CN109328348B - Service authentication method, system and related equipment - Google Patents


Info

Publication number: CN109328348B
Application number: CN201680087076.XA
Authority: CN (China)
Prior art keywords: service, user, mobile terminal, authenticated, authentication
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN109328348A
Inventor: 董明杰
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events: application filed by Huawei Technologies Co Ltd; publication of CN109328348A; application granted; publication of CN109328348B; legal status active; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Abstract

A service authentication method, a system and related equipment are provided. In the method, a mobile terminal determines a service to be authenticated that the user has triggered, acquires first biometric information entered by the user for that service, generates first key information from the first biometric information using a key generation algorithm corresponding to the service, and sends the service server an authentication request carrying the user's identification information. The mobile terminal receives the service server's response to the authentication request, obtains a first verification result from the first key information and that response, and sends the first verification result to the service server. The service server obtains second biometric information corresponding to the user's identification information from a biometric information management server and authenticates the service according to the second biometric information, the response to the authentication request and the first verification result. The method provides service authentication that is secure and broadly applicable.

Description

Service authentication method, system and related equipment
Technical Field
The present invention relates to the field of biometric authentication technologies, and in particular, to a method, a system, and a related device for service authentication.
Background
In recent years biometric authentication has developed rapidly and is increasingly used on mobile terminals such as smartphones and tablets: biometric information such as fingerprints, faces and irises is used to authenticate services such as login and payment, including fingerprint unlocking, fingerprint payment and face recognition. In these schemes, however, the mobile terminal usually stores the user's biometric information (fingerprint, face, iris) in a security chip, and the stored biometric information may be recovered by brute force, so security is poor. In addition, each service uses its own authentication scheme, restricted to a specific application scenario, so the schemes generalise poorly. Providing a service authentication scheme that is both secure and broadly applicable has therefore become an urgent problem.
Disclosure of Invention
The embodiments of the invention disclose a service authentication method, a system and related equipment for achieving secure and broadly applicable service authentication.
The first aspect of the embodiments of the invention discloses a service authentication method applied to an open wireless access system comprising a service server, a biometric information management server and a mobile terminal. The method comprises the following steps:
The mobile terminal determines a service to be authenticated that the user has triggered, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information entered by the user for that service, and sends the service server an authentication request for the service to be authenticated. The authentication request carries the user's identification information, such as one or more of a user name, e-mail address, mobile phone number, employee number and ID card number. The mobile terminal receives the service server's response to the authentication request, specifically a random number, and obtains a first verification result from the first key information and the response to the authentication request.
The mobile terminal sends the first verification result to the service server, so that the service server can obtain second biometric information corresponding to the user's identification information from the biometric information management server, generate a second verification result from the second biometric information and the response to the authentication request, and authenticate the service to be authenticated using the first and second verification results. The biometric information is thus stored and managed centrally by the biometric information management server, and the mobile terminal side stores no biometric information. During service authentication the mobile terminal side generates a verification result from the biometric information the user enters, the service server side generates a verification result from the biometric information obtained from the biometric information management server, and the service server decides whether authentication passes by checking whether the two verification results match. Secure and broadly applicable service authentication is achieved in this way.
Optionally, a service security level is preset for each service, and the types and/or number of biometric samples the user must enter may differ between service security levels. The mobile terminal may then obtain the first biometric information entered by the user as follows: it determines the service security level of the service to be authenticated, outputs an input prompt for the biometric information corresponding to that service security level, and acquires the first biometric information the user enters in response to the prompt. Distinguishing the security levels of different services and requiring the user to enter biometric information of the corresponding types and/or number further improves the security of service authentication.
Optionally, the mobile terminal may present different initialization interfaces to different users after power-on, each showing the services that user may use. Before entering the interface for a user, the mobile terminal may prompt the user to enter a specified type of biometric information, acquire the third biometric information the user enters, generate second key information using a preset key generation algorithm and the third biometric information, and send the service server a user permission level acquisition request to obtain the current user's permission level. The user permission level acquisition request carries the user's identification information, such as one or more of a user name, e-mail address, mobile phone number, employee number and ID card number.
The mobile terminal receives the service server's response to the user permission level acquisition request, specifically a random number, obtains a second verification result from the second key information and that response, and sends the second verification result to the service server. The service server obtains fourth biometric information corresponding to the user's identification information from the biometric information management server and, if the second verification result is verified against the fourth biometric information and the response to the user permission level acquisition request, obtains the user permission level corresponding to the user's identification information.
The mobile terminal receives the user permission level sent by the service server and outputs the initialization interface corresponding to the user according to that level; the interface displays the services available to the user, from which the user can select the service to be authenticated. Dividing users into permission levels allows different initialization interfaces to be adapted for different users, each showing only the services available to that user.
Optionally, the mobile terminal receives the authentication result for the service to be authenticated sent by the service server. When the result is that authentication passed, the mobile terminal may generate encryption key information using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information, encrypt the data of the service to be authenticated with that encryption key information, and send the encrypted data to the service server, which decrypts the encrypted data using the second biometric information. The data of the service to be authenticated is thereby encrypted and decrypted conveniently.
The second aspect of the embodiments of the invention discloses a service authentication method applied to an open wireless access system comprising a service server, a biometric information management server and a mobile terminal. The method comprises the following steps:
The service server receives an authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the user's identification information, and sends a response to the authentication request to the mobile terminal, so that the mobile terminal can obtain a first verification result from first key information and the response to the authentication request. The first key information is generated by the mobile terminal using a key generation algorithm corresponding to the service to be authenticated and first biometric information entered by the user.
The service server receives the first verification result sent by the mobile terminal, obtains second biometric information corresponding to the user's identification information from the biometric information management server, obtains a second verification result from the second biometric information and the response to the authentication request, and determines that the service to be authenticated passes authentication if the first verification result matches the second verification result.
Optionally, the service server may obtain the second biometric information corresponding to the user's identification information from the biometric information management server as follows: the service server sends the biometric information management server a biometric information acquisition request carrying the user's identification information and the service server's identification information, so that the biometric information management server looks up the second biometric information corresponding to that user identification information and service server identification information.
The service server receives the second biometric information sent by the biometric information management server.
Optionally, the mobile terminal may present different initialization interfaces to different users after power-on, each showing the services that user may use. The service server receives a user permission level acquisition request that the mobile terminal sends when it detects an initialization operation entered by the user, the request carrying the user's identification information, and sends a response to the user permission level acquisition request to the mobile terminal, so that the mobile terminal obtains a third verification result from second key information and that response. The second key information is generated by the mobile terminal using a preset key generation algorithm and fourth biometric information entered by the user.
The service server receives the third verification result sent by the mobile terminal, obtains third biometric information corresponding to the user's identification information from the biometric information management server, obtains a fourth verification result from the third biometric information and the response to the user permission level acquisition request, obtains the user permission level corresponding to the user's identification information if the third verification result matches the fourth verification result, and sends the user permission level to the mobile terminal. The mobile terminal can then output the initialization interface corresponding to the user according to the permission level, displaying the services available to the user, from which the user selects the service to be authenticated. Dividing users into permission levels allows different initialization interfaces to be adapted for different users, each showing only that user's available services; this gives a flexible, personalised way of using the mobile terminal, and the same mobile terminal can be used independently by different users without their affecting one another.
Optionally, when the first verification result matches the second verification result the service server sends the mobile terminal the authentication result that the service to be authenticated passed authentication, so that the mobile terminal generates encryption key information using the encryption key generation algorithm corresponding to the service to be authenticated and the first key information. The service server then receives the data of the service to be authenticated, encrypted by the mobile terminal with the encryption key information, and can decrypt it using the second biometric information, so that the data of the service to be authenticated is encrypted and decrypted conveniently.
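The exchange described in the first and second aspects above, carried through both sides and into the optional encryption step, as an added example that is not part of the patent text and not Huawei's code. The page specifies neither the key generation algorithm nor how the verification result is computed from the key and the random number; this example assumes HMAC-SHA256 for both, a toy HMAC keystream cipher in place of a real AEAD, and the identifiers (`srv-payment-01`, `alice@example.com`), service labels and fingerprint template are constructed sample data. The user permission level retrieval in the optional steps is the same challenge-response with a preset rather than service-specific key generation algorithm, so it is not repeated here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample store for the biometric information management server, indexed by
# (user identification, service server identification) as the text describes. ASSUMPTION:
# the enrolled template is a canonical byte string the sensor reproduces exactly; the page
# does not say how capture noise is handled, so real systems need matching before the KDF.
BIOMETRIC_DB = {
    ("alice@example.com", "srv-payment-01"): b"canonical-fingerprint-template-alice",
}

# "Key generation algorithm corresponding to the service": one domain-separated
# derivation per service, so a key derived for login is useless against payment.
SERVICE_LABELS = {"login": b"svc/login/v1", "payment": b"svc/payment/v1"}

def derive_service_key(service: str, biometric: bytes) -> bytes:
    """First/second key information: HMAC-SHA256(label_service, biometric) (assumed KDF)."""
    return hmac.new(SERVICE_LABELS[service], biometric, hashlib.sha256).digest()

def verification_result(key: bytes, challenge: bytes) -> bytes:
    """Verification result over the server's random number (the challenge)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def derive_encryption_key(service: str, key: bytes) -> bytes:
    """Encryption key generation algorithm for the service, applied to the key information."""
    return hmac.new(key, b"enc/" + SERVICE_LABELS[service], hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; a real deployment would use an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class BiometricManagementServer:
    def lookup(self, user_id: str, server_id: str) -> Optional[bytes]:
        return BIOMETRIC_DB.get((user_id, server_id))

class ServiceServer:
    def __init__(self, server_id: str, bio_server: BiometricManagementServer):
        self.server_id, self.bio_server = server_id, bio_server
        self.pending = {}        # (user_id, service) -> outstanding challenge
        self.session_keys = {}   # user_id -> encryption key once authentication passed

    def handle_auth_request(self, user_id: str, service: str) -> bytes:
        """Response to the authentication request: a fresh random number."""
        nonce = secrets.token_bytes(32)
        self.pending[(user_id, service)] = nonce
        return nonce

    def handle_verification(self, user_id: str, service: str, first_result: bytes) -> bool:
        # Single use: a replayed first verification result finds no outstanding challenge.
        nonce = self.pending.pop((user_id, service), None)
        template = self.bio_server.lookup(user_id, self.server_id)
        if nonce is None or template is None:
            return False
        second_key = derive_service_key(service, template)
        second_result = verification_result(second_key, nonce)
        if not hmac.compare_digest(first_result, second_result):  # constant-time comparison
            return False
        # Server side of the encryption step: the same key, derived from the stored template.
        self.session_keys[user_id] = derive_encryption_key(service, second_key)
        return True

    def receive_service_data(self, user_id: str, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
        key = self.session_keys.get(user_id)
        if key is None:
            return None
        expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # reject tampered ciphertext before decrypting
            return None
        return keystream_xor(key, nonce, ct)

class MobileTerminal:
    # Keeps only the key derived from the live capture; no template is stored on the terminal.
    def authenticate(self, server: ServiceServer, user_id: str, service: str, captured: bytes) -> bool:
        self.first_key = derive_service_key(service, captured)
        nonce = server.handle_auth_request(user_id, service)
        self.last_sent = (user_id, service, verification_result(self.first_key, nonce))
        return server.handle_verification(*self.last_sent)

    def send_encrypted(self, server: ServiceServer, user_id: str, service: str, plaintext: bytes):
        enc_key = derive_encryption_key(service, self.first_key)
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(enc_key, nonce, plaintext)
        tag = hmac.new(enc_key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return server.receive_service_data(user_id, nonce, ct, tag)

def run_demo() -> dict:
    """Genuine user, encrypted service data, a replayed verification result, a wrong finger."""
    server = ServiceServer("srv-payment-01", BiometricManagementServer())
    phone, alice = MobileTerminal(), "alice@example.com"
    out = {"genuine": phone.authenticate(server, alice, "payment", b"canonical-fingerprint-template-alice")}
    out["decrypted"] = phone.send_encrypted(server, alice, "payment", b"pay 100 to merchant 42")
    out["replay"] = server.handle_verification(*phone.last_sent)
    out["wrong_biometric"] = phone.authenticate(server, alice, "payment", b"some-other-finger")
    out["unknown_user"] = phone.authenticate(server, "bob@example.com", "payment", b"bob-template")
    return out
```

Two points the example makes visible. The terminal sends neither the biometric nor the derived key, only an HMAC over a single-use random number, so a captured first verification result cannot be replayed and the server must consume each challenge exactly once. And because the service server recomputes the key from the template it fetches, the template must be byte-identical to what the terminal derives from; any matching or canonicalisation of the live capture has to happen before the key generation algorithm, which the page leaves unspecified.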
The third aspect of the embodiments of the invention discloses a mobile terminal applied to an open wireless access system comprising a service server, a biometric information management server and the mobile terminal. The mobile terminal comprises:
a determining module, for determining the service to be authenticated that the user has triggered;
an acquiring module, for acquiring first biometric information entered by the user for the service to be authenticated;
a processing module, for generating first key information using a key generation algorithm corresponding to the service to be authenticated and the first biometric information;
a sending module, for sending an authentication request for the service to be authenticated to the service server, the authentication request carrying the user's identification information;
a receiving module, for receiving the service server's response to the authentication request;
the processing module being further used to obtain a first verification result from the first key information and the response to the authentication request; and
the sending module being further configured to send the first verification result to the service server, instructing the service server to obtain second biometric information corresponding to the user's identification information from the biometric information management server and to authenticate the service to be authenticated according to the second biometric information, the response to the authentication request and the first verification result. The biometric information is thus stored and managed centrally by the biometric information management server, and the mobile terminal side stores no biometric information.
Optionally, the acquiring module may comprise an obtaining unit and an output unit, wherein:
the obtaining unit is used to obtain the service security level corresponding to the service to be authenticated;
the output unit is used to output an input prompt for the biometric information corresponding to that service security level; and
the obtaining unit is further used to acquire the first biometric information the user enters in response to the input prompt. Distinguishing the security levels of different services and requiring the user to enter biometric information of the corresponding types and/or number further improves the security of service authentication.
Optionally, the mobile terminal further comprises an output module, wherein:
the acquiring module is further used to obtain the user's permission level from the service server;
the output module is used to output the initialization interface corresponding to the user according to the user permission level, the interface displaying the services available to the user; and
the determining module is specifically used to determine the service to be authenticated that the user triggers from among the services available to the user. Dividing users into permission levels allows different initialization interfaces to be adapted for different users, each showing that user's available services; this gives a flexible, personalised way of using the mobile terminal, and the same mobile terminal can be used independently by different users without their affecting one another.
Optionally, the receiving module is further configured to receive the authentication result for the service to be authenticated sent by the service server;
the processing module is further used to generate encryption key information using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that authentication passed;
the processing module is further used to encrypt the data of the service to be authenticated with the encryption key information; and
the sending module is further used to send the encrypted data of the service to be authenticated to the service server, instructing the service server to decrypt it using the second biometric information.
The fourth aspect of the embodiments of the invention discloses a service server applied to an open wireless access system comprising the service server, a biometric information management server and a mobile terminal. The service server comprises:
a receiving module, for receiving an authentication request for the service to be authenticated sent by the mobile terminal, the authentication request carrying the user's identification information;
a sending module, for sending a response to the authentication request to the mobile terminal, instructing the mobile terminal to obtain a first verification result from first key information and the response to the authentication request, the first key information being generated by the mobile terminal using a key generation algorithm corresponding to the service to be authenticated and first biometric information entered by the user;
the receiving module being further used to receive the first verification result sent by the mobile terminal;
an obtaining module, for obtaining second biometric information corresponding to the user's identification information from the biometric information management server, and a processing module, for obtaining a second verification result from the second biometric information and the response to the authentication request; and
an authentication module, for authenticating the service to be authenticated according to the first verification result and the second verification result, determining that the service to be authenticated passes authentication if the first verification result matches the second verification result.
Optionally, the obtaining module comprises:
a sending unit, for sending a biometric information acquisition request to the biometric information management server, the request carrying the user's identification information and the service server's identification information, instructing the biometric information management server to look up the second biometric information corresponding to that user identification information and service server identification information; and
a receiving unit, for receiving the second biometric information sent by the biometric information management server.
Optionally, the receiving module is further configured to receive a user permission level acquisition request that the mobile terminal sends when it detects an initialization operation entered by the user, the request carrying the user's identification information;
the obtaining module is further used to obtain third biometric information corresponding to the user's identification information from the biometric information management server;
the processing module is further used to determine the user permission level corresponding to the user's identification information according to the third biometric information; and
the sending module is further used to send the user permission level to the mobile terminal, instructing the mobile terminal to output the initialization interface corresponding to the user according to that level. The interface displays the services available to the user, and the service to be authenticated is the service the user selects from them. Dividing users into permission levels allows different initialization interfaces to be adapted for different users, each showing that user's available services; this gives a flexible, personalised way of using the mobile terminal, and the same mobile terminal can be used independently by different users without their affecting one another.
Optionally, the sending module is further configured to send the authentication result for the service to be authenticated to the mobile terminal, the authentication result instructing the mobile terminal to generate encryption key information using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when authentication passed;
the receiving module is further used to receive the data of the service to be authenticated sent by the mobile terminal and encrypted with the encryption key information; and
the processing module is further configured to decrypt the encrypted data of the service to be authenticated using the second biometric information, so that the data of the service to be authenticated is encrypted and decrypted conveniently.
The fifth aspect of the embodiments of the invention discloses a mobile terminal applied to an open wireless access system comprising a service server, a biometric information management server and the mobile terminal. The mobile terminal comprises a processor, a biometric authentication chip, a transceiver and a memory connected by a bus; the memory stores executable program code, the transceiver sends and receives messages under the control of the processor, and the biometric authentication chip and the processor call the executable program code to execute the service authentication method of any implementation of the first aspect.
The sixth aspect of the invention discloses a service server applied to an open wireless access system comprising the service server, a biometric information management server and a mobile terminal. The service server comprises a processor, a transceiver and a memory connected by a bus; the memory stores executable program code, the transceiver sends and receives messages under the control of the processor, and the processor calls the executable program code to execute the service authentication method of any implementation of the second aspect.
A seventh aspect of the invention discloses a service authentication system comprising a biometric information management server for storing biometric information and providing a biometric information query service to the service server, the mobile terminal of any implementation of the third aspect above, and the service server of any implementation of the fourth aspect above.
In the embodiments of the invention, a mobile terminal determines a service to be authenticated that the user has triggered, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information entered by the user, sends an authentication request for the service carrying the user's identification information, receives the service server's response to the authentication request, obtains a first verification result from the first key information and that response, and sends the first verification result to the service server. The service server obtains second biometric information corresponding to the user's identification information from a biometric information management server and authenticates the service to be authenticated according to the second biometric information, the response to the authentication request and the first verification result, achieving secure and broadly applicable service authentication.
Drawings
To illustrate the technical solutions in the embodiments of the invention more clearly, the drawings needed for the embodiments are briefly described below. The drawings in the following description are only some embodiments of the invention; those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an open wireless access system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a service authentication method disclosed in an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a mobile terminal according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a service server disclosed in the embodiment of the present invention;
fig. 5 is a schematic structural diagram of another mobile terminal disclosed in the embodiment of the present invention;
fig. 6 is a schematic structural diagram of another service server disclosed in the embodiment of the present invention;
fig. 7 is a schematic structural diagram of a service authentication system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," and "fourth," etc. in the description and claims of the invention and the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus. The terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The embodiment of the invention discloses a service authentication method, a system and related equipment, which are used for realizing the rapid and safe completion of service authentication. The following are detailed below.
Fig. 1 is a schematic structural diagram of an open wireless access system according to an embodiment of the present invention. The open wireless access system described in this embodiment includes a service server, a biometric information management server, a wireless network controller, and an infrastructure service layer, where:
The biometric information management server is used for storing the biometric information of users and providing a biometric information query service to legitimate entities such as the service server and the wireless network controller.
The service server is used for completing the corresponding service authentication process by interacting with the biometric information management server according to the service request of the mobile terminal.
The wireless network controller separates out the control capability of the wireless network and provides it to the outside in the form of services, including: storage services, real-time computing services, base station image services (loading and unloading of base station image files), virtual machine services (starting, stopping, suspending, snapshotting and the like of virtual machines), base station management services, data exchange services between base stations, and the like.
The infrastructure service layer consists of wireless base station devices built on a general-purpose hardware platform: the wireless base station system is implemented purely in software, virtualization is realized on the general-purpose hardware platform through virtualization technology, the wireless base station software is stored in the wireless network controller or the base station device in the form of virtual machine files, and the wireless base station software is started by loading the virtual machine files.
In some possible embodiments, the business server may also be used to store the biometric information of the user for some closed application scenarios, such as inside a company or organization, i.e. the business server may simultaneously integrate the functions of the biometric information management server.
Please refer to fig. 2, which is a flowchart illustrating a service authentication method provided based on the architecture of the open wireless access system shown in fig. 1 according to an embodiment of the present invention. The service authentication method described in this embodiment includes:
201. The mobile terminal determines the service to be authenticated that is triggered by the user.
The mobile terminal may provide multiple services for the user to use, which may specifically include a service that needs to be authenticated and a service that does not need to be authenticated, and may store the service identifier that needs to be authenticated into the authentication service identifier list. The services to be authenticated may specifically include, but are not limited to, an account login service, a payment service, a wireless network access service, and the like.
Specifically, the user may trigger and start the target service from the available services provided by the mobile terminal according to the current requirement, and the mobile terminal queries whether the identifier of the target service exists in the authentication service identifier list, and if so, determines that the target service needs to be authenticated, and determines the target service as a task to be authenticated.
202. The mobile terminal acquires first biometric information input by the user for the service to be authenticated, and generates first key information by using a key generation algorithm corresponding to the service to be authenticated and the first biometric information.
The biometric information may specifically include, but is not limited to, a fingerprint, a palm print, a human face, an iris, a retina, a voice, a vein, a gait, a gene, and the like.
Specifically, the implementation manner of the mobile terminal acquiring the first biometric information input by the user for the service to be authenticated in step 202 may be:
the mobile terminal acquires a service security level corresponding to a service to be authenticated, outputs an input prompt of biological characteristic information corresponding to the service security level, and acquires first biological characteristic information input by a user in response to the input prompt.
For different types of services to be authenticated, the user may be required to input correspondingly different biometric information. For example, services may be divided into service security levels, and a service with a higher service security level corresponds to biometric information that is more precise and whose identification difficulty is higher. Likewise, the higher the service security level, the more types of biometric information may need to be input: for example, a service with a higher service security level may require two or more types of biometric information (e.g., fingerprint + iris), while a service with a lower service security level may require only one type (e.g., fingerprint).
Specifically, the mobile terminal may locally store a correspondence table of "service-service security level-biometric information to be input", acquire a service security level of a service to be authenticated, which is to be triggered by a user, from the correspondence table, query biometric information corresponding to the service security level from the correspondence table, output an input prompt of the biometric information corresponding to the service security level, and acquire first biometric information input by the user in response to the input prompt. Of course, after determining the service to be authenticated to be triggered by the user, the mobile terminal may also query the service server corresponding to the service to be authenticated for the service security level of the service to be authenticated and the biometric information that needs to be input by the user, so as to output an input prompt of the biometric information and obtain the first biometric information input by the user in response to the input prompt.
It should be noted that the mobile terminal does not locally store the biometric information of the user, so that the biometric information of the user can be effectively prevented from being stolen.
The mobile terminal may locally store a plurality of key generation algorithms suitable for different service flows, for example, a key generation algorithm required for flows such as mobile communication network access and communication encryption, a key generation algorithm required for flows such as logging in a payment application APP or performing payment by using the payment APP, a key generation algorithm required for an interface initialization flow corresponding to a user on the mobile terminal, and the like. If the newly added service flow exists, the mobile terminal can newly add and store a corresponding key generation algorithm.
Specifically, the mobile terminal generates corresponding key information (i.e., first key information) by using a locally stored key generation algorithm and first biometric information, which are required by the service to be authenticated and correspond to the service.
203. The mobile terminal sends an authentication request for the service to be authenticated to the service server, wherein the authentication request carries the identification information of the user.
Before using the mobile terminal and the services on the mobile terminal, the user needs to go to a designated institution or a network point in advance to perform corresponding registration operation, and during the registration operation, according to the difference of the services, the designated institution or the network point submits the identification information and the biological characteristic information of the corresponding user to a biological characteristic information management server, and the biological characteristic information management server stores a corresponding relation table of 'identification information of service-user-biological characteristic information' and biological characteristic information of the registered user corresponding to different services. The identification information of the user can be one or more of a user name, a mailbox, a mobile phone number, an employee number, an identity card number and the like.
204. The service server receives the authentication request sent by the mobile terminal and generates a response to the authentication request.
205. The service server sends the response to the authentication request to the mobile terminal.
206. The mobile terminal receives the response to the authentication request sent by the service server and obtains a first verification result according to the first key information and the response to the authentication request.
Specifically, the mobile terminal sends an authentication request for the service to be authenticated to a service server corresponding to the service to be authenticated, after receiving the authentication request sent by the mobile terminal, the service server generates a response to the authentication request, which may be a random number RAND specifically, and after receiving the response to the authentication request, the mobile terminal obtains a verification result SRES (i.e., a first verification result) according to the previously generated first key information and the response to the authentication request by using an applicable algorithm.
207. The mobile terminal sends the first verification result to the service server.
208. The service server receives the first verification result sent by the mobile terminal.
209. The service server acquires second biometric information corresponding to the identification information of the user from the biometric information management server.
In a specific implementation, the service server sends a biometric information acquisition request to the biometric information management server, the biometric information acquisition request carries identification information of the user and identification information of the service server (or currently-performed service information), and the biometric information management server queries second biometric information corresponding to the identification information of the user under the currently-performed service from a correspondence table of "identification information of the service-user-biometric information", and returns the second biometric information to the service server.
In some possible embodiments, in order to ensure the security of the biometric information stored by the biometric information management server, when the business server requests the biometric information management server for the biometric information, the biometric information management server may not directly return the biometric information to the business server, but only return the main characteristic of the biometric information (e.g., the characteristic value of the biometric information) to the business server, so as to prevent the business server from maliciously stealing the biometric information of the user, thereby fully ensuring the security and reliability of the business authentication.
210. The service server obtains a second verification result according to the second biometric information and the response to the authentication request, authenticates the service to be authenticated according to the first verification result and the second verification result, and determines that the service to be authenticated passes authentication when the first verification result matches the second verification result.
Specifically, after the service server acquires the second biometric information from the biometric information management server, the service server may use a key generation algorithm (i.e., a key generation algorithm corresponding to the service to be authenticated) that is the same as that of the mobile terminal, generate key information according to the second biometric information, and further obtain a second verification result according to the key information and a response of the authentication request by using an appropriate algorithm, and if the first verification result obtained by the mobile terminal is matched with the second verification result obtained by the service server, the service server may determine that the user is a valid user, and the service to be authenticated passes authentication, and allow the mobile terminal to perform a service process of the service to be authenticated; otherwise, the service server determines that the user is an illegal user and the authentication of the service to be authenticated is not passed.
In some feasible embodiments, the biometric information management server may also directly store a correspondence table of "service-user identification information-key information" and key information of registered users corresponding to different services, where the key information is generated by the biometric information management server according to the biometric information corresponding to the service and the user identification information by using a key generation algorithm required by the service, so that the service server may directly obtain the key information required by the corresponding service from the biometric information management server, and a step of locally generating the key information at the service server side is omitted, so that a verification result may be obtained according to the key information obtained from the biometric information management server and a response of the authentication request, and the authentication speed may be increased.
211. The service server sends the authentication result of the service to be authenticated to the mobile terminal.
The service server sends an authentication result to the mobile terminal to inform the mobile terminal whether the authentication for the service to be authenticated passes or not.
In some possible embodiments, before performing step 201, the following steps may also be performed:
S30, when detecting an initialization operation input by the user, the mobile terminal sends a user permission level acquisition request to the service server, wherein the user permission level acquisition request carries the identification information of the user.
The service server may be a server dedicated to initializing an interface on the mobile terminal. After the mobile terminal is started, when the user is prompted to input the specified type of biological characteristic information before entering an interface corresponding to the user, the user can also be prompted to input identification information of the user, and the identification information of the user can be specifically one or more of a user name, a mailbox, a mobile phone number, an employee number, an identity card number and the like.
Specifically, the user may input an initialization operation by means of a gesture, a voice control, pressing a designated key, and the like, and the mobile terminal obtains fourth biometric information input by the user and generates second key information by using a preset key generation algorithm and the fourth biometric information.
The mobile terminal can present different initialization interfaces to different users after being started up. The initialization interface shows the services that the user can use, and the services can be distinguished by user permission level: the higher the user permission level, the more types of services can be used, or the more complete the content of the same service that can be used. For example, for the same APP, a user with a lower user permission level can only use limited functions, while a user with a higher user permission level can use all the functions.
Specifically, after the mobile terminal is powered on, the user may be prompted to input biometric information of a specified type, such as a fingerprint, or alternatively a fingerprint or a face, before entering an interface corresponding to the user, and fourth biometric information input by the user is acquired, and then a preset key generation algorithm stored in the mobile terminal and the fourth biometric information are used to generate corresponding key information (i.e., second key information).
The preset key generation algorithm may be a key generation algorithm that is specially used for an interface initialization process corresponding to a user.
S31, the service server receives the user authority level acquisition request and generates a response of the user authority level acquisition request.
S32, the service server sends the response to the user permission level acquisition request to the mobile terminal.
S33, the mobile terminal receives the response of the user permission level acquisition request sent by the service server, and obtains a third verification result according to the second key information and the response of the user permission level acquisition request.
Specifically, the mobile terminal sends a user permission level acquisition request to the service server to acquire the permission level of the current user; after receiving the request sent by the mobile terminal, the service server generates a response to the user permission level acquisition request, which may specifically be a random number RAND, and the mobile terminal obtains a verification result SRES (i.e., the third verification result) according to the second key information and the response to the user permission level acquisition request by using an applicable algorithm.
S34, the mobile terminal sends the third verification result to the service server.
S35, the service server receives the third verification result sent by the mobile terminal.
S36, the service server acquires third biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server, and acquires a fourth verification result according to the third biological characteristic information and the response of the user permission level acquisition request.
In a specific implementation, the service server sends the identification information of the user and the currently performed service information (i.e., interface initialization corresponding to the user) to the biometric information management server, the biometric information management server queries third biometric information corresponding to the identification information of the user under the currently performed service, after the service server obtains the third biometric information from the biometric information management server, the service server can generate key information according to the third biometric information by using a key generation algorithm (i.e., the preset key generation algorithm) that is the same as that of the mobile terminal, and then obtains a fourth verification result by using an applicable algorithm according to the key information and a response of the user permission level acquisition request.
S37, when the third verification result matches the fourth verification result, the service server acquires the user permission level corresponding to the identification information of the user and sends the user permission level to the mobile terminal.
S38, the mobile terminal outputs the initialization interface corresponding to the user according to the user permission level, and the initialization interface corresponding to the user displays the services available to the user.
Specifically, if the third verification result obtained at the mobile terminal side matches the fourth verification result obtained at the service server side, the service server may determine that the user is a valid user, obtain a corresponding user permission level according to the identification information of the user, and send the user permission level to the mobile terminal.
The mobile terminal may store a correspondence table of "user permission level-available service". After acquiring the user permission level from the service server, the mobile terminal can determine the services available to the user according to this correspondence table and display them by outputting the initialization interface corresponding to the user, so that the user can select the service to be authenticated from the services available to the user; in this way the same mobile terminal can be used independently by different users without the service to be authenticated being affected.
For example, the correspondence table of "user permission level-available service" may be as shown in table 1 below:
User permission level    1       2             3
Available services       APP1    APP1, APP2    APP1, APP2, APP3
TABLE 1
Table 1 contains 3 user permission levels in total, and the larger the numerical value, the higher the permission level. Suppose that 3 APPs in total (i.e., APP1, APP2 and APP3) are installed on the mobile terminal: a user with user permission level 1 can only use 1 of them (i.e., APP1), a user with user permission level 2 can use 2 of them (i.e., APP1 and APP2), and a user with user permission level 3 can use all 3 APPs. The mobile terminal may choose to display only the APPs (i.e., services) usable by the current user on the initialization interface; supposing that the user permission level of the current user is 2, the application icons of APP1 and APP2 are displayed on the initialization interface. Certainly, the mobile terminal may also choose to display all APPs on the initialization interface; if the current user has no use permission for a certain APP, the mobile terminal may prompt that no operation permission exists when the user tries to use that APP, or the application icon of an APP for which the current user has no use permission may be grayed out to distinguish it from the APPs that the current user can use.
In some feasible embodiments, the correspondence table of "user permission level-available service" may also be stored at the service server side, that is, after the service server obtains the user permission level corresponding to the identification information of the user, the service available to the user is queried according to the correspondence table of "user permission level-available service", and then the service list available to the user (including the available service identification) is sent to the mobile terminal.
In some possible embodiments, after step 211 is performed, the following steps are also performed:
S40, when the authentication result is that the authentication is passed, the mobile terminal generates encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information.
S41, the mobile terminal encrypts the data of the service to be authenticated by using the encryption key information and sends the encrypted data of the service to be authenticated to the service server.
S42, the service server receives the data of the service to be authenticated, encrypted with the encryption key information and sent by the mobile terminal, and decrypts the encrypted data of the service to be authenticated by using the second biometric information.
Specifically, when the authentication result returned by the service server is that the authentication is passed, the mobile terminal may perform a service process of a service to be authenticated with the service server, and may perform an encryption operation on data (for example, communication service data) in the service process to be authenticated, for example, the mobile terminal may generate an encryption key using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information, and then encrypt data in the service process to be authenticated using the encryption key, and the service server may generate a decryption key according to the second biometric information (or corresponding key information) acquired from the biometric information management server using a decryption key generation algorithm corresponding to the service to be authenticated, and decrypt the data of the service to be authenticated encrypted by the mobile terminal using the decryption key.
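The flow of steps 201 to 211 together with S40 to S42, simulated end to end as an added example that is not code from the patent. HKDF-SHA256 as the key generation algorithm, HMAC-SHA256 as the "applicable algorithm" that turns RAND into SRES, and an HMAC-counter keystream as the cipher are assumptions, as are the service and user names, since the text fixes none of them.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_service_key(service: str, feature: bytes) -> bytes:
    """Step 202 key generation algorithm (assumed): HKDF over the biometric feature
    value, salted with the service name so each service gets an unrelated key."""
    return hkdf_sha256(feature, service.encode(), b"auth-key")


def compute_sres(key: bytes, rand: bytes) -> bytes:
    """Steps 206/210 'applicable algorithm' (assumed): SRES = HMAC-SHA256(key, RAND)."""
    return hmac.new(key, rand, hashlib.sha256).digest()


def derive_enc_key(service: str, key: bytes) -> bytes:
    # Step S40: encryption key derived from the first key information (assumed HKDF).
    return hkdf_sha256(key, service.encode(), b"enc-key")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative HMAC-counter keystream for S41/S42 (use an AEAD in practice)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR: encrypts and decrypts


class BiometricInfoServer:
    """Stores only the feature value per (service, user); raw biometrics never leave it (step 209)."""
    def __init__(self):
        self.table = {}

    def register(self, service: str, user_id: str, feature: bytes) -> None:
        self.table[(service, user_id)] = feature

    def lookup(self, service: str, user_id: str):
        return self.table.get((service, user_id))


class ServiceServer:
    def __init__(self, service: str, bio_server: BiometricInfoServer):
        self.service = service
        self.bio_server = bio_server
        self.pending = {}       # user_id -> RAND issued in step 204
        self.session_keys = {}  # user_id -> decryption key for step S42

    def challenge(self, user_id: str) -> bytes:
        rand = secrets.token_bytes(16)  # fresh per request, so a captured SRES cannot be replayed
        self.pending[user_id] = rand
        return rand

    def verify(self, user_id: str, first_sres: bytes) -> bool:
        rand = self.pending.pop(user_id, None)                    # one-shot challenge
        feature = self.bio_server.lookup(self.service, user_id)   # step 209
        if rand is None or feature is None:
            return False
        key = derive_service_key(self.service, feature)
        second_sres = compute_sres(key, rand)                     # step 210
        if not hmac.compare_digest(first_sres, second_sres):      # constant-time match
            return False
        self.session_keys[user_id] = derive_enc_key(self.service, key)
        return True


class MobileTerminal:  # stores no biometric data; every run uses the freshly captured feature
    def authenticate(self, server: ServiceServer, user_id: str, fresh_feature: bytes):
        key = derive_service_key(server.service, fresh_feature)   # step 202
        rand = server.challenge(user_id)                           # steps 203-206
        ok = server.verify(user_id, compute_sres(key, rand))       # steps 207-211
        return ok, (derive_enc_key(server.service, key) if ok else None)  # S40


def demo() -> dict:
    # Constructed scenario: one registered user, one impostor, one encrypted message.
    bio = BiometricInfoServer()
    bio.register("payment", "user@example.com", b"constructed-iris-feature-001")
    server = ServiceServer("payment", bio)
    terminal = MobileTerminal()
    ok, enc_key = terminal.authenticate(server, "user@example.com", b"constructed-iris-feature-001")
    nonce = b"constructed-nonce"
    ciphertext = keystream_xor(enc_key, nonce, b"pay 10 to merchant 42")                   # S41
    recovered = keystream_xor(server.session_keys["user@example.com"], nonce, ciphertext)  # S42
    impostor_ok, _ = terminal.authenticate(server, "user@example.com", b"constructed-iris-feature-999")
    return {"legit": ok, "impostor": impostor_ok, "recovered": recovered, "ciphertext": ciphertext}
```

The example assumes the biometric feature value is bit-for-bit stable across captures; a real sensor reading is noisy, so a deployment would need a fuzzy extractor or template-matching step before key derivation, which the text does not address.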
For another example, taking mobile communication network access authentication by the mobile terminal, the service server may be an operator server. In this case, the user turns on the mobile communication network connection switch of the mobile terminal, and the mobile terminal prompts the user to input the corresponding biometric information (for example, a human face). After the face input by the user is obtained, the face information is converted into key information, for example an International Mobile Subscriber Identity (IMSI), an authentication key (Ki) and the like, by using the key generation algorithm corresponding to the access authentication. The mobile terminal starts an access authentication procedure with the operator server by sending an authentication request to the operator server, the operator server returns a random number RAND generated in real time to the mobile terminal, and the mobile terminal calculates a verification result SRES (marked as the first SRES) according to the random number returned by the operator server and the previously obtained key information such as the IMSI and Ki, by using an algorithm related to the access authentication (for example, the A3 algorithm).
When the user joins the network and applies for a mobile phone number, the user may register at a designated institution or outlet of the operator, and the face information of the user is uploaded to the biometric information management server, which may establish a correspondence table of "mobile communication network access-user identification information-face" and store the face information. The identification information of the user may preferably be a mobile phone number or an identity card number; if it is the mobile phone number, the biometric information management server establishes the correspondence table of "mobile communication network access-mobile phone number-face". The user may input the mobile phone number before or after inputting the face, and the authentication request carries the mobile phone number input by the user. The operator server obtains the corresponding face information from the biometric information management server by using the mobile phone number, calculates a face verification result (marked as the second SRES) according to the face information and the random number RAND by using the A3 algorithm or the like, and compares whether the first SRES is consistent with the second SRES: if they are consistent, the user is determined to be a legitimate user and is allowed to access the mobile communication network; otherwise, the user is determined to be an illegitimate user and access to the mobile communication network is rejected.
Further, if the operator server determines that the user is a valid user and allows access to the mobile communication network, the mobile terminal may calculate an encryption key Kc from key information such as Ki using a certain communication encryption algorithm (e.g., A8 algorithm) to encrypt communication data transmitted to the operator server using Kc, and the operator server may generate a decryption key from face information acquired from the biometric information management server and a related algorithm to decrypt the encrypted communication data, thereby securely and reliably completing encryption and decryption of the communication data. Therefore, the mobile communication network access authentication performed through the biometric information can replace the existing Subscriber Identity Module (SIM) card, that is, the mobile terminal can access the mobile communication network for surfing the internet, making a call, sending a short message and the like after the biometric information authentication is passed without installing the SIM card at present.
For another example, taking the example that the user opens the bank APP on the mobile terminal, the service server may be a bank server, when the mobile terminal detects that the user starts the bank APP, the mobile terminal prompts the user to input corresponding biometric information (e.g., iris), after obtaining the iris input by the user, the iris information is converted into key information by using a key generation algorithm corresponding to the banking service, the key information includes private key information for encryption and decryption, and the like, and the mobile terminal sends an authentication request to the bank server to start an authentication process.
When the user opens an account, the user needs to register at a designated institution or outlet of the bank and upload the iris information of the user to the biometric information management server, which may establish a correspondence table of "banking service-user identification information-iris" and store the iris information. The identification information of the user may preferably be a mobile phone number or an identity card number; if it is the identity card number, the biometric information management server establishes the correspondence table of "banking service-identity card number-iris". The user may also input the identity card number before or after inputting the iris, and the authentication request carries the identity card number input by the user. The bank server obtains the corresponding iris information from the biometric information management server by using the identity card number, and may at this point return a response to the authentication request to the mobile terminal, the response comprising a random number RAND generated in real time and a HASH of the random number, with the random number and its HASH encrypted by a public key. The mobile terminal calculates the HASH of the random number and decrypts the HASH of the random number included in the response with the private key; if the HASH calculated by the mobile terminal is the same as the HASH decrypted with the private key, the mobile terminal can confirm that the identity of the bank server is legitimate.
Further, the mobile terminal calculates a verification result SRES (marked as the first SRES) and the corresponding HASH according to the random number included in the response to the authentication request and the key information obtained by converting the iris information, by using an algorithm agreed between the mobile terminal and the bank server, encrypts the verification result SRES and the HASH with the private key, and sends them to the bank server. The bank server calculates a verification result (marked as the second SRES) and the corresponding HASH according to the iris information acquired from the biometric information management server and the random number included in the response to the authentication request by using the agreed algorithm. After decrypting with the public key, if the HASH sent by the mobile terminal is verified to be the same as the HASH calculated by the bank server, the bank server compares whether the first SRES is consistent with the second SRES: if so, the bank server determines that the user is a legitimate user and allows the user to start and operate the bank APP; if not, the user is determined to be an illegitimate user and is refused permission to start and/or operate the bank APP.
In the embodiment of the invention, the mobile terminal determines a service to be authenticated triggered by the user, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information input by the user, and sends an authentication request for the service to be authenticated to the service server, the authentication request carrying identification information of the user. The service server generates a response of the authentication request and sends it to the mobile terminal; the mobile terminal obtains a first verification result from the first key information and the response of the authentication request and sends the first verification result to the service server. The service server obtains second biometric information corresponding to the identification information of the user from the biometric information management server and obtains a second verification result from the second biometric information and the response of the authentication request. If the first verification result matches the second verification result, the service server determines that the user is legitimate and that the authentication of the service to be authenticated passes; if they do not match, the service server determines that the user is illegitimate and that the authentication fails.
It can be seen that, because the biometric information is submitted to the biometric information management server for unified storage and management and the mobile terminal side does not store it, when service authentication is performed the mobile terminal side generates a verification result from the biometric information most recently input by the user, the service server side generates a verification result from the biometric information obtained from the biometric information management server, and the service server can determine whether the service authentication passes by judging whether the two verification results match, thereby realizing service authentication that is both secure and highly versatile.
Please refer to fig. 3, which is a schematic structural diagram of a mobile terminal according to an embodiment of the present invention based on the architecture of the open wireless access system shown in fig. 1. The mobile terminal described in this embodiment includes:
a determining module 301, configured to determine a service to be authenticated triggered by a user.
An obtaining module 302, configured to obtain first biometric information input by the user for the service to be authenticated.
The processing module 303 is configured to generate first key information by using a key generation algorithm corresponding to a service to be authenticated and the first biometric characteristic information.
A sending module 304, configured to send an authentication request for the service to be authenticated to the service server, where the authentication request carries identification information of the user.
A receiving module 305, configured to receive a response to the authentication request sent by the service server.
The processing module 303 is further configured to obtain a first verification result according to the first key information and the response of the authentication request.
The sending module 304 is further configured to send the first verification result to the service server to instruct the service server to obtain, from the biometric information management server, second biometric information corresponding to the identification information of the user, so that the service server authenticates the service to be authenticated according to the second biometric information, the response of the authentication request, and the first verification result.
In some possible embodiments, the obtaining module 302 includes an obtaining unit 3020 and an output unit 3021, wherein:
the obtaining unit 3020 is configured to obtain a service security level corresponding to the service to be authenticated.
The output unit 3021 is configured to output an input prompt of the biometric information corresponding to the service security level.
The acquiring unit 3020 is further configured to acquire first biometric information input by the user in response to the input prompt.
In some possible embodiments, the mobile terminal further comprises an output module 306, wherein:
the obtaining module 302 is further configured to obtain the user permission level of the user from the service server.
The output module 306 is configured to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services that can be used by the user.
The determining module 301 is specifically configured to determine a service to be authenticated, which is triggered by the user from services that can be used by the user.
In some possible embodiments, the receiving module 305 is further configured to receive an authentication result of the service to be authenticated, sent by the service server.
The processing module 303 is further configured to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that the authentication passes.
The processing module 303 is further configured to encrypt the data of the service to be authenticated by using the encryption key information.
The sending module 304 is further configured to send the encrypted data of the service to be authenticated to the service server, so as to instruct the service server to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
It can be understood that the functions of each functional module of the mobile terminal in this embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the relevant description of the foregoing method embodiment, which is not described herein again.
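The challenge/response exchange described for the banking example above (RAND and its HASH from the server, first and second SRES compared on the server side) together with the post-authentication encryption step (encryption key derived from the first key information on the terminal, decryption on the server from the template it fetched), as an added Python simulation that is not part of the patent. Assumptions: the key generation algorithm, the agreed SRES algorithm and the encryption key generation algorithm are all modelled as HMAC-SHA256 constructions; the iris samples are treated as already converted to a stable template, so identical captures yield identical keys; the public-key wrapping of the response is omitted; the stream cipher is a labelled stand-in, not anything the patent specifies.

```python
import hashlib
import hmac
import os


def derive_key(biometric_template: bytes, service_id: str) -> bytes:
    # Service-specific key generation algorithm (assumed: HMAC-SHA256 keyed
    # with the service identifier). Terminal and server derive it independently.
    return hmac.new(service_id.encode(), biometric_template, hashlib.sha256).digest()


def compute_sres(key: bytes, rand: bytes) -> bytes:
    # The "agreed algorithm" for the verification result SRES (assumed: HMAC-SHA256).
    return hmac.new(key, rand, hashlib.sha256).digest()


def derive_enc_key(first_key: bytes, service_id: str) -> bytes:
    # Encryption key generation algorithm (assumed): a second derivation from
    # the key information, bound to the service under a distinct label.
    return hmac.new(first_key, b"enc|" + service_id.encode(), hashlib.sha256).digest()


def stream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo only: HMAC-SHA256 counter keystream XORed
    # with the data (symmetric, so the same call decrypts). A deployment would
    # use an authenticated cipher such as AES-GCM instead.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(enc_key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class BiometricInfoServer:
    # Holds the "service - user identification - template" correspondence table.
    def __init__(self):
        self._table = {}

    def register(self, service_id: str, user_id: str, template: bytes) -> None:
        self._table[(service_id, user_id)] = template

    def lookup(self, service_id: str, user_id: str):
        return self._table.get((service_id, user_id))


class ServiceServer:
    def __init__(self, service_id: str, bio_server: BiometricInfoServer):
        self.service_id = service_id
        self._bio = bio_server
        self._pending = {}       # user_id -> outstanding RAND (single use)
        self._session_keys = {}  # user_id -> server-side encryption key

    def handle_auth_request(self, user_id: str) -> dict:
        # Response of the authentication request: fresh RAND and its HASH.
        rand = os.urandom(16)
        self._pending[user_id] = rand
        return {"RAND": rand, "HASH": hashlib.sha256(rand).digest()}

    def verify(self, user_id: str, first_sres: bytes, first_hash: bytes) -> bool:
        rand = self._pending.pop(user_id, None)   # one challenge, one answer
        template = self._bio.lookup(self.service_id, user_id)
        if rand is None or template is None:
            return False
        # Integrity of the terminal's message: HASH must be the hash of SRES.
        if not hmac.compare_digest(hashlib.sha256(first_sres).digest(), first_hash):
            return False
        second_key = derive_key(template, self.service_id)
        second_sres = compute_sres(second_key, rand)
        if not hmac.compare_digest(first_sres, second_sres):
            return False
        # Authentication passed: derive the server's copy of the encryption key
        # from the second biometric information, never from the terminal's message.
        self._session_keys[user_id] = derive_enc_key(second_key, self.service_id)
        return True

    def decrypt_service_data(self, user_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
        return stream_xor(self._session_keys[user_id], nonce, ciphertext)


class MobileTerminal:
    # Stores no template: every run derives the key from the fresh capture.
    def authenticate(self, server: ServiceServer, user_id: str, captured: bytes):
        resp = server.handle_auth_request(user_id)
        if not hmac.compare_digest(hashlib.sha256(resp["RAND"]).digest(), resp["HASH"]):
            return None                            # malformed or tampered response
        first_key = derive_key(captured, server.service_id)
        first_sres = compute_sres(first_key, resp["RAND"])
        ok = server.verify(user_id, first_sres, hashlib.sha256(first_sres).digest())
        return derive_enc_key(first_key, server.service_id) if ok else None


def run_demo(enrolled: bytes, captured: bytes, payload: bytes = b"transfer 100 to acct 42"):
    # Enrol a constructed template, authenticate with a fresh capture, then send
    # one encrypted record. Returns (authenticated, plaintext recovered by server).
    bio = BiometricInfoServer()
    bio.register("banking", "ID-0001", enrolled)
    server = ServiceServer("banking", bio)
    enc_key = MobileTerminal().authenticate(server, "ID-0001", captured)
    if enc_key is None:
        return False, None
    nonce = os.urandom(12)
    ciphertext = stream_xor(enc_key, nonce, payload)
    return True, server.decrypt_service_data("ID-0001", nonce, ciphertext)
```

A capture that converts to a different template than the enrolled one yields a first SRES that never matches the second, so the server rejects it without ever having seen the template itself.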
In the embodiment of the invention, the mobile terminal determines a service to be authenticated triggered by the user, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information input by the user, sends an authentication request for the service to be authenticated that carries identification information of the user, receives the response of the authentication request sent by the service server, obtains a first verification result from the first key information and the response of the authentication request, and sends the first verification result to the service server to instruct the service server to obtain second biometric information corresponding to the identification information of the user from the biometric information management server and to authenticate the service to be authenticated according to the second biometric information, the response of the authentication request and the first verification result. It can be seen that, because the biometric information is submitted to the biometric information management server for unified storage and management and the mobile terminal side does not store it, when service authentication is performed the mobile terminal side generates a verification result from the biometric information most recently input by the user, the service server side generates a verification result from the biometric information obtained from the biometric information management server, and the service server can determine whether the service authentication passes by judging whether the two verification results match, thereby realizing service authentication that is both secure and highly versatile.
Please refer to fig. 4, which is a schematic structural diagram of a service server provided based on the architecture of the open wireless access system shown in fig. 1 according to an embodiment of the present invention. The service server described in this embodiment includes:
a receiving module 401, configured to receive an authentication request for a service to be authenticated, where the authentication request carries identification information of a user, and the authentication request is sent by the mobile terminal.
A sending module 402, configured to send a response to the authentication request to the mobile terminal, so as to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request, where the first key information is generated by the mobile terminal using a key generation algorithm corresponding to the service to be authenticated and the first biometric information input by the user.
The receiving module 401 is further configured to receive the first verification result sent by the mobile terminal.
An obtaining module 403, configured to obtain, from the biometric information management server, second biometric information corresponding to the identification information of the user.
A processing module 404, configured to obtain a second verification result according to the second biometric information and the response of the authentication request.
An authentication module 405, configured to authenticate the service to be authenticated according to the first verification result and the second verification result, and to determine that the service to be authenticated passes the authentication when the first verification result matches the second verification result.
In some possible embodiments, the obtaining module 403 includes:
a sending unit 4030, configured to send a biometric information acquisition request to the biometric information management server, where the biometric information acquisition request carries the identification information of the user and the identification information of the service server, so as to instruct the biometric information management server to query the second biometric information corresponding to the identification information of the user and the identification information of the service server.
A receiving unit 4031, configured to receive the second biometric information sent by the biometric information management server.
In some possible embodiments, the receiving module 401 is further configured to receive a user permission level obtaining request sent by the mobile terminal when detecting an initialization operation input by the user, where the user permission level obtaining request carries identification information of the user.
The obtaining module 403 is further configured to obtain, from the biometric information management server, third biometric information corresponding to the identification information of the user.
The processing module 404 is further configured to determine, according to the third biological feature information, a user permission level corresponding to the identification information of the user.
The sending module 402 is further configured to send the user permission level to the mobile terminal, so as to instruct the mobile terminal to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services that can be used by the user.
In a specific implementation, the receiving module 401 receives a user permission level obtaining request sent by the mobile terminal, where the user permission level obtaining request carries identification information of a user, and the sending module 402 sends a response of the user permission level obtaining request to the mobile terminal, so that the mobile terminal obtains a third verification result according to the second key information and the response of the user permission level obtaining request, where the second key information is generated by the mobile terminal using a preset key generation algorithm and fourth biometric information input by the user. The receiving module 401 receives a third verification result sent by the mobile terminal, the obtaining module 403 obtains third biometric feature information corresponding to the identification information of the user from the biometric feature information management server, the processing module 404 obtains a fourth verification result according to the third biometric feature information and a response of the user permission level obtaining request, the obtaining module 403 obtains a user permission level corresponding to the identification information of the user under the condition that the third verification result is matched with the fourth verification result, the sending module 402 sends the user permission level to the mobile terminal, so that the mobile terminal outputs an initialization interface corresponding to the user according to the user permission level, the initialization interface corresponding to the user displays services available to the user, and the service to be authenticated is triggered from the available services by the user.
In some possible embodiments, the sending module 402 is further configured to send, to the mobile terminal, an authentication result of the service to be authenticated, where the authentication result is used to instruct the mobile terminal to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication passes.
The receiving module 401 is further configured to receive the data of the service to be authenticated, which is sent by the mobile terminal and encrypted by using the encryption key information.
The processing module 404 is further configured to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
It can be understood that the functions of each functional module and unit of the service server in this embodiment may be specifically implemented according to the method in the foregoing method embodiment, and the specific implementation process may refer to the relevant description of the foregoing method embodiment, which is not described herein again.
In the embodiment of the invention, the service server determines a service to be authenticated triggered by a user, receives an authentication request for the service to be authenticated sent by the mobile terminal, where the authentication request carries identification information of the user, generates a response of the authentication request, and sends the response of the authentication request to the mobile terminal so as to instruct the mobile terminal to obtain a first verification result according to first key information and the response of the authentication request. The service server receives the first verification result sent by the mobile terminal, acquires second biometric information corresponding to the identification information of the user from the biometric information management server, further obtains a second verification result according to the second biometric information and the response of the authentication request, and determines that the service to be authenticated passes the authentication when the first verification result matches the second verification result.
It can be seen that, because the biometric information is submitted to the biometric information management server for unified storage and management and the mobile terminal side does not store it, when service authentication is performed the mobile terminal side generates a verification result from the biometric information most recently input by the user, the service server side generates a verification result from the biometric information obtained from the biometric information management server, and the service server can determine whether the service authentication passes by judging whether the two verification results match, thereby realizing service authentication that is both secure and highly versatile.
Please refer to fig. 5, which is a schematic structural diagram of another mobile terminal according to an embodiment of the present invention based on the architecture of the open wireless access system shown in fig. 1. The mobile terminal described in this embodiment includes a transceiver 501, a processor 502, a memory 503, an output device 504, an input device 505, a sensor 506, and a biometric authentication chip 507, wherein the processor 502 is connected to the transceiver 501, the output device 504, the input device 505, the sensor 506, and the biometric authentication chip 507 through a bus.
The transceiver 501 may be a radio frequency receiver or a radio frequency chip, and is configured to receive and transmit a signal 509 through an antenna 508; specifically, the transceiver 501 may include a transmit channel (TX) and a receive channel (RX) integrated together. The processor 502 may specifically be a baseband processor, a baseband chip, a digital signal processor (DSP), or a system on chip (SOC) including a baseband processor and an application processor. The memory 503 is the memory device of the mobile terminal and stores programs and data. It is understood that the memory 503 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory; optionally, it may be at least one memory device located remotely from the processor 502.
The output device 504 may include a display. The input device 505 may be a touch panel, a microphone, or the like, where the touch panel includes a touch screen or the like. The sensor 506 specifically includes a sensor for collecting biometric information such as fingerprints, palm prints, human faces, irises, retinas, voices, veins, gait, genes, and the like, for example a fingerprint sensor, an image sensor, and the like. The biometric authentication chip 507 is used for storing a plurality of key generation algorithms suitable for different business processes, for example a key generation algorithm required for processes such as mobile communication network access and communication encryption, a key generation algorithm required for processes such as logging in to a payment application (APP) or making a payment with the payment APP, a key generation algorithm required for the interface initialization process corresponding to a user on the mobile terminal, and the like. Of course, the various key generation algorithms described above may also be stored in the memory 503.
The biometric authentication chip 507 may be integrated into the processor 502, and the processor 502 may execute the related functions of the biometric authentication chip 507.
The memory 503 is used for storing a set of program codes, and the biometric authentication chip 507 and the processor 502 call the program codes stored in the memory 503 to perform the following operations:
a processor 502, configured to determine a service to be authenticated triggered by a user.
The biometric authentication chip 507 is configured to acquire first biometric information input by the user for the service to be authenticated.
The biometric authentication chip 507 is further configured to generate first key information by using a key generation algorithm corresponding to a service to be authenticated and the first biometric information.
The transceiver 501 is configured to send an authentication request for the service to be authenticated to a service server, where the authentication request carries identification information of the user.
The transceiver 501 is further configured to receive a response to the authentication request sent by the service server.
The biometric authentication chip 507 is further configured to obtain a first verification result according to the first key information and the response of the authentication request.
The transceiver 501 is further configured to send the first verification result to the service server to instruct the service server to obtain, from a biometric information management server, second biometric information corresponding to the identification information of the user, so that the service server authenticates the service to be authenticated according to the second biometric information, the response of the authentication request, and the first verification result.
In some possible embodiments, the specific way for the biometric authentication chip 507 to obtain the first biometric information input by the user for the service to be authenticated is as follows:
acquiring a service security level corresponding to the service to be authenticated;
outputting an input prompt of the biometric information corresponding to the service security level;
acquiring first biometric information input by the user in response to the input prompt.
In some possible embodiments, the processor 502 is further configured to obtain the user permission level of the user from the service server through the transceiver 501.
The output device 504 is configured to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services that can be used by the user.
The processor 502 is specifically configured to determine a service to be authenticated, triggered by the user from services that can be used by the user.
In some possible embodiments, the transceiver 501 is further configured to receive an authentication result of the service to be authenticated, sent by the service server.
The biometric authentication chip 507 is further configured to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that the authentication passes.
The biometric authentication chip 507 is further configured to encrypt the data of the service to be authenticated by using the encryption key information.
The transceiver 501 is further configured to send the encrypted data of the service to be authenticated to the service server, so as to instruct the service server to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
In specific implementation, the transceiver 501, the processor 502, the memory 503, the output device 504, the sensor 506, and the biometric authentication chip 507 described in the embodiment of the present invention may execute the implementation of the mobile terminal described in an embodiment of the service authentication method provided in the embodiment of the present invention, and may also execute the implementation of the mobile terminal described in the first embodiment of the mobile terminal provided in the embodiment of the present invention, which is not described again here.
In the embodiment of the invention, the mobile terminal determines a service to be authenticated triggered by the user, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information input by the user, sends an authentication request for the service to be authenticated that carries identification information of the user, receives the response of the authentication request sent by the service server, obtains a first verification result from the first key information and the response of the authentication request, and sends the first verification result to the service server to instruct the service server to obtain second biometric information corresponding to the identification information of the user from the biometric information management server and to authenticate the service to be authenticated according to the second biometric information, the response of the authentication request and the first verification result. It can be seen that, because the biometric information is submitted to the biometric information management server for unified storage and management and the mobile terminal side does not store it, when service authentication is performed the mobile terminal side generates a verification result from the biometric information most recently input by the user, the service server side generates a verification result from the biometric information obtained from the biometric information management server, and the service server can determine whether the service authentication passes by judging whether the two verification results match, thereby realizing service authentication that is both secure and highly versatile.
Fig. 6 is a schematic structural diagram of another service server provided based on the architecture of the open wireless access system shown in fig. 1 according to an embodiment of the present invention. The service server described in this embodiment includes: a transceiver 601, a processor 602 and a memory 603, wherein the processor 602 is connected to the transceiver 601 and the memory 603 through a bus.
The transceiver 601 may be specifically a radio frequency chip, and includes a transmission path for transmitting a signal 605 through an antenna 604. The processor 602 may specifically be a baseband processor, a baseband chip, a DSP, or an SOC including the baseband processor and an application processor.
The memory 603 is configured to store a set of program codes, and the processor 602 is configured to call the program codes stored in the memory 603, and perform the following operations:
the transceiver 601 is configured to receive an authentication request for a service to be authenticated, where the authentication request carries identification information of a user and is sent by a mobile terminal.
The transceiver 601 is further configured to send a response to the authentication request to the mobile terminal, so as to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request, where the first key information is generated by the mobile terminal using a key generation algorithm corresponding to the service to be authenticated and the first biometric information input by the user.
The transceiver 601 is further configured to receive the first verification result sent by the mobile terminal.
A processor 602, configured to obtain, from a biometric information management server, second biometric information corresponding to the identification information of the user.
The processor 602 is further configured to obtain a second verification result according to the second biometric information and the response of the authentication request.
The processor 602 is further configured to authenticate the service to be authenticated according to the first verification result and the second verification result, and determine that the service to be authenticated passes authentication when the first verification result matches the second verification result.
In some possible embodiments, the processor 602 is specifically configured to:
sending a biometric information acquisition request to the biometric information management server through the transceiver 601, where the biometric information acquisition request carries the identification information of the user and the identification information of the service server, so as to instruct the biometric information management server to query the second biometric information corresponding to the identification information of the user and the identification information of the service server.
The second biometric information transmitted by the biometric information management server is received through the transceiver 601.
In some possible embodiments, the transceiver 601 is further configured to receive a user permission level obtaining request sent by the mobile terminal when detecting an initialization operation input by the user, where the user permission level obtaining request carries identification information of the user.
The processor 602 is further configured to obtain, through the transceiver 601, third biometric information corresponding to the identification information of the user from the biometric information management server.
The processor 602 is further configured to determine, according to the third biometric information, a user permission level corresponding to the identification information of the user.
The transceiver 601 is further configured to send the user permission level to the mobile terminal, so as to instruct the mobile terminal to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services that can be used by the user.
In the specific implementation, the transceiver 601 receives a user permission level acquisition request sent by the mobile terminal, the user permission level acquisition request carries identification information of a user, the transceiver 601 sends a response of the user permission level acquisition request to the mobile terminal, so that the mobile terminal obtains a third verification result according to the second key information and the response of the user permission level acquisition request, and the second key information is generated by the mobile terminal by using a preset key generation algorithm and fourth biometric information input by the user. The transceiver 601 receives a third verification result sent by the mobile terminal, the processor 602 obtains third biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server through the transceiver 601, a fourth verification result is obtained according to the third biological characteristic information and a response of the user permission level obtaining request, the processor 602 obtains a user permission level corresponding to the identification information of the user under the condition that the third verification result is matched with the fourth verification result, the user permission level is sent to the mobile terminal through the transceiver 601, the mobile terminal is enabled to output an initialization interface corresponding to the user according to the user permission level, the initialization interface corresponding to the user displays services available to the user, and the service to be authenticated is triggered from the available services by the user.
In some possible embodiments, the transceiver 601 is further configured to send an authentication result of the service to be authenticated to the mobile terminal, where the authentication result is used to instruct the mobile terminal to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication passes.
The transceiver 601 is further configured to receive data of the service to be authenticated, sent by the mobile terminal and encrypted by using the encryption key information.
The processor 602 is further configured to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
In a specific implementation, the transceiver 601, the processor 602, and the memory 603 described in this embodiment may carry out the implementation described in the embodiment of the service authentication method, and may also carry out the implementation of the service server described in the first service server embodiment; details are not repeated here.
In the embodiment of the invention, a service server receives an authentication request for a service to be authenticated, sent by a mobile terminal, where the authentication request carries identification information of a user. The service server generates a response to the authentication request and sends it to the mobile terminal, instructing the mobile terminal to obtain a first verification result from first key information and the response. The service server receives the first verification result sent by the mobile terminal, acquires second biometric information corresponding to the identification information of the user from a biometric information management server, obtains a second verification result from the second biometric information and the response to the authentication request, and determines that the service to be authenticated passes authentication when the first verification result matches the second verification result. Because the biometric information is submitted to the biometric information management server for unified storage and management, and the mobile terminal side stores no biometric information, during service authentication the mobile terminal generates its verification result from the biometric information most recently input by the user, while the service server generates its own verification result from the biometric information acquired from the biometric information management server; the service server decides whether authentication passes by judging whether the two verification results match. This provides service authentication that is both secure and widely applicable.
Please refer to fig. 7, which is a schematic structural diagram of a service authentication system according to an embodiment of the present invention, based on the architecture of the open wireless access system shown in fig. 1. The service authentication system described in this embodiment includes a biometric information management server 701, a mobile terminal 702, and a service server 703, wherein:
The biometric information management server 701 is configured to store biometric information and provide a query service for the biometric information to the service server 703.
The mobile terminal 702 is configured to determine a service to be authenticated triggered by a user.
The mobile terminal 702 is configured to acquire first biometric feature information input by the user for the service to be authenticated, and generate first key information by using a key generation algorithm corresponding to the service to be authenticated and the first biometric feature information.
The mobile terminal 702 is further configured to send an authentication request for the service to be authenticated to a service server, where the authentication request carries the identification information of the user.
The service server 703 is configured to receive the authentication request sent by the mobile terminal, and generate a response to the authentication request.
The service server 703 is further configured to send a response to the authentication request to the mobile terminal.
The mobile terminal 702 is further configured to receive a response to the authentication request sent by the service server, and obtain a first verification result according to the first key information and the response to the authentication request.
The mobile terminal 702 is further configured to send the first verification result to the service server.
The service server 703 is further configured to receive the first verification result sent by the mobile terminal.
The service server 703 is further configured to obtain second biometric information corresponding to the identification information of the user from the biometric information management server 701, obtain a second verification result according to the second biometric information and the response of the authentication request, authenticate the service to be authenticated according to the first verification result and the second verification result, and determine that the service to be authenticated passes authentication when the first verification result matches the second verification result.
The service server 703 is further configured to send an authentication result of the service to be authenticated to the mobile terminal.
In some possible embodiments, the mobile terminal 702 is further configured to obtain a service security level corresponding to a service to be authenticated, output an input prompt of biometric information corresponding to the service security level, and obtain first biometric information input by a user in response to the input prompt.
In some possible embodiments, the mobile terminal 702 is further configured to obtain fourth biometric information input by the user when the initialization operation input by the user is detected, and generate second key information by using a preset key generation algorithm and the fourth biometric information.
The mobile terminal 702 is further configured to send a user permission level obtaining request to the service server, where the user permission level obtaining request carries identification information of the user.
The service server 703 is further configured to receive the user permission level acquisition request sent by the mobile terminal, and generate a response to the user permission level acquisition request.
The service server 703 is further configured to send a response to the user permission level obtaining request to the mobile terminal.
The mobile terminal 702 is further configured to receive a response of the user permission level obtaining request sent by the service server, and obtain a third verification result according to the second key information and the response of the user permission level obtaining request.
The mobile terminal 702 is further configured to send the third verification result to the service server.
The service server 703 is further configured to receive the third verification result sent by the mobile terminal.
The service server 703 is further configured to obtain third biometric information corresponding to the identification information of the user from the biometric information management server 701, and obtain a fourth verification result according to the third biometric information and the response of the user permission level obtaining request.
The service server 703 is further configured to obtain a user permission level corresponding to the identification information of the user when the third verification result is matched with the fourth verification result, and send the user permission level to the mobile terminal.
The mobile terminal 702 is further configured to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services that can be used by the user.
In some possible embodiments, the mobile terminal 702 is further configured to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that the authentication passes.
The mobile terminal 702 is further configured to encrypt the data of the service to be authenticated by using the encryption key information, and send the encrypted data of the service to be authenticated to the service server.
The service server 703 is further configured to receive the data of the service to be authenticated, which is sent by the mobile terminal and encrypted by using the encryption key information, generate decryption key information according to the second biometric information, and decrypt the encrypted data of the service to be authenticated by using the decryption key information.
In the embodiment of the invention, a mobile terminal determines a service to be authenticated triggered by a user, generates first key information using a key generation algorithm corresponding to the service to be authenticated and first biometric information input by the user, and sends an authentication request for the service to be authenticated to a service server, where the authentication request carries identification information of the user. The service server generates a response to the authentication request and sends it to the mobile terminal; the mobile terminal obtains a first verification result from the first key information and the response, and sends the first verification result to the service server. The service server obtains second biometric information corresponding to the identification information of the user from a biometric information management server and obtains a second verification result from the second biometric information and the response to the authentication request. If the first verification result matches the second verification result, the service server determines that the user is legitimate and that the authentication result of the service to be authenticated is "passed"; if the two do not match, the service server determines that the user is illegitimate and that the authentication result of the service to be authenticated is "not passed".
Because the biometric information is submitted to the biometric information management server for unified storage and management, and the mobile terminal side stores no biometric information, during service authentication the mobile terminal generates its verification result from the biometric information most recently input by the user, while the service server generates its own verification result from the biometric information acquired from the biometric information management server; the service server decides whether authentication passes by judging whether the two verification results match. This provides service authentication that is both secure and widely applicable.
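The following is an added example, not code from the patent or from its assignee, that models the three-party exchange described in this section and in the permission-level (initialization) flow above: the terminal derives key information from a freshly captured sample, the service server issues a challenge, both sides compute a verification result, and the server compares them using biometric information fetched from the management server. The concrete primitives are assumptions not stated in the text: HKDF-SHA256 stands in for the "key generation algorithm", HMAC-SHA256 over a random server nonce is the "verification result", and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the service-data encryption. The biometric information is modelled as a stable template byte string held by both the terminal's capture and the management server; all identifiers and sample values are constructed for the example.

```python
# Added illustration of the three-party flow (mobile terminal / service server /
# biometric information management server); not the patent's code.
import hashlib
import hmac
import secrets

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand; assumed stand-in for the key generation algorithm."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        okm, ctr = okm + block, ctr + 1
    return okm[:length]

def verification_result(key, nonce, user_id, service_id):
    """HMAC over the server's fresh challenge, the user id and the service id."""
    return hmac.new(key, nonce + user_id + service_id, hashlib.sha256).digest()

def _xor_stream(ks_key, iv, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (32-byte blocks)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(ks_key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(enc_key, plaintext):
    """Encrypt-then-MAC; stream and MAC keys are separated from enc_key by HKDF info."""
    iv = secrets.token_bytes(16)
    ct = _xor_stream(hkdf_sha256(enc_key, b"", b"stream"), iv, plaintext)
    tag = hmac.new(hkdf_sha256(enc_key, b"", b"mac"), iv + ct, hashlib.sha256).digest()
    return iv, ct, tag

def decrypt(enc_key, iv, ct, tag):
    """Constant-time tag check before any decryption."""
    expected = hmac.new(hkdf_sha256(enc_key, b"", b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("service data tag mismatch")
    return _xor_stream(hkdf_sha256(enc_key, b"", b"stream"), iv, ct)

class ServiceServer:
    """bims: dict {(user_id, service_id): template}, the management server's query store."""
    def __init__(self, service_id, bims, permission_levels):
        self.service_id, self.bims = service_id, bims
        self.permission_levels = permission_levels  # user_id -> level
        self._challenges = {}                       # user_id -> one-shot nonce

    def respond(self, user_id):
        """Response to an authentication or permission-level request: a fresh nonce."""
        self._challenges[user_id] = nonce = secrets.token_bytes(32)
        return nonce

    def _check(self, user_id, purpose, result):
        nonce = self._challenges.pop(user_id, None)  # single use, so no replay
        if nonce is None:
            return False
        template = self.bims[(user_id, self.service_id)]  # second/third biometric info
        expected = verification_result(hkdf_sha256(template, self.service_id, purpose),
                                       nonce, user_id, self.service_id)
        return hmac.compare_digest(result, expected)

    def permission_level(self, user_id, third_result):
        ok = self._check(user_id, b"init", third_result)
        return self.permission_levels.get(user_id) if ok else None

    def authenticate(self, user_id, first_result):
        return self._check(user_id, b"auth", first_result)

    def decrypt_service_data(self, user_id, iv, ct, tag):
        key2nd = hkdf_sha256(self.bims[(user_id, self.service_id)], self.service_id, b"auth")
        return decrypt(hkdf_sha256(key2nd, self.service_id, b"enc"), iv, ct, tag)

class MobileTerminal:
    """Stores no biometric data; a fresh sample is captured for each operation."""
    def __init__(self, user_id):
        self.user_id = user_id

    def initialize(self, server, sample):
        key2 = hkdf_sha256(sample, server.service_id, b"init")   # preset key generation
        third = verification_result(key2, server.respond(self.user_id), self.user_id, server.service_id)
        return server.permission_level(self.user_id, third)

    def use_service(self, server, sample, data):
        key1 = hkdf_sha256(sample, server.service_id, b"auth")   # service-specific key info
        first = verification_result(key1, server.respond(self.user_id), self.user_id, server.service_id)
        if not server.authenticate(self.user_id, first):
            return None
        enc_key = hkdf_sha256(key1, server.service_id, b"enc")    # encryption key info
        return server.decrypt_service_data(self.user_id, *encrypt(enc_key, data))

def demo(sample):
    """Constructed scenario: one enrolled user, initialization, then one service call."""
    bims = {(b"alice", b"payments"): b"constructed-fingerprint-template-01"}
    server = ServiceServer(b"payments", bims, {b"alice": 2})
    terminal = MobileTerminal(b"alice")
    return terminal.initialize(server, sample), terminal.use_service(server, sample, b"transfer 10 to bob")
```

Two design points follow directly from the text. First, the template is looked up by (user id, service server id), as claims 5 and 11 require, and the user id and service id are included under the HMAC, so a verification result computed for one service is not valid for another. Second, the nonce is consumed on first use, so a captured verification result cannot be presented a second time. The one assumption the page leaves implicit is that the terminal's capture and the stored template reduce to identical bytes; real biometric samples vary between captures, so a deployment would need a stable feature extraction (or a fuzzy-extractor style construction) in front of the key generation algorithm for the two sides' key information to agree.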
It should be noted that, for simplicity of description, the above-mentioned embodiments of the method are described as a series of acts or combinations, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium; the storage medium may include flash disks, read-only memories (ROMs), random access memories (RAMs), magnetic or optical disks, and the like.
The service authentication method, system and related devices provided by the embodiments of the present invention are described in detail above, and the principle and implementation of the present invention are explained in this document by applying specific embodiments, and the description of the embodiments above is only used to help understanding the method and core ideas of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (15)

1. A service authentication method is characterized in that the method is applied to an open wireless access system, the system comprises a service server corresponding to a service to be authenticated, a biological characteristic information management server and a mobile terminal, and the method comprises the following steps:
the mobile terminal determines a service to be authenticated triggered by a user;
the mobile terminal acquires first biological characteristic information input by the user aiming at the service to be authenticated, and generates first key information by using a key generation algorithm corresponding to the service to be authenticated and the first biological characteristic information;
the mobile terminal sends an authentication request for the service to be authenticated to the service server, wherein the authentication request carries the identification information of the user; the identification information of the user comprises one or more of a user name, an email address, a mobile phone number, an employee number and an identity card number;
the mobile terminal receives a response to the authentication request sent by the service server, and obtains a first verification result according to the first key information and the response of the authentication request;
the mobile terminal sends the first verification result to the service server to instruct the service server to acquire second biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server, so that the service server authenticates the service to be authenticated according to the second biological characteristic information, the response of the authentication request and the first verification result;
the mobile terminal receives the authentication result of the service to be authenticated sent by the service server;
when the authentication result is that the authentication is passed, the mobile terminal generates encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information;
and the mobile terminal encrypts the data of the service to be authenticated by using the encryption key information and sends the encrypted data of the service to be authenticated to the service server so as to instruct the service server to decrypt the encrypted data of the service to be authenticated by using the second biological characteristic information.
2. The method according to claim 1, wherein the mobile terminal obtains the first biometric information input by the user for the service to be authenticated, and the method comprises:
the mobile terminal acquires a service security level corresponding to the service to be authenticated;
the mobile terminal outputs an input prompt of the biological characteristic information corresponding to the service security level;
and the mobile terminal acquires first biological characteristic information input by the user in response to the input prompt.
3. The method according to claim 1 or 2, wherein before the mobile terminal determines the service to be authenticated triggered by the user, the method further comprises:
the mobile terminal acquires the user authority level of the user from the service server;
the mobile terminal outputs an initialization interface corresponding to the user according to the user permission level, wherein the initialization interface corresponding to the user displays services available to the user;
the method for determining the service to be authenticated triggered by the user by the mobile terminal includes:
the mobile terminal determines the service to be authenticated triggered by the user from the services available to the user.
4. A service authentication method is applied to an open wireless access system, the system comprises a service server, a biological characteristic information management server and a mobile terminal, and the method comprises the following steps:
the service server receives an authentication request for a service to be authenticated, sent by the mobile terminal, wherein the authentication request carries identification information of a user; the identification information of the user comprises one or more of a user name, an email address, a mobile phone number, an employee number and an identity card number;
the service server sends a response to the authentication request to the mobile terminal to indicate that the mobile terminal obtains a first verification result according to first key information and the response to the authentication request, wherein the first key information is generated by the mobile terminal by using a key generation algorithm corresponding to the service to be authenticated and first biological characteristic information input by the user for the service to be authenticated;
the service server receives the first verification result sent by the mobile terminal;
the service server acquires second biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server;
the service server obtains a second verification result according to the second biological characteristic information and the response of the authentication request;
the service server authenticates the service to be authenticated according to the first verification result and the second verification result, and determines that the service to be authenticated passes the authentication under the condition that the first verification result is matched with the second verification result;
the service server sends an authentication result of the service to be authenticated to the mobile terminal, and the authentication result is used for indicating the mobile terminal to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication passes;
the service server receives the data of the service to be authenticated, which is sent by the mobile terminal and encrypted by using the encryption key information;
and the service server generates decryption key information according to the second biological characteristic information, and decrypts the encrypted data of the service to be authenticated by using the decryption key information.
5. The method according to claim 4, wherein the obtaining, by the service server, the second biometric information corresponding to the identification information of the user from the biometric information management server includes:
the service server sends a biological characteristic information acquisition request to the biological characteristic information management server, wherein the biological characteristic information acquisition request carries the identification information of the user and the identification information of the service server so as to indicate the biological characteristic information management server to inquire the identification information of the user and second biological characteristic information corresponding to the identification information of the service server;
and the service server receives the second biological characteristic information sent by the biological characteristic information management server.
6. The method according to claim 4 or 5, wherein before the service server receives the authentication request for the service to be authenticated sent by the mobile terminal, the method further comprises:
the service server receives a user permission level acquisition request sent by the mobile terminal when detecting the initialization operation input by the user, wherein the user permission level acquisition request carries identification information of the user;
the service server acquires third biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server, and determines a user permission level corresponding to the identification information of the user according to the third biological characteristic information;
and the service server sends the user permission level to the mobile terminal to indicate the mobile terminal to output an initialization interface corresponding to the user according to the user permission level, wherein the initialization interface corresponding to the user shows services available to the user.
7. A mobile terminal applied to an open wireless access system, the system comprising a service server, a biometric information management server, and the mobile terminal, the mobile terminal comprising:
the determining module is used for determining the service to be authenticated triggered by the user;
the acquisition module is used for acquiring first biological characteristic information input by the user aiming at the service to be authenticated;
the processing module is used for generating first key information by using a key generation algorithm corresponding to a service to be authenticated and the first biological characteristic information;
a sending module, configured to send an authentication request for the service to be authenticated to the service server, where the authentication request carries identification information of the user;
a receiving module, configured to receive a response to the authentication request sent by the service server;
the processing module is further configured to obtain a first verification result according to the first key information and the response of the authentication request;
the sending module is further configured to send the first verification result to the service server to instruct the service server to obtain, from the biometric information management server, second biometric information corresponding to the identification information of the user, so that the service server authenticates the service to be authenticated according to the second biometric information, the response of the authentication request, and the first verification result;
the receiving module is further configured to receive an authentication result of the service to be authenticated, which is sent by the service server;
the processing module is further configured to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication result is that the authentication passes;
the processing module is further configured to encrypt the data of the service to be authenticated by using the encryption key information;
the sending module is further configured to send the encrypted data of the service to be authenticated to the service server, so as to instruct the service server to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
8. The mobile terminal of claim 7, wherein the obtaining module comprises an obtaining unit and an output unit, wherein:
the acquiring unit is used for acquiring a service security level corresponding to the service to be authenticated;
the output unit is used for outputting an input prompt of the biological characteristic information corresponding to the service security level;
the acquisition unit is further used for acquiring first biological characteristic information input by the user in response to the input prompt.
9. The mobile terminal according to claim 7 or 8, characterized in that the mobile terminal further comprises an output module, wherein:
the obtaining module is further configured to obtain a user permission level of the user from the service server;
the output module is used for outputting an initialization interface corresponding to the user according to the user permission level, wherein the initialization interface corresponding to the user displays services available to the user;
the determining module is specifically configured to determine the service to be authenticated that is triggered by the user from among the services available to the user.
10. A service server, which is applied to an open wireless access system including the service server, a biometric information management server, and a mobile terminal, the service server comprising:
a receiving module, configured to receive an authentication request for a service to be authenticated, where the authentication request carries identification information of a user, and the authentication request is sent by the mobile terminal;
a sending module, configured to send a response to the authentication request to the mobile terminal, so as to instruct the mobile terminal to obtain a first verification result according to first key information and the response to the authentication request, where the first key information is generated by the mobile terminal by using a key generation algorithm corresponding to the service to be authenticated and first biometric information input by the user;
the receiving module is further configured to receive the first verification result sent by the mobile terminal;
the acquisition module is used for acquiring second biological characteristic information corresponding to the identification information of the user from the biological characteristic information management server;
the processing module is used for obtaining a second verification result according to the second biological characteristic information and the response of the authentication request;
the authentication module is used for authenticating the service to be authenticated according to the first verification result and the second verification result and determining that the service to be authenticated passes the authentication under the condition that the first verification result is matched with the second verification result;
the sending module is further configured to send an authentication result of the service to be authenticated to the mobile terminal, where the authentication result is used to instruct the mobile terminal to generate encryption key information by using an encryption key generation algorithm corresponding to the service to be authenticated and the first key information when the authentication passes;
the receiving module is further configured to receive the data of the service to be authenticated, which is sent by the mobile terminal and encrypted by using the encryption key information;
the processing module is further configured to decrypt the encrypted data of the service to be authenticated by using the second biometric information.
11. The service server of claim 10, wherein the obtaining module comprises:
a sending unit, configured to send a biometric information obtaining request to the biometric information management server, where the biometric information obtaining request carries identification information of the user and identification information of the service server, so as to instruct the biometric information management server to query second biometric information corresponding to the identification information of the user and the identification information of the service server;
a receiving unit, configured to receive the second biometric information sent by the biometric information management server.
12. The service server according to claim 10 or 11, wherein:
the receiving module is further configured to receive a user permission level obtaining request sent by the mobile terminal when the initialization operation input by the user is detected, where the user permission level obtaining request carries identification information of the user;
the acquiring module is further configured to acquire third biometric information corresponding to the identification information of the user from the biometric information management server;
the processing module is further configured to determine a user permission level corresponding to the identification information of the user according to the third biological characteristic information;
the sending module is further configured to send the user permission level to the mobile terminal to instruct the mobile terminal to output an initialization interface corresponding to the user according to the user permission level, where the initialization interface corresponding to the user shows services available to the user.
13. A mobile terminal applied to an open wireless access system, the system comprising a service server, a biometric information management server, and the mobile terminal, the mobile terminal comprising: a processor, a biometric authentication chip, a transceiver and a memory, wherein the processor, the biometric authentication chip, the transceiver and the memory are connected by a bus, the memory stores executable program code, the transceiver is controlled by the processor for transmitting and receiving messages, the biometric authentication chip and the processor are used for calling the executable program code and executing the service authentication method according to any one of claims 1 to 3.
14. A service server applied to an open wireless access system, the system comprising the service server, a biometric information management server, and a mobile terminal, the service server comprising: a processor, a transceiver and a memory, the processor, the transceiver and the memory being connected by a bus, the memory storing executable program code, the transceiver being controlled by the processor for transceiving messages, the processor being configured to invoke the executable program code to perform the service authentication method according to any one of claims 4 to 6.
15. A service authentication system, comprising: a biometric information management server for storing biometric information and providing an inquiry service of the biometric information to the service server, a mobile terminal according to any one of claims 7 to 9, and a service server according to any one of claims 10 to 12.
CN201680087076.XA 2016-09-30 2016-09-30 Service authentication method, system and related equipment Active CN109328348B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/101118 WO2018058544A1 (en) 2016-09-30 2016-09-30 Service authentication method, system, and related devices

Publications (2)

Publication Number Publication Date
CN109328348A CN109328348A (en) 2019-02-12
CN109328348B true CN109328348B (en) 2023-03-03

Family

ID=61763228

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680087076.XA Active CN109328348B (en) 2016-09-30 2016-09-30 Service authentication method, system and related equipment

Country Status (2)

Country Link
CN (1) CN109328348B (en)
WO (1) WO2018058544A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102596874B1 (en) * 2018-05-31 2023-11-02 삼성전자주식회사 System for performing service using biometric information and control method thereof
CN109034816A (en) * 2018-06-08 2018-12-18 平安科技(深圳)有限公司 User information verification method, device, computer equipment and storage medium
CN111327573B (en) * 2018-12-14 2022-12-02 英业达科技有限公司 Device and method for maintaining log-in state record to transfer data
CN110750766B (en) * 2019-10-12 2022-11-04 深圳平安医疗健康科技服务有限公司 Authority verification method, device, computer equipment and storage medium
CN110830264B (en) * 2019-11-06 2022-11-29 北京一砂信息技术有限公司 Service data verification method, server, client and readable storage medium
CN110889679A (en) * 2019-12-09 2020-03-17 苏州盛世达企业管理服务有限公司 Enterprise digital management method and device
CN111176710B (en) * 2019-12-30 2023-10-03 宁波视睿迪光电有限公司 Operation method of terminal software management system and terminal software management system
CN113076533B (en) * 2020-01-03 2023-09-05 中国移动通信集团广东有限公司 Service processing method and device
CN111581624B (en) * 2020-05-18 2023-06-20 中科美络科技股份有限公司 Intelligent terminal user identity authentication method
CN111835713B (en) * 2020-06-01 2023-09-15 视联动力信息技术股份有限公司 Security authentication method, device and storage medium
CN112257041A (en) * 2020-10-19 2021-01-22 当家移动绿色互联网技术集团有限公司 Item control method and device and electronic equipment
CN112398824B (en) * 2020-11-03 2021-12-14 珠海格力电器股份有限公司 Authority verification method, storage medium and electronic equipment
CN113268285B (en) * 2021-06-08 2024-02-02 上海云从企业发展有限公司 Service processing method, system, medium and equipment based on service platform
CN113806725B (en) * 2021-11-17 2022-02-25 北京翰凌科技有限公司 Financial business data cloud interaction method

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101001144A (en) * 2006-01-13 2007-07-18 华为技术有限公司 Method for implementing authentication by entity authentication centre
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN102916968A (en) * 2012-10-29 2013-02-06 北京天诚盛业科技有限公司 Identity authentication method, identity authentication server and identity authentication device
CN105553926A (en) * 2015-06-30 2016-05-04 宇龙计算机通信科技(深圳)有限公司 Authentication method, server, and terminal

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN1151629C (en) * 2001-02-28 2004-05-26 黎明网络有限公司 High-security multi-class data transmission method
CN1933395B (en) * 2005-09-15 2010-05-05 华为技术有限公司 Business service body, and consultation method, system and apparatus for providing interbody communication key
CN105376220B (en) * 2011-11-30 2019-09-17 阿里巴巴集团控股有限公司 Service implementation method, system and server
CN103905400B (en) * 2012-12-27 2017-06-23 中国移动通信集团公司 Service authentication method, apparatus and system
CN105578384B (en) * 2015-05-28 2018-12-25 宇龙计算机通信科技(深圳)有限公司 Service information storage method and device
CN105141427B (en) * 2015-08-18 2018-09-14 广州密码科技有限公司 Login authentication method, apparatus and system based on voiceprint recognition
CN105933280B (en) * 2016-03-15 2019-01-08 天地融科技股份有限公司 Identity authentication method and system

Also Published As

Publication number Publication date
CN109328348A (en) 2019-02-12
WO2018058544A1 (en) 2018-04-05

Similar Documents

Publication Publication Date Title
CN109328348B (en) Service authentication method, system and related equipment
CN106657152B (en) Authentication method, server and access control device
TWI667585B (en) Method and device for safety authentication based on biological characteristics
CN112771826B (en) Application program login method, application program login device and mobile terminal
US10205711B2 (en) Multi-user strong authentication token
CN106612259B (en) Identity recognition, business processing and biological characteristic information processing method and equipment
CN103401880B (en) The system and method that a kind of industrial control network logs in automatically
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN111431719A (en) Mobile terminal password protection module, mobile terminal and password protection method
CN107733652B (en) Unlocking method and system for shared vehicle and vehicle lock
EP2978162B1 (en) Anti-counterfeiting verification method, device and system
CN107864124B (en) Terminal information security protection method, terminal and Bluetooth lock
US9465974B2 (en) Electronic device providing downloading of enrollment finger biometric data via short-range wireless communication
CN105577619B (en) Client login method, client and system
TW201729562A (en) Server, mobile terminal, and internet real name authentication system and method
CN101944216A (en) Two-factor online transaction safety authentication method and system
CN111800273A (en) Information processing method, electronic device, and storage medium
US20150016697A1 (en) Finger biometric sensor data synchronization via a cloud computing device and related methods
Theuermann et al. Mobile-only solution for server-based qualified electronic signatures
US9465818B2 (en) Finger biometric sensor data synchronization via a cloud computing device and related methods
US20220247555A1 (en) Method for securing an execution of a local application and corresponding first and second user device and system
KR100858146B1 (en) Method for personal authentication using mobile and subscriber identify module and device thereof
EP2985712A1 (en) Application encryption processing method, apparatus, and terminal
US11003744B2 (en) Method and system for securing bank account access
CN103745364A (en) Scan code differential scanning-based anti-fake method and scan code differential scanning method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant