Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Example 1
Embodiment 1 provides an authorization method, and a flowchart of a specific implementation of the authorization method is shown in fig. 1, and includes the following main steps:
Step 11: receive the biometric information to be identified.
The biometric information to be identified may be transmitted by the user terminal through the relay device.
The biometric information to be identified is obtained by encrypting the first biometric information according to the specific information and the encryption method.
Step 12: encrypt the stored second biometric information according to the specific information and the encryption method to obtain the registered biometric information.
In embodiment 1, the first biometric information and the second biometric information may be, but are not limited to, fingerprint feature information, palm print feature information, face feature information, iris feature information, eye print feature information, or the like. The first biometric information and the second biometric information may be of the same type or of different types.
Step 13: determine the similarity between the biometric information to be identified and the registered biometric information, and grant the relay device the authority matching the registered biometric information when the similarity meets a preset condition.
In general, the biometric information may be a vector, so the similarity between different pieces of biometric information can be measured by the value of the Euclidean distance between them. Alternatively, Hamming distance or aggregate distance may also be used to measure the similarity between different biometric vectors. Alternatively, a Support Vector Machine (SVM) may be used to train a similarity score model in advance, and the similarity value between different biometric vectors is then determined by model scoring. The similarity satisfying the specific operation execution condition may mean that the value of the similarity is greater than a similarity threshold.
Further, the specific information described above may include, but is not limited to, at least one of a random string, a terminal unique identifier, and a user key. The random string may be randomly generated by the server 12, or by the user terminal 13 or the relay device 11. The terminal unique identifier generally refers to the unique identifier of the user terminal 13 shown in fig. 1. Taking a mobile phone as an example of the user terminal, the unique identifier of the mobile phone may be, but is not limited to, the International Mobile Equipment Identity (IMEI) of the mobile phone, the International Mobile Subscriber Identity (IMSI), the model of the Central Processing Unit (CPU), the Media Access Control (MAC) address, an identifier of the operating system, and/or version information of the operating system. The user key may be a character string input by the user; for example, the user may input the character string into the user terminal, and the user terminal may transmit the character string through the relay device.
To more clearly illustrate the authorization method provided in example 1, the following describes in detail a specific implementation of step 12:
When the second biometric information is a set of biometric vectors, a specific implementation of step 12 may include: according to the specific information and the encryption method, performing an irreversible encryption operation on at least one element included in the biometric vectors forming the set, to obtain the registered biometric information. The irreversible encryption operation may be, but is not limited to, an encryption algorithm including a modulo operation.
The following describes an implementation flow of step 12 in different implementation scenarios by taking different implementation scenarios as examples.
A first implementation scenario: the biometric vector comprises a first element and a second element; and the first element is used for representing the abscissa of the biological detail characteristic information in a two-dimensional space where the image is located, and the second element is used for representing the ordinate of the biological detail characteristic information in the two-dimensional space.
In a first implementation scenario, performing an irreversible encryption operation on at least one element included in the biometric vector according to the specific information and the encryption method may include: according to the specific information and the encryption method, the first element and the second element included in each biometric vector constituting the second biometric information are respectively subjected to irreversible encryption operation.
Specifically, when the specific information is a random character string, a terminal unique identifier, and a user key, respectively performing irreversible encryption operations on a first element and a second element included in each biometric vector constituting the second biometric information according to the specific information and an encryption method may include the following sub-steps:
First sub-step: use encryption algorithm 1 to perform an encryption calculation on the information set consisting of the random character string, the terminal unique identifier and the user key, to obtain security information set 1.
Encryption algorithm 1 may be an encryption algorithm using a cryptographic hash function, such as a Secure Hash Algorithm (SHA).
Second sub-step: use encryption algorithm 2 to encrypt security information set 1 again, to obtain the encrypted security information set 1.
Encryption algorithm 2 may also be an encryption algorithm using a cryptographic hash function, such as SHA.
Third sub-step: perform the following operation for each biometric vector included in the second biometric information: convert the first element and the second element of the biometric vector according to the encrypted security information set 1, the height value and the width value of the image, and a coordinate conversion algorithm, to obtain a converted first element and a converted second element.
The coordinate transformation algorithm used in the third substep can further refer to embodiment 3 described later, and is not described herein again.
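The three sub-steps above, sketched in Python as an added example (not code from the application). SHA-256 stands in for encryption algorithms 1 and 2; because the coordinate conversion algorithm of embodiment 3 is not reproduced in this passage, convert_coordinates is a hypothetical many-to-one modulo transform, and all sample values are constructed.

```python
import hashlib

# Constructed sample inputs (not real identifiers).
RANDOM_STRING = b"constructed-random-string-A"
TERMINAL_ID = b"IMEI-PLACEHOLDER-000000000000000"
USER_KEY = b"constructed user passphrase"
WIDTH, HEIGHT = 256, 256
# (x, y, feature pattern identifier, deflection angle), constructed minutiae.
TEMPLATE = [(10, 20, 3, 45), (138, 20, 1, 90), (200, 150, 2, 270)]


def derive_security_set(random_string: bytes, terminal_id: bytes, user_key: bytes) -> bytes:
    """Sub-steps one and two: hash the information set, then hash the result again."""
    fields = (random_string, terminal_id, user_key)
    # Length-prefix every field so ("ab", "c") and ("a", "bc") give different input.
    material = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    security_set_1 = hashlib.sha256(material).digest()   # stands in for algorithm 1
    return hashlib.sha256(security_set_1).digest()       # stands in for algorithm 2


def convert_coordinates(x, y, security_set, width, height, folds=2):
    """Sub-step three with an assumed conversion (hypothetical, not the page's formula).

    The offset comes from the security set; reducing modulo a cell smaller than
    the image folds several source coordinates onto one output, so the output
    does not determine the input even when the security set is known.
    """
    dx = int.from_bytes(security_set[0:8], "big")
    dy = int.from_bytes(security_set[8:16], "big")
    return ((x + dx) % (width // folds), (y + dy) % (height // folds))


def convert_template(template, security_set, width, height):
    """Convert the first and second element of every vector; keep the other elements."""
    return [
        convert_coordinates(x, y, security_set, width, height) + tuple(rest)
        for (x, y, *rest) in template
    ]


if __name__ == "__main__":
    sec = derive_security_set(RANDOM_STRING, TERMINAL_ID, USER_KEY)
    print("security set:", sec.hex())
    for before, after in zip(TEMPLATE, convert_template(TEMPLATE, sec, WIDTH, HEIGHT)):
        print(before, "->", after)
    # A new random string gives a new security set, so a stored template can be
    # replaced without the underlying biometric changing.
    rotated = derive_security_set(b"constructed-random-string-B", TERMINAL_ID, USER_KEY)
    print("rotated set differs:", rotated != sec)
```

The same three inputs always give the same converted vectors, which is what lets step 13 compare the two sides without either holding the original coordinates.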
In the first implementation scenario, if the biometric vector forming the second biometric information further includes a third element, and the third element is used to represent the feature pattern identifier of the biometric feature information, the process of performing the irreversible encryption operation on at least one element included in the biometric vector according to the specific information and the encryption method may further include: performing an encryption operation on the third element included in each biometric vector forming the second biometric information, according to the total number of feature patterns and the feature pattern identifier conversion algorithm, to obtain encrypted third elements.
The total number of the feature patterns is the total number of the feature patterns of the counted biological detail feature information which can be identified, and the total number of the feature patterns can be obtained by training image samples comprising the biological detail feature information. The feature pattern identifier conversion algorithm may further refer to embodiment 3 described later, and will not be described herein.
In a first implementation scenario, in addition to the above-described encryption operation on the third element, other reversible or irreversible encryption operations may be performed on the third element.
In the first implementation scenario, if the biometric vector forming the second biometric information further includes a fourth element, and the fourth element is used to indicate a deflection angle of the coordinates of the biometric information in the two-dimensional space of the image with respect to a specified reference in the two-dimensional space, the process of performing the irreversible encryption operation on at least one element included in the biometric vector according to the specific information and the encryption method may further include: performing an encryption operation on the fourth element included in each biometric vector forming the second biometric information, according to the specific information and the encryption method, to obtain the encrypted fourth elements.
Specifically, when the specific information is a random character string, a terminal unique identifier, and a user key, the process of performing an encryption operation on a fourth element included in each biometric vector constituting the second biometric information may include the following sub-steps:
First sub-step: use encryption algorithm 3 to perform an encryption calculation on the information set consisting of the random character string, the terminal unique identifier and the user key, to obtain security information set 2.
Encryption algorithm 3 may be an encryption algorithm using a cryptographic hash function, such as SHA.
Second sub-step: use encryption algorithm 4 to encrypt security information set 2 again, to obtain the encrypted security information set 2.
Encryption algorithm 4 may also be an encryption algorithm using a cryptographic hash function, such as SHA.
Third sub-step: perform the following operation for each biometric vector included in the second biometric information: convert the fourth element of the biometric vector according to the deflection angle conversion algorithm and the encrypted security information set 2, to obtain the converted fourth element.
The algorithm for converting the deflection angle used in the third sub-step can further refer to embodiment 3, which is not described herein again.
In the first implementation scenario, if the biometric vector constituting the second biometric information includes a fifth element (indicating a combination) in addition to the first element and the second element described above, and the combination is a combination of a deflection angle of coordinates of the biometric feature information in the two-dimensional space of the image with respect to a specified reference object in the two-dimensional space and a feature pattern indication of the biometric feature information, the process of performing the irreversible encryption operation on at least one element included in the biometric vector may further include:
According to the combination identifier conversion algorithm and the combination number determined by training on image samples, performing an encryption operation on the third elements included in each biometric vector forming the second biometric information, to obtain encrypted third elements. The combination identifier conversion algorithm mentioned here can further refer to formula [2] in embodiment 3 below, and is not described herein again.
The combination number is the combination number of the deflection angle of the coordinate of the different biological detail characteristic information in the two-dimensional space with respect to the specified reference object in the two-dimensional space and the characteristic pattern identifier of the different biological detail characteristic information. The image may be an image including biometric feature information. The two-dimensional space may be a two-dimensional space in which an image including biological detail feature information is located.
In a first implementation scenario, in addition to the above-described encryption operation, other reversible or irreversible encryption operations may be performed on the fifth element.
Second implementation scenario: the biometric vector includes only the third element described above.
In the second implementation scenario, a specific implementation of performing an irreversible encryption operation, according to the specific information and the encryption method, on at least one element included in the biometric vectors forming the second biometric information to obtain the registered biometric information may include: according to the specific information and the encryption method, performing an irreversible encryption operation on the third element in each biometric vector forming the second biometric information, to obtain encrypted third elements.
The third implementation scenario: the biometric vector includes the third element and the fourth element described above.
In the third implementation scenario, a specific implementation of performing an irreversible encryption operation, according to the specific information and the encryption method, on at least one element included in the biometric vectors forming the second biometric information to obtain the registered biometric information may include: according to the specific information and the encryption method, performing an irreversible encryption operation on the third element and the fourth element in each biometric vector forming the second biometric information, to obtain an encrypted third element. Alternatively, only the third element in each biometric vector may be subjected to the irreversible encryption operation, to obtain an encrypted third element; or only the fourth element in each biometric vector may be subjected to the irreversible encryption operation, to obtain an encrypted fourth element.
Other implementation scenarios are not listed in example 1. It will be appreciated by those skilled in the art that other implementations of step 12 are possible depending on the particular information content, the encryption algorithm used, the number of times the encryption algorithm is used, and so on. However, whatever the specific information and the encryption method, any scheme that performs an irreversible encryption operation on at least one element included in the biometric vectors constituting the second biometric information is a subordinate scheme covered by step 12.
Optionally, in order to enhance the security of the registered biometric information, a hash point may be further added to the registered biometric information to hide the biometric information.
Step 13 is further described in detail below:
If the biometric features to be recognized are all hidden by using the hash points in embodiment 1, the similarity between the biometric feature information to be recognized and the registered biometric feature information may be determined in the following manner:
First, a specific number of pieces of information satisfying a first specific condition may be deleted from the biometric information to be recognized, and a specific number of pieces of information satisfying a second specific condition may be deleted from the registered biometric information. The specific number is the number of hash points added to the biometric information to be identified; the first specific condition is "identical to any piece of information included in the registered biometric information"; the second specific condition is "identical to any piece of information included in the biometric information to be recognized".
Then, the similarity between the biometric information to be recognized after the deletion of the certain number of pieces of information and the registered biometric information after the deletion of the certain number of pieces of information is determined again.
The deletion of the same information of the registered biometric information and the biometric information to be recognized is advantageous in that it is possible to avoid the influence on the accuracy of the value of the similarity between the biometric information to be recognized and the registered biometric information due to the presence of the hash point.
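The hash-point deletion described above, as an added Python example (not code from the application). It assumes the same hash points are present in both sets, uses a Euclidean-distance match rate as the similarity measure, and the vectors, tolerance and threshold are all constructed.

```python
import math

# Constructed data: converted (x, y) vectors plus the hash points hiding them.
HASH_POINTS = [(5, 5), (200, 40), (90, 180), (30, 220)]
REGISTERED = [(10, 20), (50, 60), (120, 80), (160, 140)] + HASH_POINTS
GENUINE_PROBE = [(11, 21), (49, 62), (121, 79), (158, 141)] + HASH_POINTS
IMPOSTOR_PROBE = [(70, 15), (15, 100), (180, 200), (230, 90)] + HASH_POINTS


def strip_common(probe, registered, count):
    """Delete up to `count` entries from each set that also occur in the other set."""
    def drop(items, other):
        kept, dropped = [], 0
        for item in items:
            if dropped < count and item in other:
                dropped += 1          # identical in both sets: treated as a hash point
            else:
                kept.append(item)
        return kept
    return drop(probe, set(registered)), drop(registered, set(probe))


def similarity(probe, registered, tolerance=3.0):
    """Fraction of probe vectors lying within `tolerance` of some registered vector."""
    if not probe:
        return 0.0
    hits = sum(
        1 for p in probe
        if any(math.dist(p, r) <= tolerance for r in registered)
    )
    return hits / len(probe)


def authorize(probe, registered, hash_point_count, threshold=0.4):
    """Step 13: strip the shared hash points, then compare similarity to the threshold."""
    stripped_probe, stripped_registered = strip_common(probe, registered, hash_point_count)
    return similarity(stripped_probe, stripped_registered) > threshold


if __name__ == "__main__":
    n = len(HASH_POINTS)
    # Without deletion the shared hash points alone give the impostor a 0.5 score,
    # which is above the constructed threshold of 0.4.
    print("impostor, no deletion:", similarity(IMPOSTOR_PROBE, REGISTERED))
    print("impostor authorized:", authorize(IMPOSTOR_PROBE, REGISTERED, n))
    print("genuine authorized:", authorize(GENUINE_PROBE, REGISTERED, n))
```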
As can be seen from the above description of embodiment 1, since the biometric information to be recognized forwarded by the relay device is the biometric information subjected to the encryption processing, even if the biometric information to be recognized is leaked in the forwarding process, the leaked biometric information to be recognized is difficult to crack, so that the security of the biometric information transmitted in the authorization process is improved.
The execution subject of the method provided in embodiment 1 may be a device such as a server on the network side. The steps 11 to 13 may be performed by the same device, or may be performed by different devices.
Example 2
Embodiment 2 provides a method for sending biometric information, and a flowchart of a specific implementation of the method is shown in fig. 2, and includes the following steps:
Step 21: obtain biometric information.
Step 22: according to the specific information and the encryption method, encrypt the obtained biometric information to obtain the encrypted biometric information.
The specific implementation process of step 22 is similar to the implementation process of generating the registered biometric information in embodiment 1, and is not described herein again.
Step 23: send the encrypted biometric information.
In embodiment 2, the biometric information is transmitted after being encrypted, instead of directly transmitting the obtained original biometric information, thereby increasing the difficulty in deciphering the transmitted biometric information. By adopting the method provided by the embodiment 2 of the present application, even if the sent encrypted biometric information is intercepted, the interceptor cannot obtain the original biometric information before encryption processing according to the encrypted biometric information because the interceptor cannot know the specific encryption processing mode of the biometric information, thereby ensuring the security of the sent biometric information.
It should be noted that all execution subjects of the steps of the method provided in embodiment 2 may be the same terminal, or different terminals may also be used as execution subjects of the method. For example, the execution subject of step 21 and step 22 may be terminal 1, and the execution subject of step 23 may be terminal 2; for another example, the execution subject of step 21 may be terminal 1, and the execution subjects of steps 22 and 23 may be terminal 2; and so on.
Example 3
By adopting the prior art, after extracting the biological feature (such as fingerprint feature, palm print feature, face feature, iris feature, eye print feature and the like) information existing in the image, corresponding biological feature information, namely a multi-dimensional biological feature vector set, can be obtained.
Specifically, taking fingerprint features as an example, after processing an image by using a fingerprint feature identification and extraction method, a plurality of fingerprint feature codes can be obtained, and the fingerprint feature codes can form a four-dimensional fingerprint feature vector set or can be converted into the four-dimensional fingerprint feature vector set. The first two elements (i.e. the first two dimensions) of the four-dimensional fingerprint feature vector comprised by the set of four-dimensional fingerprint feature vectors are typically used to represent: coordinates of the fingerprint detail characteristic information in a two-dimensional space where the image is located; the third element (i.e. the third dimension) of the four-dimensional fingerprint feature vector is generally used to describe the feature pattern identification of the fingerprint minutiae feature information; the fourth element (i.e. the fourth dimension) of the four-dimensional fingerprint feature vector is used to describe the deflection angle of the coordinates of the fingerprint minutiae feature information in the two-dimensional space with respect to the specified coordinate point (and/or coordinate axis) in the two-dimensional space, for example, the deflection angle with respect to the origin of the two-dimensional space in the clockwise direction and in the reverse direction, as shown in fig. 3.
Some of the terms in the above description are explained as follows:
The fingerprint detail characteristic information refers to characteristic information of the lines forming a fingerprint.
The characteristic pattern of the minutiae characteristic information refers to a characteristic pattern of the lines constituting a fingerprint, such as a bar line type, an arc line type, a wave line type, a skip line type, a spiral line type, and the like. In embodiment 3, it is assumed that the number of feature patterns of the fingerprint minutiae feature information that can currently be recognized is m, and thus the range of the feature pattern identifier may be [1, m].
Similar to the generation mode of the fingerprint feature vector set, after other biometric information in the image is identified by adopting a biometric identification method, a corresponding biometric vector set can also be obtained.
In practical applications, the number of elements (i.e. dimensions) included in the multi-dimensional biometric vector set may be influenced by the biometric type to which the biometric feature information described by the elements in the set belongs, the feature recognition and extraction method used in generating the set, or the way the elements in the set describe the biometric feature information, so that the set may have more than four dimensions. However, whatever the number of dimensions of the set, the information represented by the elements of the set can basically be divided into three parts: the coordinates of the biological detail feature information in the two-dimensional space in which the image including the biological detail feature information is located (hereinafter, for convenience of description, simply referred to as the "two-dimensional space in which the image is located"); the feature pattern identifier of the biological detail feature information; and the deflection angle of the coordinates of the biological detail feature information in the two-dimensional space with respect to a specified coordinate point (and/or coordinate axis) in the two-dimensional space.
Based on the above description, embodiment 3 of the present application will be described in detail below.
The embodiment 3 of the application provides an authorization method based on a multi-dimensional biometric vector set. The information respectively represented by each multi-dimensional biometric vector in the multi-dimensional biometric vector set at least includes the three parts described above.
For the convenience of clear description of the method provided in embodiment 3 of the present application, the following description will use an image provided by a user and including palm print feature information as an example, and describe how to extract biological feature information of the image to obtain a four-dimensional palm print feature vector set, how to perform specific conversion on the four-dimensional palm print feature vector set, hide the four-dimensional palm print feature vector set obtained after the conversion by using a hash point, and how to identify and compare palm print feature information provided again by the user based on the hidden multi-dimensional palm print feature vector set. The method can also be used for processing other biological characteristic information besides the palm print characteristic information, such as fingerprint characteristic information, iris characteristic information, face characteristic information, gait characteristic information and the like.
Please refer to fig. 4a and 4b. Fig. 4a is a schematic view of an implementation scenario of an authorization method based on a multi-dimensional biometric vector set according to embodiment 3 of the present application, where devices in the implementation scenario mainly include a server, a relay device, and a user terminal; fig. 4b is a schematic flowchart of a specific implementation of the authorization method based on the multi-dimensional biometric vector set according to embodiment 3 of the present application, where the method mainly includes two parts, namely an enrollment process and an authorization process. The registration process includes a step 41, and the authorization process includes steps 42 to 417. The steps shown in fig. 4 are explained in detail below:
Step 41: the server obtains the biometric information registered in the server.
Before a user completes authorization of a service by using an authorization method based on a multi-dimensional biometric vector set, the account and the biometric information of the user need to be registered at a server. The specific registration process may be completed based on a connection established between the user terminal and the server; for example, the user terminal sends its own account information (generally including a user name and a password) and the collected user characteristic information to the server through a wired or wireless connection established between the user terminal and the server. Alternatively, the user can provide the account information and the user characteristic information to the server at a website dedicated to the biometric information registration service, thereby completing the registration of the biometric information. The account information provided to the server is used for the subsequent authentication of the user identity; in addition, the account information and the corresponding user characteristic information can be stored in the server, so that the server can subsequently search for and call the corresponding user characteristic information according to the account information provided again by the user terminal.
Taking the fingerprint characteristic information as an example, a user can acquire fingerprints by using a USB fingerprint acquirer installed in the user terminal or connected to the user terminal, under the guidance of a client installed in the user terminal for guiding the user to capture the fingerprints, so that the user terminal obtains an image including the fingerprint characteristic information. The user terminal may collect the fingerprint only once, or may collect the fingerprint multiple times (for example, three times). In example 3, it is assumed that the length of each image obtained is $l$ and the height is $h$.
Suppose that the user performs three fingerprint acquisitions to obtain three corresponding images of size $l \times h$. The user terminal can adopt a fingerprint feature information identification and extraction method preset in the user terminal to extract the fingerprint feature information in the images, so that a four-dimensional fingerprint feature vector set consisting of k four-dimensional fingerprint feature vectors is obtained. In embodiment 3, k represents the number of pieces of fingerprint minutiae feature information recognized from the three images by the fingerprint feature information recognition and extraction method; k is generally in the dozens or even hundreds, and is often related to the fingerprint feature recognition and extraction method. For convenience of description, the resulting four-dimensional set of minutiae vectors may be represented as $C = \{(a_{11}, \ldots, a_{41}), (a_{12}, \ldots, a_{42}), \ldots, (a_{1k}, \ldots, a_{4k})\}$, where $a_{ij}$ ($i \in [1,4]$, $j \in [1,k]$) represents the elements that make up the four-dimensional fingerprint feature vectors. Each four-dimensional fingerprint feature vector in C satisfies: the first two dimensions represent the coordinates of a piece of fingerprint minutiae characteristic information in the two-dimensional space where the corresponding image is located; the third dimension describes the characteristic pattern identifier of the fingerprint detail characteristic information; the fourth dimension describes the deflection angle of the coordinates of the fingerprint minutiae information in the two-dimensional space where the corresponding image is located, relative to the specified coordinate point (and/or coordinate axis) in the two-dimensional space. In embodiment 3, it is assumed that the feature pattern identifier of the fingerprint minutiae feature information is in the range $[1, m]$.
After obtaining the biometric information of the user, the server may encrypt and store the obtained biometric information, and send a message for completion of the biometric information registration to the user terminal. The encryption method for the biometric information can be, but is not limited to, various file encryption methods in the prior art.
Step 42: when the user terminal applies to the server for authorization of a service (e.g., a payment service), the user terminal sends an authorization application to the relay device.
The authorization application may include an identifier of a service requested to be authorized by the user terminal.
And step 43, the relay device sends the authorization application sent by the user terminal to the server.
And step 44, after receiving the authorization application sent by the relay device, the server generates random character strings A and B and sends A and B to the relay device.
Wherein, a and B may be generated randomly or based on some specific information. For example, a may be generated based on a user account entered by a user, and B may be generated based on a unique identifier of the user terminal. Specifically, after receiving a user account "cherry" sent by a user terminal, the server may add a random character after the character string of "cherry" to generate a; similarly, B may be generated by forming a string based on the unique identity of the user terminal and appending a random character to the string. Taking the user terminal as a mobile phone as an example, the unique identifier of the mobile phone may be, but is not limited to, an IMEI, an IMSI, a model number of a CPU, an MAC address, an identifier of an operating system and/or version information of the operating system of the mobile phone.
Wherein, the length of A and B can be 512 bits.
Step 45, the relay device sends A and B to the user terminal by using a wired connection or a near field wireless communication connection between the relay device and the user terminal.
Step 46, after the user terminal receives A and B, it acquires the biometric information of the user.
It should be noted that, in order to correspond to the description manner of embodiment 1, the biometric information described in step 46 may be referred to as first biometric information, and the biometric information described in step 41 may be referred to as second biometric information.
In step 46, in order to collect the first biometric information, a biometric information collector may be built in the user terminal, or a biometric information collector may be externally connected. Taking the fingerprint characteristic information as an example, the user terminal can be externally connected with a USB fingerprint collector to collect the fingerprint characteristic information; alternatively, a fingerprint sensor may be disposed in the user terminal to collect fingerprint characteristic information. Taking the fingerprint characteristic information and the eye print characteristic information as an example, the user terminal may be externally connected to or internally provided with a camera to collect the fingerprint characteristic information and the eye print characteristic information. In addition, a client for guiding the user to collect the biological characteristic information can be installed in the user terminal.
In embodiment 3, it is assumed that the collected first biometric information can be represented as $C_1 = \{(\alpha_{11}, \ldots, \alpha_{41}), (\alpha_{12}, \ldots, \alpha_{42}), \ldots, (\alpha_{1k}, \ldots, \alpha_{4k})\}$, with $\alpha_{ij}$ ($i \in [1,4]$, $j \in [1,k]$).
And step 47, the user terminal performs confusion processing on the collected first biological characteristic information.
In particular, the user terminal may perform obfuscation processing on each element of each four-dimensional fingerprint feature vector in the obtained four-dimensional fingerprint feature vector set $C_1$, wherein A or B may be utilized when performing obfuscation processing on some elements.
The method for performing obfuscation processing on each element in the four-dimensional fingerprint feature vector may include the following sub-steps:
The first substep: performing obfuscation processing on the element of the four-dimensional fingerprint feature vector that describes the feature pattern identification of the fingerprint minutiae feature information.
Taking the four-dimensional fingerprint feature vector $(\alpha_{11}, \ldots, \alpha_{41})$ in $C_1$ as an example, the element describing the feature pattern identification of the fingerprint minutiae feature information is generally the third dimension of the four-dimensional fingerprint feature vector, i.e. $\alpha_{31}$.
As previously noted, the fingerprint feature information in embodiment 3 may have m feature patterns in total; when each feature pattern is assigned a unique identifier in the range 1 to m without repetition, the feature pattern identification described by $\alpha_{31}$ lies in the interval $[1, m]$. In embodiment 3, the following formula [1] may be used to obfuscate $\alpha_{31}$ and obtain the corresponding obfuscated element $\alpha'_{31}$:
$\alpha'_{31} = m + 1 - \alpha_{31}$    [1]
The second substep: performing obfuscation processing on the fourth dimension of the four-dimensional fingerprint feature vector.
Wherein, the fourth dimension of the four-dimensional fingerprint feature vector describes the deflection angle of the coordinates of the fingerprint minutiae feature information in the two-dimensional space of the corresponding image relative to a specified coordinate point (and/or coordinate axis) in that space.
Still taking the four-dimensional fingerprint feature vector $(\alpha_{11}, \ldots, \alpha_{41})$ in $C_1$ as an example, in the second substep SHA-1 may be used to encrypt (hash) B, so as to obtain a string r with a length of 160 bits, and then the following formula [2] may be used to obfuscate $\alpha_{41}$ in $(\alpha_{11}, \ldots, \alpha_{41})$ and obtain the corresponding obfuscated element $\alpha'_{41}$:
$\alpha'_{41} = \alpha_{41} + (r \bmod 360)$    [2]
The third substep: performing obfuscation processing on the first dimension and the second dimension of the four-dimensional fingerprint feature vector respectively.
In particular, taking the four-dimensional fingerprint feature vector $(\alpha_{11}, \ldots, \alpha_{41})$ in $C_1$ as an example, the implementation process of substep three may be as follows:
Firstly, SHA-1 is used to encrypt (hash) A to obtain a character string q with a length of 160 bits, and q is divided equally into 5 parts, each 32 bits long. These 5 parts may be labeled a, b, c, d, e, respectively.
Then, a rotation center point coordinate (x, y) is calculated according to the following formula [3], and a rotation angle v is calculated according to formula [4]:
$v = c \bmod 360$    [4]
Finally, taking (x, y) as the center of rotation, the coordinates $(\alpha_{11}, \alpha_{21})$ represented by the first dimension and the second dimension of $(\alpha_{11}, \ldots, \alpha_{41})$ are rotated by v in a clockwise direction about (x, y) to obtain the new coordinates $(x', y')$ corresponding to $(\alpha_{11}, \alpha_{21})$. Further, the following formula [5] is used to perform offset processing on the new coordinates $(x', y')$ to obtain $(\alpha'_{11}, \alpha'_{21})$, the result of performing obfuscation processing on $(\alpha_{11}, \alpha_{21})$:
By executing substeps one to three, the elements of the four-dimensional fingerprint feature vector $(\alpha_{11}, \ldots, \alpha_{41})$ are each subjected to obfuscation processing to obtain the corresponding obfuscation result, namely the obfuscated four-dimensional fingerprint feature vector $(\alpha'_{11}, \alpha'_{21}, \alpha'_{31}, \alpha'_{41})$.
Similar processing is performed on each four-dimensional fingerprint feature vector in the four-dimensional fingerprint feature vector set $C_1$ to obtain an obfuscated four-dimensional fingerprint feature vector set D, which is also called the obfuscated set result D.
It should be noted that SHA is a series of cryptographic hash functions designed by the National Security Agency and promulgated by the National Institute of Standards and Technology. The first member of the family, formally known as SHA, was published in 1993. However, people now give it the informal name SHA-0 to avoid confusion with its successors. Two years later, SHA-1, the first successor to SHA-0, was issued. In addition to SHA-1, there are four additional variants of SHA-0, namely SHA-224, SHA-256, SHA-384, and SHA-512 (these variants are also referred to as SHA-2). Since the encryption of a string by SHA-512 is mature prior art, the details of this part will not be described in embodiment 3.
And step 48, the user terminal obtains the hash point template.
The hash point template is a set composed of a plurality of multi-dimensional biometric vectors, and when the set is added to the biometric vector set, the information in the biometric vector set can be covered. Each multi-dimensional biometric vector included in the hash point template may be referred to as a hash point. The hash point template may be generated by the user terminal or may be generated by the server and transmitted to the user terminal.
The hash point template may be generated randomly, but corresponding to the set of biometric vectors to which the hash point template is to be added, the dimensions of the generated hash points generally satisfy: equal to the dimensions of the vectors in the set of biometric vectors.
Step 49, the user terminal adds the obtained hash point template to the obfuscated four-dimensional fingerprint feature vector set D to obtain a hidden four-dimensional fingerprint feature vector set E.
The hash point template and D are both sets formed by four-dimensional vectors, and adding the hash point template Q to D is equivalent to generating a larger four-dimensional vector set E. The number of the four-dimensional vectors included in E is the sum of the number k of the four-dimensional fingerprint feature vectors included in D and the number of the hash points included in Q.
E is the aforementioned biometric information to be recognized.
Step 410, the user terminal sends E to the relay device using the wired connection or the near field wireless communication connection between the user terminal and the relay device.
In step 411, the relay device sends E to the server.
It is worth noting that in embodiment 3, the hash point template is used to hide the four-dimensional fingerprint feature vector set D. Therefore, even if the security of the user terminal is compromised and the four-dimensional fingerprint feature vector set E in which D is hidden is leaked, the attacker cannot know how the hash point template was generated, so it is still difficult to recover D from E. Furthermore, D is obtained by performing obfuscation processing on the four-dimensional fingerprint feature vector set $C_1$ using the random character string A, the random character string B, SHA-512 and the like, so even if an attacker can recover D, it is difficult for the attacker to collect all of the parameters used for the obfuscation processing, and the original multi-dimensional fingerprint feature vector set $C_1$ therefore cannot be obtained from D. It can be seen that, with the method in embodiment 3, the security of the multi-dimensional fingerprint feature vector set $C_1$ can be perfectly ensured, which effectively prevents the private information of the user from being leaked.
In step 412, after receiving E, the server performs obfuscation processing on the stored second biometric information.
Specifically, the server may use A and B to perform obfuscation processing on each element of the saved second biometric information, that is, on each element of each four-dimensional fingerprint feature vector in the four-dimensional fingerprint feature vector set C.
Since the way of performing the obfuscation processing on each element in each four-dimensional fingerprint feature vector in step 412 is similar to that in step 47, the description is omitted.
In embodiment 3, it can be assumed that the obfuscated set result obtained by performing the obfuscation processing on C is $D_1$.
Step 413, the server adds the hash point template to the obfuscated set result $D_1$ to obtain a hidden four-dimensional fingerprint feature vector set F, wherein F is a four-dimensional fingerprint feature vector set comprising k four-dimensional fingerprint feature vectors.
In step 414, the server determines the value of the similarity between F and E stored in the user terminal.
In the embodiment of the present application, the value of the similarity between F and E may be expressed by the value of the Euclidean distance between F and E. Wherein, the value of the Euclidean distance between F and E may be the Euclidean distance between a single feature vector included in F and a single feature vector included in E, or may be an average of the values of the Euclidean distances between a plurality of feature vectors included in F and a plurality of feature vectors included in E. For example, if the Euclidean distance between feature vector $\theta_1$ included in F and feature vector $\theta_2$ included in E is $\lambda_1$, the Euclidean distance between feature vector $\beta_1$ included in F and feature vector $\beta_2$ included in E is $\lambda_2$, and the Euclidean distance between feature vector $\gamma_1$ included in F and feature vector $\gamma_2$ included in E is $\lambda_3$, then the value of the Euclidean distance between F and E may be $(\lambda_1 + \lambda_2 + \lambda_3)/3$.
Optionally, after the feature vectors included in F and E are sorted according to a certain vector sorting rule, the euclidean distance between a single feature vector included in F and a single feature vector included in E and located at the same arrangement position as the single feature vector is determined. The vector ordering rule mentioned here may be, for example: identifying the sequence from big to small according to the characteristic pattern represented by the third dimension in the vector; or in order of small to large deflection angles represented by the fourth dimension in the vector, and so on.
In the embodiment of the present application, hamming distance or set distance may also be used to measure the similarity between F and E. Or, an SVM is adopted to train a similarity scoring model in advance, and then the similarity value between F and E is determined in a mode of model scoring.
It should be noted that both E and F include the same hash point template. Before determining the value of the similarity between E and F, the identical vectors included in E and F may be filtered out, and once the number of filtered vectors is equal to the number of hash points, the operation of determining the value of the similarity between E and F is performed. The advantage of filtering out the hash points is that the presence of the hash points does not affect the accuracy of the determined value of the similarity between E and F.
Step 415, the user terminal determines whether to authorize the service according to the similarity value between F and E.
Specifically, if the user terminal determines that the euclidean distance between F and E is smaller than a certain distance threshold, it indicates that "registered fingerprint feature information" and "fingerprint feature information to be authenticated" are from the same user, so as to execute step 416; if the user terminal determines that the euclidean distance between F and E is not less than the distance threshold, it indicates that the "registered fingerprint feature information" and the "fingerprint feature information to be authenticated" are not from the same user, and step 417 is executed.
The distance threshold may be obtained by training biometric information of a plurality of users. For example, the magnitude of the distance threshold can be determined by calculating the value of the euclidean distance between fingerprint feature vectors different from each other, each of which is composed of a plurality of pieces of fingerprint feature information of the same user.
Step 416, an authorization success notification message is sent to the relay device, and the process ends.
Wherein, the authorization success notification message may include an identifier of the service requested by the user terminal to be authorized.
Step 417, sending an authorization failure notification message to the relay device, and ending the process.
Wherein, the authorization failure notification message may include an identifier of the service requested by the user terminal to be authorized.
As can be seen from steps 41 to 417, by using the authorization method based on the multi-dimensional biometric vector set provided in embodiment 3 of the present application, authorization of an authorized service requested by a user by using biometric information can be achieved on the premise of ensuring security of the multi-dimensional biometric vector set.
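The following sketch walks through steps 47 to 415 on constructed data; it is an added example, not code from the application. It applies only formulas [1] and [2] (the coordinate transform of substep three is left out because formulas [3] and [5] do not survive on this page), and the integer reading of r, the value of m, the threshold, the sample vectors and all function names are assumptions.

```python
import hashlib
import math
import random
from collections import Counter

M = 8            # assumed total number of feature patterns m (constructed)
THRESHOLD = 10   # assumed distance threshold (constructed, not trained)

def sha1_int(text):
    """SHA-1 of a string, read as a big-endian integer (assumed encoding of r)."""
    return int.from_bytes(hashlib.sha1(text.encode("utf-8")).digest(), "big")

def obfuscate(vectors, b, m=M):
    """Substeps one and two: formula [1] on the pattern id, formula [2] on the angle."""
    shift = sha1_int(b) % 360                      # r mod 360, with r = SHA-1(B)
    return [(x, y, m + 1 - pattern, angle + shift)
            for x, y, pattern, angle in vectors]

def make_hash_points(count, width, height, m=M, rng=None):
    """Random four-dimensional hash points, same dimension as the feature vectors."""
    rng = rng or random.SystemRandom()             # OS CSPRNG unless the caller passes one
    return [(rng.randrange(width), rng.randrange(height),
             rng.randint(1, m), rng.randrange(720)) for _ in range(count)]

def hide(obfuscated, hash_points):
    """Steps 49 and 413: merge the hash points in; sorting removes positional hints."""
    return sorted(obfuscated + hash_points)

def remove_shared(src, other, n):
    """Drop at most n vectors of src that also occur in other; return (kept, dropped)."""
    pool = Counter(other)
    kept, dropped = [], 0
    for v in src:
        if dropped < n and pool[v] > 0:
            pool[v] -= 1
            dropped += 1
        else:
            kept.append(v)
    return kept, dropped

def set_distance(e, f):
    """Mean Euclidean distance between vectors paired after sorting by (pattern, angle)."""
    key = lambda v: (v[2], v[3])
    pairs = zip(sorted(e, key=key), sorted(f, key=key))
    return sum(math.dist(u, v) for u, v in pairs) / len(e)

def authorize(e, enrolled, b, hash_points, threshold=THRESHOLD, m=M):
    """Steps 412 to 415: rebuild F from the stored template and compare it with E."""
    f = hide(obfuscate(enrolled, b, m), hash_points)
    n = len(hash_points)
    e_kept, e_dropped = remove_shared(e, f, n)
    f_kept, f_dropped = remove_shared(f, e, n)
    # Compare only when exactly n hash points were filtered out of both sets.
    if e_dropped != n or f_dropped != n:
        return False
    if not e_kept or len(e_kept) != len(f_kept):
        return False
    return set_distance(e_kept, f_kept) < threshold

# Constructed sample data: (x, y, pattern id, deflection angle).
ENROLLED = [(120, 85, 1, 30), (60, 210, 3, 145), (200, 150, 5, 270), (95, 300, 7, 15)]
GENUINE = [(121, 84, 1, 32), (59, 211, 3, 143), (201, 151, 5, 271), (95, 299, 7, 16)]
IMPOSTOR = [(30, 250, 1, 200), (180, 40, 3, 20), (75, 330, 5, 90), (240, 120, 7, 310)]

if __name__ == "__main__":
    b = "constructed-terminal-id-7"                # stands in for random string B
    q = make_hash_points(6, 300, 400)              # hash point template shared by both sides
    for name, probe in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        e = hide(obfuscate(probe, b), q)           # what the terminal transmits as E
        print(name, len(e), authorize(e, ENROLLED, b, q))
```

Because both sides apply the same pattern flip and angle shift, the distance computed between E and F here equals the distance between the raw vector sets, so matching works without either side exchanging unobfuscated values.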
Example 4
Embodiment 4 provides an authorization apparatus to improve the security of the biometric information transmitted by the authorization process. The specific structural diagram of the device is shown in fig. 5, and the device includes an information receiving unit 51, an encryption unit 52, a similarity determining unit 53 and an authorization unit 54. The introduction to each functional unit is as follows:
an information receiving unit 51 for receiving biometric information to be recognized.
The biometric information to be identified is sent by the user terminal through the relay device, and is obtained by encrypting the first biometric information according to the specific information and the encryption method.
And an encryption unit 52 configured to encrypt the stored second biometric information according to the specific information and the encryption method to obtain the registered biometric information.
A similarity determination unit 53 for determining a similarity between the biometric information to be recognized received by the information receiving unit 51 and the registered biometric information obtained by the encryption unit 52.
An authorizing unit 54 configured to grant the right matching the registered biometric information to the relay device when the similarity determined by the similarity determining unit 53 satisfies a predetermined condition.
Optionally, when the second biometric information is a set formed by biometric vectors, the encryption unit 52 may be specifically configured to perform an irreversible encryption operation on at least one element included in the biometric vectors according to the specific information and the encryption method, so as to obtain the registered biometric information.
Specifically, if the biometric vector includes a first element and a second element, and the first element is used to represent an abscissa of the biometric feature information in a two-dimensional space where the image is located, and the second element is used to represent an ordinate of the biometric feature information in the two-dimensional space, the encryption unit 52 may specifically include a first encryption subunit. The first encryption subunit is configured to perform, according to the specific information and the encryption method, irreversible encryption operations on a first element and a second element included in each of the biometric vectors constituting the second biometric information, respectively.
If the biological feature vector comprises a first element, a second element and a third element, and the third element is used for representing the feature pattern identification of the biological detail feature information; the encryption unit 52 may also include a second encryption subunit. The second encryption subunit is configured to perform encryption operation on third elements included in each biometric vector constituting the second biometric information according to the total number of the feature patterns and the feature pattern identification conversion algorithm, to obtain encrypted third elements. Wherein, the total number of the characteristic patterns is the total number of the characteristic patterns of the counted biological detail characteristic information which can be identified.
If the biometric vector includes a fourth element along with the first element and the second element, and the fourth element is used to represent the deflection angle of the coordinates of the biometric feature information in the two-dimensional space of the image relative to the specified reference object in the two-dimensional space, the encryption unit 52 may further include a third encryption subunit. The third encryption subunit is configured to perform encryption operation on fourth elements included in each biometric vector constituting the second biometric information according to the specific information and the encryption method, respectively, to obtain encrypted fourth elements.
Optionally, if the biometric vector includes a fifth element along with the first element and the second element, and the fifth element is used to represent a combined identifier, where the combined identifier is a combination of a deflection angle of the coordinates of the biometric feature information in the two-dimensional space of the image relative to a specified reference in the two-dimensional space and a feature pattern identifier of the biometric feature information, the encryption unit 52 may further include a fourth encryption subunit. The fourth encryption subunit is configured to perform encryption operation on fifth elements included in each biometric vector constituting the second biometric information respectively according to a combination identifier conversion algorithm and a combination number determined by training the image sample, so as to obtain encrypted fifth elements. The combination number is the combination number of the deflection angle of the coordinate of different biological detail characteristic information in the two-dimensional space relative to the specified reference object and the characteristic pattern identification of the different biological detail characteristic information.
Optionally, a hash point may be added to the registered biometric information.
Optionally, corresponding to an implementation manner of the function of the similarity determining unit 53, the similarity determining unit 53 may be divided into the following functional sub-units, including:
an information deleting subunit operable to delete a specific number of pieces of information satisfying a first specific condition from the biometric information to be identified; deleting a specific number of pieces of information satisfying a second specific condition from the registered biometric information; a similarity determining subunit operable to determine a similarity between the biometric information to be identified after the deletion of the certain number of pieces of information and the registered biometric information after the deletion of the certain number of pieces of information. Wherein the specific number is the number of hash points added in the biometric information to be identified. The first specific condition is the same as any one of the information included in the registered biometric information; the second specific condition is the same as any one of the information included in the biometric information to be recognized.
Optionally, the specific information may include a random string, a terminal unique identifier, or a user key.
By adopting the authorization device provided by the embodiment 4 of the application, the security of the transmitted biological characteristic information in the authorization process can be ensured.
Example 5
Embodiment 5 provides a biometric information transmission apparatus, a specific structural schematic diagram of which is shown in fig. 6, and which includes the following main functional units:
an information obtaining unit 61 for obtaining biometric information.
An encryption unit 62 for encrypting the biometric information obtained by the information obtaining unit 61 according to the specific information and the encryption method to obtain the encrypted biometric information.
An information transmitting unit 63 for transmitting the encrypted biometric information obtained by the encryption unit 62.
The implementation of the function of the encryption unit 62 described in embodiment 5 is similar to that of the encryption unit 52 described in embodiment 4, and is not described herein again.
With the device provided in embodiment 5, the biometric information is encrypted and then transmitted, so that the security of the transmitted encrypted biometric information can be ensured.
Example 6
Embodiment 6 provides a biometric information transmission apparatus, a schematic diagram of a specific structure of which is shown in fig. 7, including the following functional entities:
and the signal collector 71 is used for obtaining the biological characteristic information.
And the processor 72 is configured to encrypt the biometric information obtained by the signal collector 71 according to the specific information and the encryption method to obtain encrypted biometric information.
And a signal transmitter 73 for transmitting the encrypted biometric information obtained by the processor 72.
Optionally, the way of encrypting the biometric information obtained by the signal collector 71 by the processor 72 according to the specific information and the encryption algorithm is similar to the functional implementation of the encryption unit 52 described in embodiment 4, and is not described herein again.
With the device according to embodiment 6, the biometric information is encrypted and transmitted, so that the security of the transmitted encrypted biometric information can be ensured.
Example 7
Embodiment 7 provides an authorization apparatus to improve the security of biometric information transmitted by an authorization process. The specific structure of the device is schematically shown in fig. 8, and includes a signal receiver 81 and a processor 82, and the functions of them are described as follows:
the signal receiver 81 is configured to receive biometric information to be identified. The biometric information to be identified is sent by the user terminal through the relay device, and is obtained by encrypting the first biometric information according to the specific information and the encryption method.
A processor 82, configured to perform encryption processing on the stored second biometric information according to the specific information and the encryption method to obtain registered biometric information; the similarity between the registered biometric information and the biometric information to be recognized received by the signal receiver 81 is determined, and when the similarity satisfies a predetermined condition, the right matching the registered biometric information is granted to the relay apparatus.
The way of encrypting the stored second biometric information according to the specific information and the encryption method by the processor 82 in embodiment 7 is similar to the functional implementation of the encryption unit 52 described in embodiment 4, and is not described herein again.
By adopting the authorization device provided by the embodiment 4 of the application, the security of the transmitted biological characteristic information in the authorization process can be ensured.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement the information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.