragment; the first fingerprint template fragment is stored in the secure domain and the second fingerprint template fragment is stored in the security chip. On the one hand, this builds a layered security architecture of non-secure region, secure region and security chip in the mobile terminal. A hacker who wants to crack the mobile terminal and obtain the fingerprint template data must crack both the secure region and the security chip. The security level of the security chip can reach EAL5+, it can effectively resist program cracking and physical attack, and it can be configured with a self-destruct mechanism, which effectively prevents cracking by hackers and greatly improves the security of the fingerprint template data. On the other hand, because the second fingerprint template fragment is only part of the fingerprint template data, the volume of data is reduced, which ensures that the security chip can store it.
These and other aspects of the invention will be more readily apparent from the following description.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a structural block diagram of a mobile terminal according to an embodiment of the invention;
Fig. 2 shows a structural diagram of a security chip connected into TrustZone according to an embodiment of the invention;
Fig. 3A and Fig. 3B show examples of splitting fingerprint template data according to an embodiment of the invention;
Fig. 4 shows a structural block diagram of a mobile terminal according to another embodiment of the invention;
Fig. 5 shows a flow chart of the steps of a fingerprint authentication method according to an embodiment of the invention;
Fig. 6 shows a flow chart of the steps of a fingerprint authentication method according to another embodiment of the invention;
Fig. 7 shows a structural block diagram of a fingerprint authentication apparatus according to an embodiment of the invention;
Fig. 8 shows a structural block diagram of a fingerprint authentication apparatus according to another embodiment of the invention; and
Fig. 9 shows a block diagram of part of the structure of a mobile phone related to the mobile terminal provided by an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Referring to Fig. 1, a structural block diagram of a mobile terminal according to an embodiment of the invention is shown.
The mobile terminal can be configured with a main chip. The main chip can be an integrated circuit of pre-customized modules, such as an SoC (System on Chip), and generally has one or more of the following conventional components:
1. Logic core
The logic core includes a processor 110 (such as a CPU (Central Processing Unit) based on ARM (Advanced RISC Machines)), a clock circuit, timers, an interrupt controller, serial and parallel interfaces, other peripherals, I/O (input/output) ports, and the glue logic between the various IP (Internet Protocol) cores.
2. Memory core
The memory core includes memories such as volatile memory, non-volatile memory and cache.
3. Analog core
The analog core includes an ADC (analog-to-digital converter), a DAC (digital-to-analog converter), a PLL (phase-locked loop) and the analog circuits used in some high-speed circuits.
In embodiments of the invention, in addition to the above conventional components, the main chip can be configured with a security chip 120, such as a chip certified to CC EAL5+.
The security chip 120 is a trusted platform module: a device that can independently perform key generation, encryption and decryption. It has its own internal storage unit and logic computing unit, can store keys and characteristic data (such as the second fingerprint template fragment), and provides the mobile terminal with encryption and security authentication services as well as logic computing services (such as a fingerprint authentication service). Characteristic data is encrypted with the security chip 120 and the key is stored in hardware, so stolen data cannot be decrypted, which protects business privacy and data security.
The security chip 120 can communicate and transfer data over SPI (Serial Peripheral Interface), I2C (Inter-Integrated Circuit, a bus connecting a microcontroller and its peripherals) or similar interfaces.
In embodiments of the invention, the mobile terminal applies TrustZone. TrustZone is a technology that combines software and hardware: the hardware provides code isolation, and the software provides basic security services and interfaces. It extends the security system of the mobile terminal to guard against the various specific threats a mobile terminal may face (threats that may come not only from malware and black-market workshops, but also from the holder of the mobile terminal).
In the architecture of the processor 110, each physical processor core can provide two virtual cores: one is the secure core 111 (Secure) and the other is the non-secure core 112 (Non-secure, NS).
The secure domain 1111 runs in the secure core 111, and the non-secure domain 1121 runs in the non-secure core 112.
As shown in Fig. 2, in TrustZone the hardware and software resources of the main chip 100 are divided between the secure domain 1111 and the non-secure domain 1112.
Depending on the needs of the application, TrustZone can extend security to memory and peripherals at other levels of the system; the accesses that code running on the processor makes to memory and peripherals are sent onto the AXI bus system.
Each read/write channel on the AXI bus has one additional control signal:
AWPROT[1]: bus write transaction control signal. Low level indicates a secure write transaction; high level indicates a non-secure write transaction.
ARPROT[1]: bus read transaction control signal. Low level indicates a secure read transaction; high level indicates a non-secure read transaction.
The address space controller (TZASC) is a master device on the AXI bus. It can divide the memory address space into a series of regions, which software running in the secure world configures as secure or non-secure, and the TZASC prevents non-secure transactions from accessing secure memory.
One use of the TZASC is to partition an AXI slave device into several secure devices, preventing non-secure transactions from accessing secure devices. ARM's DMC does not itself support creating secure and non-secure domains, so it must be connected to a TZASC for this purpose.
The memory adapter (TZMA) is a master device on the AXI bus and is used to divide the secure ranges of on-chip RAM (random access memory) and ROM (read-only memory).
Because the APB (Advanced Peripheral Bus) does not carry the TrustZone security-related control signals that the AXI bus has, an APB-to-AXI bridge is needed, while peripherals remain connected to the APB. The APB-to-AXI bridge has a TZPCDECPORT signal input, which determines whether a peripheral is configured as secure or non-secure and can prevent non-secure transactions from accessing the peripheral.
The TZPCDECPORT input signal can be set statically when the main chip (such as an SoC) is designed, or it can be programmed through the TrustZone protection controller (TZPC) and set dynamically while the program is running. In other words, the TZPC can dynamically configure a peripheral as secure or non-secure.
In addition, the cache and memory need some extensions in order to support the TrustZone security policy.
Each cache tag gains an NS (security) bit that identifies the security state of the line: with NS=0 the line is in the secure state, and with NS=1 the line is in the non-secure state.
The tags of the TLB (Translation Lookaside Buffer) of the MMU (memory management unit) gain an NSTID, which serves the same function as NS.
Therefore, when a device issues a read/write transaction request to the bus, the control signal is sent onto the AXI bus. The AXI bus judges the read or write according to this signal and the domain in which the processor 110 is currently running, and prevents non-secure processes and devices from reading or writing secure devices.
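The filtering described above can be modelled in a few lines. The following C sketch is an added example, not code from the patent or from ARM: it decodes bit 1 of AWPROT/ARPROT and checks an access against a region table in the way a TZASC-style filter would. The memory map, the function names, the fail-closed handling of unmapped addresses and the rule for accesses that straddle a region boundary are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit 1 of AWPROT/ARPROT: low = secure transaction, high = non-secure. */
#define AXPROT_NONSECURE (1u << 1)

struct region {
    uint32_t base, size;  /* size is non-zero and base + size - 1 does not wrap */
    int secure;           /* set by secure-world software */
};

/* Constructed memory map for illustration only. */
static const struct region MAP[] = {
    { 0x80000000u, 0x0ff00000u, 0 },  /* general-purpose RAM */
    { 0x8ff00000u, 0x00100000u, 1 },  /* RAM reserved for the secure domain */
};
#define MAP_LEN (sizeof MAP / sizeof MAP[0])

/* Find the region containing addr, or NULL if the address is unmapped. */
static const struct region *find_region(uint32_t addr)
{
    for (size_t i = 0; i < MAP_LEN; i++)
        if (addr >= MAP[i].base && addr - MAP[i].base < MAP[i].size)
            return &MAP[i];
    return NULL;
}

/*
 * Decide one read or write of len bytes starting at addr.
 * Returns 1 if the transaction is let through, 0 if it is blocked.
 */
int tzasc_allows(uint32_t axprot, uint32_t addr, uint32_t len)
{
    uint32_t last, cur;

    if (len == 0 || addr + (len - 1) < addr)
        return 0;                     /* empty or wrapping access */
    if (!(axprot & AXPROT_NONSECURE))
        return 1;                     /* secure transactions may reach everything */

    /* Non-secure: every byte touched must lie in a non-secure region. */
    last = addr + (len - 1);
    cur = addr;
    for (;;) {
        const struct region *r = find_region(cur);
        uint32_t end;

        if (r == NULL || r->secure)
            return 0;                 /* unmapped (fail closed) or secure memory */
        end = r->base + (r->size - 1);
        if (end >= last)
            return 1;                 /* the rest of the access is inside r */
        cur = end + 1;                /* continue in the next region */
    }
}
```

Checking only the start address would let a non-secure access that begins in general-purpose RAM run on into the secure region, which is why the model walks every region the access touches.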
The secure core 111 is allowed to access all resources, and the AMBA3 AXI bus system ensures that the resources of the secure domain 1111 cannot be accessed by the non-secure core 112. The non-secure core 112 can therefore generally access only the resources of the non-secure domain 1121.
Furthermore, the non-secure domain 1121 handles access to general memory and peripherals, while the secure domain 1111 provides secure access to secure memory and peripherals (such as the security chip 120), which achieves the isolation of the secure domain 1111.
In embodiments of the invention, the secure core 111 can access the security chip 120 and the non-secure domain 1121 cannot. The secure domain 1111 therefore has access to the security chip 120, and the non-secure domain 1121 does not.
In embodiments of the invention, the first fingerprint template fragment is stored in the secure domain 1111, for example in the FTS file system of the secure domain 1111.
The second fingerprint template fragment is stored in the security chip 120; for example, the second fingerprint template fragment can be encrypted and then stored in secure RAM.
The first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data. That is, neither fragment is a complete set of fingerprint template data; each is part of the data in one complete set of fingerprint template data, and the first fingerprint template fragment and the second fingerprint template fragment together can make up one complete set of fingerprint template data.
In one example, for the fingerprint template data 310 shown in Fig. 3A, the data to the left of the dotted line 220 is the first fingerprint template fragment 311 and the data to the right of the dotted line 220 is the second fingerprint template fragment 312.
In another example, for the fingerprint template data 310 shown in Fig. 3B, the data outside the circle 330 is the first fingerprint template fragment 313 and the data inside the circle 330 is the second fingerprint template fragment 314.
Of course, the above first and second fingerprint template fragments are only examples. When implementing embodiments of the invention, other first and second fingerprint template fragments can be set according to actual conditions, and embodiments of the invention place no limitation on this. In addition to the above first and second fingerprint template fragments, those skilled in the art can also use other first and second fingerprint template fragments according to actual needs, and embodiments of the invention place no limitation on this either.
It should be noted that, because fingerprint template data is generally large and the storage space of the security chip 120 is limited, the first fingerprint template fragment can be larger than the second fingerprint template fragment, so that the smaller second fingerprint template fragment is stored in the security chip 120.
Of course, the first fingerprint template fragment may also be smaller than or equal in size to the second fingerprint template fragment; embodiments of the invention place no limitation on this.
In the traditional scheme, if TrustZone is applied in the mobile terminal, the fingerprint template data is stored in full in the FTS file system in TrustZone, with a security level of EAL2, and a hacker can easily obtain the user's fingerprint template data by means of program cracking and physical attack.
Some schemes also try to store the fingerprint template data in a security chip. However, as fingerprint sensors develop toward higher precision, fingerprint template data keeps growing while the space in the security chip is limited, so it is difficult to store the complete fingerprint template data there.
Embodiments of the invention apply TrustZone and a security chip together in a mobile terminal: the secure domain runs in the secure core of TrustZone, the non-secure domain runs in the non-secure core, and the security chip is accessed through the secure domain. A complete set of fingerprint template data is split into a first fingerprint template fragment and a second fingerprint template fragment; the first fingerprint template fragment is stored in the secure domain and the second fingerprint template fragment is stored in the security chip. On the one hand, this builds a layered security architecture of non-secure region, secure region and security chip in the mobile terminal. A hacker who wants to crack the mobile terminal and obtain the fingerprint template data must crack both the secure region and the security chip. The security level of the security chip can reach EAL5+, it can effectively resist program cracking and physical attack, and it can be configured with a self-destruct mechanism, which effectively prevents cracking by hackers and greatly improves the security of the fingerprint template data. On the other hand, because the second fingerprint template fragment is only part of the fingerprint template data, the volume of data is reduced, which ensures that the security chip can store it.
Referring to Fig. 4, a structural block diagram of a mobile terminal according to another embodiment of the present invention is shown.
The mobile terminal is configured with a processor 410 and a security chip 420.
The processor 410 provides a virtual secure core 411 and a non-secure core 412.
A security domain 4111 runs in the secure core 411 and a non-secure domain 4121 runs in the non-secure core 412, wherein the security domain 4111 can access the security chip 420.
The first fingerprint template fragment is stored in the security domain 4111 and the second fingerprint template fragment is stored in the security chip 420, wherein the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
In the embodiments of the present invention, a monitor (Monitor) 430 runs in the security domain 4111, and an application 440 runs in the non-secure domain 4121.
The monitor (Monitor) 430 can be used to switch from the non-secure domain 4121 to the security domain 4111, or from the security domain 4111 to the non-secure domain 4121.
In a specific implementation, the application 440 in the non-secure domain 4121 may enter the monitor (Monitor) 430 by means of the SMC instruction or a subset of the hardware exception mechanisms; exceptions such as IRQ (Interrupt Request), FIQ (Fast Interrupt Request), external data abort and external prefetch abort may also be configured to enter the monitor (Monitor) 430.
The monitor (Monitor) 430 saves the context of the non-secure domain 4121, then enters the privileged mode of the security domain 4111, then enters the user mode of the security domain 4111 and executes the corresponding security service.
The user mode and the privileged mode of the security domain 4111 are separated here because the execution environment in privileged mode is generally at system level while the security services in user mode are at application level, and the two usually come from different providers.
That is, the execution environment of the security domain 4111 manages the services and applications of user mode and provides programming interfaces to them.
In TrustZone, the coprocessor CP15 of the processor 410 has a Secure Configuration Register (SCR). This register has an NS bit (the security bit), and the NS bit indicates the domain the processor 410 is currently in.
If NS=0, the processor 410 is in the security domain 4111; if NS=1, the processor 410 is in the non-secure domain 4121. The monitor (Monitor) 430 switches between the security domain 4111 and the non-secure domain 4121 by changing the NS bit.
Whether the processor 410 is in the security domain 4111 is independent of the user mode and privileged mode of the processor 410. That is, an application running in the non-secure domain 4121 belongs to the non-secure domain 4121 whether it is in user mode or in privileged mode. Conversely, programs in the security domain 4111 also have a user mode and a privileged mode.
Both the security domain 4111 and the non-secure domain 4121 have user and privileged modes, and each mode has different permissions. The NS bit can only be changed by software running in the security domain 4111 in privileged mode; when the processor 410 is in the non-secure domain 4121 it cannot access the SCR register.
When the security service is completed, the monitor (Monitor) 430 can change the NS bit of the SCR and restore the context of the non-secure domain 4121.
Of course, an application running in the security domain 4111 also has the right to change the NS bit of the SCR register, and may likewise change the NS bit of the SCR and restore the context of the non-secure domain 4121; the embodiments of the present invention place no limitation on this.
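The access rules just described can be stated as a small software model. The following Python sketch is an added example, not part of the patent text: it models the NS bit, the monitor's save/switch/restore sequence and the two refusals (no SCR access from the non-secure domain, no NS change from user mode). All class and function names are hypothetical, and treating the monitor as allowed to write the SCR while NS is still 1 is a modelling assumption that mirrors how the switch is described above.

```python
# Added illustration (not from the patent): a software model of the world switch.
# Real hardware enforces these rules; every name below is hypothetical.

class SecureAccessError(Exception):
    """An SCR access that the rules described in the text do not allow."""


class Processor:
    def __init__(self):
        self.ns = 1                  # NS=1: non-secure domain, NS=0: security domain
        self.privileged = False      # user mode vs. privileged mode
        self.in_monitor = False      # set while the monitor handles a switch
        self.registers = {"r0": 0, "r1": 0}   # constructed, minimal context

    def smc(self):
        """Enter the monitor, as the SMC instruction or a configured exception does."""
        self.in_monitor = True
        self.privileged = True

    def write_ns(self, value):
        """Change the NS bit of the SCR, subject to the access rules in the text."""
        if self.ns == 1 and not self.in_monitor:
            raise SecureAccessError("SCR is not accessible from the non-secure domain")
        if not self.privileged:
            raise SecureAccessError("NS can only be changed in privileged mode")
        self.ns = value


class Monitor:
    def __init__(self, cpu):
        self.cpu = cpu

    def call_secure_service(self, service, *args):
        """Save the non-secure context, run one security service, switch back."""
        cpu = self.cpu
        cpu.smc()
        saved = dict(cpu.registers)      # save the non-secure context
        cpu.write_ns(0)                  # processor is now in the security domain
        cpu.in_monitor = False           # privileged mode of the security domain
        cpu.privileged = False           # then user mode, where the service runs
        try:
            return service(cpu, *args)
        finally:
            cpu.smc()                    # back into the monitor
            cpu.write_ns(1)
            cpu.registers = saved        # restore the non-secure context
            cpu.in_monitor = False
            cpu.privileged = False


def sample_service(cpu, value):
    """Constructed security service: clobbers a register, then returns a result."""
    cpu.registers["r0"] = 0xDEAD         # secure-side scratch value
    return (cpu.ns, value * 2)


def try_write_ns(cpu, value):
    """Return True if the model allowed the NS write, False if it refused."""
    try:
        cpu.write_ns(value)
        return True
    except SecureAccessError:
        return False
```

The register restore in the finally branch is what keeps a secure-side scratch value from leaking back into the non-secure context, including when the service raises.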
In the embodiments of the present invention, a fingerprint sensor 450 is configured in the mobile terminal and can be used to collect fingerprint data. The fingerprint sensor may be an independent component installed at a position such as the front, side or back of the mobile terminal, or it may be integrated into another component, such as the screen.
In a specific implementation, according to the fingerprint imaging principle and technology used, the fingerprint sensor 450 may be an optical fingerprint sensor, a semiconductor capacitive sensor, a semiconductor thermal sensor, a semiconductor pressure sensor, an ultrasonic sensor, a radio-frequency sensor, and so on; the embodiments of the present invention place no limitation on this.
Referring to Fig. 5, a flow chart of the steps of a fingerprint authentication method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 501: collect target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application.
In a specific implementation, the embodiments of the present invention can be applied in a mobile terminal, for example a mobile phone, a tablet computer, a personal digital assistant, a wearable device (such as glasses or a watch), and so on.
The operating systems of these mobile terminals may include Android, iOS, Windows Phone, Windows, and so on.
In the embodiments of the present invention, the mobile terminal has a non-secure domain and a security domain that are isolated from each other, wherein the security domain can access the security chip.
To extend the functions of the operating system of the mobile terminal, users generally install various applications in it, for example instant messaging tools, browsers, video players, audio players, mail clients, shopping applications, payment applications, and so on.
These applications run in the non-secure domain and can use fingerprint authentication to perform operations such as quick payment, unlocking and decryption.
On the one hand, these applications can prompt the user in the UI (User Interface) to press a finger on the fingerprint sensor; the user presses a finger on the fingerprint sensor as prompted, and the fingerprint sensor collects the fingerprint data as the target fingerprint data.
The target fingerprint data is the object to be verified; in essence it is fingerprint data.
On the other hand, these applications can send a fingerprint authentication request to the relevant process in the non-secure domain.
The relevant process in the non-secure domain can, according to the fingerprint authentication request, obtain the target fingerprint data collected by the fingerprint sensor.
Step 502: switch from the non-secure domain to the security domain.
The monitor (Monitor) can switch from the non-secure domain to the security domain, so that the relevant service in the security domain can be called to perform fingerprint authentication.
Step 503: extract the first fingerprint template fragment in the security domain, and send the first fingerprint template fragment and the target fingerprint data to the security chip.
In a specific implementation, the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data; the first fingerprint template fragment is stored in the security domain and the second fingerprint template fragment is stored in the security chip.
Before fingerprint authentication is performed, the pre-stored first fingerprint template fragment can be extracted in the security domain and sent to the security chip according to the communication protocol of the security chip.
In one embodiment of the present invention, step 503 may include the following sub-steps:
Sub-step S11: perform a legitimacy check on the application in the security domain;
Sub-step S12: when the application passes the legitimacy check, extract the first fingerprint template fragment from the file system of the security domain.
In the embodiments of the present invention, to ensure the security of the security domain, a legitimacy check can be performed on an application that calls the fingerprint authentication service of the security domain.
If the application passes the legitimacy check, it is determined to be a legitimate application, and the first fingerprint template fragment can be extracted from the file system of the security domain (such as FTS) and sent to the security chip for fingerprint authentication.
If the application does not pass the legitimacy check, it is determined to be an illegitimate application, and the fingerprint authentication request it sent can be ignored.
In one example, a legitimate application can obtain certification and authorization in advance, for example from an organization such as the system developer or the handset manufacturer.
Through certification and authorization, a uniquely identifying public key can be obtained and used to digitally sign the application, to mark the legitimacy and security of the application.
Because the public key is uniquely identifying, when the application is installed a unique identity Uid can be generated for the application from the public key and stored in the security domain.
For an application that sends a fingerprint authentication request, its process information can be obtained. In the process information of a non-system application, the application name generally begins with app followed by a number, and the unique identity Uid of the application can be looked up by that number and compared with the unique identity Uid stored in the security domain. If the two are the same, the application can be judged to be a legitimate application and passes the legitimacy check; if the two differ, the application can be judged to be an illegitimate application and does not pass the legitimacy check.
Of course, the legitimacy check described above is only an example. When implementing an embodiment of the present invention, other legitimacy checks may be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may use other legitimacy checks according to actual needs, and the embodiments of the present invention place no limitation on this either.
Step 504: extract the second fingerprint template fragment in the security chip, and perform fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment.
In a specific implementation, the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data, and the second fingerprint template fragment is stored in the security chip.
The relevant service in the security chip can use the first fingerprint template fragment and the second fingerprint template fragment to perform fingerprint authentication on the target fingerprint data and obtain the corresponding result.
Further, the target fingerprint data can be pre-processed by fingerprint region detection, image quality judgment, orientation map and frequency estimation, image enhancement, fingerprint image binarization and thinning, and so on, to improve the efficiency of subsequent processing.
After pre-processing, a line drawing of the fingerprint image is obtained. Feature information is extracted from the line drawing and compared with the feature information of the first fingerprint template fragment and the second fingerprint template fragment using, for example, a point pattern matching algorithm or a texture pattern matching algorithm, to judge whether the current user is a legitimate user or an illegitimate user.
In one embodiment of the present invention, step 504 may include the following sub-steps:
Sub-step S21: combine the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset split rule;
Sub-step S22: match the fingerprint template data against the target fingerprint data;
Sub-step S23: when the fingerprint template data is successfully matched with the target fingerprint data, judge that fingerprint authentication succeeds;
Sub-step S24: when matching of the fingerprint template data with the target fingerprint data fails, judge that fingerprint authentication fails.
In the embodiments of the present invention, the rule used to split the fingerprint template data can be applied in reverse to restore the first fingerprint template fragment and the second fingerprint template fragment to the fingerprint template data, which is then matched against the target fingerprint data.
If the two match successfully, fingerprint authentication is determined to have succeeded; conversely, if matching fails, fingerprint authentication is determined to have failed.
In one combination example of the embodiments of the present invention, a fingerprint base plate can be generated; the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment are determined respectively; and the first fingerprint template fragment and the second fingerprint template fragment are written at the first position and the second position of the fingerprint base plate respectively, obtaining the fingerprint template data.
In this example, the data at the first position in the fingerprint template data may be set as the first fingerprint template fragment. For example, the first position may be the position to the left of the dashed line 220 in the fingerprint template data 310 shown in Fig. 3A, the position outside the circle 330 in the fingerprint template data 310 shown in Fig. 3B, and so on.
The data at the second position in the fingerprint template data is set as the second fingerprint template fragment. For example, the second position may be the position to the right of the dashed line 220 in the fingerprint template data 310 shown in Fig. 3A, the position inside the circle 330 in the fingerprint template data 310 shown in Fig. 3B, and so on.
Of course, the way of synthesizing the fingerprint template data described above is only an example. When implementing an embodiment of the present invention, other ways of synthesizing the fingerprint template data may be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may use other ways of synthesizing the fingerprint template data according to actual needs, and the embodiments of the present invention place no limitation on this either.
Therefore, in this example, a fingerprint base plate can be generated, which may be image data such as a bitmap.
When synthesizing the fingerprint template data, a fingerprint base plate of the same size as the normalized fingerprint template data can be drawn in memory; the first fingerprint template fragment is drawn at the first position on the fingerprint base plate and the second fingerprint template fragment is drawn at the second position on the fingerprint base plate.
After the fingerprint template data has been synthesized, it can be matched against the target fingerprint data.
In another embodiment of the present invention, step 504 may include the following sub-steps:
Sub-step S31: split the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset split rule;
Sub-step S32: match the first fingerprint template fragment against the first target fingerprint fragment;
Sub-step S33: match the second fingerprint template fragment against the second target fingerprint fragment;
Sub-step S34: when the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment, judge that fingerprint authentication succeeds;
Sub-step S35: when matching of the first fingerprint template fragment with the first target fingerprint fragment and/or of the second fingerprint template fragment with the second target fingerprint fragment fails, judge that fingerprint authentication fails.
In the embodiments of the present invention, the target fingerprint data can be split into a first target fingerprint fragment and a second target fingerprint fragment according to the same rule used to split the fingerprint template data.
In one example, for the fingerprint template data 310 shown in Fig. 3A, if it was split along the dashed line 220 into the first fingerprint template fragment 311 and the second fingerprint template fragment 312, the target fingerprint data can be split with reference to the dashed line 220: the data on the left is the first target fingerprint fragment and the data on the right is the second target fingerprint fragment.
In another example, for the fingerprint template data 310 shown in Fig. 3B, which is split along the circle 330 into the first fingerprint template fragment 313 and the second fingerprint template fragment 314, the target fingerprint data can be split with reference to the circle 330: the data outside the circle is the first target fingerprint fragment and the data inside the circle is the second target fingerprint fragment.
Of course, the way of splitting the target fingerprint data described above is only an example. When implementing an embodiment of the present invention, other ways of splitting the target fingerprint data may be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may use other ways of splitting the target fingerprint data according to actual needs, and the embodiments of the present invention place no limitation on this either.
After the target fingerprint data has been split into the first target fingerprint fragment and the second target fingerprint fragment, they can be matched against the first fingerprint template fragment and the second fingerprint template fragment respectively.
If both pairs match successfully, fingerprint authentication is determined to have succeeded; conversely, if either pair fails to match, fingerprint authentication is determined to have failed.
In one split example of the embodiments of the present invention, the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment can be determined, and the first target fingerprint fragment and the second target fingerprint fragment are extracted at the first position and the second position of the target fingerprint data respectively.
In this example, the data at the first position in the fingerprint template data may be set as the first fingerprint template fragment. For example, the first position may be the position to the left of the dashed line 220 in the fingerprint template data 310 shown in Fig. 3A, the position outside the circle 330 in the fingerprint template data 310 shown in Fig. 3B, and so on.
The data at the second position in the fingerprint template data is set as the second fingerprint template fragment. For example, the second position may be the position to the right of the dashed line 220 in the fingerprint template data 310 shown in Fig. 3A, the position inside the circle 330 in the fingerprint template data 310 shown in Fig. 3B, and so on.
Therefore, in this example, the data at the first position in the target fingerprint data can be set as the first target fingerprint fragment, and the data at the second position in the target fingerprint data can be set as the second target fingerprint fragment.
In one case, the first position and the second position may be absolute positions. To improve matching accuracy, multiple first fingerprint template fragments or second fingerprint template fragments may be set, so that multiple first target fingerprint fragments or second target fingerprint fragments can correspondingly be extracted for matching.
In another case, the first position and the second position may be relative positions: one or more feature positions are set in the fingerprint template data, and the target coordinates of the first position or the second position relative to the feature position are recorded. The feature position can therefore be searched for in the target fingerprint data; if it is found, the first target fingerprint fragment or the second target fingerprint fragment can be extracted at the target coordinates relative to the feature position for matching.
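The following Python sketch is an added example, not part of the patent text. It models the split storage with absolute positions and both verification variants: recombination on a base plate (sub-steps S21 to S24) and fragment-wise matching (sub-steps S31 to S35), using a circular split rule like the one in Fig. 3B. The 16x16 bitmap, the circle parameters, the 0.90 threshold, the class names and the pixel-agreement matcher are assumptions made for illustration; the matcher stands in for the point pattern or texture pattern matching the text mentions.

```python
# Added illustration (not from the patent): split storage and two verification modes.
# Assumptions: 16x16 binary bitmap, circular split rule, pixel-agreement matcher.
SIZE = 16
CENTER, RADIUS = (8, 8), 5      # assumed split rule, modelled on circle 330 of Fig. 3B
THRESHOLD = 0.90                # assumed minimum agreement for a match

def in_second_position(x, y):
    """True if the pixel lies inside the circle, i.e. in the second fragment."""
    return (x - CENTER[0]) ** 2 + (y - CENTER[1]) ** 2 <= RADIUS ** 2

def split(bitmap):
    """Apply the split rule; each fragment maps (x, y) -> bit."""
    first, second = {}, {}
    for y, row in enumerate(bitmap):
        for x, bit in enumerate(row):
            (second if in_second_position(x, y) else first)[(x, y)] = bit
    return first, second

def combine(first, second):
    """Sub-step S21: write both fragments at their positions on a blank base plate."""
    plate = [[0] * SIZE for _ in range(SIZE)]
    for fragment in (first, second):
        for (x, y), bit in fragment.items():
            plate[y][x] = bit
    return plate

def agreement(pairs):
    """Fraction of (template bit, target bit) pairs that are equal."""
    pairs = list(pairs)
    return sum(a == b for a, b in pairs) / len(pairs)

class SecurityChip:
    """Stand-in for the security chip: the only holder of the second fragment."""
    def __init__(self):
        self._second = None

    def enroll(self, template):
        """Split inside the chip, keep fragment 2, hand fragment 1 back."""
        first, self._second = split(template)
        return first

    def verify_combined(self, first, target):
        """Sub-steps S21-S24: rebuild the whole template, then match once."""
        full = combine(first, self._second)
        return agreement(zip(sum(full, []), sum(target, []))) >= THRESHOLD

    def verify_fragments(self, first, target):
        """Sub-steps S31-S35: split the target the same way; both pairs must match."""
        t_first, t_second = split(target)
        pairs = ((first, t_first), (self._second, t_second))
        return all(agreement((tpl[k], tgt[k]) for k in tpl) >= THRESHOLD
                   for tpl, tgt in pairs)

class SecurityDomain:
    """Stand-in for the TrustZone security domain: holds only the first fragment."""
    def __init__(self, chip):
        self._chip, self._first = chip, None

    def enroll(self, template):
        self._first = self._chip.enroll(template)

    def verify(self, target, fragment_wise=False):
        if self._first is None:
            return False                         # nothing enrolled: fail closed
        if len(target) != SIZE or any(len(row) != SIZE for row in target):
            return False                         # malformed capture: fail closed
        check = (self._chip.verify_fragments if fragment_wise
                 else self._chip.verify_combined)
        return check(self._first, target)

def flipped(bitmap, coords):
    """Copy of bitmap with the bits at coords inverted (constructed noise)."""
    out = [row[:] for row in bitmap]
    for x, y in coords:
        out[y][x] ^= 1
    return out

# Constructed sample data, not real fingerprints.
TEMPLATE = [[int((x + 2 * y) % 4 < 2) for x in range(SIZE)] for y in range(SIZE)]
GENUINE = flipped(TEMPLATE, [(0, 0), (15, 15), (8, 8), (3, 12), (12, 3)])
IMPOSTOR = [[int((2 * x + y) % 4 < 2) for x in range(SIZE)] for y in range(SIZE)]
INNER = sorted(split(TEMPLATE)[1])
CORE_MISMATCH = flipped(TEMPLATE, INNER[:20])    # correct outside, wrong inside

if __name__ == "__main__":
    domain = SecurityDomain(SecurityChip())
    domain.enroll(TEMPLATE)
    for name, target in [("genuine", GENUINE), ("impostor", IMPOSTOR),
                         ("core mismatch", CORE_MISMATCH)]:
        print(name, domain.verify(target), domain.verify(target, fragment_wise=True))
```

With these assumed parameters the core-mismatch sample is accepted by the combined check and rejected by the fragment-wise check, because the smaller fragment held in the chip is judged against the threshold on its own.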
Referring to Fig. 6, a flow chart of the steps of a fingerprint authentication method according to another embodiment of the present invention is shown, which may specifically include the following steps:
Step 601: collect fingerprint template data in the non-secure domain according to a fingerprint enrollment request from an application.
In a specific implementation, the embodiments of the present invention can be applied in a mobile terminal that has a non-secure domain and a security domain isolated from each other, wherein the security domain can access the security chip.
To extend the functions of the operating system of the mobile terminal, users generally install various applications in it, for example instant messaging tools, browsers, video players, audio players, mail clients, shopping applications, payment applications, and so on.
These applications run in the non-secure domain and can use fingerprint authentication to perform operations such as quick payment, unlocking and decryption.
On the one hand, for a legitimate user, these applications can prompt the user in the UI to enroll fingerprint data through the fingerprint sensor; the user presses a finger on the fingerprint sensor as prompted, and the fingerprint sensor collects the fingerprint data as the fingerprint template data for later comparison.
The fingerprint template data is the reference used for verification; in essence it is fingerprint data.
On the other hand, these applications can send a fingerprint enrollment request to the relevant process in the non-secure domain.
The relevant process in the non-secure domain can, according to the fingerprint enrollment request, obtain the fingerprint template data collected by the fingerprint sensor.
Step 602: switch from the non-secure domain to the security domain.
The monitor (Monitor) can switch from the non-secure domain to the security domain, so that the relevant service in the security domain can be called to store the fingerprint template data.
Step 603: send the fingerprint template data to the security chip in the security domain.
In the security domain, the fingerprint template data can be sent to the security chip according to the communication protocol of the security chip.
Step 604: in the security chip, split the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset split rule, and return the second fingerprint template fragment to the security domain.
In the security chip, the fingerprint template data can be split into the first fingerprint template fragment and the second fingerprint template fragment according to a certain split rule; the first fingerprint template fragment is returned to the security domain and stored in a location such as the FTS file system, and the second fingerprint template fragment is stored locally in the security chip.
In one split example of the embodiments of the present invention, the first fingerprint template fragment can be extracted from the first position in the fingerprint template data, and the second fingerprint template fragment can be extracted from the second position in the fingerprint template data.
In this example, the first position in the fingerprint template data can be split out as the first fingerprint template fragment, and the second position in the fingerprint template data can be split out as the second fingerprint template fragment.
For example, the fingerprint template data 310 shown in Fig. 3A is split along the dashed line 220: the data on the left is the first fingerprint template fragment 311 and the data on the right is the second fingerprint template fragment 312.
As another example, the fingerprint template data 310 shown in Fig. 3B is split along the circle 330: the data outside the circle is the first fingerprint template fragment 313 and the data inside the circle is the second fingerprint template fragment 314.
Of course, the way of splitting the fingerprint template data described above is only an example. When implementing an embodiment of the present invention, other ways of splitting the fingerprint template data may be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may use other ways of splitting the fingerprint template data according to actual needs, and the embodiments of the present invention place no limitation on this either.
It should be noted that, whether storing the fingerprint template data succeeds or fails, the monitor (Monitor) can switch from the security domain to the non-secure domain, so that the application in the non-secure domain can act on the result of storing the fingerprint template data.
Step 605: collect target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application.
Step 606: switch from the non-secure domain to the security domain.
Step 607: extract the first fingerprint template fragment in the security domain, and send the first fingerprint template fragment and the target fingerprint data to the security chip.
Step 608: extract the second fingerprint template fragment in the security chip, and perform fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment.
The first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
Step 609: return the result of the fingerprint authentication from the security chip to the security domain.
Step 610: switch from the security domain to the non-secure domain.
Step 611: return the result of the fingerprint authentication to the application in the non-secure domain.
After fingerprint authentication, the security chip can return the result of the fingerprint authentication to the security domain according to its communication protocol.
The monitor (Monitor) can switch from the security domain to the non-secure domain 510, so that the application in the non-secure domain can act on the result of the fingerprint authentication.
If fingerprint authentication succeeds, operations such as payment, unlocking and decryption can be performed.
If fingerprint authentication fails, operations such as payment, unlocking and decryption can be forbidden, and the user is prompted that fingerprint authentication failed.
If the number of fingerprint authentication failures exceeds a certain threshold (such as 5 times), an alarm operation such as freezing the account can be carried out.
The method embodiments are, for simplicity of description, expressed as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Fig. 7, a structural block diagram of a fingerprint authentication device according to an embodiment of the present invention is shown. The device is applied in a mobile terminal that has a non-secure domain and a security domain isolated from each other, and the security domain can access a security chip. The device may specifically include the following modules:
Authentication request processing module 701, for collecting target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application;
First security domain switching module 702, for switching from the non-secure domain to the security domain;
Fingerprint template fragment transmission module 703, for extracting the first fingerprint template fragment in the security domain and sending the first fingerprint template fragment and the target fingerprint data to the security chip;
Fingerprint authentication module 704, for extracting the second fingerprint template fragment in the security chip and performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
In one embodiment of the present invention, the fingerprint template fragment transmission module 703 includes:
Legitimacy check submodule, for performing a legitimacy check on the application in the security domain;
Fingerprint template fragment extraction submodule, for extracting the first fingerprint template fragment from the file system of the security domain when the application passes the legitimacy check.
In one embodiment of the present invention, the fingerprint authentication module 704 includes:
Fingerprint combination submodule, for combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset split rule;
Template matching submodule, for matching the fingerprint template data against the target fingerprint data;
First decision submodule, for judging that fingerprint authentication succeeds when the fingerprint template data is successfully matched with the target fingerprint data;
Second decision submodule, for judging that fingerprint authentication fails when matching of the fingerprint template data with the target fingerprint data fails.
In one example of the embodiments of the present invention, the fingerprint combination submodule includes:
Base plate generation unit, for generating a fingerprint base plate;
Template position determination unit, for determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment respectively;
Base plate writing unit, for writing the first fingerprint template fragment and the second fingerprint template fragment at the first position and the second position of the fingerprint base plate respectively, obtaining the fingerprint template data.
In another embodiment of the present invention, the fingerprint authentication module 704 includes:
Target fingerprint splitting submodule, for splitting the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset split rule;
First fragment matching submodule, for matching the first fingerprint template fragment against the first target fingerprint fragment;
Second fragment matching submodule, for matching the second fingerprint template fragment against the second target fingerprint fragment;
Third decision submodule, for judging that fingerprint authentication succeeds when the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment;
Fourth decision submodule, for judging that fingerprint authentication fails when matching of the first fingerprint template fragment with the first target fingerprint fragment and/or of the second fingerprint template fragment with the second target fingerprint fragment fails.
In one example of the embodiments of the present invention, the target fingerprint splitting submodule includes:
Fragment position determination unit, for determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
Target fingerprint fragment extraction unit, for extracting the first target fingerprint fragment and the second target fingerprint fragment at the first position and the second position of the target fingerprint data respectively.
Referring to Fig. 8, a structural block diagram of a fingerprint authentication device according to another embodiment of the present invention is shown. The device is applied to a mobile terminal that has a non-secure domain and a security domain isolated from each other, and the security domain accesses a safety chip. The device may specifically include the following modules:
Enrollment request processing module 801, configured to collect fingerprint template data in the non-secure domain according to a fingerprint enrollment request from an application;
Second security domain handover module 802, configured to switch from the non-secure domain to the security domain;
Fingerprint template data transmission module 803, configured to send the fingerprint template data to the safety chip in the security domain;
Fingerprint template splitting module 804, configured to split, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset splitting rule, and to return the second fingerprint template fragment to the security domain.
Verification request processing module 805, configured to collect target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application;
First security domain handover module 806, configured to switch from the non-secure domain to the security domain;
Fingerprint template fragment transmission module 807, configured to extract the first fingerprint template fragment in the security domain and send the first fingerprint template fragment and the target fingerprint data to the safety chip;
Fingerprint authentication module 808, configured to extract the second fingerprint template fragment in the safety chip and perform fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
First result return module 809, configured to return the result of the fingerprint authentication to the security domain in the safety chip;
Non-secure domain handover module 810, configured to switch from the security domain to the non-secure domain;
Second result return module 811, configured to return the result of the fingerprint authentication to the application in the non-secure domain.
In one embodiment of the invention, the fingerprint template splitting module 804 includes:
First template fragment extraction submodule, configured to extract the first fingerprint template fragment from the first position in the fingerprint template data;
Second template fragment extraction submodule, configured to extract the second fingerprint template fragment from the second position in the fingerprint template data.
Because the device embodiments are substantially similar to the method embodiments, they are described only briefly; for related details, refer to the description of the method embodiments.
An embodiment of the present invention further provides a mobile terminal, as shown in Fig. 9. For ease of description, only the parts related to the embodiment of the present invention are shown; for specific technical details that are not disclosed, refer to the method part of the embodiments of the present invention. The terminal may be any terminal device, including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, a vehicle-mounted computer and the like. The following takes a mobile phone as an example:
Fig. 9 is a block diagram of part of the structure of a mobile phone related to the terminal provided by the embodiment of the present invention. Referring to Fig. 9, the mobile phone includes components such as a radio frequency (Radio Frequency, RF) circuit 910, a memory 920, an input unit 930, a display unit 940, a sensor 950, an audio circuit 960, a wireless fidelity (WiFi) module 970, a processor 980, a power supply 990 and a safety chip 991. Those skilled in the art will understand that the handset structure shown in Fig. 9 does not limit the mobile phone, which may include more or fewer components than shown, combine some components, or arrange the components differently.
The components of the mobile phone are described in detail below with reference to Fig. 9:
The RF circuit 910 can be used to receive and send signals while sending and receiving information or during a call. In particular, after receiving downlink information from a base station, it passes the information to the processor 980 for processing; in addition, it sends the designed uplink data to the base station. Generally, the RF circuit 910 includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low-noise amplifier (Low Noise Amplifier, LNA), a duplexer and the like. The RF circuit 910 can also communicate with networks and other devices by radio communication. The radio communication can use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and the like.
The memory 920 can be used to store software programs and modules. The processor 980 runs the software programs and modules stored in the memory 920 to perform the various functional applications and data processing of the mobile phone. The memory 920 can mainly include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required by at least one function (such as a sound playing function or an image playing function), and the data storage area can store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 920 can include high-speed random access memory and can also include nonvolatile memory, for example at least one disk storage device, a flash memory device or another volatile solid-state storage device.
The input unit 930 can be used to receive input digit or character information and to generate key signal input related to the user settings and function control of the mobile phone. Specifically, the input unit 930 may include a touch panel 931 and other input devices 932. The touch panel 931, also called a touch screen, can collect touch operations by the user on or near it (such as operations performed on or near the touch panel 931 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. Optionally, the touch panel 931 may include two parts: a touch detection device and a touch controller. The touch detection device detects the user's touch position, detects the signal produced by the touch operation, and passes the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 980, and can receive and execute commands sent by the processor 980. The touch panel 931 can be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 931, the input unit 930 can also include other input devices 932. Specifically, the other input devices 932 can include but are not limited to one or more of a physical keyboard, function keys (such as a volume control button or a switch key), a trackball, a mouse, a joystick and the like.
The display unit 940 can be used to display information entered by the user or information provided to the user, as well as the various menus of the mobile phone. The display unit 940 may include a display panel 941, which can optionally be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED) or the like. Further, the touch panel 931 can cover the display panel 941. When the touch panel 931 detects a touch operation on or near it, it passes the operation to the processor 980 to determine the type of the touch event, and the processor 980 then provides the corresponding visual output on the display panel 941 according to the type of the touch event. Although in Fig. 9 the touch panel 931 and the display panel 941 implement the input and output functions of the mobile phone as two independent components, in some embodiments the touch panel 931 and the display panel 941 can be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 950, such as a fingerprint sensor, an optical sensor, a motion sensor and other sensors. Specifically, the fingerprint sensor can be used to collect fingerprint data. The optical sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display panel 941 according to the ambient light level, and the proximity sensor can turn off the display panel 941 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications that recognize the attitude of the mobile phone (such as switching between portrait and landscape, related games and magnetometer attitude calibration), for vibration-recognition functions (such as a pedometer or tapping) and so on. Other sensors that can also be configured on the mobile phone, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described here.
The audio circuit 960, a loudspeaker 961 and a microphone 962 can provide an audio interface between the user and the mobile phone. The audio circuit 960 can convert received audio data into an electrical signal and transmit it to the loudspeaker 961, which converts it into a sound signal for output. In the other direction, the microphone 962 converts a collected sound signal into an electrical signal, which the audio circuit 960 receives and converts into audio data; after the audio data is output to the processor 980 and processed, it is sent through the RF circuit 910 to, for example, another mobile phone, or output to the memory 920 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 970 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband Internet access. Although Fig. 9 shows the WiFi module 970, it is understood that the module is not an essential component of the mobile phone and can be omitted as needed without changing the essence of the invention.
The processor 980 is the control center of the mobile phone. It connects the various parts of the whole mobile phone through various interfaces, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 920 and calling the data stored in the memory 920, thereby monitoring the mobile phone as a whole. Optionally, the processor 980 may include one or more processing units. Preferably, the processor 980 can integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles radio communication. It is understood that the modem processor may also not be integrated into the processor 980.
The mobile phone also includes a power supply 990 (such as a battery) that powers all the components. Preferably, the power supply can be logically connected to the processor 980 through a power management system, so that functions such as charging management, discharging management and power consumption management are implemented through the power management system.
Although not shown, the mobile phone can also include a camera, a Bluetooth module and the like, which are not described here.
In the embodiment of the present invention, the terminal is a mobile terminal that has a non-secure domain and a security domain isolated from each other, and the security domain accesses the safety chip. The processor 980 included in the terminal also has the following functions:
Collecting target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application;
Switching from the non-secure domain to the security domain;
Extracting the first fingerprint template fragment in the security domain, and sending the first fingerprint template fragment and the target fingerprint data to the safety chip;
Extracting the second fingerprint template fragment in the safety chip, and performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
Optionally, the processor 980 included in the terminal also has the following functions:
Performing legitimacy verification on the application in the security domain;
When the application passes the legitimacy verification, extracting the first fingerprint template fragment from the file system of the security domain.
Optionally, the processor 980 included in the terminal also has the following functions:
Combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset splitting rule;
Matching the fingerprint template data against the target fingerprint data;
When the fingerprint template data matches the target fingerprint data, determining that fingerprint authentication succeeds;
When the fingerprint template data fails to match the target fingerprint data, determining that fingerprint authentication fails.
Optionally, the processor 980 included in the terminal also has the following functions:
Generating a fingerprint base plate;
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment respectively;
Writing the first fingerprint template fragment and the second fingerprint template fragment at the first position and the second position of the fingerprint base plate respectively, to obtain the fingerprint template data.
Optionally, the processor 980 included in the terminal also has the following functions:
Splitting the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule;
Matching the first fingerprint template fragment against the first target fingerprint fragment;
Matching the second fingerprint template fragment against the second target fingerprint fragment;
When the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment, determining that fingerprint authentication succeeds;
When the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment, determining that fingerprint authentication fails.
Optionally, the processor 980 included in the terminal also has the following functions:
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
Extracting the first target fingerprint fragment and the second target fingerprint fragment at the first position and the second position of the target fingerprint data respectively.
Optionally, the processor 980 included in the terminal also has the following functions:
Returning the result of the fingerprint authentication to the security domain in the safety chip;
Switching from the security domain to the non-secure domain;
Returning the result of the fingerprint authentication to the application in the non-secure domain.
Optionally, the processor 980 included in the terminal also has the following functions:
Collecting fingerprint template data in the non-secure domain according to a fingerprint enrollment request from an application;
Switching from the non-secure domain to the security domain;
Sending the fingerprint template data to the safety chip in the security domain;
Splitting, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset splitting rule, and returning the second fingerprint template fragment to the security domain.
Optionally, the processor 980 included in the terminal also has the following functions:
Extracting the first fingerprint template fragment from the first position in the fingerprint template data;
Extracting the second fingerprint template fragment from the second position in the fingerprint template data.
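The enrollment and verification functions listed above, modeled end to end as an added Python example (not code from the patent): the safety chip splits the template, keeps one fragment and hands the other to the security domain, and verification is run both by recombining on a base plate and by fragment-wise matching. The byte positions, which fragment is stored where, the threshold, the byte-equality matcher, the application identifiers and all class and function names are assumptions.

```python
# Added illustration; not code from the patent. Positions, sizes, the
# threshold and the byte-equality matcher are assumptions.
TEMPLATE_LEN = 32
DOMAIN_POS = (0, 20)   # (offset, length) of the fragment kept in the security domain
CHIP_POS = (20, 12)    # (offset, length) of the fragment kept in the safety chip
THRESHOLD = 0.9        # stand-in for a real matcher's score cut-off


def similarity(a, b):
    """Stand-in matcher: fraction of equal bytes; 0.0 on any size mismatch."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def cut(data, pos):
    """Extract the fragment at pos=(offset, length)."""
    off, length = pos
    return data[off:off + length]


class SafetyChip:
    """Splits at enrollment; combines or splits-and-matches at verification."""

    def __init__(self):
        self._kept = None

    def enroll(self, template):
        if len(template) != TEMPLATE_LEN:
            raise ValueError("unexpected template size")
        self._kept = cut(template, CHIP_POS)
        return cut(template, DOMAIN_POS)        # goes back to the security domain

    def _inputs_ok(self, domain_fragment, target):
        return (self._kept is not None and domain_fragment is not None
                and len(domain_fragment) == DOMAIN_POS[1]
                and len(target) == TEMPLATE_LEN)

    def verify_combined(self, domain_fragment, target):
        if not self._inputs_ok(domain_fragment, target):
            return False                        # fail closed on bad input
        plate = bytearray(TEMPLATE_LEN)         # the "fingerprint base plate"
        plate[DOMAIN_POS[0]:DOMAIN_POS[0] + DOMAIN_POS[1]] = domain_fragment
        plate[CHIP_POS[0]:CHIP_POS[0] + CHIP_POS[1]] = self._kept
        return similarity(bytes(plate), target) >= THRESHOLD

    def verify_fragmentwise(self, domain_fragment, target):
        if not self._inputs_ok(domain_fragment, target):
            return False
        return (similarity(domain_fragment, cut(target, DOMAIN_POS)) >= THRESHOLD
                and similarity(self._kept, cut(target, CHIP_POS)) >= THRESHOLD)


class SecurityDomain:
    """Stores one fragment and checks the calling application before using it."""

    def __init__(self, chip, trusted_apps):
        self._chip = chip
        self._trusted = frozenset(trusted_apps)
        self._fs = {}                           # stands in for the domain's file system

    def enroll(self, template):
        self._fs["fragment"] = self._chip.enroll(template)

    def verify(self, app_id, target, fragmentwise=False):
        if app_id not in self._trusted:         # legitimacy check comes first
            return False
        fragment = self._fs.get("fragment")
        if fragmentwise:
            return self._chip.verify_fragmentwise(fragment, target)
        return self._chip.verify_combined(fragment, target)


def demo():
    """Non-secure domain side: constructed samples passed into the security domain."""
    template = bytes(range(TEMPLATE_LEN))       # constructed sample template
    genuine = b"\xff" + template[1:]            # 1 of 32 bytes differs
    impostor = bytes(reversed(template))        # no byte position agrees
    skewed = template[:29] + b"\xff\xff\xff"    # 3 differing bytes, all in CHIP_POS
    app = "com.example.pay"                     # hypothetical application id
    tee = SecurityDomain(SafetyChip(), trusted_apps={app})
    tee.enroll(template)
    results = {
        "genuine": tee.verify(app, genuine),
        "impostor": tee.verify(app, impostor),
        "untrusted_app": tee.verify("com.example.other", genuine),
        "skewed_combined": tee.verify(app, skewed),
        "skewed_fragmentwise": tee.verify(app, skewed, fragmentwise=True),
    }
    tee._fs["fragment"] = tee._fs["fragment"][:-1]   # damaged stored fragment
    results["damaged_fragment"] = tee.verify(app, genuine)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'success' if ok else 'failure'}")
```

With a thresholded matcher the two verification variants can disagree: the `skewed` sample passes the combined match at 29 of 32 bytes but fails fragment-wise, because all three differing bytes fall in one fragment.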
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method can be implemented in other ways. For example, the device embodiments described above are only schematic. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components can be combined or integrated into another system, or some features can be ignored or not performed. Furthermore, the couplings, direct couplings or communication connections shown or discussed can be indirect couplings or communication connections between devices or units through some interfaces, and can be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the present invention can be integrated in one processing unit, each unit can exist physically on its own, or two or more units can be integrated in one unit. The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the related hardware. The program can be stored in a computer-readable storage medium, and the storage medium can include read-only memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk, an optical disc or the like.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the related hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be read-only memory, a magnetic disk, an optical disc or the like.
The mobile terminal provided by the present invention has been described in detail above. For those of ordinary skill in the art, changes may be made to the specific implementation and scope of application according to the idea of the embodiments of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.
The embodiment of the invention discloses A1, a fingerprint authentication method, applied to a mobile terminal that has a non-secure domain and a security domain isolated from each other, the security domain accessing a safety chip;
The method includes:
Collecting target fingerprint data in the non-secure domain according to a fingerprint authentication request from an application;
Switching from the non-secure domain to the security domain;
Extracting the first fingerprint template fragment in the security domain, and sending the first fingerprint template fragment and the target fingerprint data to the safety chip;
Extracting the second fingerprint template fragment in the safety chip, and performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
A2, the method as described in A1, wherein the step of extracting the first fingerprint template fragment in the security domain includes:
Performing legitimacy verification on the application in the security domain;
When the application passes the legitimacy verification, extracting the first fingerprint template fragment from the file system of the security domain.
A3, the method as described in A1, wherein the step of performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
Combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset splitting rule;
Matching the fingerprint template data against the target fingerprint data;
When the fingerprint template data matches the target fingerprint data, determining that fingerprint authentication succeeds;
When the fingerprint template data fails to match the target fingerprint data, determining that fingerprint authentication fails.
A4, the method as described in A3, wherein the step of combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset splitting rule includes:
Generating a fingerprint base plate;
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment respectively;
Writing the first fingerprint template fragment and the second fingerprint template fragment at the first position and the second position of the fingerprint base plate respectively, to obtain the fingerprint template data.
A5, the method as described in A1, wherein the step of performing fingerprint authentication on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
Splitting the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule;
Matching the first fingerprint template fragment against the first target fingerprint fragment;
Matching the second fingerprint template fragment against the second target fingerprint fragment;
When the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment, determining that fingerprint authentication succeeds;
When the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment, determining that fingerprint authentication fails.
A6, the method as described in A5, wherein the step of splitting, in the security domain, the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule includes:
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
Extracting the first target fingerprint fragment and the second target fingerprint fragment at the first position and the second position of the target fingerprint data respectively.
A7, the method as described in any one of A1-A6, further including:
Returning the result of the fingerprint authentication to the security domain in the safety chip;
Switching from the security domain to the non-secure domain;
Returning the result of the fingerprint authentication to the application in the non-secure domain.
A8, the method as described in any one of A1-A6, further including:
Collecting fingerprint template data in the non-secure domain according to a fingerprint enrollment request from an application;
Switching from the non-secure domain to the security domain;
Sending the fingerprint template data to the safety chip in the security domain;
Splitting, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset splitting rule, and returning the second fingerprint template fragment to the security domain.
A9, the method as described in A8, wherein the step of splitting, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset splitting rule includes:
Extracting the first fingerprint template fragment from the first position in the fingerprint template data;
Extracting the second fingerprint template fragment from the second position in the fingerprint template data.
It is described mobile whole using in the terminal the embodiment of the invention also discloses B10, a kind of fingerprint verifying apparatus There are mutually isolated non-secure domains and security domain, the security domain accesses safety chip in end;
Described device includes:
Checking request processing module, refers to for the fingerprint authentication request collection target according to application in the non-secure domains Line data;
First security domain handover module, for switching to the security domain from the non-secure domains;
Fingerprint template fragments for transport module, for extracting the first fingerprint template fragment in the security domain, by described One fingerprint template fragment and the target fingerprint data is activation are to the safety chip;
Fingerprint authentication module, for extracting the second fingerprint template fragment in the safety chip, refers to according to described first Line template segments carry out fingerprint authentication with the second fingerprint template fragment to the target fingerprint data;The first fingerprint mould Plate segment belongs to same fingerprint template data with the second fingerprint template fragment.
B11, the device as described in B10, the fingerprint template fragments for transport module include:
Legitimacy verifies submodule, for carrying out legitimacy verifies to the application in the security domain;
Fingerprint template snippet extraction submodule, for when the application is by the legitimacy verifies, from the safety The first fingerprint template fragment is extracted in the file system in domain.
B12, the device as described in B10, the fingerprint authentication module include:
Fingerprint combination submodule, for regular by the first fingerprint template fragment and described second according to default fractionation Fingerprint template fragment combination is into fingerprint template data;
Template matches submodule, for being matched with the target fingerprint data using the fingerprint template data;
First decision sub-module, for when the fingerprint template data are with target fingerprint Data Matching success, sentencing Determine fingerprint authentication success;
Second decision sub-module, for when the fingerprint template data fail with the target fingerprint Data Matching, sentencing Determine fingerprint authentication failure.
B13, the device as described in B12, the fingerprint combination submodule include:
Base plate generation unit, for generating a fingerprint base plate;
Template position determining unit, first position, described second for determining the first fingerprint template fragment respectively The second place of fingerprint template fragment;
Base plate write data unit, for being respectively written into described first in the first position of the fingerprint base plate and the second place Fingerprint template fragment and the second fingerprint template fragment, obtain fingerprint template data.
B14. The device according to B10, wherein the fingerprint verification module includes:
A target fingerprint splitting submodule, configured to split the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule;
A first fragment matching submodule, configured to match the first fingerprint template fragment against the first target fingerprint fragment;
A second fragment matching submodule, configured to match the second fingerprint template fragment against the second target fingerprint fragment;
A third decision submodule, configured to determine that fingerprint verification succeeds when the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment;
A fourth decision submodule, configured to determine that fingerprint verification fails when the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment.
B15. The device according to B14, wherein the target fingerprint splitting submodule includes:
A fragment position determination unit, configured to determine the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
A target fingerprint fragment extraction unit, configured to extract the first target fingerprint fragment and the second target fingerprint fragment at the first position and the second position of the target fingerprint data, respectively.
B16. The device according to any one of B10-B15, further including:
A first result return module, configured to return, in the safety chip, the result of the fingerprint verification to the security domain;
A non-secure domain switching module, configured to switch from the security domain to the non-secure domain;
A second result return module, configured to return, in the non-secure domain, the result of the fingerprint verification to the application.
B17. The device according to any one of B10-B15, further including:
An enrollment request processing module, configured to collect fingerprint template data in the non-secure domain according to a fingerprint enrollment request of the application;
A second security domain switching module, configured to switch from the non-secure domain to the security domain;
A fingerprint template data sending module, configured to send, in the security domain, the fingerprint template data to the safety chip;
A fingerprint template splitting module, configured to split, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to the preset splitting rule, and to return the second fingerprint template fragment to the security domain.
B18. The device according to B17, wherein the fingerprint template splitting module includes:
A first template fragment extraction submodule, configured to extract the first fingerprint template fragment from the first position in the fingerprint template data;
A second template fragment extraction submodule, configured to extract the second fingerprint template fragment from the second position in the fingerprint template data.
An embodiment of the invention also discloses C19, a mobile terminal, including a processor and a memory;
The memory is configured to store a program that supports performing the fingerprint verification method described in A1 to A9;
The processor is configured to execute the program stored in the memory.

Claims (10)

1. A fingerprint verification method, characterized in that it is applied in a mobile terminal, the mobile terminal having a non-secure domain and a security domain that are isolated from each other, the security domain having access to a safety chip;
The method includes:
Collecting target fingerprint data in the non-secure domain according to a fingerprint verification request of an application;
Switching from the non-secure domain to the security domain;
Extracting a first fingerprint template fragment in the security domain, and sending the first fingerprint template fragment and the target fingerprint data to the safety chip;
Extracting a second fingerprint template fragment in the safety chip, and performing fingerprint verification on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
2. The method of claim 1, characterized in that the step of extracting the first fingerprint template fragment in the security domain includes:
Performing a legitimacy check on the application in the security domain;
When the application passes the legitimacy check, extracting the first fingerprint template fragment from the file system of the security domain.
3. The method of claim 1, characterized in that the step of performing fingerprint verification on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
Combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to a preset splitting rule;
Matching the fingerprint template data against the target fingerprint data;
When the fingerprint template data matches the target fingerprint data, determining that fingerprint verification succeeds;
When the fingerprint template data does not match the target fingerprint data, determining that fingerprint verification fails.
4. The method of claim 3, characterized in that the step of combining the first fingerprint template fragment and the second fingerprint template fragment into fingerprint template data according to the preset splitting rule includes:
Generating a fingerprint base plate;
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment, respectively;
Writing the first fingerprint template fragment and the second fingerprint template fragment at the first position and the second position of the fingerprint base plate, respectively, to obtain the fingerprint template data.
5. The method of claim 1, characterized in that the step of performing fingerprint verification on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment includes:
Splitting the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to a preset splitting rule;
Matching the first fingerprint template fragment against the first target fingerprint fragment;
Matching the second fingerprint template fragment against the second target fingerprint fragment;
When the first fingerprint template fragment matches the first target fingerprint fragment and the second fingerprint template fragment matches the second target fingerprint fragment, determining that fingerprint verification succeeds;
When the first fingerprint template fragment fails to match the first target fingerprint fragment and/or the second fingerprint template fragment fails to match the second target fingerprint fragment, determining that fingerprint verification fails.
6. The method of claim 5, characterized in that the step of splitting, in the security domain, the target fingerprint data into a first target fingerprint fragment and a second target fingerprint fragment according to the preset splitting rule includes:
Determining the first position of the first fingerprint template fragment and the second position of the second fingerprint template fragment;
Extracting the first target fingerprint fragment and the second target fingerprint fragment at the first position and the second position of the target fingerprint data, respectively.
7. The method of any one of claims 1-6, characterized in that it further includes:
Returning, in the safety chip, the result of the fingerprint verification to the security domain;
Switching from the security domain to the non-secure domain;
Returning, in the non-secure domain, the result of the fingerprint verification to the application.
8. The method of any one of claims 1-6, characterized in that it further includes:
Collecting fingerprint template data in the non-secure domain according to a fingerprint enrollment request of the application;
Switching from the non-secure domain to the security domain;
Sending, in the security domain, the fingerprint template data to the safety chip;
Splitting, in the safety chip, the fingerprint template data into a first fingerprint template fragment and a second fingerprint template fragment according to a preset splitting rule, and returning the second fingerprint template fragment to the security domain.
9. A fingerprint verification device, characterized in that it is applied in a mobile terminal, the mobile terminal having a non-secure domain and a security domain that are isolated from each other, the security domain having access to a safety chip;
The device includes:
A verification request processing module, configured to collect target fingerprint data in the non-secure domain according to a fingerprint verification request of an application;
A first security domain switching module, configured to switch from the non-secure domain to the security domain;
A fingerprint template fragment transmission module, configured to extract a first fingerprint template fragment in the security domain and send the first fingerprint template fragment and the target fingerprint data to the safety chip;
A fingerprint verification module, configured to extract a second fingerprint template fragment in the safety chip and perform fingerprint verification on the target fingerprint data according to the first fingerprint template fragment and the second fingerprint template fragment; the first fingerprint template fragment and the second fingerprint template fragment belong to the same fingerprint template data.
10. A mobile terminal, characterized in that it includes a processor and a memory;
The memory is configured to store a program that supports performing the fingerprint verification method of claims 1 to 8;
The processor is configured to execute the program stored in the memory.
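
The following C example is added here and is not code from the patent: it shows the enrollment split of claim 8 and the base-plate recombination of claims 3 and 4 as they could run inside the safety chip, including the length check a chip should apply to a fragment that arrives from the security domain. The `split_rule` layout, the 16-byte template and the byte-exact comparison standing in for a real fingerprint matcher are assumptions, as is the choice (following claim 1) that the security domain holds the first fragment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TPL_LEN 16 /* constructed template size, for illustration only */
/* Hypothetical preset split rule: where each fragment sits in the template. */
typedef struct { size_t pos1, len1, pos2, len2; } split_rule;

/* Fragments must stay inside the template, not overlap, and cover it. */
static int rule_ok(const split_rule *r) {
    if (r->len1 > TPL_LEN || r->pos1 > TPL_LEN - r->len1) return 0;
    if (r->len2 > TPL_LEN || r->pos2 > TPL_LEN - r->len2) return 0;
    if (r->len1 + r->len2 != TPL_LEN) return 0;
    return r->pos1 + r->len1 <= r->pos2 || r->pos2 + r->len2 <= r->pos1;
}

/* Enrollment in the safety chip: frag1 goes out to the security domain,
   frag2 stays in the chip (assumed assignment, see lead-in). */
static int split_template(const split_rule *r, const uint8_t *tpl,
                          uint8_t *frag1, uint8_t *frag2) {
    if (!rule_ok(r)) return -1;
    memcpy(frag1, tpl + r->pos1, r->len1);
    memcpy(frag2, tpl + r->pos2, r->len2);
    return 0;
}

/* Constant-time equality: a stand-in for a real fuzzy fingerprint matcher. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Verification in the safety chip: write both fragments onto a blank base
   plate at their positions, match the target, then wipe the plate. */
static int verify_fingerprint(const split_rule *r, const uint8_t *frag1,
        size_t len1, const uint8_t *frag2, const uint8_t *target) {
    uint8_t plate[TPL_LEN] = {0};
    if (!rule_ok(r) || len1 != r->len1) return 0; /* frag1 crossed a boundary */
    memcpy(plate + r->pos1, frag1, r->len1);
    memcpy(plate + r->pos2, frag2, r->len2);
    int ok = ct_equal(plate, target, TPL_LEN);
    volatile uint8_t *p = plate;
    for (size_t i = 0; i < TPL_LEN; i++) p[i] = 0;
    return ok;
}

/* Constructed round trip: enroll, optionally corrupt frag1, then verify. */
static int demo_roundtrip(int tamper) {
    const split_rule rule = { 10, 6, 0, 10 }; /* frag1 = tail, frag2 = head */
    uint8_t tpl[TPL_LEN], f1[TPL_LEN], f2[TPL_LEN];
    for (size_t i = 0; i < TPL_LEN; i++) tpl[i] = (uint8_t)(i * 7 + 3);
    if (split_template(&rule, tpl, f1, f2) != 0) return -1;
    if (tamper) f1[0] ^= 1;
    return verify_fingerprint(&rule, f1, rule.len1, f2, tpl);
}
int main(void) { return demo_roundtrip(0) == 1 ? 0 : 1; }
```

Because neither fragment alone reproduces the template, a copy of the security domain's file system yields only `frag1`; the full template exists only transiently on the base plate inside the chip.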
CN201710052108.9A 2017-01-20 2017-01-20 Fingerprint verification method and related equipment Active CN106886699B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710052108.9A CN106886699B (en) 2017-01-20 2017-01-20 Fingerprint verification method and related equipment

Publications (2)

Publication Number Publication Date
CN106886699A true CN106886699A (en) 2017-06-23
CN106886699B CN106886699B (en) 2020-06-19

Family

ID=59176615

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710052108.9A Active CN106886699B (en) 2017-01-20 2017-01-20 Fingerprint verification method and related equipment

Country Status (1)

Country Link
CN (1) CN106886699B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278305A (en) * 2019-06-29 2019-09-24 Oppo广东移动通信有限公司 Mode identification method and Related product

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478541A (en) * 2008-10-21 2009-07-08 刘洪利 Living creature characteristic authentication method, living creature characteristic authentication system
CN103986837A (en) * 2014-05-28 2014-08-13 天地融科技股份有限公司 Information processing method and device
CN104778393A (en) * 2015-04-16 2015-07-15 电子科技大学 Security fingerprint identification method for intelligent terminal
CN105184218A (en) * 2015-07-30 2015-12-23 广东欧珀移动通信有限公司 Method and device for registering fingerprints
CN105208005A (en) * 2015-08-25 2015-12-30 宇龙计算机通信科技(深圳)有限公司 Fingerprint authentication method, connection equipment and terminal equipment
CN105354466A (en) * 2015-10-26 2016-02-24 维沃移动通信有限公司 Fingerprint recognition method and mobile terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨霞等: "TrustZone的指纹识别安全技术研究与实现", 《计算机科学》 *

Also Published As

Publication number Publication date
CN106886699B (en) 2020-06-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170804

Address after: 100102, 18 floor, building 2, Wangjing street, Beijing, Chaoyang District, 1801

Applicant after: BEIJING ANYUN SHIJI SCIENCE AND TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

GR01 Patent grant