CN111382409A - Identity authentication method and device for protecting privacy - Google Patents


Info

Publication number
CN111382409A
Authority
CN
China
Prior art keywords
encryption
library file
encrypted
user
features
Legal status (assumed by Google Patents, not a legal conclusion)
Pending
Application number
CN202010198198.4A
Other languages
Chinese (zh)
Inventor
王立彬
李亮
郑丹丹
Current Assignee (as listed by Google Patents, not verified)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010198198.4A
Publication of CN111382409A
Related PCT application: PCT/CN2021/074244, published as WO2021184974A1
Legal status: pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F 21/31 User authentication > G06F 21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database > G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/2107 File encryption


Abstract

The embodiments of the specification provide an identity authentication method and device for protecting privacy. The biometric feature of the user to be authenticated is encrypted with the private encryption key to obtain an encrypted feature. The encrypted library file is decrypted to obtain the original library file. For the original library file, each encrypted record is decrypted once with the second decryption key corresponding to the second encryption key, yielding each once-decrypted encrypted record. The encrypted feature is then compared with each once-decrypted encrypted record, and if it matches any of them, the identity authentication of the user to be authenticated passes. In this way, identity authentication can be performed while the user's biometric features remain privacy-protected.

Description

Identity authentication method and device for protecting privacy
Technical Field
One or more embodiments of the present disclosure relate to the field of computer technologies, and in particular, to an identity authentication method and apparatus for protecting privacy.
Background
With the continuous development of internet technology, more and more users choose to operate on web pages and obtain various services provided by service providers. To prevent a legitimate user's account from being hijacked by an unauthorized user, the service provider needs to authenticate the identity of the current user before providing services to that user.
Existing identity authentication methods can be executed on the server side or directly on the client side. When executed directly on the client, the authentication process may be as follows: the client acquires the biometric feature of the user (such as a face feature, fingerprint feature or iris feature), compares the acquired feature with a pre-stored biometric feature, and determines from the comparison result whether the user's identity authentication passes. However, biometric features stored on the client are at risk of theft, so an existing client-side identity authentication method cannot protect the privacy of the user's biometric features.
Therefore, it is desirable to provide an identity authentication method to improve the security of the user's biometric features.
Disclosure of Invention
One or more embodiments of the present specification describe an identity authentication method and apparatus for protecting privacy, which can improve the security of a biometric feature of a user.
In a first aspect, an identity authentication method for protecting privacy is provided, including:
acquiring the biological characteristics of a user to be authenticated;
encrypting the biological characteristics of the user to be authenticated by using the private encryption key to obtain encryption characteristics;
decrypting the encrypted library file to obtain the original library file;
for the original library file, decrypting each encrypted record once by using a second decryption key corresponding to the second encryption key to obtain each once-decrypted encrypted record;
and comparing the encryption characteristics with each once-decrypted encrypted record, and if the encryption characteristics match any once-decrypted encrypted record, passing the identity authentication of the user to be authenticated.
In a second aspect, an identity authentication method for protecting privacy is provided, including:
acquiring the biological characteristics of a current user;
encrypting the biological characteristics by using a private encryption key to obtain the encryption characteristics of the current user;
using a second encryption key to encrypt the encryption characteristics of the current user for the second time to obtain an encryption record of the current user;
outputting the encrypted record of the current user to a corresponding original library file;
when the number of encryption records in the original library file reaches a threshold value, encrypting the original library file to obtain an encrypted library file;
and sending the encrypted library file to a client so that the client can realize the identity authentication of the user to be authenticated by comparing each encrypted record subjected to one-time decryption with the encryption characteristics of the user to be authenticated after decrypting the encrypted library file.
In a third aspect, an identity authentication apparatus for protecting privacy is provided, including:
an acquisition unit configured to acquire a biometric feature of a user to be authenticated;
the encryption unit is used for encrypting the biological characteristics of the user to be authenticated, which are acquired by the acquisition unit, by using the private encryption key to obtain encryption characteristics;
the decryption unit is used for decrypting the encrypted library file to obtain the original library file;
the decryption unit is further configured to, for the original library file, perform primary decryption on each encrypted record in the original library file by using a second decryption key corresponding to the second encryption key, so as to obtain each encrypted record subjected to the primary decryption;
and the comparison unit is used for comparing the encryption characteristics obtained by the encryption unit with the encryption records obtained by the decryption unit and subjected to one-time decryption, and if the encryption characteristics are matched with any one encryption record subjected to one-time decryption, the identity authentication of the user to be authenticated is passed.
In a fourth aspect, an identity authentication apparatus for protecting privacy is provided, including:
an acquisition unit configured to acquire a biometric feature of a current user;
the encryption unit is used for encrypting the biological characteristics acquired by the acquisition unit by using a private encryption key to obtain the encryption characteristics of the current user;
the encryption unit is further configured to perform secondary encryption on the encryption characteristics of the current user by using a second encryption key to obtain an encryption record of the current user;
the output unit is used for outputting the encrypted record of the current user obtained by the encryption unit to a corresponding original library file;
the encryption unit is further configured to encrypt the original library file when the number of encryption records in the original library file reaches a threshold value, so as to obtain an encrypted library file;
and the sending unit is used for sending the encrypted library file obtained by the encryption unit to a client so that the client can realize the identity authentication of the user to be authenticated by comparing each encrypted record subjected to one-time decryption with the encryption characteristics of the user to be authenticated after decrypting the encrypted library file.
In a fifth aspect, there is provided a computer storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect or the method of the second aspect.
In a sixth aspect, there is provided a computing device comprising a memory having stored therein executable code, and a processor which, when executing the executable code, implements the method of the first aspect or the method of the second aspect.
In the identity authentication method and apparatus for protecting privacy provided in one or more embodiments of the present specification, when the identity of a user to be authenticated is authenticated, the biometric feature of that user is first encrypted with a private encryption key to obtain an encrypted feature. Then the encrypted library file stored in advance by the client is decrypted, and each encrypted record in the resulting original library file is decrypted once, which yields the biometric feature of each enrolled user encrypted only with the private encryption key. The encrypted feature is compared with these once-decrypted records, and whether the identity authentication of the user to be authenticated passes is determined from the comparison result. Because the comparison is performed on encrypted-domain data, the security of the user's biometric features is effectively improved. In addition, even if a user's biometric feature is stolen, the pre-stored biometric features can be forcibly invalidated by changing the private encryption key, so fraudulent behaviour can be effectively avoided and the user experience improved.
Drawings
In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description cover only some embodiments of the present disclosure, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic view of an application scenario of an identity authentication method for protecting privacy provided in the present specification;
FIG. 2 is a flowchart of a privacy-preserving identity authentication method provided by an embodiment of the present specification;
FIG. 3 is a flowchart of a privacy-preserving identity authentication method according to another embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an identity authentication device for protecting privacy according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of an identity authentication apparatus for protecting privacy according to another embodiment of the present disclosure.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
Before describing the solution provided in the present specification, the inventive concept of the present solution will be explained below.
As mentioned above, existing client-side identity authentication methods risk the user's biometric feature being stolen. To improve the security of the user's biometric features, the applicant proposes replacing the direct comparison of original data with a comparison of encrypted-domain data when authenticating the user's identity. The specific implementation is as follows:
First, the server generates an encrypted library file and sends it to the client. The encrypted library file is obtained by encrypting an original library file. The original library file holds a plurality of encrypted records, where each encrypted record is obtained by encrypting a user's biometric feature a first time with a private encryption key and then encrypting the result a second time with a second encryption key.
Then, when authenticating the identity of a user to be authenticated, the client first acquires that user's biometric feature and encrypts it with the private encryption key to obtain an encrypted feature. Next, the client decrypts the encrypted library file to obtain the original library file, and for that original library file decrypts each encrypted record once with the second decryption key corresponding to the second encryption key, obtaining each once-decrypted encrypted record. Finally, the client compares the encrypted feature with each once-decrypted encrypted record, and if the encrypted feature matches any of them, the identity authentication of the user to be authenticated passes.
Fig. 1 is a schematic view of an application scenario of an identity authentication method for protecting privacy provided in this specification. In fig. 1, the server obtains a biometric feature of a user and sequentially performs encryption, encoding, secondary encryption and other processing on it to obtain an encrypted record. The server then outputs the encrypted record to the original library file. When the number of encrypted records in the original library file reaches a threshold, the server encrypts the original library file and issues the encrypted library file to the client. After receiving the encrypted library file, the client decrypts it and decrypts each encrypted record in the resulting original library file once. It then compares each once-decrypted encrypted record with the encrypted feature of the user to be authenticated in order to authenticate that user's identity.
The process of generating the encrypted library file by the server in fig. 1 is described in detail below with reference to fig. 2.
Fig. 2 is a flowchart of an identity authentication method for protecting privacy according to an embodiment of the present disclosure. The execution subject of the method can be the server side in fig. 1. As shown in fig. 2, the method may specifically include:
step 202, obtaining the biological characteristics of the current user.
For example, the biometric feature of the current user may be obtained when the user registers as a member. The biometric features here may include physiological features and behavioural features. The physiological feature may include at least one of face features, fingerprint features, iris features and the like. The behavioural feature may include at least one of a voice feature and a gait feature.
Taking the face feature as an example, the acquisition process may be: the server receives a face image acquired by the client through an acquisition module (such as a camera). The face image is then input into a feature extraction model to obtain the face features. The feature extraction model is provided at the server and may include, but is not limited to, the SURF, SIFT, ORB, FAST and Harris feature point detection algorithms.
It should be understood that the above describes only the acquisition of face features. When the biometric feature is a fingerprint feature, the acquisition module may be a fingerprint sensor, and the corresponding fingerprint feature acquisition process may be: the server receives the initial fingerprint information collected by the client through the fingerprint sensor, and then a predetermined operation (for example, averaging) is performed on the initial fingerprint information to obtain the fingerprint feature.
And step 204, encrypting the acquired biological characteristics by using the private encryption key to obtain the encryption characteristics of the current user.
It should be noted that the encryption algorithm used by the server here may be a predefined encryption algorithm, for example one that expands the data to a specified number of bits, but it may also be any public encryption algorithm, such as the ElGamal algorithm. The premise is that the server and the client negotiate the encryption algorithm in advance. In addition, when the server encrypts, it may generate a corresponding parameter (the private encryption key) for the encryption algorithm, so that the server encrypts using the negotiated algorithm and this private encryption key. In this specification the parameter is called a private encryption key because it has no corresponding decryption key.
It can be understood that the private encryption key generated by the server for the above encryption algorithm is secret and is not disclosed externally.
Optionally, the server may apply an encoding algorithm to the encrypted feature to obtain an encoding result. In one example, the encoding algorithm may be base64 or similar. It will be appreciated that this encoding step reduces the storage space occupied by the encrypted feature.
And step 206, performing secondary encryption on the encryption characteristics of the current user by using the second encryption key to obtain the encryption record of the current user.
For the encrypted feature, or the encoding result of the encrypted feature, the server encrypts a second time to obtain the user's encrypted record. The encryption algorithm used for this second encryption may be any public encryption algorithm, such as the ElGamal algorithm, and may likewise be negotiated in advance by the server and the client. Similarly, when performing the second encryption, the server may generate a corresponding parameter (the second encryption key) for the encryption algorithm, so that it performs the second encryption using the negotiated algorithm and this second encryption key. It should be noted that the second encryption key has a corresponding second decryption key.
And step 208, outputting the encrypted record of the current user to the corresponding original library file.
And step 210, encrypting the original library file when the number of the encrypted records in the original library file reaches a threshold value to obtain an encrypted library file.
After obtaining the user's encrypted record, the server outputs it to the corresponding original library file, which the server may have generated in advance. The server then checks whether the number of encrypted records in the original library file has reached the threshold, and if so, encrypts the original library file to obtain an encrypted library file.
It should be noted that the encryption algorithm used to encrypt the original library file may be any public encryption algorithm negotiated in advance by the server and the client. In addition, when the server encrypts the original library file, it may generate a corresponding parameter (hereinafter the database encryption key) for the encryption algorithm, so that the server encrypts the original library file using the negotiated algorithm and the database encryption key. The database encryption key has a corresponding database decryption key.
It should be noted that, in practical applications, multiple encrypted library files may be generated.
Step 212, sending the encrypted library file to the client, so that the client can perform identity authentication on the user to be authenticated by comparing each encrypted record subjected to one-time decryption with the encrypted feature of the user to be authenticated after decrypting the encrypted library file.
It can be seen from the above that, in the embodiment of the present specification, the user biometric features issued by the server to the client are encrypted in multiple layers, so the scheme effectively improves the security of the user's biometric features.
The following describes the authentication process of the user based on the encrypted library file issued by the server.
Fig. 3 is a flowchart of an identity authentication method for protecting privacy according to another embodiment of the present disclosure. The execution subject of the method may be the client in fig. 1. As shown in fig. 3, the method may specifically include:
step 302, obtaining the biological characteristics of the user to be authenticated.
For example, the biometric feature of the user to be authenticated may be acquired when the user to be authenticated requests a certain service (e.g., a payment service) from the client. The biometric features herein may include physiological features and behavioral features. Wherein the physiological characteristic may include at least one of: face features, fingerprint features, iris features, and the like. The behavior feature may include at least one of a sound feature and a gait feature.
Taking the biometric feature as the face feature, the acquiring process may be: the client acquires the face image of the user to be authenticated through an acquisition module (such as a camera). Then, the face image can be input into a feature extraction model to obtain the face features. The feature extraction model is provided at the client, which may include, but is not limited to, SURF, SIFT, ORB, FAST, and Harris feature point detection algorithms.
It should be understood that the above description is only for the description of the acquisition process of the human face features, and when the biometric features are fingerprint features, the above acquisition module may be a fingerprint sensor. The corresponding fingerprint feature obtaining process may be: the client collects initial fingerprint information of a user to be authenticated through the fingerprint sensor. Thereafter, a predetermined operation (e.g., averaging) may be performed on the acquired initial fingerprint information to obtain the fingerprint characteristics.
And step 304, encrypting the biological characteristics of the user to be authenticated by using the private encryption key to obtain the encryption characteristics.
The private encryption key here is the one the server used to encrypt the user's biometric feature the first time, and the encryption algorithm used here is likewise the predefined or public encryption algorithm the server used for that first encryption. That is, the encryption algorithm and private encryption key used in this step are the same as those in step 204.
And step 306, decrypting the encrypted library file to obtain an original library file.
It should be understood that when there are multiple encrypted library files, each may be read into memory and decrypted in turn, after which steps 308-310 are performed for each original library file obtained by decryption.
In step 306, the key used to decrypt the encrypted library file is the database decryption key, which the server may generate at the time it generates the corresponding database encryption key for the algorithm that encrypts the original library file. Taking the ElGamal algorithm as an example, since the corresponding decryption algorithm is also ElGamal, the database decryption key corresponding to the database encryption key can be generated at the same time as the database encryption key.
And step 308, for the original library file, once decrypting each encrypted record by using a second decryption key corresponding to the second encryption key to obtain each encrypted record subjected to once decryption.
The second decryption key may be generated when the server generates the corresponding second encryption key for the algorithm used in the second encryption. Taking the ElGamal algorithm as an example, since the corresponding decryption algorithm is also ElGamal, the second decryption key corresponding to the second encryption key can be generated at the same time as the second encryption key.
It should be noted that, when the server did not perform the encoding step, each once-decrypted encrypted record is the encrypted feature of one user, i.e. that user's biometric feature encrypted once by the server with the private encryption key. When the server did perform the encoding step, the client, after obtaining each once-decrypted encrypted record, decodes it with the decoding algorithm corresponding to the encoding algorithm; each decoded record is then the encrypted feature of one user as encrypted once by the server with the private encryption key.
It should be noted that, in practical applications, steps 302-304 and steps 306-308 may also be executed in the opposite order or in parallel; this specification does not limit this.
And 310, comparing the encryption characteristics of the user to be authenticated with each encrypted record subjected to one-time decryption, and if the encryption characteristics are matched with any encrypted record subjected to one-time decryption, passing the identity authentication of the user to be authenticated.
In one example, the comparison step may include: sequentially calculating the similarity between the encrypted feature of the user to be authenticated and each once-decrypted encrypted record. The similarity here may include, but is not limited to, cosine similarity, Euclidean distance, Manhattan distance, Pearson correlation coefficient and the like. If the similarity between the encrypted feature and any once-decrypted encrypted record exceeds the threshold, the encrypted feature of the user to be authenticated is considered to match that record, and the identity authentication of the user to be authenticated passes.
From the above it can be seen that, in the embodiments of the present specification, the identity of the user to be authenticated is verified by comparing encrypted-domain data, so the user's original biometric features need never be stored at the client, and the security of the user's biometric features is effectively improved. In addition, because the comparison is performed on encrypted-domain data, if a user's biometric feature is stolen, the pre-stored biometric features can be forcibly invalidated by changing the private encryption key. Once the pre-stored biometric features are invalid, the comparison fails, so fraudulent behaviour can be effectively avoided and the user experience improved.
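The following is an added end-to-end example of the server enrolment flow (steps 202-212) and the client-side check (steps 302-310); it is not code from the patent or from Alipay. The page leaves the concrete algorithms open, so the example makes two labelled assumptions: the first layer ("private encryption key", no decryption key) is a key-derived random rotation of the feature vector, chosen because a rotation preserves cosine similarity and therefore lets the encrypted-domain comparison of step 310 work; the second layer and the library-file layer use a symmetric keystream cipher built from HMAC-SHA256 in counter mode, standing in for the negotiated public algorithm (the page names ElGamal), so the "second decryption key" and "database decryption key" are the same keys as their encryption counterparts. The feature vectors, thresholds and keys are constructed for the demonstration. The `demo()` function also exercises the key-rotation point made above: re-running the client check with a different private key makes every stored record fail to match.

```python
# Added example (not the patent's or Alipay's code); assumptions are noted inline.
import base64
import hashlib
import hmac
import json
import math
import os
import random
import struct

DIM = 8            # feature-vector length (constructed; real extractors use more)
THRESHOLD = 3      # records per original library file before it is encrypted (step 210)
MATCH_SIM = 0.95   # cosine-similarity threshold for step 310 (constructed value)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks. Stand-in for the
    negotiated public algorithm; symmetric, so one key encrypts and decrypts."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def private_transform(private_key: bytes, feature: list) -> list:
    """Layer 1 (assumption): rotate the feature by a key-derived orthonormal
    matrix. Deterministic per key, and no decryption key exists anywhere."""
    rng = random.Random(hashlib.sha256(private_key).digest())
    basis = []
    for _ in range(DIM):                      # Gram-Schmidt on Gaussian rows
        v = [rng.gauss(0, 1) for _ in range(DIM)]
        for b in basis:
            d = sum(x * y for x, y in zip(v, b))
            v = [x - d * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        basis.append([x / norm for x in v])
    return [sum(r * f for r, f in zip(row, feature)) for row in basis]


def cosine(a: list, b: list) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def server_make_record(k_private: bytes, k_second: bytes, feature: list) -> bytes:
    enc_feature = private_transform(k_private, feature)            # step 204
    encoded = base64.b64encode(json.dumps(enc_feature).encode())   # optional encoding
    return encrypt(k_second, os.urandom(16), encoded)              # step 206


def server_build_libraries(k_private, k_second, k_db, features) -> list:
    """Steps 208-210: append records to the original library file and encrypt
    it once THRESHOLD records are present; several files may result."""
    libraries, original = [], []
    for feature in features:
        original.append(server_make_record(k_private, k_second, feature).hex())
        if len(original) == THRESHOLD:
            libraries.append(encrypt(k_db, os.urandom(16), json.dumps(original).encode()))
            original = []
    if original:   # constructed choice: flush a partial file when enrolment ends
        libraries.append(encrypt(k_db, os.urandom(16), json.dumps(original).encode()))
    return libraries


def client_authenticate(k_private, k_second, k_db, libraries, probe: list) -> bool:
    enc_probe = private_transform(k_private, probe)                # step 304
    for lib in libraries:
        records = json.loads(decrypt(k_db, lib))                   # step 306
        for rec_hex in records:
            once = decrypt(k_second, bytes.fromhex(rec_hex))       # step 308
            enc_record = json.loads(base64.b64decode(once))        # undo encoding
            if cosine(enc_probe, enc_record) > MATCH_SIM:          # step 310
                return True
    return False


def demo() -> tuple:
    """Genuine probe, impostor probe, and the genuine probe after key rotation."""
    k_private, k_second, k_db = (hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(3))
    rng = random.Random(7)   # constructed enrolment vectors
    enrolled = [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(5)]
    libraries = server_build_libraries(k_private, k_second, k_db, enrolled)
    genuine = [x + 0.02 * rng.gauss(0, 1) for x in enrolled[3]]  # same user, sensor noise
    impostor = [rng.gauss(0, 1) for _ in range(DIM)]
    rotated_key = hashlib.sha256(b"rotated-private-key").digest()
    return (client_authenticate(k_private, k_second, k_db, libraries, genuine),
            client_authenticate(k_private, k_second, k_db, libraries, impostor),
            client_authenticate(rotated_key, k_second, k_db, libraries, genuine))


if __name__ == "__main__":
    print(demo())   # expected (True, False, False)
```

The design point the example makes concrete is that the first layer must be similarity-preserving for step 310 to work at all: a generic cipher such as ElGamal would scramble distances, so only exact-match comparison of identical ciphertexts would remain, whereas the keyed rotation keeps cosine similarity intact while leaving nothing on the client from which the original vector can be recovered without the private key. The third result of `demo()` shows the invalidation property: changing the private key turns every stored record into an unrelated direction, so a stolen library file stops matching even a genuine probe.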
Corresponding to the above identity authentication method for protecting privacy, an embodiment of the present specification further provides an identity authentication device for protecting privacy, where the device is disposed at a client. The client maintains an encrypted library file obtained by encrypting an original library file. The original library file holds a plurality of encrypted records, where each encrypted record is obtained by encrypting a user's biometric feature at least once with a private encryption key and then a second time with a second encryption key. As shown in fig. 4, the apparatus may include:
an obtaining unit 402, configured to obtain a biometric feature of a user to be authenticated.
The biometric features herein may include physiological features and behavioral features. Wherein the physiological characteristic may include at least one of: face features, fingerprint features, iris features, and the like. The behavior characteristics may include sound characteristics, gait characteristics, and the like.
The encrypting unit 404 is configured to encrypt the biometric characteristic of the user to be authenticated, acquired by the acquiring unit 402, by using the private encryption key, to obtain an encrypted characteristic.
And the decryption unit 406 is configured to decrypt the encrypted library file to obtain an original library file.
The decryption unit 406 is further configured to, for the original library file, perform primary decryption on each encrypted record in the original library file by using a second decryption key corresponding to the second encryption key, to obtain each encrypted record subjected to the primary decryption.
A comparing unit 408, configured to compare the encryption characteristics obtained by the encrypting unit 404 with each encrypted record obtained by the decrypting unit 406 after one-time decryption, and if the encryption characteristics are matched with any encrypted record after one-time decryption, the identity authentication of the user to be authenticated passes.
The functions of each functional module of the device in the above embodiments of the present description may be implemented through each step of the above method embodiments, and therefore, a specific working process of the device provided in one embodiment of the present description is not repeated herein.
The identity authentication device for protecting privacy provided by one embodiment of the present specification can effectively improve the security of the biometric features of the user.
Corresponding to the privacy-protecting identity authentication method above, an embodiment of this specification further provides a privacy-protecting identity authentication apparatus deployed at a server. As shown in fig. 5, the apparatus may include:
an obtaining unit 502, configured to obtain the biometric feature of a current user.
The biometric features here may include physiological features and behavioral features. The physiological features may include at least one of face features, fingerprint features, iris features and the like; the behavioral features may include voice features, gait features and the like.
An encrypting unit 504, configured to encrypt the biometric feature obtained by the obtaining unit 502 with a private encryption key, to obtain the encryption feature of the current user.
The encrypting unit 504 is further configured to encrypt the encryption feature of the current user a second time with a second encryption key, to obtain the encrypted record of the current user.
An output unit 506, configured to output the encrypted record of the current user obtained by the encrypting unit 504 to a corresponding original library file.
The encrypting unit 504 is further configured to encrypt the original library file when the number of encrypted records in the original library file reaches a threshold, to obtain an encrypted library file.
A sending unit 508, configured to send the encrypted library file obtained by the encrypting unit 504 to the client, so that the client, after decrypting the encrypted library file, can authenticate a user to be authenticated by comparing each once-decrypted encrypted record with the encryption feature of that user.
Optionally, the apparatus may further include:
an encoding unit (not shown in the figure), configured to encode the encryption feature of the current user according to an encoding algorithm, to obtain an encoding result.
In that case the encrypting unit 504 may specifically be configured to:
encrypt the encoding result a second time with the second encryption key, to obtain the encrypted record of the current user.
The functions of each functional module of the apparatus in the above embodiment of this specification may be implemented by the steps of the method embodiment above, so the specific working process of the apparatus provided in an embodiment of this specification is not repeated here.
The privacy-protecting identity authentication apparatus provided by an embodiment of this specification can effectively improve the security of the user's biometric features.
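The server-side enrolment (units 502 to 508 above, including the optional encoding unit) and the client-side comparison (units 402 to 408) as one runnable flow. This is an added example, not code from the patent, and it fills in primitives the patent does not name: the first encryption with the private encryption key is taken to be a key-seeded random orthogonal transform of the feature vector, because the comparison step computes a similarity directly on encrypted features and that only works if the first encryption preserves the chosen similarity; the encoding algorithm is int16 fixed-point quantisation; the second encryption and the library-file encryption are a demo HMAC-SHA256 stream cipher, with the library file encrypted under a separate library key that the client also holds. The key bytes, the 8-dimensional feature vectors and the threshold values are constructed for the example.

```python
# Added example for CN111382409A (not the patent's code). Assumed primitives, since the
# patent names none: first encryption = key-seeded random orthogonal transform (preserves
# cosine similarity); encoding = int16 fixed point; second/library encryption = demo
# HMAC-SHA256 stream cipher with no integrity protection (use AES-GCM for real).
import hashlib, hmac, math, os, random, struct
from typing import Dict, List, Optional

SCALE = 10000      # fixed-point scale used by the encoding step
THRESHOLD = 0.9    # cosine-similarity threshold for a match

def _orthonormal_matrix(private_key: bytes, dim: int) -> List[List[float]]:
    """Deterministic orthonormal matrix derived from the private encryption key (Gram-Schmidt)."""
    rng = random.Random(int.from_bytes(hashlib.sha256(b"first-enc|" + private_key).digest(), "big"))
    rows: List[List[float]] = []
    for _ in range(dim):
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for q in rows:                                   # strip the components along earlier rows
            d = sum(a * b for a, b in zip(v, q))
            v = [a - d * b for a, b in zip(v, q)]
        norm = math.sqrt(sum(a * a for a in v))
        rows.append([a / norm for a in v])
    return rows

def first_encrypt(private_key: bytes, feature: List[float]) -> List[float]:
    """'Encryption feature': rotate the unit-normalised feature with the key-derived matrix."""
    norm = math.sqrt(sum(a * a for a in feature))
    unit = [a / norm for a in feature]
    return [sum(r * x for r, x in zip(row, unit)) for row in _orthonormal_matrix(private_key, len(unit))]

def encode(enc_feature: List[float]) -> bytes:
    """Encoding step: little-endian int16 fixed point."""
    return struct.pack(f"<{len(enc_feature)}h", *(round(a * SCALE) for a in enc_feature))

def decode(blob: bytes) -> List[float]:
    return [v / SCALE for v in struct.unpack(f"<{len(blob) // 2}h", blob)]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Demo stream cipher: random 16-byte nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

class Server:
    """Enrolment side (fig. 5): builds encrypted records and releases the encrypted library file."""

    def __init__(self, private_key: bytes, second_key: bytes, library_key: bytes, threshold: int):
        self.private_key, self.second_key, self.library_key = private_key, second_key, library_key
        self.threshold, self.records = threshold, []     # self.records is the original library file

    def enrol(self, feature: List[float]) -> Optional[bytes]:
        """First encrypt, encode, second encrypt; return the encrypted library file once it is full."""
        self.records.append(sym_encrypt(self.second_key, encode(first_encrypt(self.private_key, feature))))
        if len(self.records) < self.threshold:
            return None
        body = b"".join(struct.pack("<H", len(r)) + r for r in self.records)
        return sym_encrypt(self.library_key, body)

def authenticate(private_key: bytes, second_key: bytes, library_key: bytes,
                 library: bytes, probe: List[float]) -> bool:
    """Client side (fig. 4): matches in the encrypted domain; raw enrolled features never appear."""
    enc_probe = first_encrypt(private_key, probe)            # probe encrypted with the private key
    body, i = sym_decrypt(library_key, library), 0           # decrypt the library file
    while i < len(body):
        (n,) = struct.unpack_from("<H", body, i)
        record, i = body[i + 2:i + 2 + n], i + 2 + n
        once = decode(sym_decrypt(second_key, record))       # one decryption: still rotated by priv key
        if cosine(enc_probe, once) > THRESHOLD:
            return True
    return False

def demo() -> Dict[str, bool]:
    """Constructed 8-dimensional feature vectors (not real biometrics)."""
    priv, second, lib = b"private-key-v1", b"second-key", b"library-key"
    alice = [0.9, -0.3, 0.2, 0.1, -0.5, 0.4, 0.05, -0.2]
    bob = [-0.4, 0.7, 0.1, -0.6, 0.2, -0.1, 0.8, 0.3]
    server = Server(priv, second, lib, threshold=2)
    server.enrol(alice)                                   # below threshold: nothing released yet
    library = server.enrol(bob)                           # threshold reached: library file goes to the client
    alice_probe = [a + d for a, d in zip(alice, [0.02, -0.01, 0.03, 0.0, -0.02, 0.01, 0.02, -0.01])]
    stranger = [0.1, 0.1, -0.9, 0.3, 0.2, -0.4, 0.1, 0.6]
    return {"genuine": authenticate(priv, second, lib, library, alice_probe),
            "stranger": authenticate(priv, second, lib, library, stranger),
            # private key rotated after a theft: every pre-stored record stops matching
            "revoked": authenticate(b"private-key-v2", second, lib, library, alice_probe)}
```

`demo()` returns genuine True, stranger False and revoked False: the noisy re-capture of the enrolled feature matches, an unrelated feature does not, and once the private encryption key is changed the records built under the old key no longer match anything, which is the invalidation property the description relies on. Two points worth noting when reading the code against the patent: the client necessarily holds the private encryption key and the second decryption key, so the privacy of the library file rests on those keys not being extracted together with it; and the demo cipher provides no integrity protection, so a real deployment would use an authenticated cipher for the second encryption and for the library file.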
In another aspect, embodiments of this specification provide a computer-readable storage medium storing a computer program which, when executed in a computer, causes the computer to perform the method shown in fig. 2 or fig. 3.
In another aspect, embodiments of this specification provide a computing device comprising a memory storing executable code and a processor which, when executing the executable code, implements the method shown in fig. 2 or fig. 3.
The embodiments in this specification are described progressively; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief, and the relevant points may be found in the partial description of the method embodiments.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules stored in RAM, flash memory, ROM, EPROM, EEPROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a server. Of course, the processor and the storage medium may also reside as discrete components in a server.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or a sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or advantageous.
The objects, technical solutions and advantages of this specification have been further described in detail through the above embodiments. It should be understood that the above embodiments are only specific embodiments of this specification and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of this specification fall within its scope.

Claims (12)

1. A privacy-protecting identity authentication method, executed by a client; the client maintains an encrypted library file, the encrypted library file being obtained by encrypting an original library file; the original library file holds a plurality of encrypted records, each encrypted record being obtained by first encrypting a user's biometric feature at least with a private encryption key and then encrypting the result a second time with a second encryption key; the method comprising:
obtaining the biometric feature of a user to be authenticated;
encrypting the biometric feature of the user to be authenticated with the private encryption key to obtain an encryption feature;
decrypting the encrypted library file to obtain the original library file;
decrypting each encrypted record in the original library file once, using a second decryption key corresponding to the second encryption key, to obtain each once-decrypted encrypted record;
and comparing the encryption feature with each once-decrypted encrypted record, and if the encryption feature matches any once-decrypted encrypted record, passing the identity authentication of the user to be authenticated.
2. The method of claim 1, wherein the biometric features comprise physiological features and behavioral features; the physiological features comprise at least one of face features, fingerprint features and iris features; and the behavioral features comprise at least one of voice features and gait features.
3. A privacy-protecting identity authentication method, executed by a server; the method comprising:
obtaining the biometric feature of a current user;
encrypting the biometric feature with a private encryption key to obtain the encryption feature of the current user;
encrypting the encryption feature of the current user a second time with a second encryption key to obtain an encrypted record of the current user;
outputting the encrypted record of the current user to a corresponding original library file;
when the number of encrypted records in the original library file reaches a threshold, encrypting the original library file to obtain an encrypted library file;
and sending the encrypted library file to a client, so that the client, after decrypting the encrypted library file, can authenticate a user to be authenticated by comparing each once-decrypted encrypted record with the encryption feature of that user.
4. The method of claim 3, further comprising, before encrypting the encryption feature of the current user a second time with the second encryption key:
encoding the encryption feature of the current user according to an encoding algorithm to obtain an encoding result;
wherein encrypting the encryption feature of the current user a second time with the second encryption key comprises:
encrypting the encoding result a second time with the second encryption key to obtain the encrypted record of the current user.
5. The method of claim 3 or 4, wherein the biometric features comprise physiological features and behavioral features; the physiological features comprise at least one of face features, fingerprint features and iris features; and the behavioral features comprise at least one of voice features and gait features.
6. A privacy-protecting identity authentication apparatus, deployed at a client; the client maintains an encrypted library file, the encrypted library file being obtained by encrypting an original library file; the original library file holds a plurality of encrypted records, each encrypted record being obtained by first encrypting a user's biometric feature at least with a private encryption key and then encrypting the result a second time with a second encryption key; the apparatus comprising:
an obtaining unit, configured to obtain the biometric feature of a user to be authenticated;
an encrypting unit, configured to encrypt the biometric feature of the user to be authenticated, obtained by the obtaining unit, with the private encryption key to obtain an encryption feature;
a decrypting unit, configured to decrypt the encrypted library file to obtain the original library file;
the decrypting unit being further configured to decrypt each encrypted record in the original library file once, using a second decryption key corresponding to the second encryption key, to obtain each once-decrypted encrypted record;
and a comparing unit, configured to compare the encryption feature obtained by the encrypting unit with each once-decrypted encrypted record obtained by the decrypting unit, and, if the encryption feature matches any once-decrypted encrypted record, to pass the identity authentication of the user to be authenticated.
7. The apparatus of claim 6, wherein the biometric features comprise physiological features and behavioral features; the physiological features comprise at least one of face features, fingerprint features and iris features; and the behavioral features comprise at least one of voice features and gait features.
8. A privacy-protecting identity authentication apparatus, deployed at a server; the apparatus comprising:
an obtaining unit, configured to obtain the biometric feature of a current user;
an encrypting unit, configured to encrypt the biometric feature obtained by the obtaining unit with a private encryption key to obtain the encryption feature of the current user;
the encrypting unit being further configured to encrypt the encryption feature of the current user a second time with a second encryption key to obtain an encrypted record of the current user;
an output unit, configured to output the encrypted record of the current user obtained by the encrypting unit to a corresponding original library file;
the encrypting unit being further configured to encrypt the original library file when the number of encrypted records in the original library file reaches a threshold, to obtain an encrypted library file;
and a sending unit, configured to send the encrypted library file obtained by the encrypting unit to a client, so that the client, after decrypting the encrypted library file, can authenticate a user to be authenticated by comparing each once-decrypted encrypted record with the encryption feature of that user.
9. The apparatus of claim 8, further comprising:
an encoding unit, configured to encode the encryption feature of the current user according to an encoding algorithm to obtain an encoding result;
wherein the encrypting unit is specifically configured to:
encrypt the encoding result a second time with the second encryption key to obtain the encrypted record of the current user.
10. The apparatus of claim 8 or 9, wherein the biometric features comprise physiological features and behavioral features; the physiological features comprise at least one of face features, fingerprint features and iris features; and the behavioral features comprise at least one of voice features and gait features.
11. A computer-readable storage medium storing a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-2 or the method of any of claims 3-5.
12. A computing device comprising a memory storing executable code and a processor which, when executing the executable code, implements the method of any of claims 1-2 or the method of any of claims 3-5.
CN202010198198.4A 2020-03-19 2020-03-19 Identity authentication method and device for protecting privacy Pending CN111382409A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010198198.4A CN111382409A (en) 2020-03-19 2020-03-19 Identity authentication method and device for protecting privacy
PCT/CN2021/074244 WO2021184974A1 (en) 2020-03-19 2021-01-28 Identity authentication method for privacy protection, and apparatus

Publications (1)

Publication Number Publication Date
CN111382409A true CN111382409A (en) 2020-07-07

Family

ID=71217350

Country Status (2)

Country Link
CN (1) CN111382409A (en)
WO (1) WO2021184974A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112000940A (en) * 2020-09-11 2020-11-27 支付宝(杭州)信息技术有限公司 User identification method, device and equipment under privacy protection
CN112948795A (en) * 2021-02-19 2021-06-11 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy
WO2021184974A1 (en) * 2020-03-19 2021-09-23 支付宝(杭州)信息技术有限公司 Identity authentication method for privacy protection, and apparatus

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104285236A (en) * 2012-03-23 2015-01-14 电子部品研究院 System and method for security of data communication having biometrics
CN105227537A (en) * 2014-06-16 2016-01-06 华为技术有限公司 Method for authenticating user identity, terminal and service end
CN106612259A (en) * 2015-10-26 2017-05-03 阿里巴巴集团控股有限公司 Identity recognition method and device, service information processing method and device and biological feature information processing method and device
CN107305660A (en) * 2016-04-24 2017-10-31 汪风珍 A kind of mobile phone financial trade method and mobile phone are double to put bank card
CN107707528A (en) * 2017-09-04 2018-02-16 北京京东尚科信息技术有限公司 A kind of method and apparatus of user profile isolation
CN109086014A (en) * 2018-08-22 2018-12-25 上海纳孚通信设备技术有限公司 The method and system of document secure printing are realized using biological identification technology
CN109815666A (en) * 2018-12-26 2019-05-28 航天信息股份有限公司 Identity identifying method, device, storage medium and electronic equipment based on FIDO agreement
CN110287670A (en) * 2019-06-26 2019-09-27 北京芯安微电子技术有限公司 A kind of biological information and identity information correlating method, system and equipment
CN110858249A (en) * 2018-08-24 2020-03-03 中移(杭州)信息技术有限公司 Database file encryption method, database file decryption method and related devices

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984576B (en) * 2010-10-22 2012-07-04 北京工业大学 Method and system for authenticating anonymous identity based on face encryption
CN110119608A (en) * 2014-03-27 2019-08-13 阿里巴巴集团控股有限公司 A kind of biological information processing method, biological information store method and device
CN108965222B (en) * 2017-12-08 2021-12-07 普华云创科技(北京)有限公司 Identity authentication method, system and computer readable storage medium
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Also Published As

Publication number Publication date
WO2021184974A1 (en) 2021-09-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK; Ref legal event code: DE; Ref document number: 40032839; Country of ref document: HK

RJ01 Rejection of invention patent application after publication

Application publication date: 20200707
