CN112995998B - Method, computer system and computer readable medium for providing secure authentication mechanism - Google Patents


Info
Publication number: CN112995998B
Authority: CN (China)
Application number: CN202011373171.0A
Other versions: CN112995998A
Other languages: Chinese (zh)
Inventors: 徐智劼, 戚文彬, 万四爽
Current Assignee: China Unionpay Co Ltd
Original Assignee: China Unionpay Co Ltd
Legal status: Active
Prior art keywords: gateway, terminal, message, data, biometric

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication


Abstract

The present invention relates to data processing technology, and more particularly, to a method of providing a secure authentication mechanism and to a computer system and a computer-readable storage medium implementing the method. A method of providing a secure authentication mechanism according to an aspect of the invention comprises: performing first verification on the identity of a terminal; after the first verification is passed, performing second verification on the identity of the terminal based on first identification information; after the second verification is passed, generating a second message in an encrypted form, wherein the second message comprises second identification information associated with the gateway, a biometric feature vector of the biometric information data, and service data; and the server determining whether to perform the operation indicated by the service data based on the second identification information and the biometric feature vector.

Description

Method, computer system and computer readable medium for providing secure authentication mechanism
Technical Field
The present invention relates to data processing technology, and more particularly, to a method of providing a secure authentication mechanism, and a computer system and a computer-readable storage medium implementing the method.
Background
With the rapid development and maturation of biometric technology, biometric modalities such as face, palm vein and iris recognition are widely adopted to provide a better user experience.
Chinese patent application publication No. CN111599044A discloses an access control security management system based on biometric identification, which is used to implement a strict access management system for people. Chinese patent application publication No. CN111340497A discloses a palm vein financial payment management and control system based on biometrics, which binds palm vein information and other biometrics of a user with a financial account of the user, establishes a personal biometrics database and a financial database, and provides a management function of personal biometrics and financial transaction bills for the user.
However, payment systems based on biometric identification in the prior art offer low security: the biometric characteristic can be imitated or stolen, so a large transaction risk exists. Furthermore, the collected biometric data of the user usually exists in the form of an image, and the authentication is usually performed at a cloud platform or a remote server, so that sufficient network bandwidth must be ensured in order to meet the latency requirement.
In view of the above, it is desirable to provide a secure authentication method and apparatus capable of solving the above problems.
Disclosure of Invention
It is an object of the present invention to provide a method, computer system and computer readable storage medium of a secure authentication mechanism enabling processing of data in applications such as payment and access management with higher security and faster speed.
A method of providing a secure authentication mechanism according to one aspect of the invention comprises the steps of:
the gateway performing first verification on the identity of a terminal requesting to establish a communication connection;
after the first verification of the terminal passes, the gateway receiving a first message from the terminal, wherein the first message comprises first identification information associated with the terminal, biometric information data associated with a user, and service data;
the gateway performing second verification on the identity of the terminal based on the first identification information;
after the second verification is passed, the gateway generating a second message in an encrypted form, wherein the second message includes second identification information associated with the gateway, a biometric feature vector of the biometric information data, and the service data;
the server receiving the second message from the gateway; and
the server determining whether to perform an operation indicated by the service data based on the second identification information and the biometric feature vector.
Optionally, in the above method, the gateway is deployed at a base station of a cellular mobile network, and the step of performing the first verification includes:
receiving a request message for establishing a communication connection from the terminal, wherein the request message comprises the media access control address of the terminal; and
if the correspondence among the media access control address of the terminal, the media access control address of the gateway and the device identifier of the base station conforms to a binding relationship, determining that the first verification is passed,
wherein the binding relationship is established by the server when performing device registration for the terminal.
Optionally, in the above method, the first identification information is selected from a combination of one or more of the following items associated with the terminal: device identifier, IP address, media access control address and geographic location.
Optionally, in the above method, the gateway is deployed as a mobile edge computing node on a node of an access network to implement communication with the terminal, the access network including one of: a radio access network of a 3G/4G/5G mobile communication system, an NB-IoT network, an eMTC network, a LoRaWAN network and a LoRa network.
Optionally, in the above method, the second identification information is selected from a combination of one or more of the following items associated with the gateway: device identifier, IP address, media access control address and geographic location.
Optionally, in the above method, the biometric information data includes at least two of the following types: face images, fingerprint images, iris images, voice recordings and palm vein images.
Optionally, in the above method, the step of generating the second message includes:
generating a respective biometric feature vector for each of the plurality of types of biometric information data;
packaging the second identification information, the biometric feature vectors of the various types of biometric information data and the service data into a message with a set format; and
encrypting the packaged message to generate the second message.
Optionally, in the above method, the step of encrypting the packaged message is performed in a trusted environment within the gateway.
Optionally, in the above method, the step of determining whether to perform the operation indicated by the service data includes:
verifying the identity of the gateway based on the second identification information;
after the identity verification of the gateway is passed, verifying the identity of the user based on the biometric feature vector; and
if the identity verification of the user is passed, determining that the operation indicated by the service data is allowed to be executed.
Optionally, in the above method, the step of verifying the identity of the user comprises:
comparing the biometric feature vector of each type of biometric information data with a pre-stored feature template associated with the user to obtain a matching score for that type of biometric information data;
fusing the matching scores of the various types of biometric information data to obtain an evaluation score; and
comparing the evaluation score with a threshold score to determine whether the identity verification of the user is passed.
Optionally, in the above method, the matching scores of the various types of biometric information data are fused to obtain the evaluation score using one of the following algorithms: an anchored min-max normalization algorithm based on the variation of overlapping extrema, a support vector machine algorithm and a unitary distance algorithm.
Optionally, in the above method, the operation is related to payment or access management.
Optionally, the above method further comprises:
the gateway encrypting the biometric information data;
transmitting the encrypted biometric information data to the server; and
deleting the biometric information data at the gateway.
A computer system for providing a secure authentication mechanism according to another aspect of the present invention comprises a gateway and a server, wherein the gateway is configured to:
perform first verification on the identity of a terminal requesting to establish a communication connection;
receive a first message from the terminal, perform second verification on the identity of the terminal based on first identification information, and generate a second message in an encrypted form after the second verification is passed, wherein the first message comprises the first identification information associated with the terminal, biometric information data associated with a user and service data, and the second message comprises second identification information associated with the gateway, a biometric feature vector of the biometric information data and the service data; and
the server is configured to:
receive the second message from the gateway, and determine whether to perform an operation indicated by the service data based on the second identification information and the biometric feature vector.
A computer-readable storage medium according to a further aspect of the invention has stored thereon a computer program which, when executed by a processor, performs the method described above.
In one or more embodiments of the invention, the various types of biometric information data are fused at the matching layer and the decision is made on the fused matching evaluation result, which improves the stability, accuracy and security of biometric payment. To address slow biometric recognition, high payment latency and poor user experience, a secure payment gateway is introduced on the base station side so that the biometric recognition algorithm originally deployed at the server (cloud) side is moved down to the edge computing node, shortening the verification time. To address the security risk to sensitive data in transit over the public network, the sensitive information sent to the payment service platform (such as transaction data and biometric features) is encrypted by a security element (SE security chip) built into the secure payment gateway, improving the security of data transmission. Finally, the secure authentication mechanism is realized through multiple identity verifications, which greatly improves the reliability and credibility of the authentication.
Drawings
The above and/or other aspects and advantages of the present invention will become more apparent and more readily appreciated from the following description of the various aspects of the invention taken in conjunction with the accompanying drawings, in which like or similar elements are represented by like reference numerals. The drawings comprise:
FIG. 1 is a schematic diagram of a computer system providing a secure authentication mechanism, according to one embodiment of the invention.
Fig. 2 is a block diagram of a payment terminal according to another embodiment of the present invention.
Fig. 3 is a block diagram of a secure payment gateway, in accordance with another embodiment of the present invention.
Fig. 4 is a block diagram of a payment service platform according to another embodiment of the present invention.
Fig. 5 is a flow diagram of a method for providing a secure authentication mechanism according to another embodiment of the invention.
Fig. 6 is a flow chart of a method of verifying a user's identity in accordance with another embodiment of the present invention.
Detailed Description
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. This invention may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. The embodiments described herein are intended to provide a full and complete disclosure of the invention and to convey the scope of the invention fully to those skilled in the art.
In the present specification, words such as "comprise" and "comprises" mean that, in addition to elements and steps directly and unequivocally stated in the specification and claims, the technical solution of the present invention does not exclude other elements and steps not directly or unequivocally stated.
Terms such as "first" and "second" do not denote an order of the elements in time, space, size, etc., but rather are used to distinguish one element from another.
In the present specification, the term "biometric information data" broadly refers to data characterizing biological traits that can distinguish one individual from another, and comes in various types, including, for example but not limited to, a face image, a fingerprint image, an iris image, a voice recording, a palm vein image and the like.
In this specification, the term "identification information" broadly refers to electronic information capable of distinguishing one device from another, including, for example and without limitation, a device identification, an IP address assigned to the device, a media access control address of the device, a geographic location where the device is located, and the like, and may also be, for example, a combination of these items.
In one or more embodiments of the invention, the secure authentication mechanism is implemented through multiple identity verifications. Specifically, when a terminal (e.g., a payment terminal such as a POS machine or a vending machine, or an access control system) accesses the computer system, the identity of the terminal is verified to determine whether access is permitted; after access, the identity of the terminal uploading a message is verified again; after the identity of the terminal uploading the message is verified, the gateway encrypts the biometric features (extracted from the biometric information data provided by the terminal) and the service data together with its own identification information and uploads them to the server; at the server, the identity of the gateway is verified first, and then, after the gateway passes, the identity of the associated user (e.g., an authorized user or owner of the payment terminal) is verified according to the biometric features, and the relevant operations (e.g., operations related to payment and access management) are performed after the user's identity verification is determined to have passed.
In the multiple authentication process described above, the reliability and credibility of the security authentication can be improved by making the discrimination data used in the different verifications only weakly correlated with each other. For example, when deciding whether access is allowed, the discrimination data is the correspondence between the media access control address of the terminal, the media access control address of the gateway and the device identifier of the base station; when verifying the identity of the terminal uploading a message, the discrimination data is the combination of the device identifier, IP address, media access control address and geographic location of the terminal; when verifying the identity of the gateway, the discrimination data is the combination of the device identifier, IP address, media access control address and geographic location of the gateway; and when there are several types of biometric information data, each type has its own corresponding biometric feature vector.
In one or more embodiments of the invention, a computer system that provides a secure authentication mechanism includes a server and a gateway. The multiple identity verifications are not all completed by a single entity; instead, the gateway and the server each complete different verification tasks. Specifically, the gateway is responsible for deciding whether access is allowed and for verifying the terminal uploading a message, while the server is responsible for verifying the gateway and verifying the user. In addition, the extraction of the biometric features required for user verification is also done at the gateway. In such a "distributed" manner, the gateway acts as a preliminary "filter" and can reject, with only a small amount of computing resources, data processing requests that can already be determined to be illegitimate (e.g., the requesting terminal is not a registered terminal, or the request is sent from a geographic location other than the one specified when the terminal was registered), thereby reducing the processing load of the server. In addition, for user verification, the gateway also shares part of the task (extraction of biometric features), which not only reduces the load of the server but also saves network bandwidth.
Preferably, the gateway is deployed as a Mobile Edge Computing (MEC) node on a node of the access network, such as a base station in a 3G/4G/5G system, to enable communication with the terminal. Optionally, the access network comprises one of: a radio access network of a 3G/4G/5G system, an NB-IoT network, an eMTC network, a LoRaWAN network and a LoRa network.
In one or more embodiments of the invention, the biometric information data used for user verification may contain a plurality of types (e.g., at least two types). By introducing several types of biometric information data, the reliability and credibility of identity verification can be improved. The biometric features extracted from each type of biometric information data may be represented in the form of a biometric feature vector, which may be compared with a feature template associated with the user to derive a corresponding matching score. The matching scores of the biometric feature vectors of the various types of biometric information data are fused to obtain an evaluation score, which can be regarded as a measure of the overall matching degree of the biometric features. Preferably, an anchored min-max normalization algorithm based on the variation of overlapping extrema may be used during fusion to calculate a normalized score for each matching score, and the evaluation score is derived from the normalized scores. For the anchored min-max normalization algorithm based on the variation of overlapping extrema, see W. Kabir et al., "Multi-Biometric System Based on Feature and Score Level Fusion", IEEE Access, vol. 7, pp. 59437-59450, May 2019. This document is incorporated herein by reference in its entirety.
The inventors have found that, by using the anchored min-max normalization algorithm based on the variation of overlapping extrema to perform weighted fusion of the highest matching score and the lowest matching score, higher recognition accuracy and faster recognition speed can be obtained.
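The server-side decision described above (per-type matching score, normalization, fusion of the highest and lowest normalized scores, threshold), carried through as an added illustration that is not code from the patent or from Kabir et al. The cosine matcher, the fixed anchor values, the max/min weights and the threshold are assumptions made for this example; a deployed system would estimate anchors from genuine and impostor score distributions.

```python
"""Server-side user verification by score-level fusion (added example).

Not the patent's or Kabir et al.'s code: the cosine matcher, the fixed
anchors, the max/min weights and the threshold are assumptions.
"""
from __future__ import annotations

import math

# Constructed per-type anchors (lowest, highest expected raw match score).
# A real system would derive these from the overlap of genuine and impostor
# score distributions; here they are fixed constants (assumption).
ANCHORS: dict[str, tuple[float, float]] = {
    "face": (0.20, 0.95),
    "palm_vein": (0.30, 0.98),
}
W_MAX, W_MIN = 0.6, 0.4   # weights for the highest / lowest normalized score (assumption)
THRESHOLD = 0.55          # evaluation score needed to pass (assumption)


def cosine_match(vec: list[float], template: list[float]) -> float:
    """Raw match score in [0, 1]: cosine similarity, negative values clipped to 0."""
    if len(vec) != len(template):
        raise ValueError("feature vector and template have different lengths")
    dot = sum(a * b for a, b in zip(vec, template))
    norm = math.sqrt(sum(a * a for a in vec)) * math.sqrt(sum(b * b for b in template))
    return max(0.0, dot / norm) if norm else 0.0


def anchored_min_max(score: float, anchor: tuple[float, float]) -> float:
    """Min-max normalization against fixed anchors, clipped to [0, 1]."""
    lo, hi = anchor
    if hi <= lo:
        raise ValueError("anchor maximum must exceed anchor minimum")
    return min(1.0, max(0.0, (score - lo) / (hi - lo)))


def fuse(normalized: dict[str, float]) -> float:
    """Evaluation score: weighted combination of the highest and lowest normalized scores."""
    if len(normalized) < 2:
        raise ValueError("at least two biometric types are required for fusion")
    return W_MAX * max(normalized.values()) + W_MIN * min(normalized.values())


def verify_user(vectors: dict[str, list[float]],
                templates: dict[str, list[float]]) -> tuple[bool, float]:
    """Decision for one user: returns (passed, evaluation score).

    `vectors` holds the feature vector per biometric type received from the
    gateway; `templates` holds the enrolled template per type. A type with
    no enrolled template scores 0 for that type rather than being skipped,
    so a message cannot raise its score by offering an unenrolled modality.
    """
    normalized: dict[str, float] = {}
    for kind, vec in vectors.items():
        if kind not in ANCHORS:
            raise KeyError(f"no anchors configured for biometric type {kind!r}")
        raw = cosine_match(vec, templates[kind]) if kind in templates else 0.0
        normalized[kind] = anchored_min_max(raw, ANCHORS[kind])
    score = fuse(normalized)
    return score >= THRESHOLD, score


if __name__ == "__main__":
    # Constructed sample data: enrolled templates, a genuine probe and an impostor probe.
    enrolled = {"face": [1.0, 2.0, 2.0], "palm_vein": [3.0, 4.0]}
    genuine = {"face": [1.0, 2.0, 2.0], "palm_vein": [3.0, 4.0]}
    impostor = {"face": [2.0, 1.0, 0.0], "palm_vein": [4.0, -3.0]}
    print(verify_user(genuine, enrolled))   # (True, 1.0)
    print(verify_user(impostor, enrolled))  # (False, 0.317...)
```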
FIG. 1 is a schematic diagram of a computer system providing a secure authentication mechanism according to one embodiment of the invention. Illustratively, it is assumed here that the computer processing system is used for payment transactions.
As shown in fig. 1, the computer system 10 includes a payment service platform 110 composed of a plurality of servers, and a plurality of gateways 121 to 12n. It is noted that the number of servers shown here is merely exemplary, and a configuration with only one server is also possible.
Referring to fig. 1, in the present embodiment, gateways 121 to 12n are secure payment gateways, which are deployed as mobile edge computing nodes at base stations 211 to 21n of a radio access network of a 3G/4G/5G mobile communication system, and can access the internet via a core network of the mobile communication system, thereby implementing communication with a server of the payment service platform 110. On the other hand, the payment terminals 311 to 31n can access the radio access network through the base station, thereby realizing communication with the gateways 121 to 12n.
Fig. 2 is a block diagram of a payment terminal according to another embodiment of the present invention. As shown in fig. 2, the payment terminal 20 includes a biometric information data acquisition unit 210, a registration unit 220, a communication unit 230, and a positioning unit 240. The biometric information data acquisition unit 210 is configured to acquire various biometric information data of the user, including but not limited to a face image, a palm vein image, an iris image, a fingerprint image, a voice recording, and the like. The registration unit 220 is configured to cooperate with the payment service platform 110 to complete registration of the payment terminal 20 with the payment service platform 110. The communication unit 230 is configured to communicate with the secure payment gateway, and may be equipped with communication modules based on various protocols according to application needs, including but not limited to 3G, 4G, 5G, NB-IoT, eMTC, LoRa, and the like. The positioning unit 240 is configured to obtain the real-time position of the payment terminal, which may be implemented using a satellite navigation chip (e.g., a GPS chip, a BeiDou navigation chip, etc.).
It is to be noted that the above-mentioned units of the payment terminal are mainly functionally divided, and these functional units may be implemented by physically separate hardware entities (such as an image sensor, a sound recorder, a satellite navigation chip, etc.), or by means of multiple software modules running on the same hardware entity (such as a processor).
Fig. 3 is a block diagram of a secure payment gateway, in accordance with another embodiment of the present invention. The secure payment gateway shown in fig. 3 may be applied to the computer system shown in fig. 1.
As shown in fig. 3, the secure payment gateway 30 includes a biometric extraction unit 310, a security unit 320, and a payment terminal management unit 330. The biometric feature extraction unit 310 includes a plurality of biometric feature extraction algorithm modules, each configured to extract a biometric feature from a corresponding type of biometric information data using a respective algorithm, thereby generating a corresponding biometric feature vector. The security unit 320 is configured to provide a trusted environment in which communication messages between the secure payment gateway and the payment platform are encrypted/decrypted to ensure security of the service data while propagating through the public network, and includes a processor and a memory independent of other units of the secure payment gateway, and the independent processor and the memory are implemented by a security chip. The payment terminal management unit 330 is configured to manage information of the payment terminal (including, but not limited to, a device ID of the payment terminal, a geographical location (e.g., latitude and longitude data), a MAC address of the payment terminal, an IP address of the payment terminal).
It should be noted that the above-mentioned units of the secure payment gateway are mainly functionally divided, and these units may be implemented by physically separate hardware entities (e.g., a security chip), or by means of multiple software modules (the various biometric extraction algorithm modules) running on the same hardware entity (e.g., a processor).
Fig. 4 is a block diagram of a payment service platform according to another embodiment of the present invention. The payment service platform shown in fig. 4 may be applied to the computer system shown in fig. 1.
As shown in fig. 4, the payment service platform 40 includes a registration two-dimensional code generation unit 410, a user information management unit 420, a biometric data management unit 430, a payment gateway management unit 440, a transaction data management unit 450, a decision unit 460, and a payment unit 470. The registration two-dimensional code generating unit 410 is configured to generate a bound two-dimensional code for a payment terminal when the payment terminal is registered at a payment service platform. The user information management unit 420 is configured to manage registration information of a user and an associated payment account. The biometric data management unit 430 is configured to manage biometric information data provided at the time of user registration and a biometric vector extracted based on the biometric information data (hereinafter, the biometric vector extracted based on the registered biometric information data is referred to as a biometric vector template). The payment gateway management unit 440 is configured to manage identification information (e.g., device identification, IP address, media access control address, and geographical location) of the secure payment gateway and identification information (e.g., device identification, IP address, media access control address, and geographical location provided at the time of registration) of its subordinate payment terminals, and may perform addition and deletion operations on a white list of payment terminals provided to the secure payment gateway. 
The transaction data management unit 450 is configured to store and manage transaction data of users, each record including, but not limited to, a user ID, a commodity ID, a transaction time, a payment amount, a payment bank card, a bound payment account, the biometric information data and extracted biometric feature vector used at the time of payment, the device ID of the MEC secure payment gateway, the device ID of the payment terminal, and the like. The decision unit 460 is configured to compare the biometric feature vector associated with the user provided by the secure payment gateway with the biometric feature vector template of the user provided at enrollment time to determine whether the identity verification of the user passed. Optionally, the decision unit 460 compares the biometric feature vectors of the different types of biometric information data associated with the user with the corresponding biometric feature vector templates, thereby obtaining corresponding matching scores; then obtains a fused evaluation score from the matching scores through a multilayer fusion strategy; and finally compares the evaluation score with a threshold score to determine whether the identity verification of the user passed. The payment unit 470 is configured to perform a corresponding operation according to the determination result of the decision unit 460. For example, when the user's identity is verified, the payment unit continues the subsequent operations of the payment flow, and when the user's identity is not verified, the payment unit 470 terminates the payment flow and returns the determination result to the secure payment gateway.
It should be noted that the above-mentioned units of the payment service platform are mainly functionally divided, and these units may be implemented by physically separate hardware entities (e.g., different servers), or by means of multiple software modules running on the same hardware entity (e.g., multiple software modules running on the same server).
Fig. 5 is a flow diagram of a method for providing a secure authentication mechanism according to another embodiment of the invention. In the following description, by way of example and not of limitation, the method steps are used for a payment business process and are implemented by the computer system shown in FIG. 1.
As shown in fig. 5, in step 501, the secure payment gateway (e.g. 121 in fig. 1) receives a request message for establishing a communication connection from the payment terminal 312 from the associated base station 211.
Illustratively, upon registering the payment terminal with the payment service platform 110, the payment terminal 312 may provide a media access control address and a deployment area associated therewith (i.e., a location at which the payment terminal is located when used. In the case of FIG. 1, the deployment area corresponds to a cell or base station of the mobile communication system). The payment service platform 110 establishes a binding relationship between the media access control address of the payment terminal 312, the device identifier of the base station 211 corresponding to the deployment area, and the media access control address of the secure payment gateway 121 located at the base station. Optionally, the payment services platform 110 will provide the secure payment gateway 121 with a list or white list of payment terminals through which access to the computer processing system is allowed.
In the situation shown in fig. 1, when the payment terminal 312 is powered on, the communication unit 230 included in it searches for signals of surrounding base stations and initiates a request message for establishing a communication connection to the base station 211, the request message including the media access control address of the payment terminal. The base station 211 forwards the request message to the secure payment gateway 121.
Step 502 is then entered: the secure payment gateway 121 determines, based on the media access control address in the request message, whether the payment terminal 312 is on the white list (i.e., whether the correspondence between the media access control address of the payment terminal, the media access control address of the gateway, and the device identifier of the base station conforms to the binding relationship). If so, step 503 is entered; otherwise, step 504 is entered.
At step 503, the secure payment gateway 121 instructs the base station 211 to allow the payment terminal 312 to access the mobile communication system. In step 504, the secure payment gateway 121 instructs the base station 211 to deny the payment terminal 312 access to the mobile communication system.
The method flow shown in fig. 5 proceeds to step 505 after step 503, where the secure payment gateway 121 receives the payment application message from the payment terminal 312 via the base station 211. In this embodiment, the payment application message includes identification information associated with the payment terminal 312 (e.g., at least one of a device identifier, an IP address, a media access control address, and a geographic location of the payment terminal 312), biometric information data associated with a user (e.g., an authorized user of the payment terminal 312), and transaction data (e.g., a merchandise ID, a transaction time, a payment amount, a payment bank card, a bound payment account, etc.).
Then, in step 506, the secure payment gateway 121 verifies the identity of the payment terminal 312 based on the identification information contained in the payment application message. For example, the payment terminal management unit 330 of the secure payment gateway may determine whether the relationship among the device identifier, the IP address, the media access control address, and the geographic location in the identification information matches the binding relationship of these four information items that the payment service platform 110 established when the payment terminal 312 was registered; if not, step 507 is entered, and if so, step 508 is entered.
In step 507, the payment device management unit 330 of the secure payment gateway generates a message of payment failure and transmits the message to the payment terminal 312 via the base station 211. Optionally, in step 507, the payment device management unit 330 also records the payment terminal 312 as an illegal device.
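The two gateway-side checks of steps 501-507, written out as an added example for this page (not code from the patent or its assignee): the first verification admits a terminal only if the (terminal MAC, gateway MAC, base station id) triple is on the white list, and the second verification compares device identifier, IP address, MAC address and geographic location against the binding established at registration, recording the terminal as an illegal device on failure. The class and field names, the coordinate tolerance and all sample values (MAC addresses, IPs, coordinates, identifiers) are constructed assumptions.

```python
"""Gateway-side terminal verification, modelled on steps 501-507 of Fig. 5.

Added example for this page, not code from the patent or its assignee.
Field names, the tolerance on the geographic check and all sample values
(MAC addresses, IPs, coordinates, identifiers) are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TerminalBinding:
    """Binding the service platform establishes when a terminal is registered."""
    mac: str
    device_id: str
    ip: str
    geo: Tuple[float, float]      # (latitude, longitude) of the deployment area
    base_station_id: str          # base station serving that deployment area
    gateway_mac: str              # MAC of the secure payment gateway at that base station


class SecurePaymentGateway:
    """Holds the white list pushed down by the service platform and applies the
    two verifications a terminal must pass before its message is forwarded."""

    GEO_TOLERANCE_DEG = 0.001     # assumed: roughly 100 m slack for reported coordinates

    def __init__(self, gateway_mac: str, base_station_id: str,
                 white_list: Dict[str, TerminalBinding]) -> None:
        self.gateway_mac = gateway_mac
        self.base_station_id = base_station_id
        self.white_list = white_list          # keyed by terminal MAC
        self.illegal_devices: set = set()     # terminals recorded in step 507

    def first_verification(self, request: dict) -> bool:
        """Steps 501-504: the connection request carries only the terminal MAC.
        Access is allowed only if the (terminal MAC, gateway MAC, base station id)
        triple matches a binding in the white list."""
        binding = self.white_list.get(request.get("mac", ""))
        if binding is None:
            return False
        return (binding.gateway_mac == self.gateway_mac
                and binding.base_station_id == self.base_station_id)

    def second_verification(self, ident: dict) -> bool:
        """Step 506: the payment application message carries device id, IP, MAC
        and geographic location; every item must agree with the registered binding."""
        binding = self.white_list.get(ident.get("mac", ""))
        if binding is None:
            return False
        if binding.device_id != ident.get("device_id") or binding.ip != ident.get("ip"):
            return False
        lat, lon = ident.get("geo", (None, None))
        if lat is None or lon is None:
            return False
        return (abs(lat - binding.geo[0]) <= self.GEO_TOLERANCE_DEG
                and abs(lon - binding.geo[1]) <= self.GEO_TOLERANCE_DEG)

    def handle_payment_application(self, message: dict) -> str:
        """Steps 506-507: returns 'forward' when the terminal passes, otherwise
        'payment_failure' and records the terminal as an illegal device."""
        ident = message.get("identification", {})
        if self.second_verification(ident):
            return "forward"
        self.illegal_devices.add(ident.get("mac", "<unknown>"))
        return "payment_failure"


def build_demo_gateway() -> SecurePaymentGateway:
    """Constructed sample deployment: one gateway at base station BS-211 with
    one registered terminal. All values are made up for the example."""
    binding = TerminalBinding(
        mac="02:00:00:00:00:01", device_id="POS-0001", ip="10.0.0.5",
        geo=(31.2304, 121.4737), base_station_id="BS-211",
        gateway_mac="02:00:00:00:10:21",
    )
    return SecurePaymentGateway("02:00:00:00:10:21", "BS-211", {binding.mac: binding})


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.first_verification({"mac": "02:00:00:00:00:01"}))
    print(gw.handle_payment_application({"identification": {
        "mac": "02:00:00:00:00:01", "device_id": "POS-0001",
        "ip": "10.0.0.5", "geo": (31.2304, 121.4737)}}))
```

Note that the first check relies on a MAC address alone, which the terminal itself reports; the binding to a specific base station and gateway is what limits the value of a copied address, and the second check then requires all four identifiers to agree before any biometric data is processed.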
At step 508, the secure payment gateway 121 extracts the corresponding biometric features from the biometric information data contained in the payment application message. Optionally, each biometric feature is represented in vector form. When the biometric information data contains a plurality of types, the extraction result is a plurality of biometric feature vectors. For example, the biometric extraction unit 310 of the secure payment gateway 121 may extract biometric features expressed in vector form from each type of biometric information data using a corresponding feature extraction algorithm.
Then, in step 509, the secure payment gateway 121 encapsulates the identification information associated with the secure payment gateway, the biometric vectors extracted in step 508, and the transaction data from the payment application message into a message with a set format. The message encapsulation operation may be performed by the payment terminal management unit 330 in the secure payment gateway. Preferably, the above identification information is a combination of one or more of the following items of information associated with the secure payment gateway: device identifier, IP address, media access control address, and geographic location.
Then, in step 510, the secure payment gateway 121 encrypts the message encapsulated in step 509 to generate a payment processing message, and sends the encrypted message to the payment service platform 110. Preferably, the cryptographic operations are performed in a trusted environment of the secure payment gateway 121 (e.g., in the secure element 320 in fig. 3). Illustratively, examples of algorithms for encryption include, but are not limited to, the SM2, SM3 and SM4 algorithms.
Step 511 is entered after step 510. In this step, the payment service platform 110 receives the payment processing message from the secure payment gateway 121. Then, in step 512, the payment service platform 110 processes the payment processing message. The specific processing will be described in detail below with reference to fig. 6.
If the payment service platform 110 verifies both the secure payment gateway and the user, step 513 is entered. In this step, the corresponding payment operation is performed by the payment unit 470 of the payment service platform.
Step 514 is entered after step 513. In this step, the secure element 320 of the secure payment gateway encrypts the locally stored biometric information data. Illustratively, examples of algorithms for encryption include, but are not limited to, the SM2, SM3 and SM4 algorithms.
Then, proceeding to step 515, the secure payment gateway 121 sends the encrypted biometric information data to the payment service platform 110.
Proceeding to step 516, the secure payment gateway 121 deletes the locally stored biometric information data.
It is noted that steps 514-516 are optional steps which help reduce the risk of leakage of sensitive information.
Fig. 6 is a flow chart of a method of verifying a user's identity in accordance with another embodiment of the present invention. The method flow shown in fig. 6 may be used for the method shown in fig. 5.
As shown in fig. 6, at step 601, the payment service platform 110 verifies the identity of the secure payment gateway 121 based on the identification information contained in the payment processing message. For example, the device management unit 440 in the payment service platform 110 may determine whether the relationship among the device identifier, the IP address, the media access control address, and the geographic location in the identification information matches the binding relationship of these four information items pre-established by the payment service platform 110; if not, step 602 is entered, and if so, step 603 is entered.
In step 602, the payment gateway management unit 440 of the payment service platform generates a message of payment failure and returns the message to the secure payment gateway 121. Optionally, in step 602, the payment gateway management unit 440 also records the secure payment gateway 121 as an illegal device.
At step 603, the biometric data management unit 430 of the payment service platform 110 may compare each biometric vector in the payment processing message with the corresponding feature template associated with the user (the feature template may be stored, for example, in the user information management unit 420 of the payment service platform) to obtain a matching score for each type of biometric information data.
Subsequently, proceeding to step 604, the biometric data management unit 430 fuses the matching scores of the various types of biometric information data to obtain an evaluation score. Preferably, an anchored min-max normalization algorithm based on the change of overlapping extrema, a support vector machine algorithm, a unitary distance algorithm, or the like may be adopted as the fusion algorithm.
Next, in step 605, the decision unit 460 of the payment service platform 110 compares the evaluation score obtained in step 604 with a preset threshold; if the former is greater than the latter, it determines that the user's authentication has passed and step 513 in fig. 5 is entered; otherwise, step 606 is entered.
In step 606, the payment gateway management unit 430 of the payment service platform generates a message of payment failure and returns the message to the secure payment gateway 121. Optionally, in step 606, the payment gateway management unit 440 also records the user as a non-registered user.
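The server-side flow of steps 601-606, as an added example for this page (not the patent's own code): the gateway's identification information is checked against its registered binding, each biometric vector in the decrypted message is scored against the user's enrolled template, the per-modality scores are fused, and the fused score is compared with a threshold. Cosine similarity as the per-modality matcher, a min-max normalization anchored to assumed per-modality score ranges followed by a weighted sum as the fusion rule, and every sample value (gateway binding, templates, probe vectors, threshold) are constructed assumptions; the patent names the fusion algorithms only by family.

```python
"""Service-platform side of the flow in Fig. 6 (steps 601-606).

Added example for this page, not the patent's own code. Cosine similarity
as the per-modality matcher, an anchored min-max normalisation plus weighted
sum as the fusion rule, and all sample values are constructed assumptions.
"""
import math
from typing import Dict, Sequence, Tuple

# Step 601: bindings the platform established when each gateway was registered.
GATEWAY_BINDINGS: Dict[str, dict] = {
    "GW-121": {"ip": "10.1.0.21", "mac": "02:00:00:00:10:21", "geo": (31.2304, 121.4737)},
}

# Step 603: per-user feature templates stored at enrolment, one per biometric type.
TEMPLATES: Dict[str, Dict[str, Sequence[float]]] = {
    "user-42": {"face": [1.0, 0.0, 0.0, 0.0], "fingerprint": [0.0, 1.0, 0.0, 0.0]},
}

# Step 604: assumed anchors (lo, hi) of each matcher's raw score range and fusion weights.
SCORE_ANCHORS: Dict[str, Tuple[float, float]] = {"face": (0.2, 1.0), "fingerprint": (0.0, 0.9)}
FUSION_WEIGHTS: Dict[str, float] = {"face": 0.5, "fingerprint": 0.5}


def verify_gateway(ident: dict) -> bool:
    """Step 601: device id, IP, MAC and location must all match the binding."""
    b = GATEWAY_BINDINGS.get(ident.get("device_id", ""))
    if b is None:
        return False
    return (b["ip"] == ident.get("ip") and b["mac"] == ident.get("mac")
            and tuple(b["geo"]) == tuple(ident.get("geo", ())))


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Raw matching score between a probe vector and a template (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def match_scores(user_id: str, vectors: Dict[str, Sequence[float]]) -> Dict[str, float]:
    """Step 603: one raw matching score per biometric type present in the message."""
    templates = TEMPLATES.get(user_id, {})
    return {kind: cosine_similarity(vec, templates[kind])
            for kind, vec in vectors.items() if kind in templates}


def fuse_scores(scores: Dict[str, float]) -> float:
    """Step 604: anchored min-max normalisation of each score to [0, 1], then a
    weighted sum. Scores outside the anchor range are clamped."""
    total, weight_sum = 0.0, 0.0
    for kind, raw in scores.items():
        lo, hi = SCORE_ANCHORS[kind]
        norm = min(1.0, max(0.0, (raw - lo) / (hi - lo)))
        total += FUSION_WEIGHTS[kind] * norm
        weight_sum += FUSION_WEIGHTS[kind]
    return total / weight_sum if weight_sum else 0.0


def process_payment_message(msg: dict, threshold: float = 0.85) -> str:
    """Steps 601-606 end to end on an already decrypted payment processing message.
    Returns 'approved' (step 513 follows), 'payment_failure:gateway' (step 602)
    or 'payment_failure:user' (step 606). A user with no enrolled template
    yields no scores and therefore fails rather than passing by default."""
    if not verify_gateway(msg.get("identification", {})):
        return "payment_failure:gateway"
    scores = match_scores(msg["transaction"]["user_id"], msg.get("biometric_vectors", {}))
    if not scores:
        return "payment_failure:user"
    return "approved" if fuse_scores(scores) > threshold else "payment_failure:user"


def demo_message(face: Sequence[float], fingerprint: Sequence[float]) -> dict:
    """Constructed (decrypted) payment processing message from gateway GW-121."""
    return {
        "identification": {"device_id": "GW-121", "ip": "10.1.0.21",
                           "mac": "02:00:00:00:10:21", "geo": (31.2304, 121.4737)},
        "biometric_vectors": {"face": face, "fingerprint": fingerprint},
        "transaction": {"user_id": "user-42", "commodity_id": "SKU-7", "amount": 12.50},
    }


if __name__ == "__main__":
    print(process_payment_message(demo_message([1.0, 0.0, 0.0, 0.0], [0.0, 0.8, 0.6, 0.0])))
    print(process_payment_message(demo_message([0.0, 0.0, 1.0, 0.0], [0.0, 0.0, 0.0, 1.0])))
```

The order of the checks matters for the design: the gateway's identity is verified before any template comparison is attempted, so a message from an unregistered gateway never reaches the biometric matcher, and the fused-score threshold is the single point at which the operator tunes the trade-off between false acceptance and false rejection across modalities.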
According to another aspect of the present invention, there is also provided a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the method of providing a secure authentication mechanism described above with reference to figs. 1-5.
The embodiments and examples set forth herein are presented to best explain the embodiments in accordance with the present technology and its particular application and to thereby enable those skilled in the art to make and utilize the invention. Those skilled in the art, however, will recognize that the foregoing description and examples have been presented for the purpose of illustration and example only. The description as set forth is not intended to cover all aspects of the invention or to limit the invention to the precise form disclosed.
In view of the foregoing, the scope of the present disclosure is to be determined by the following claims.

Claims (27)

1. A method for providing a secure authentication mechanism, comprising the steps of:
the gateway performs a first verification of the identity of a terminal requesting to establish a communication connection;
after the first verification of the terminal passes, the gateway receives a first message from the terminal, wherein the first message comprises first identification information associated with the terminal, biometric information data associated with a user, and service data;
the gateway performs a second verification of the identity of the terminal based on the first identification information;
after the second verification passes, the gateway generates a second message in encrypted form, wherein the second message comprises second identification information associated with the gateway, a biometric feature vector of the biometric information data, and the service data;
the server receives the second message from the gateway; and
the server determines whether to perform an operation indicated by the service data based on the second identification information and the biometric feature vector,
wherein the step of performing the first verification comprises:
receiving a request message for establishing a communication connection from the terminal, wherein the request message comprises a media access control address of the terminal; and
if the correspondence among the media access control address of the terminal, the media access control address of the gateway and the device identifier of the base station conforms to the binding relationship, determining that the first verification has passed,
wherein the first identification information is selected from a combination of one or more of the following associated with the terminal: device identifier, IP address, and geographic location.
2. The method of claim 1, wherein the gateway is deployed at a base station of a cellular mobile network, the binding relationship being established by the server at device registration for the terminal.
3. The method of claim 1, wherein the first identification information further comprises a media access control address associated with the terminal.
4. The method of claim 1, wherein the gateway is deployed as a mobile edge computing node on a node of an access network to enable communication with the terminal, the access network comprising one of: a radio access network of a 3G/4G/5G mobile communication system, an NB-IoT network, an eMTC network, a LoRaWAN network and a LoRa network.
5. The method of claim 4, wherein the second identification information is selected from a combination of one or more of the following associated with the gateway: device identifier, IP address, media access control address, and geographic location.
6. The method of claim 1, wherein the biometric information data includes at least two of the following types: face images, fingerprint images, iris images, voice recordings, and palm vein images.
7. The method of claim 6, wherein generating the second message comprises:
generating a respective biometric feature vector for each of the plurality of types of biometric information data;
packaging the second identification information, the biometric feature vectors of the various types of biometric information data and the service data into a message with a set format; and
encrypting the packaged message to generate the second message.
8. The method of claim 7, wherein the step of encrypting the encapsulated message is performed in a trusted environment within the gateway.
9. The method of claim 7, wherein determining whether to perform the operation indicated by the service data comprises:
verifying the identity of the gateway based on the second identification information;
after the gateway identity verification passes, verifying the identity of the user based on the biometric feature vector; and
if the identity of the user passes verification, determining that the operation indicated by the service data is allowed to be executed.
10. The method of claim 9, wherein the step of verifying the identity of the user comprises:
comparing the biometric feature vector of each type of biometric information data with a pre-stored feature template associated with the user to obtain a matching score for that type of biometric information data;
fusing the matching scores of the various types of biometric information data to obtain an evaluation score; and
comparing the evaluation score to a threshold score to determine whether the user's authentication has passed.
11. The method of claim 10, wherein the matching scores of the various types of biometric information data are fused to obtain the evaluation score using one of the following algorithms: an anchored min-max normalization algorithm based on the change of overlapping extrema, a support vector machine algorithm and a unitary distance algorithm.
12. The method of claim 1, wherein the operation relates to payment or access management.
13. The method of claim 1, further comprising:
the gateway encrypts the biometric information data;
transmitting the encrypted biometric information data to the server; and
deleting the biometric information data at the gateway.
14. A computer system providing a secure authentication mechanism, comprising a gateway and a server, wherein the gateway is configured to:
perform a first verification of the identity of a terminal requesting to establish a communication connection;
receive a first message from the terminal, wherein the first message comprises first identification information associated with the terminal, biometric information data associated with a user, and service data;
perform a second verification of the identity of the terminal based on the first identification information, and generate a second message in encrypted form after the second verification passes, wherein the second message comprises second identification information associated with the gateway, a biometric feature vector of the biometric information data, and the service data; and
the server is configured to:
receive the second message from the gateway and determine whether to perform an operation indicated by the service data based on the second identification information and the biometric feature vector,
wherein the gateway is configured to perform the first verification in the following manner:
receiving a request message for establishing a communication connection from the terminal, wherein the request message comprises a media access control address of the terminal; and
if the correspondence among the media access control address of the terminal, the media access control address of the gateway and the device identifier of the base station conforms to the binding relationship, determining that the first verification has passed,
wherein the first identification information is selected from a combination of one or more of the following associated with the terminal: device identifier, IP address, and geographic location.
15. The computer system of claim 14, wherein the gateway is deployed at a base station of a cellular mobile network, the binding relationship being established by the server at device registration for the terminal.
16. The computer system of claim 14, wherein the first identification information further comprises a media access control address associated with the terminal.
17. The computer system of claim 14, wherein the gateway is deployed as a mobile edge computing node on a node of an access network to enable communication with the terminal, the access network comprising one of: a radio access network of a 3G/4G/5G mobile communication system, an NB-IoT network, an eMTC network, a LoRaWAN network and a LoRa network.
18. The computer system of claim 14, wherein the second identification information is selected from a combination of one or more of the following associated with the gateway: device identifier, IP address, media access control address, and geographic location.
19. The computer system of claim 14, wherein the biometric information data includes at least two of the following types: face images, fingerprint images, iris images, voice recordings, and palm vein images.
20. The computer system of claim 19, wherein the gateway is configured to generate the second message as follows:
generating a respective biometric feature vector for each of the plurality of types of biometric information data;
packaging the second identification information, the biometric feature vectors of the various types of biometric information data and the service data into a message with a set format; and
encrypting the packaged message to generate the second message.
21. The computer system of claim 20, wherein the gateway comprises a processing circuit comprising a first processing module and a second processing module that are physically separated, the first processing module configured to provide a trusted environment and comprising a first processor and a first memory, the first memory containing instructions executable by the first processor to complete encryption of an encapsulated message.
22. The computer system of claim 20, wherein the server determines whether to perform the operation indicated by the service data by:
verifying the identity of the gateway based on the second identification information;
after the gateway identity verification passes, verifying the identity of the user based on the biometric feature vector; and
if the user passes verification, determining that the operation indicated by the service data is allowed to be executed.
23. The computer system of claim 22, wherein the server is configured to verify the identity of the user in the following manner:
comparing the biometric feature vector of each type of biometric information data with a pre-stored feature template associated with the user to obtain a matching score for that type of biometric information data;
fusing the matching scores of the various types of biometric information data to obtain an evaluation score; and
comparing the evaluation score to a threshold score to determine whether the user's authentication has passed.
24. The computer system of claim 23, wherein the matching scores of the various types of biometric information data are fused to obtain the evaluation score using one of the following algorithms: an anchored min-max normalization algorithm based on the change of overlapping extrema, a support vector machine algorithm and a unitary distance algorithm.
25. The computer system of claim 14, wherein the operation relates to payment or access management.
26. The computer system of claim 21, wherein the gateway is further configured to:
encrypting the biometric information data;
transmitting the encrypted biometric information data to the server; and
deleting the biometric information data at the gateway.
27. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1-13.
CN202011373171.0A 2020-11-30 2020-11-30 Method, computer system and computer readable medium for providing secure authentication mechanism Active CN112995998B (en)
Publications (2)

Publication Number Publication Date
CN112995998A CN112995998A (en) 2021-06-18
CN112995998B true CN112995998B (en) 2023-02-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant