CN113779532A - Biometric authentication method, server, user terminal, system, and medium - Google Patents


Info

Publication number: CN113779532A
Authority: CN (China)
Prior art keywords: target; target user; information; user terminal; authentication server
Legal status: Pending
Application number: CN202110961902.1A
Other languages: Chinese (zh)
Inventors: 孙权, 陈成钱
Current Assignee: China Unionpay Co Ltd
Original Assignee: China Unionpay Co Ltd
Application filed by: China Unionpay Co Ltd
Priority to: CN202110961902.1A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The application discloses a biometric authentication method, a server, a user terminal, a system, and a medium, belonging to the field of data processing. The method comprises: receiving a service request message sent by a service provider server, the service request message comprising target biometric information and a target user identifier; determining, according to the target user identifier, a target user terminal that corresponds to the target user identifier; sending a sample acquisition request message to the target user terminal, the sample acquisition request message comprising the target user identifier; when the granted information usage permission has been obtained, receiving a sample acquisition response message sent by the target user terminal, the sample acquisition response message comprising target biometric sample information; and matching the target biometric information against the target biometric sample information to obtain a matching result. Embodiments of the application can improve the security of users' private data.

Description

Biometric authentication method, server, user terminal, system, and medium
Technical Field
The present application relates to the field of data processing, and in particular, to a biometric authentication method, server, user terminal, system, and medium.
Background
With the development of electronic information technology, more and more fields have begun to use biometric identification technology for identity authentication, that is, using a computer to authenticate identity by means of the inherent biometric features of the human body.
The service providing device can collect a user's biometric features and upload them to a remote server, which then performs the biometric authentication. Biometric authentication based on a remote server requires the remote server to centrally store biometric samples of a large number of users. A user's biometric sample is private data of that user; storing a large amount of private data centrally on the remote server carries a high risk of privacy disclosure and reduces the security of users' private data.
Disclosure of Invention
Embodiments of the present application provide a biometric authentication method, a server, a user terminal, a system, and a medium, which can improve security of private data of a user.
In a first aspect, an embodiment of the present application provides a biometric authentication method applied to an authentication server, the method including: receiving a service request message sent by a service provider server, where the service request message includes target biometric information and a target user identifier, the target biometric information includes biometric information of a target user, and the target user identifier includes a user identifier of the target user; determining, according to the target user identifier, a target user terminal that corresponds to the target user identifier, where the target user terminal has a secure execution environment, target biometric sample information is stored in the secure execution environment, and the target biometric sample information includes biometric sample information of the target user; sending a sample acquisition request message to the target user terminal, where the sample acquisition request message includes the target user identifier; when the granted information usage permission has been obtained, receiving a sample acquisition response message sent by the target user terminal, where the sample acquisition response message includes the target biometric sample information; and matching the target biometric information against the target biometric sample information to obtain a matching result.
In a second aspect, an embodiment of the present application provides a biometric authentication method applied to a user terminal, where the user terminal has a secure execution environment, target biometric sample information is stored in the secure execution environment, and the target biometric sample information includes biometric sample information of a target user, the method including: receiving a sample acquisition request message sent by an authentication server, where the sample acquisition request message is generated by the authentication server according to a received service request message, the service request message includes target biometric information and a target user identifier, the sample acquisition request message includes the target user identifier, the target biometric information includes biometric information of the target user, and the target user identifier includes a user identifier of the target user; and, when the target user identifier corresponds to the user terminal and the authentication server has obtained the information usage permission, sending a sample acquisition response message to the authentication server, where the sample acquisition response message includes the target biometric sample information, so that the authentication server matches the target biometric information against the target biometric sample information to obtain a matching result.
In a third aspect, an embodiment of the present application provides an authentication server, including: a receiving module, configured to receive a service request message sent by a service provider server, where the service request message includes target biometric information and a target user identifier, the target biometric information includes biometric information of a target user, and the target user identifier includes a user identifier of the target user; a determining module, configured to determine, according to the target user identifier, a target user terminal that corresponds to the target user identifier, where the target user terminal has a secure execution environment, target biometric sample information is stored in the secure execution environment, and the target biometric sample information includes biometric sample information of the target user; a sending module, configured to send a sample acquisition request message to the target user terminal, where the sample acquisition request message includes the target user identifier; the receiving module being further configured to receive, when the granted information usage permission has been obtained, a sample acquisition response message sent by the target user terminal, where the sample acquisition response message includes the target biometric sample information; and a matching module, configured to match the target biometric information against the target biometric sample information to obtain a matching result.
In a fourth aspect, an embodiment of the present application provides a user terminal, where the user terminal has a secure execution environment, target biometric sample information is stored in the secure execution environment, and the target biometric sample information includes biometric sample information of a target user, the user terminal including: a receiving module, configured to receive a sample acquisition request message sent by an authentication server, where the sample acquisition request message is generated by the authentication server according to a received service request message, the service request message includes target biometric information and a target user identifier, the sample acquisition request message includes the target user identifier, the target biometric information includes biometric information of the target user, and the target user identifier includes a user identifier of the target user; and a sending module, configured to send a sample acquisition response message to the authentication server when the target user identifier corresponds to the user terminal and the authentication server has obtained the information usage permission, where the sample acquisition response message includes the target biometric sample information, so that the authentication server matches the target biometric information against the target biometric sample information to obtain a matching result.
In a fifth aspect, an embodiment of the present application provides an authentication server, including: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements the biometric authentication method of the first aspect.
In a sixth aspect, an embodiment of the present application provides a user terminal, including: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements the biometric authentication method of the second aspect.
In a seventh aspect, an embodiment of the present application provides a biometric authentication system, including the authentication server of the fifth aspect and the user terminal of the sixth aspect.
In an eighth aspect, embodiments of the present application provide a computer-readable storage medium, on which computer program instructions are stored, which, when executed by a processor, implement the biometric authentication method of the first aspect or the biometric authentication method of the second aspect.
Embodiments of the present application provide a biometric authentication method, server, user terminal, system, and medium, in which the authentication server may determine, according to a received service request message sent by a service provider server, the target user terminal corresponding to the target user identifier in the service request message. The target user terminal stores the target biometric sample information. The authentication server requests the target biometric sample information from the target user terminal through the sample acquisition request message, and matches it against the target biometric information in the service request message to obtain a matching result, completing authentication by biometric features. Because the authentication server requests the target biometric sample information from the user terminal only when biometric authentication is needed, the authentication server does not have to store the biometric sample information of a large number of users, the risk of privacy disclosure caused by centralized storage of that information is eliminated, and the security of users' private data is improved.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below; those skilled in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of an example of an application scenario of a biometric authentication method provided in an embodiment of the present application;
Fig. 2 is a schematic diagram of another example of an application scenario of a biometric authentication method provided in an embodiment of the present application;
Fig. 3 is a flowchart of an embodiment of a biometric authentication method provided in the first aspect of the present application;
Fig. 4 is a flowchart of another embodiment of a biometric authentication method provided in the first aspect of the present application;
Fig. 5 is a flowchart of yet another embodiment of a biometric authentication method provided in the first aspect of the present application;
Fig. 6 is a flowchart of yet another embodiment of a biometric authentication method provided in the first aspect of the present application;
Fig. 7 is a flowchart of yet another embodiment of a biometric authentication method provided in the first aspect of the present application;
Fig. 8 is a flowchart of an embodiment of a biometric authentication method provided in the second aspect of the present application;
Fig. 9 is a flowchart of another embodiment of a biometric authentication method provided in the second aspect of the present application;
Fig. 10 is a flowchart of yet another embodiment of a biometric authentication method provided in the second aspect of the present application;
Fig. 11 is a flowchart of an example of a registration process in biometric authentication provided in an embodiment of the present application;
Fig. 12 is a flowchart of an example of an authentication process in biometric authentication provided in an embodiment of the present application;
Fig. 13 is a flowchart of another example of an authentication process in biometric authentication provided in an embodiment of the present application;
Fig. 14 is a schematic structural diagram of an embodiment of an authentication server provided in the third aspect of the present application;
Fig. 15 is a schematic structural diagram of another embodiment of an authentication server provided in the third aspect of the present application;
Fig. 16 is a schematic structural diagram of yet another embodiment of an authentication server provided in the third aspect of the present application;
Fig. 17 is a schematic structural diagram of yet another embodiment of an authentication server provided in the third aspect of the present application;
Fig. 18 is a schematic structural diagram of an embodiment of a user terminal provided in the fourth aspect of the present application;
Fig. 19 is a schematic structural diagram of another embodiment of a user terminal provided in the fourth aspect of the present application;
Fig. 20 is a schematic structural diagram of yet another embodiment of a user terminal provided in the fourth aspect of the present application;
Fig. 21 is a schematic structural diagram of an embodiment of an authentication server provided in the fifth aspect of the present application;
Fig. 22 is a schematic structural diagram of an embodiment of a user terminal provided in the sixth aspect of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below, and in order to make objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are intended to be illustrative only and are not intended to be limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof.
With the development of electronic information technology, more and more fields begin to use biometric identification technology for identity authentication. For example, biometric techniques may be applied to payments, card punches, gate passes, and the like, and are not limited thereto.
The service providing device can collect a user's biometric features and upload them to a remote server, which performs the biometric authentication. For some public service providing devices, such as vending machines, the remote server needs to perform biometric authentication for a large number of users. The remote server therefore needs to centrally store biometric samples of a large number of users, and a user's biometric sample is private data of that user. Storing a large amount of private data centrally on a remote server creates a large risk of privacy leakage and reduces the security of users' private data.
Embodiments of the present application provide a biometric authentication method, a server, a user terminal, a system, and a medium, in which a user's biometric sample information is stored in the user's private terminal, that is, the user terminal. When biometric authentication is needed, the authentication server, through interaction between the service provider server and the authentication server, can request the biometric sample information from the user terminal and then perform the biometric authentication. This avoids the authentication server storing the biometric sample information of a large number of users, eliminates the privacy leakage risk caused by centralized storage of that information, and improves the security of users' private data.
In some cases, an application scenario of the biometric authentication method provided by the embodiments of the present application may involve a service providing device, a service provider server, an authentication server, and a user terminal. Fig. 1 is a schematic diagram of an example of an application scenario of a biometric authentication method according to an embodiment of the present application. As shown in Fig. 1, the service providing device 11 may communicate with the service provider server 12. The service provider server 12 may communicate with the authentication server 13. The authentication server 13 may communicate with the user terminal 14.
The service providing apparatus 11 may be a common device that provides a service. For example, the service providing device 11 may include a vending machine, a transit gate, a card punch, etc., and is not limited thereto. The service providing apparatus 11 may be installed with a service program. For example, the service program may include a payment program, a trip program, a card punch program, and the like, but is not limited thereto. The service providing device 11 may interact with the service provider server 12 in response to user input to the service program.
The service provider server 12 may be a server corresponding to the service providing device 11, and the kind of the service provider server 12 is not limited herein.
The authentication server 13 is a server for performing biometric authentication, and the type and number of authentication servers 13 are not limited herein. In some examples, the authentication server 13 in the embodiments of the present application may have a secure execution environment. By way of example, the secure execution environment in the authentication server 13 may be implemented as a Trusted Execution Environment (TEE) and/or a Secure Element (SE), and the like, and is not limited herein.
The user terminal 14 may be a terminal device that is private to the user. For example, the user terminal 14 may include, but is not limited to, a mobile phone, a tablet computer, a computer, and the like. The user terminal 14 in the embodiments of the present application has a secure execution environment. By way of example, the secure execution environment in the user terminal 14 may be implemented as a TEE and/or an SE, and the like, and is not limited thereto.
In some examples, the service provider server 12 and the authentication server 13 may belong to the same system; for example, the functions of the service provider server 12 and the authentication server 13 may be integrated and implemented by the same server or servers. The specific architectures of the service provider server 12 and the authentication server 13 are not limited herein.
In other cases, an application scenario of the biometric authentication method provided by the embodiments of the present application may involve a user terminal, a service provider server, and an authentication server. Fig. 2 is a schematic diagram of another example of an application scenario of the biometric authentication method provided in the embodiments of the present application. As shown in Fig. 2, the user terminal 21 may communicate with the service provider server 22. The service provider server 22 may communicate with the authentication server 23. The authentication server 23 may communicate with the user terminal 21.
In this example, the user terminal 21 may be a terminal device private to the user. For example, the user terminal 21 may include, but is not limited to, a mobile phone, a tablet computer, a computer, and the like. The user terminal 21 may be installed with a service program. For example, the service program may include a payment program, a trip program, a card punch program, and the like, but is not limited thereto. The user terminal 21 may interact with the service provider server 22 in response to user input to the service program.
The service provider server 22 may be a server corresponding to a service program installed in the user terminal 21, and the kind of the service provider server 22 is not limited herein.
The authentication server 23 is a server for performing biometric authentication, and the type and number of the authentication servers 23 are not limited herein.
In some examples, the service provider server 22 and the authentication server 23 may belong to the same system; for example, the functions of the service provider server 22 and the authentication server 23 may be integrated and implemented by the same server or servers. The specific architectures of the service provider server 22 and the authentication server 23 are not limited herein.
The biometric authentication method, server, user terminal, system, and medium provided in the embodiments of the present application are described below.
The first aspect of the present application provides a biometric authentication method that can be applied to an authentication server; for a description of the authentication server, refer to the examples above, which are not repeated here. Fig. 3 is a flowchart of an embodiment of a biometric authentication method provided in the first aspect of the present application. As shown in Fig. 3, the biometric authentication method may include steps S301 to S305.
In step S301, a service request message transmitted by a service provider server is received.
The service request message may be transmitted by the service provider server in response to a request message from the service providing device or the user terminal. The service request message is used to request biometric authentication from the authentication server. The service request message includes target biometric information and a target user identifier. The target biometric information includes biometric information of the target user, and may be biometric information that is collected by the service providing device or the user terminal and transmitted to the service provider server. The target user identifier includes a user identifier of the target user and identifies the target user. For example, the user identifier may include, but is not limited to, a user ID, a user registration name, a user handset, a user mailbox, a user identification number, and the like.
In some examples, the biometric information may include a biometric feature and/or a first feature value. The biometric feature may include, but is not limited to, a human face, a fingerprint, an iris, a voiceprint, etc. The first feature value is a feature value calculated from the biometric feature and can characterize the biometric feature.
In step S302, a target user terminal having a corresponding relationship with the target user identifier is determined according to the target user identifier.
The target user terminal has a secure execution environment. The specific content of the secure execution environment can be referred to the related description in the above embodiments, and is not limited herein.
The target user terminal is the user terminal that corresponds to the target user identifier, and can be regarded as a private terminal device of the target user. The authentication server may store a correspondence between the user identifier and the user terminal. Specifically, the correspondence between the user identifier and the user terminal may be implemented as a correspondence between the user identifier and a user terminal identifier, where the user terminal identifier identifies the user terminal. The correspondence between the user identifier and the user terminal may be stored in an ordinary execution environment such as a Rich Execution Environment (REE) in the target user terminal device, or may be stored in a secure execution environment, which is not limited herein.
The target biometric sample information is stored in the secure execution environment of the target user terminal. The target biometric sample information includes biometric sample information of the target user. Biometric sample information is the reference biometric information against which a user is authenticated. In some examples, the biometric sample information may include a biometric sample and/or a second feature value. The biometric sample may include, but is not limited to, a face sample, a fingerprint sample, an iris sample, a voiceprint sample, and the like. The second feature value is a feature value calculated from the biometric sample and can characterize the biometric sample.
In step S303, a sample acquisition request message is sent to the target user terminal.
The authentication server does not store the target biometric sample information. The authentication server may obtain the target biometric sample information from the target user terminal by sending a sample acquisition request message to the target user terminal.
The sample acquisition request message is used to request the target biometric sample information from the target user terminal. The sample acquisition request message may include the target user identifier. The target user identifier in the sample acquisition request message enables the target user terminal to determine whether the target user corresponding to the target user identifier is a registered user of the target user terminal.
In step S304, when the granted information usage permission has been obtained, a sample acquisition response message sent by the target user terminal is received.
Obtaining the information usage permission means that the target user terminal is allowed to return the target biometric sample information to the authentication server. The target user terminal can return the target biometric sample information to the authentication server in the sample acquisition response message; that is, the sample acquisition response message includes the target biometric sample information.
In step S305, the target biometric information and the target biometric sample information are matched, and a matching result is obtained.
The target biometric sample information can be obtained from the received sample acquisition response message, and the target biometric information and the target biometric sample information are matched to obtain a matching result. Further, step S305 may also be executed in the secure execution environment of the authentication server; that is, the target biometric sample information may be obtained from the received sample acquisition response message in the secure execution environment of the authentication server, and the matching may be performed in the secure execution environment of the authentication server, so as to obtain a matching result.
Matching the target biometric information and the target biometric sample information in the secure execution environment of the authentication server ensures the security of the matching process, prevents the target biometric information from being leaked, and improves the security of the target biometric information.
Matching the target biometric information with the target biometric sample information specifically means comparing the two. The matching result may be a matching success or a matching failure. A matching success means the authentication succeeds, and a matching failure means the authentication fails. When the target biometric information is consistent with the target biometric sample information, the matching result is a matching success. When the target biometric information is inconsistent with the target biometric sample information, the matching result is a matching failure. Consistency may specifically mean that the similarity between the compared objects exceeds a same determination threshold, which may be set according to the scene or requirement and is not limited herein. For example, the same determination threshold is 97%.
In this embodiment of the present application, the authentication server may determine, according to the received service request message sent by the service provider server, a target user terminal corresponding to a target user identifier in the service request message. The target user terminal stores target biological characteristic sample information. The authentication server requests the target user terminal for target biological characteristic sample information through the sample acquisition request message so as to match the target biological characteristic sample information with the target biological characteristic information in the service request message to obtain a matching result and finish authentication by using biological characteristics. Under the condition that the biological characteristic authentication is needed, the authentication server requests target biological characteristic sample information from the user terminal to perform the biological characteristic authentication, so that the authentication server is prevented from storing the biological characteristic sample information of a large number of users, the risk of privacy disclosure caused by centralized storage of the biological characteristic sample information of the large number of users is eliminated, and the safety of the privacy data of the users is improved.
Moreover, the authentication server is a remote server with respect to the user terminal, thereby realizing remote biometric authentication capable of ensuring security of user privacy data.
In the above-described embodiment, the authentication server is capable of acquiring the target biometric sample information from the target user terminal according to the target user identifier on the premise that the target user is registered in the authentication server. The authentication server may receive a registration message transmitted by the target user terminal. The registration message is used for registering the target user at the authentication server. The registration message includes a target user identity and a target user terminal identity. The target user terminal identification is the terminal identification of the target user terminal. The terminal identifier may identify the user terminal, and the type of the terminal identifier is not limited herein. For example, the terminal identification may include a terminal ID, a terminal device serial number, a terminal network address, i.e., a terminal IP address, and the like. The authentication server can establish the corresponding relation between the target user identification and the target user terminal identification, namely the corresponding relation between the target user identification and the target user terminal is established, so that the target user terminal can be determined according to the corresponding relation between the target user identification and the target user terminal identification under the condition that the target user carries out biological feature authentication.
In the embodiment of the application, in order to further improve the security of the biometric sample information, in the process of transmitting the target biometric sample information between the target user terminal and the authentication server, the target biometric sample information is encrypted target biometric sample information, so that the target biometric sample information is prevented from being leaked in transmission. Fig. 4 is a flowchart of another embodiment of the biometric authentication method provided in the first aspect of the present application. Fig. 4 is different from fig. 3 in that the biometric authentication method shown in fig. 4 may further include steps S306 to S310.
In step S306, a registration message sent by the target user terminal is received.
The registration message may also include a first user key. The first user key is generated by the target user terminal for the target user. The first user keys corresponding to different users are different. The target user terminal may transmit the first user key to the authentication server through a registration message. The authentication server stores a first user key. In some examples, after the authentication server receives the first user key, the first user key may be stored in a secure execution environment of the authentication server, which improves the security of the first user key.
The target user terminal may also generate a second user key paired with the first user key. In some examples, the first user key generated for the target user may be a public key and the second user key generated for the target user may be a private key.
In step S307, a password generation function is invoked, a first random number is generated, and a target work key corresponding to a target user is generated according to the first random number.
Specifically, a random number generator may be provided in the authentication server, and the random number generator may generate different random numbers for different users. The random number generator generates a first random number for a target user. A target work key corresponding to the target user may be generated using a password generation algorithm based on the first random number. The target work key can be used for encrypting and decrypting target biological characteristic sample information.
The random number generator may be provided in a secure execution environment of the authentication server, and the generation of the target work key may also be performed in the secure execution environment of the authentication server. Generating the target work key in the secure execution environment of the authentication server prevents the target work key from being leaked and ensures the security of the target work key and of the information encrypted and decrypted with it.
In step S308, the target work key is encrypted by using the first user key stored in the authentication server, so as to obtain a second ciphertext.
In step S309, the second ciphertext is sent to the target user terminal, so that the target user terminal decrypts the second ciphertext by using the second user key paired with the first user key to obtain the target work key.
The first user key may be used to encrypt the target work key. The first user key and the second user key are both generated by the target user terminal. Encrypting the target work key with the first user key ensures the security of the target work key as it passes between the authentication server and the target user terminal.
In step S310, the first ciphertext is decrypted using the target work key to obtain a first plaintext.
The authentication server stores a target work key. The sample acquiring response message in the above embodiment includes the first ciphertext. The first ciphertext includes the target biometric sample information encrypted with the target work key. Namely, the target user terminal encrypts the target biological characteristic sample information by using the target work key to obtain a first ciphertext. The target work key may be a symmetric key, i.e. both encryption and decryption utilize the target work key.
The authentication server receives the sample acquisition response message, can acquire the first ciphertext from the sample acquisition response message, and decrypts the first ciphertext by using the target working key to obtain the first plaintext. The first plain text includes the target biometric sample information.
In some examples, the target work key may be stored in a secure execution environment of the authentication server, and the decryption process may be performed in the secure execution environment of the authentication server, so that leakage of the target biometric sample information can be avoided, and security of the target biometric sample information can be improved.
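The key handling of steps S306 to S310 can be traced end to end in code. The following Go program is an added example, not code from the application: it assumes RSA-OAEP for the first and second user keys, HMAC-SHA256 over the first random number as the work-key generation algorithm, and AES-256-GCM for the target work key, none of which the text specifies, and all function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewWorkKey runs on the authentication server (S307): draw the first random
// number and derive the target work key from it (assumed HMAC-SHA256 step).
func NewWorkKey(userID string) ([]byte, error) {
	rnd := make([]byte, 32)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, rnd)
	mac.Write([]byte("work-key|" + userID))
	return mac.Sum(nil), nil // 32 bytes, used as an AES-256 key
}

// WrapWorkKey (server, S308) returns the second ciphertext; the user ID is the OAEP label.
func WrapWorkKey(firstUserKey *rsa.PublicKey, userID string, workKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, firstUserKey, workKey, []byte(userID))
}

// UnwrapWorkKey (terminal, S309) recovers the work key with the second user key.
func UnwrapWorkKey(secondUserKey *rsa.PrivateKey, userID string, second []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, secondUserKey, second, []byte(userID))
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSample (terminal) encrypts the sample under the work key and returns the
// first ciphertext as nonce || AES-GCM output, bound to the user ID.
func SealSample(workKey []byte, userID string, sample []byte) ([]byte, error) {
	g, err := gcm(workKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, sample, []byte(userID)), nil
}

// OpenSample (server, S310) returns the first plaintext, or an error if the
// ciphertext was altered or was produced for a different user ID.
func OpenSample(workKey []byte, userID string, first []byte) ([]byte, error) {
	g, err := gcm(workKey)
	if err != nil {
		return nil, err
	}
	if len(first) < g.NonceSize() {
		return nil, errors.New("first ciphertext too short")
	}
	return g.Open(nil, first[:g.NonceSize()], first[g.NonceSize():], []byte(userID))
}

// Exchange plays both sides once and returns the first plaintext.
func Exchange(userID string, sample []byte) ([]byte, error) {
	secondUserKey, err := rsa.GenerateKey(rand.Reader, 2048) // terminal: key pair
	if err != nil {
		return nil, err
	}
	workKey, err := NewWorkKey(userID) // server keeps this copy
	if err != nil {
		return nil, err
	}
	second, err := WrapWorkKey(&secondUserKey.PublicKey, userID, workKey)
	if err != nil {
		return nil, err
	}
	terminalKey, err := UnwrapWorkKey(secondUserKey, userID, second)
	if err != nil {
		return nil, err
	}
	first, err := SealSample(terminalKey, userID, sample) // sample acquisition response
	if err != nil {
		return nil, err
	}
	return OpenSample(workKey, userID, first)
}

func main() {
	plain, err := Exchange("user-1", []byte("constructed feature template"))
	fmt.Printf("first plaintext=%q err=%v\n", plain, err)
}
```

Because the first ciphertext is authenticated, a sample acquisition response that was modified in transit or replayed under another user ID fails to decrypt instead of yielding a wrong sample for matching.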
In some examples, the information usage right obtained by the authentication server in the above embodiments may be obtained by authorization information sent by the target user terminal to the authentication server. That is, the authentication server may receive the authorization message sent by the target user terminal. The authorization message includes authorization information. The authorization information is used for representing the information use authority which is granted to the authentication server by the target user. The information use authority is specifically the authority that the authentication server can acquire the target biological characteristic sample information from the target user terminal. Namely, the authentication server has the information use authority granted by the target user, and can acquire the target biological characteristic sample information from the target user terminal. In some examples, if the authentication server has information usage rights granted by the target user to store the acquired target biometric sample information, the authentication server may also store the target biometric sample information acquired from the target user terminal. In some cases, if the authentication server stores the target biometric sample information, the target biometric sample information may be stored in a secure execution environment of the authentication server to ensure the security of the target biometric sample information.
In the embodiment of the present application, a timing relationship between the step of sending the authorization message to the authentication server by the target user terminal and other steps is not limited. The target user terminal can send authorization information to the authentication server when needing to grant the information use authority of the authentication server.
For example, the authorization message may comprise a registration message, i.e. the authorization message may be implemented as a registration message. The registration message is sent by the target user terminal before the authentication server receives the service request message sent by the service provider server. The registration message is used for registering the target user at the authentication server. The target user terminal can grant information use authority to the authentication server when the target user registers in the authentication server.
As another example, the authorization message is sent by the target user terminal after the authentication server sends the sample acquisition request message to the target user terminal. That is, after the authentication server sends the sample acquisition request message to the target user terminal, the target user terminal may send a prompt message to prompt the target user whether to grant the authentication server information usage right. And under the condition that the target user terminal receives the input of the information use permission granted to the authentication server by the target user, the target user terminal sends an authorization message to the authentication server. The target user terminal may send an authorization message to the authentication server before sending the sample acquisition response message to the authentication server, i.e. the authentication server may receive the authorization message before receiving the sample acquisition response message. Or, the authorization message may include a sample acquisition response message, that is, the authorization message may be implemented as a sample acquisition response message, and the authentication server receives the sample acquisition response message, and may acquire the authorization message and the target biometric sample information together.
In some examples, the authorization information may include one or more of: the authorization validity times, the authorization validity duration, and the authorized valid service provider server.
The authorization validity times characterize the number of times the authentication server can use the target biometric sample information for matching. The authorization validity times may be set according to an operation of the target user, or according to a default value of the terminal of the target user, which is not limited herein. On receiving the authorization message, the authentication server can store the authorization validity times it contains. The authorization validity times stored by the authentication server decrease as the authentication server performs matching using the target biometric sample information. When the authorization validity times are reduced to 0, the authentication server will not be able to use the target biometric sample information or obtain the target biometric sample information from the target user terminal. In some examples, the authentication server deletes the target biometric sample information when the authorization validity times decrease to 0.
The authorization validity duration characterizes the duration for which the authentication server can use the target biometric sample information for matching. On receiving the authorization message, the authentication server can store the authorization validity duration it contains. The authorization validity duration stored by the authentication server decreases over time. When the authorization validity duration is reduced to 0, the authentication server will not be able to use the target biometric sample information or obtain the target biometric sample information from the target user terminal. In some examples, the authentication server deletes the target biometric sample information when the authorization validity duration decreases to 0.
The authorized valid service provider server characterizes the service provider servers that are allowed to initiate service request messages for biometric authentication. If the service provider server sending the service request message is one of the servers characterized by the authorized valid service provider server, the authentication server can acquire the target biometric sample information from the target user terminal and can use the target biometric sample information for matching. If the service provider server sending the service request message is not one of those servers, the authentication server cannot use the target biometric sample information for matching or cannot acquire the target biometric sample information from the target user terminal.
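The following Go program, an added example rather than code from the application, enforces the three authorization fields described above for a sample held by the authentication server and deletes that sample once the validity times or the validity duration run out. It assumes all three fields are present in the authorization message; the Store type, its methods and the sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrNoGrant      = errors.New("no authorization on record")
	ErrSPNotAllowed = errors.New("service provider server not authorized")
	ErrExpired      = errors.New("authorization validity duration elapsed")
	ErrExhausted    = errors.New("authorization validity times used up")
)

// record pairs one user's authorization information with the stored sample.
type record struct {
	remaining int             // authorization validity times left
	expiresAt time.Time       // receipt time plus authorization validity duration
	allowedSP map[string]bool // authorized valid service provider servers
	sample    []byte          // stored target biometric sample information
}

// Store is a hypothetical in-memory stand-in for the authentication server's
// secure execution environment; now is injectable so expiry can be exercised.
type Store struct {
	users map[string]*record
	now   func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{users: map[string]*record{}, now: now}
}

// Put records the authorization information from an authorization message
// together with the sample obtained from the target user terminal.
func (s *Store) Put(userID string, times int, validFor time.Duration, sps []string, sample []byte) {
	allowed := make(map[string]bool, len(sps))
	for _, sp := range sps {
		allowed[sp] = true
	}
	s.users[userID] = &record{
		remaining: times,
		expiresAt: s.now().Add(validFor),
		allowedSP: allowed,
		sample:    append([]byte(nil), sample...),
	}
}

// purge overwrites and drops the stored sample once the grant is spent.
func (r *record) purge() {
	for i := range r.sample {
		r.sample[i] = 0
	}
	r.sample = nil
}

// HasSample reports whether a sample is still held for the user.
func (s *Store) HasSample(userID string) bool {
	r, ok := s.users[userID]
	return ok && r.sample != nil
}

// UseSample checks the grant for a request from service provider spID, consumes
// one use and returns a copy of the sample, which the caller clears after matching.
func (s *Store) UseSample(userID, spID string) ([]byte, error) {
	r, ok := s.users[userID]
	if !ok {
		return nil, ErrNoGrant
	}
	if !r.allowedSP[spID] {
		return nil, ErrSPNotAllowed // rejected before a use is consumed
	}
	if !s.now().Before(r.expiresAt) {
		r.purge()
		return nil, ErrExpired
	}
	if r.remaining <= 0 {
		r.purge()
		return nil, ErrExhausted
	}
	r.remaining--
	out := append([]byte(nil), r.sample...)
	if r.remaining == 0 {
		r.purge() // last permitted match: delete the stored copy
	}
	return out, nil
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed time
	s := NewStore(func() time.Time { return clock })
	s.Put("user-1", 2, time.Hour, []string{"sp-pay"}, []byte("constructed-sample"))
	for _, sp := range []string{"sp-gate", "sp-pay", "sp-pay", "sp-pay"} {
		_, err := s.UseSample("user-1", sp)
		fmt.Printf("%-8s err=%v stored=%v\n", sp, err, s.HasSample("user-1"))
	}
}
```

A request from a service provider server outside the grant is refused without consuming one of the validity times, so an unauthorized requester cannot exhaust the user's grant.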
In some embodiments, the authentication server may also store the target biometric sample information if the authentication server has the information usage rights in the above embodiments. Fig. 5 is a flowchart of a biometric authentication method according to a further embodiment of the first aspect of the present application. Fig. 5 is different from fig. 3 in that the biometric authentication method shown in fig. 5 may further include step S311 and step S312.
In step S311, in the case where the authentication server has the information use authority, the target biometric sample information is stored.
In some examples, the target biometric sample information may be stored in a secure execution environment of the authentication server.
For specific contents of the information usage right and the authorization information, reference may be made to the related description in the above embodiments, and details are not repeated herein.
In step S312, when the information usage right possessed by the authentication server is valid, the target biometric information and the target biometric sample information stored in the authentication server are matched to obtain a matching result.
If the authentication server has the information usage right, the target biometric sample information can be stored in the authentication server when it is acquired from the target user terminal for the first time. When matching, the target biometric information can be matched directly against the target biometric sample information stored in the authentication server, so that the step of repeatedly requesting the target biometric sample information from the target user terminal is omitted and the flow of biometric authentication is simplified.
In some examples, the target biometric sample information may be stored in a secure execution environment of the authentication server.
In some embodiments, to further avoid the centralized storage of biometric information of a large number of users in the authentication server, the biometric information and the biometric sample information involved in the matching may be purged after each matching. Fig. 6 is a flowchart of a biometric authentication method according to a further embodiment of the first aspect of the present application. Fig. 6 is different from fig. 3 in that the biometric authentication method shown in fig. 6 may further include step S313.
In step S313, the target biometric information and the target biometric sample information in the authentication server are cleared.
After the target biological characteristic information is matched with the target biological characteristic sample information, the target biological characteristic information and the target biological characteristic sample information in the memory of the authentication server are removed, so that the risk that the target biological characteristic information and the target biological characteristic sample information are leaked is reduced, and the safety of private data of a user is improved.
In the above embodiment, after the matching result is obtained, it may be sent to the service provider server so that the service provider server determines whether to provide the service based on the matching result. Specifically, if the matching result is a matching success, the service provider server provides the service; if the matching result is a matching failure, the service provider server does not provide the service.
In some examples, the biometric authentication method in the embodiments of the present application may be applied in a payment scenario. Correspondingly, the service request message comprises a payment service request message, and the matching result can be used to indicate whether the service provider server performs payment for the target user. If the matching result is successful, the service provider server executes payment of the target user; and if the matching result is that the matching fails, the service provider server ends the payment of the target user, namely refusing to continue the payment of the target user.
In other examples, the biometric authentication method in the embodiments of the present application may be applied in a card-punching scenario. Correspondingly, the service request message comprises a card-punching service request message, and the matching result can be used to indicate whether the service provider server records the card-punching record of the target user. If the matching result is a matching success, the service provider server records the card-punching record of the target user; if the matching result is a matching failure, the service provider server does not record the card-punching record of the target user.
In still other examples, the biometric authentication method in the embodiments of the present application may be applied in gate passage scenarios. Correspondingly, the service request message comprises a passage service request message, and the matching result can be used to indicate whether the service provider server controls the gate to open. If the matching result is a matching success, the service provider server controls the gate to open and allows passage; if the matching result is a matching failure, the service provider server controls the gate to close and refuses passage.
The application of the biometric authentication method in other scenarios in the embodiments of the present application may refer to the application in the above scenario, and a detailed description thereof is omitted here.
In some embodiments, the target biometric sample information and/or the target user identifier corresponding to the target user terminal may be updated, and correspondingly, the information stored in the authentication server may need to be updated accordingly. Fig. 7 is a flowchart of a biometric authentication method according to a further embodiment of the first aspect of the present application. Fig. 7 is different from fig. 3 in that the biometric authentication method shown in fig. 7 may further include step S314 and step S315.
In step S314, in the case where the target biometric sample information and/or the target user identification stored in the secure execution environment is updated, a registration update message transmitted by the target user terminal is received.
The registration update message comprises the first user identifier and the target user terminal identifier. The first user identifier comprises an updated target user identifier or a target user identifier that has not been updated. Specifically, in the case where the target biometric sample information stored in the secure execution environment of the target user terminal is updated, but the target user identifier stored in the secure execution environment of the target user terminal is not updated, the first user identifier comprises the target user identifier that has not been updated. In the case where the target user identifier stored in the secure execution environment of the target user terminal is updated, the first user identifier comprises the updated target user identifier.
In step S315, the corresponding relationship between the target user identifier and the target user terminal identifier is updated to the corresponding relationship between the first user identifier and the target user terminal identifier.
Specifically, in the case where the target biometric sample information stored in the secure execution environment of the target user terminal is updated but the target user identifier stored in the secure execution environment of the target user terminal is not updated, the correspondence between the target user identifier and the target user terminal identifier is the same before and after the update. In the case where the target user identifier stored in the secure execution environment of the target user terminal is updated, the correspondence between the target user identifier and the target user terminal identifier is different before and after the update.
After the update is completed, if a service request sent by the service provider server is received again, the steps in the biometric authentication method in the above embodiment are executed, so that the target user terminal corresponding to the updated target user identifier can be determined, and the updated target biometric sample information stored in the secure execution environment of the target user terminal can also be acquired and subjected to relevant matching.
In some examples, the target work key, the first user key, the second user key, the authorization information, and the like in the foregoing embodiments may be updated periodically, and the step of updating may refer to the description of generation and transmission of the target work key, the first user key, the second user key, the authorization information, and the like in the foregoing embodiments, which is not described herein again.
The second aspect of the present application further provides a biometric authentication method, which is applied to a user terminal and corresponds to the biometric authentication method in the first aspect. The user terminal here corresponds to the target user terminal in the above-described embodiment. Target biological characteristic sample information is stored in a safe execution environment in the user terminal. The target biometric sample information includes biometric sample information of the target user. Fig. 8 is a flowchart of an embodiment of a biometric authentication method provided in the second aspect of the present application. As shown in fig. 8, the biometric authentication method may include step S401 and step S402.
In step S401, a sample acquisition request message sent by the authentication server is received.
The sample acquisition request message is generated by the authentication server from the received service request message. The service request message includes target biometric information and a target user identification. The sample acquisition request message includes a target user identification. The target biometric information includes biometric information of the target user. The target user identification comprises a user identification of the target user.
For specific contents of the sample acquisition request message, the target biometric information, the target user identifier, and the like, reference may be made to the relevant description in the above embodiments, and details are not repeated here.
In some examples, the biometric information includes a biometric and/or a first feature value. The first feature value is a feature value calculated from the biometric information. For the details of the biometric information, the biometric characteristic, the first feature value, etc., reference may be made to the relevant description in the above embodiments, and details are not repeated here.
In step S402, when it is determined that the target user identifier and the user terminal have a corresponding relationship and the authentication server obtains the information usage right, a sample obtaining response message is sent to the authentication server, so that the authentication server matches the target biometric information and the target biometric sample information to obtain a matching result.
A correspondence between the target user identifier and the user terminal indicates that the target user registered with the authentication server using the user terminal. Specifically, the user terminal stores the user identifier of each user who registered with the authentication server on that user terminal. Whether the target user identifier corresponds to the user terminal can be determined by comparing the user identifier stored in the user terminal with the target user identifier. If the user identifier stored by the user terminal is consistent with the target user identifier, the target user identifier has a correspondence with the user terminal; if the user identifier stored by the user terminal is inconsistent with the target user identifier, the target user identifier does not have a correspondence with the user terminal.
In some examples, the biometric sample information includes a biometric sample and/or a second feature value. The second feature value is a feature value calculated from the biometric sample. For specific contents of the biological characteristic sample information, the biological characteristic sample, the second characteristic value, and the like, reference may be made to the relevant description in the above embodiments, and details are not repeated herein.
That the authentication server has acquired the information usage right indicates that the authentication server has the right to acquire the target biometric sample information from the user terminal.
The sample acquisition response message includes target biometric sample information. The user terminal stores the corresponding relation between the biological characteristic sample information and the user identification. Under the condition that the target user identification is determined to have the corresponding relation with the user terminal and the authentication server obtains the information use permission, the user terminal can inquire and obtain target biological characteristic sample information corresponding to the target user identification according to the corresponding relation between the biological characteristic sample information and the user identification, and sends the target biological characteristic sample information to the authentication server through the sample obtaining response message.
In the embodiment of the application, the user terminal receives a sample acquisition request message sent by the authentication server. Through the sample acquisition request message, the authentication server requests the target biometric sample information stored in the user terminal. When the target user identifier in the sample acquisition request message has a correspondence with the user terminal and the authentication server has acquired the information usage right, the user terminal sends the requested target biometric sample information to the authentication server through the sample acquisition response message, so that the authentication server matches the target biometric sample information with the target biometric information in the service request message, obtains a matching result, and completes authentication using biometrics. When biometric authentication is needed, the authentication server requests the target biometric sample information from the user terminal to perform the biometric authentication, so that the authentication server is prevented from storing the biometric sample information of a large number of users, the risk of privacy disclosure caused by centralized storage of the biometric sample information of a large number of users is eliminated, and the security of the users' private data is improved.
In the above-described embodiment, the target user needs to be registered in the authentication server before the authentication server performs matching related to the biometric information of the target user. Specifically, the user terminal may receive a registration input, which may specifically be an operation of an application program in the user terminal by the target user, and is not limited herein. In response to the registration input, the user terminal sends a registration message to the authentication server to cause the authentication server to establish a correspondence between the target user identity and the target user terminal identity. The registration message includes a target user identity and a target user terminal identity. The target user terminal identification is the terminal identification of the target user terminal. For specific content of registration, reference may be made to relevant descriptions in the above embodiments, and details are not described herein again.
In the embodiment of the application, to further improve the security of the biometric sample information, the target biometric sample information is transmitted between the user terminal and the authentication server in encrypted form, which prevents it from being leaked in transmission. Fig. 9 is a flowchart of another embodiment of a biometric authentication method provided in the second aspect of the present application. Fig. 9 is different from fig. 8 in that the biometric authentication method shown in fig. 9 may further include steps S403 to S409.
In step S403, a password generation function in the secure execution environment is invoked, a second random number is generated in the secure execution environment, and a pair of a first user key and a second user key is generated from the second random number.
In particular, a random number generator may be provided in a secure execution environment of the user terminal, and the random number generator may generate different random numbers for different users. The random number generator generates a second random number for the target user. From the second random number, a pair of a first user key and a second user key corresponding to the target user may be generated using a password generation algorithm. In some examples, the first user key may be a public key and the second user key may be a private key.
The first user key and the second user key are generated in the secure execution environment of the user terminal, which prevents the target working key from being leaked and ensures the security of the first user key, the second user key, and the information encrypted and decrypted with them.
In step S404, a registration message is sent to the authentication server.
The registration message may also include a first user key. Through the registration message, the user terminal may transmit the first user key to the authentication server.
In step S405, the second ciphertext transmitted by the authentication server is received.
The second ciphertext is obtained by the authentication server encrypting the target working key with the first user key. The authentication server transmits the target working key to the user terminal through the second ciphertext.
For specific contents of the target working key, the second ciphertext and the like, reference may be made to the relevant description of the above embodiments, which is not described herein again.
In step S406, in the secure execution environment, the second ciphertext is decrypted by using the second user key paired with the first user key stored in the secure execution environment, so as to obtain a second plaintext.
The second user key is generated and stored in the secure execution environment of the user terminal. Decrypting the second ciphertext in the secure execution environment of the user terminal reduces the risk that the decrypted target work key is leaked.
The second plaintext includes the target work key, and the user terminal can obtain the target work key from the second plaintext.
In step S407, the target work key is stored in the secure execution environment.
The target work key is used to encrypt the target biometric sample information. To make that encryption convenient in subsequent steps, the target work key is stored in the secure execution environment of the user terminal, which avoids transmitting it between the user terminal and the authentication server multiple times.
In step S408, in the secure execution environment, the target biometric sample information is encrypted by using the target work key stored in the secure execution environment, so as to obtain a first ciphertext.
In step S409, a sample acquisition response message is generated based on the first ciphertext.
The sample acquisition response message includes the first ciphertext. The user terminal transmits the first ciphertext to the authentication server through the sample acquisition response message.
The encryption and decryption processes are carried out in the secure execution environment of the user terminal, which prevents the target biometric sample information and each key from being leaked and improves the security of data such as the target biometric sample information.
In some examples, the user terminal may grant the authentication server information usage right through an authorization message. The user terminal may send an authorization message to the authentication server. The authorization message comprises authorization information, and the authorization information is used for representing the information use authority which is granted to the authentication server by the target user. For specific contents of the authorization information, the information usage right, and the like, reference may be made to the relevant description in the above embodiments, and details are not repeated herein.
In the embodiment of the present application, a timing relationship between the step of sending the authorization message to the authentication server by the target user terminal and other steps is not limited. The target user terminal can send authorization information to the authentication server when needing to grant the information use authority of the authentication server.
For example, the authorization message comprises a registration message, i.e. the authorization message may be implemented as a registration message. The registration message is transmitted before the user terminal receives the sample acquisition request message transmitted by the authentication server, so that the authentication server can receive the authorization information before transmitting the sample acquisition request message.
As another example, the authorization message is sent after the user terminal receives the sample acquisition request message sent by the authentication server. After receiving the sample acquisition request message, the user terminal sends an authorization message to the authentication server, and specific contents may refer to relevant descriptions in the above embodiments, which are not described herein again.
In some examples, the authorization information includes one or more of: the number of times the authorization is valid, the duration for which the authorization is valid, and the service provider server for which the authorization is valid.
For specific contents of the authorization information, the authorization validity times, the authorization validity duration, the authorization validity service provider server, and the like, reference may be made to the relevant description in the above embodiments, and details are not repeated here.
In some embodiments, the target biometric sample information and/or the target user identification corresponding to the user terminal may be updated, and correspondingly, the information stored in the authentication server may need to be updated accordingly. Fig. 10 is a flowchart of a biometric authentication method according to a further embodiment of the second aspect of the present application. Fig. 10 is different from fig. 8 in that the biometric authentication method shown in fig. 10 may further include step S410 and step S411.
In step S410, the target user identification and/or the target biometric sample information stored in the secure execution environment is updated in response to the registration update input.
The registration update input may specifically be an input by a user. If the user of the user terminal changes, or the target biometric sample information needs to be updated, the registration update input is used to update the target user identification and/or the target biometric sample information stored in the secure execution environment of the user terminal.
In step S411, a registration update message is transmitted to the authentication server.
The updating of the user terminal is consistent with the updating requirement of the authentication server, and the user terminal can make the authentication server perform related updating through the registration updating message.
The registration update message comprises the first user identification and the target user terminal identification. The first user identification comprises an updated target user identification or an un-updated target user identification. For specific contents of the registration update message, the first user identification, and the like, reference may be made to relevant descriptions in the foregoing embodiments, and details are not described herein again.
For ease of understanding, the registration flow and the authentication flow in the biometric authentication are described below by two examples, respectively.
Fig. 11 is a flowchart of an example of a registration process in biometric authentication according to an embodiment of the present application. As shown in fig. 11, the registration process may include steps S501 to S507.
In step S501, the user terminal receives a biometric registration input of a target user.
In step S502, the user terminal acquires biometric information of the target user as target biometric sample information and stores the target biometric sample information in a secure execution environment of the user terminal.
In step S503, the user terminal generates a first user key, a second user key, and a target user identifier, and obtains the target user terminal identifier.
In step S504, the user terminal transmits a registration message to the authentication server. The registration message may include a first user key, a target user identification, a target user terminal identification, and the like.
In step S505, the authentication server establishes a corresponding relationship between the target user identifier and the target terminal identifier, generates a target work key, and encrypts the target work key using the first user key to generate a second ciphertext.
In step S506, the authentication server transmits the second ciphertext to the user terminal.
In step S507, the user terminal decrypts the second ciphertext using the second user key to obtain a target work key, and stores the target work key in the secure execution environment of the authentication server.
The specific contents of the steps S501 to S507 can refer to the related descriptions in the above embodiments, and are not repeated herein.
Fig. 12 is a flowchart of an example of an authentication process in biometric authentication according to an embodiment of the present application. The authentication process shown in fig. 12 is described by taking an authentication process in a payment process as an example, and the payment server is the service provider server in the above embodiment. As shown in fig. 12, the authentication flow may include steps S601 to S617.
In step S601, the payment service apparatus receives a payment service input.
In step S602, the payment service device acquires biometric information of the user as target biometric information, and acquires a user identifier of the user as a target user identifier.
In step S603, the payment service apparatus transmits target biometric information, target user identification, payment information, and the like to the payment server.
In step S604, the payment server transmits a service request message to the authentication server. The service request message may include target biometric information and a target user identification, etc.
In step S605, the authentication server determines the target user terminal according to the target user identifier.
In step S606, the authentication server transmits a sample acquisition request message to the target user terminal.
In step S607, the target user terminal determines whether the target user identification in the sample acquisition request message is consistent with the user identification registered in the target user terminal.
In step S608, if the two are consistent, the target user terminal displays an authorization interface.
In step S609, the target user terminal receives an authorization operation of the user on the authorization interface, and acquires an information usage right.
In step S610, the target user terminal encrypts the target biometric sample information by using the target work key to obtain a first ciphertext.
In step S611, the target user terminal transmits a sample acquisition response message to the authentication server. The sample acquisition response message may include the first ciphertext, the target user identifier, the target user terminal identifier, and the like.
In step S612, the authentication server decrypts the first ciphertext using the target working key, so as to obtain the target biometric sample information.
In step S613, the authentication server determines target biometric information corresponding to the target user identification using the target user identification.
In step S614, the authentication server matches the target biometric information with the target biometric sample information, and obtains a matching result.
In step S615, the authentication server transmits the matching result to the payment server.
In step S616, if the matching result indicates that the matching is successful, the payment server executes the payment.
If the matching result indicates that the matching fails, the payment server stops payment.
In step S617, the payment server feeds back the payment result to the payment service apparatus.
The specific contents of the steps S601 to S617 can refer to the relevant descriptions in the above embodiments, and are not described herein again.
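Key handling in the registration flow (S501 to S507) and the encrypted sample transfer of Fig. 12 (S607 to S612), as an added Go example that is not code from the patent. RSA-OAEP for the user key pair, AES-256-GCM for the work key, the associated data, and all type and function names are assumptions of this example; the page names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Terminal stands in for the user terminal's secure execution environment.
type Terminal struct {
	UserID, TerminalID string
	priv               *rsa.PrivateKey // second user key (S403), never exported
	workKey            []byte          // target work key (S407)
	sample             []byte          // target biometric sample information
}

// Server stands in for the authentication server; it stores no samples.
type Server struct {
	terminalOf map[string]string // target user ID -> target user terminal ID
	workKeyOf  map[string][]byte // target user ID -> target work key
}

// gcmFor builds an AES-256-GCM AEAD from a 32-byte work key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Register (S504-S505) binds the IDs and wraps a fresh work key under the first user key.
func (s *Server) Register(userID, terminalID string, pub *rsa.PublicKey) ([]byte, error) {
	wk := make([]byte, 32)
	if _, err := rand.Read(wk); err != nil {
		return nil, err
	}
	s.terminalOf[userID], s.workKeyOf[userID] = terminalID, wk
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, wk, []byte(userID))
}

// Enroll (S502-S507, terminal side) creates the key pair, registers, unwraps the work key.
func Enroll(s *Server, userID, terminalID string, sample []byte) (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	second, err := s.Register(userID, terminalID, &priv.PublicKey) // second ciphertext
	if err != nil {
		return nil, err
	}
	wk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, second, []byte(userID))
	if err != nil {
		return nil, err
	}
	return &Terminal{UserID: userID, TerminalID: terminalID, priv: priv, workKey: wk, sample: sample}, nil
}

// SampleResponse (S607-S611) returns the first ciphertext as nonce || ciphertext || tag.
func (t *Terminal) SampleResponse(reqUserID string, authorized bool) ([]byte, error) {
	if reqUserID != t.UserID || !authorized {
		return nil, errors.New("refused: user ID not registered here or no usage right")
	}
	aead, err := gcmFor(t.workKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Associated data (an assumption) ties the ciphertext to this user and terminal.
	return aead.Seal(nonce, nonce, t.sample, []byte(t.UserID+"|"+t.TerminalID)), nil
}

// OpenSample (S612) decrypts the first ciphertext with the work key held for that user.
func (s *Server) OpenSample(userID string, first []byte) ([]byte, error) {
	aead, err := gcmFor(s.workKeyOf[userID])
	if err != nil || len(first) < aead.NonceSize() {
		return nil, errors.New("unknown user or short ciphertext")
	}
	n := aead.NonceSize()
	return aead.Open(nil, first[:n], first[n:], []byte(userID+"|"+s.terminalOf[userID]))
}

func main() {
	srv := &Server{terminalOf: map[string]string{}, workKeyOf: map[string][]byte{}}
	term, err := Enroll(srv, "user-42", "term-A", []byte("constructed-feature-vector")) // constructed sample
	if err != nil {
		panic(err)
	}
	first, _ := term.SampleResponse("user-42", true)
	got, err := srv.OpenSample("user-42", first)
	fmt.Println(string(got), err)
}
```

The server side keeps only the identifier mapping and the work key; the sample exists there only as the return value of `OpenSample`, which the caller is expected to discard after matching.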
In some embodiments, the matching of the biometric information may also be performed by the user terminal, as illustrated by way of example below. Fig. 13 is a flowchart of another example of an authentication process in biometric authentication provided in an embodiment of the present application. In this example, the matching of the target biometric information with the target biometric sample information may be performed by the user terminal. As shown in fig. 13, the authentication process may include steps S701 to S717.
In step S701, the payment service apparatus receives a payment service input.
In step S702, the payment service device acquires biometric information of the user as target biometric information, and acquires a user identifier of the user as a target user identifier.
In step S703, the payment service apparatus transmits target biometric information, a target user identification, payment information, and the like to the payment server.
In step S704, the payment server transmits a service request message to the authentication server. The service request message may include target biometric information and a target user identification, etc.
In step S705, the authentication server encrypts the target biometric information using the target working key to obtain a third ciphertext, and randomly generates data to be signed.
In step S706, the authentication server determines the target user terminal according to the target user identifier.
In step S707, the authentication server transmits a matching request message to the target user terminal. The matching request message may include the third ciphertext, the target user identifier, the data to be signed, and the like.
In step S708, the authentication server clears the target biometric information.
In step S709, the target user terminal determines whether the target user identification in the sample acquisition request message is consistent with the user identification registered in the target user terminal.
In step S710, if the two are consistent, the target user terminal decrypts the third ciphertext using the target working key to obtain the target biometric information.
In step S711, the target user terminal matches the target biometric information with the target biometric sample information to obtain a matching result.
In step S712, if the matching result indicates that the matching is successful, the target user terminal signs the data to be signed by using the second user key, so as to obtain the signature data.
In step S713, the target user terminal transmits the signature data to the authentication server.
In step S714, the authentication server verifies the signature data using the first user key.
In step S715, if the verification passes, the authentication server sends an authentication pass message to the payment server.
In step S716, the payment server performs payment in response to the authentication pass message.
In step S717, the payment server feeds back the payment result to the payment service apparatus.
The processes of encryption, decryption, matching and the like can be performed in a secure execution environment of the authentication server or a secure execution environment of the user terminal, so as to ensure the security of the private data of the user. Some specific contents in the steps S701 to S717 may refer to the related descriptions in the above embodiments, and are not repeated herein.
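The signed-challenge part of the Fig. 13 flow (steps S705 and S711 to S714), as an added Go example that is not code from the patent. RSA-PSS, hashing the user ID into the signed digest, single-use challenges, the Hamming-distance matcher and all names are assumptions of this example; the probe is taken as already decrypted from the third ciphertext.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// Server holds the first user key per user and the challenges it has issued.
type Server struct {
	pubOf   map[string]*rsa.PublicKey // target user ID -> first user key
	pending map[string]string         // issued challenge -> target user ID
}

// NewServer returns a server with no users and no pending challenges.
func NewServer() *Server {
	return &Server{pubOf: map[string]*rsa.PublicKey{}, pending: map[string]string{}}
}

// AddUser stores the first user key received in the registration message.
func (s *Server) AddUser(userID string, pub *rsa.PublicKey) { s.pubOf[userID] = pub }

// NewUserKey creates the user key pair on the terminal.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signedDigest hashes the challenge together with the user ID, so a signature
// made for one user cannot be presented for another (an assumption).
func signedDigest(userID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("match-ok|" + userID + "|"))
	h.Write(challenge)
	return h.Sum(nil)
}

// NewChallenge (S705) creates the random data to be signed and remembers it.
func (s *Server) NewChallenge(userID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = userID
	return c, nil
}

// closeEnough is a stand-in matcher: Hamming distance of at most maxBits.
func closeEnough(probe, sample []byte, maxBits int) bool {
	if len(probe) != len(sample) {
		return false
	}
	d := 0
	for i := range probe {
		d += bits.OnesCount8(probe[i] ^ sample[i])
	}
	return d <= maxBits
}

// MatchAndSign (S711-S712, terminal) signs only after the local match succeeded.
func MatchAndSign(priv *rsa.PrivateKey, userID string, probe, sample, challenge []byte) ([]byte, error) {
	if !closeEnough(probe, sample, 4) {
		return nil, errors.New("biometric mismatch: nothing is signed")
	}
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signedDigest(userID, challenge), nil)
}

// VerifyMatch (S714) accepts a signature once, for the user the challenge was issued to.
func (s *Server) VerifyMatch(userID string, challenge, sig []byte) error {
	owner, ok := s.pending[string(challenge)]
	delete(s.pending, string(challenge)) // single use, whatever the outcome
	if !ok || owner != userID {
		return errors.New("unknown, reused or foreign challenge")
	}
	pub, ok := s.pubOf[userID]
	if !ok {
		return errors.New("no first user key registered")
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, signedDigest(userID, challenge), sig, nil)
}

func main() {
	priv, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.AddUser("user-42", &priv.PublicKey)
	sample := []byte{0xA5, 0x3C, 0x0F, 0x99} // constructed feature value
	probe := []byte{0xA5, 0x3C, 0x0E, 0x99}  // constructed, one bit away
	ch, _ := srv.NewChallenge("user-42")
	sig, err := MatchAndSign(priv, "user-42", probe, sample, ch)
	fmt.Println("first use:", err, srv.VerifyMatch("user-42", ch, sig))
	fmt.Println("replay:", srv.VerifyMatch("user-42", ch, sig))
}
```

The flow on the page uses one user key pair both to unwrap the work key and to sign; with RSA that means OAEP and PSS operations under the same key, which many deployments avoid by provisioning a separate signing key.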
The third aspect of the present application also provides an authentication server corresponding to the biometric authentication method in the first aspect. Fig. 14 is a schematic structural diagram of an authentication server according to a third aspect of the present application. As shown in fig. 14, the authentication server 800 may include a receiving module 801, a determining module 802, a transmitting module 803, and a matching module 804.
The receiving module 801 may be configured to receive a service request message sent by a service provider server.
The service request message includes target biometric information and a target user identification. The target biometric information includes biometric information of the target user. The target user identification comprises a user identification of the target user.
In some examples, the biometric information includes a biometric and/or a first feature value. The first feature value is a feature value calculated from the biometric information.
The determining module 802 may be configured to determine, according to the target user identifier, a target user terminal having a corresponding relationship with the target user identifier.
The target user terminal has a secure execution environment in which the target biometric sample information is stored. The target biometric sample information includes biometric sample information of the target user.
The sending module 803 may be configured to send a sample acquisition request message to the target user terminal.
The sample acquisition request message includes a target user identification.
The receiving module 802 may also be configured to receive a sample acquisition response message sent by the target user terminal when the granted information usage right is acquired.
The sample acquisition response message includes target biometric sample information.
In some examples, the biometric sample information includes a biometric sample and/or a second feature value. The second feature value is a feature value calculated from the biometric sample.
The matching module 804 may be configured to match the target biometric information with the target biometric sample information to obtain a matching result.
In this embodiment of the present application, the authentication server may determine, according to the received service request message sent by the service provider server, a target user terminal corresponding to the target user identifier in the service request message. The target user terminal stores the target biometric sample information. The authentication server requests the target biometric sample information from the target user terminal through the sample acquisition request message, then matches it against the target biometric information in the service request message to obtain a matching result and complete the biometric authentication. Because the authentication server requests the target biometric sample information from the user terminal only when biometric authentication is needed, it does not have to store the biometric sample information of a large number of users. This eliminates the risk of privacy disclosure caused by centralized storage of that information and improves the security of users' private data.
Moreover, the authentication server is a remote server with respect to the user terminal, thereby realizing remote biometric authentication capable of ensuring security of user privacy data.
Fig. 15 is a schematic structural diagram of another embodiment of an authentication server according to the third aspect of the present application. Fig. 15 is different from fig. 14 in that the authentication server 800 shown in fig. 15 may further include a key generation module 805, a processing module 806, an encryption module 807, and a decryption module 808.
The key generation module 805 may be configured to generate a first random number, and generate a target work key corresponding to a target user according to the first random number.
The receiving module 802 may also be configured to receive a registration message sent by a target user terminal.
The registration message includes a target user identity and a target user terminal identity. The target user terminal identification is the terminal identification of the target user terminal.
In some examples, the registration message may also include the first user key. The first user key is generated by the target user terminal for the target user.
The processing module 806 may be configured to establish a correspondence between the target user identifier and the target user terminal identifier.
The encryption module 807 may be configured to encrypt the target working key with the first user key stored in the authentication server to obtain a second ciphertext.
The sending module 803 may also be configured to send the second ciphertext to the target user terminal, so that the target user terminal decrypts the second ciphertext by using the second user key paired with the first user key to obtain the target working key.
The decryption module 808 may be configured to decrypt the first ciphertext using the target working key to obtain a first plaintext.
The target work key may be stored in a secure execution environment of the authentication server. The sample acquisition response message includes the first ciphertext. The first ciphertext includes the target biometric sample information encrypted with the target work key. The first plain text includes the target biometric sample information.
Fig. 16 is a schematic structural diagram of an authentication server according to a further embodiment of the third aspect of the present application. Fig. 16 differs from fig. 14 in that the authentication server shown in fig. 16 further includes a clearing module 809.
The clearing module 809 may be used to clear the target biometric information and the target biometric sample information in the authentication server.
Fig. 17 is a schematic structural diagram of a further embodiment of an authentication server according to the third aspect of the present application. Fig. 17 is different from fig. 14 in that the authentication server shown in fig. 17 may further include a storage control module 810.
In some embodiments, the receiving module 802 may be further configured to receive an authorization message sent by the target user terminal, where the authorization message includes authorization information, and the authorization information is used to characterize an information usage right granted to the authentication server by the target user.
In some examples, the authorization message comprises a registration message sent by the target user terminal before the authentication server receives the service request message sent by the service provider server.
In other examples, the authorization message is sent by the target user terminal after the authentication server sends the sample acquisition request message to the target user terminal.
Specifically, the authorization information may include one or more of the following items: the number of times the authorization is valid, the duration for which the authorization is valid, and the service provider server for which the authorization is valid.
The storage control module 810 may be configured to store the target biometric sample information in a case where the authentication server has an information use authority.
The matching module 804 may be further configured to match the target biometric information with the target biometric sample information stored in the authentication server to obtain a matching result, when the information usage right possessed by the authentication server is valid.
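How the three authorization items can gate a sample held on the authentication server, as an added Go example that is not code from the patent. The reading of each item (a use counter, an expiry time, a set of covered service provider servers), wiping the sample when the grant ends, and all names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is the authorization information for one user. The field semantics
// are this example's reading of the three items the page lists.
type Grant struct {
	Uses      int             // valid authorization count; each match consumes one
	NotAfter  time.Time       // end of the valid authorization duration
	Providers map[string]bool // service provider servers the grant covers
}

var (
	ErrNoRight  = errors.New("no valid information usage right")
	ErrProvider = errors.New("grant does not cover this service provider server")
	ErrNoSample = errors.New("no sample held: send a sample acquisition request")
)

// AuthServer holds a sample only while the user's grant is alive.
type AuthServer struct {
	grants  map[string]*Grant
	samples map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{grants: map[string]*Grant{}, samples: map[string][]byte{}}
}

// alive reports whether the grant exists, has uses left and has not expired.
func (g *Grant) alive(now time.Time) bool {
	return g != nil && g.Uses > 0 && now.Before(g.NotAfter)
}

// Authorize records the authorization information from an authorization message.
func (s *AuthServer) Authorize(userID string, g Grant) { s.grants[userID] = &g }

// Held reports whether a sample is currently stored for the user.
func (s *AuthServer) Held(userID string) bool {
	_, ok := s.samples[userID]
	return ok
}

// Store keeps a received sample only under a live grant (storage control module).
func (s *AuthServer) Store(userID string, sample []byte, now time.Time) error {
	if !s.grants[userID].alive(now) {
		return ErrNoRight
	}
	s.samples[userID] = append([]byte(nil), sample...)
	return nil
}

// wipe overwrites and forgets the stored sample and the grant (clearing module).
func (s *AuthServer) wipe(userID string) {
	for i := range s.samples[userID] {
		s.samples[userID][i] = 0
	}
	delete(s.samples, userID)
	delete(s.grants, userID)
}

// SampleFor hands out the stored sample for one match requested by provider
// and consumes one use; a dead or used-up grant wipes the sample.
func (s *AuthServer) SampleFor(userID, provider string, now time.Time) ([]byte, error) {
	g := s.grants[userID]
	if !g.alive(now) {
		s.wipe(userID)
		return nil, ErrNoRight
	}
	if !g.Providers[provider] {
		return nil, ErrProvider
	}
	sample, ok := s.samples[userID]
	if !ok {
		return nil, ErrNoSample
	}
	out := append([]byte(nil), sample...)
	if g.Uses--; g.Uses == 0 {
		s.wipe(userID)
	}
	return out, nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	srv := NewAuthServer()
	srv.Authorize("user-42", Grant{Uses: 2, NotAfter: now.Add(10 * time.Minute),
		Providers: map[string]bool{"pay.example": true}})
	fmt.Println(srv.Store("user-42", []byte("constructed-sample"), now))
	_, err := srv.SampleFor("user-42", "shop.example", now)
	fmt.Println(err, srv.Held("user-42"))
	got, err := srv.SampleFor("user-42", "pay.example", now)
	fmt.Println(string(got), err)
}
```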
In some embodiments, the sending module 803 may be further configured to send the matching result to the service provider server, so that the service provider server determines whether to provide the service based on the matching result.
In some examples, the service request message comprises a payment service request message. The matching result is used to indicate whether the service provider server performs payment for the target user.
In some embodiments, the receiving module 802 may be further configured to receive a registration update message sent by the target user terminal in case the target biometric sample information and/or the target user identity stored in the secure execution environment of the target user terminal is updated.
The registration update message comprises the first user identification and the target user terminal identification. The first user identification comprises an updated target user identification or an un-updated target user identification.
The processing module 806 may be further configured to update the corresponding relationship between the target user identifier and the target user terminal identifier to the corresponding relationship between the first user identifier and the target user terminal identifier.
The fourth aspect of the present application further provides a user terminal corresponding to the biometric authentication method in the second aspect. The user terminal has a secure execution environment, in which target biometric sample information is stored. The target biometric sample information includes biometric sample information of the target user. Fig. 18 is a schematic structural diagram of an embodiment of a user terminal according to a fourth aspect of the present application. As shown in fig. 18, the user terminal 900 may include a receiving module 901 and a transmitting module 902.
The receiving module 901 may be configured to receive a sample obtaining request message sent by an authentication server.
The sample acquisition request message is generated by the authentication server from the received service request message. The service request message includes target biometric information and a target user identification. The sample acquisition request message includes a target user identification. The target biometric information includes biometric information of the target user. The target user identification comprises a user identification of the target user. In some examples, the authentication server may have a secure execution environment.
In some examples, the biometric information includes a biometric and/or a first feature value. The first feature value is a feature value calculated from the biometric information.
The sending module 902 may be configured to send a sample obtaining response message to the authentication server when it is determined that the target user identifier and the user terminal have a corresponding relationship and the authentication server obtains the information use permission, so that the authentication server matches the target biometric information and the target biometric sample information to obtain a matching result.
The sample acquisition response message includes target biometric sample information.
In some examples, the biometric sample information includes a biometric sample and/or a second feature value. The second feature value is a feature value calculated from the biometric sample.
In the embodiment of the application, the user terminal receives a sample acquisition request message sent by the authentication server, through which the authentication server requests the target biometric sample information stored in the user terminal. If the target user identification in the sample acquisition request message corresponds to the user terminal and the authentication server has obtained the information usage right, the user terminal sends the requested target biometric sample information to the authentication server in a sample acquisition response message. The authentication server then matches the target biometric sample information against the target biometric information in the service request message to obtain a matching result and complete the biometric authentication. Because the authentication server requests the target biometric sample information from the user terminal only when biometric authentication is needed, it does not have to store the biometric sample information of a large number of users. This eliminates the risk of privacy disclosure caused by centralized storage of that information and improves the security of users' private data.
In some embodiments, the sending module 902 may further be configured to send, in response to the registration input, a registration message to the authentication server, so that the authentication server establishes a correspondence between the target user identifier and the target user terminal identifier.
The registration message includes a target user identity and a target user terminal identity. The target user terminal identification is the terminal identification of the target user terminal.
Fig. 19 is a schematic structural diagram of another embodiment of a user terminal according to a fourth aspect of the present application. Fig. 19 is different from fig. 18 in that the user terminal 900 shown in fig. 19 may further include a key generation module 903, a decryption module 904, a storage control module 905, an encryption module 906, and a message generation module 907.
The key generation module 903 may be configured to generate a second random number in a secure execution environment of the user terminal, and generate a pair of a first user key and a second user key according to the second random number.
In some examples, the registration message further includes the first user key.
The receiving module 901 may further be configured to receive a second ciphertext sent by the authentication server, where the second ciphertext is obtained by the authentication server encrypting the target working key with the first user key.
The decryption module 904 may be configured to decrypt the second ciphertext with a second user key that is paired with the first user key and stored in the secure execution environment of the user terminal, to obtain a second plaintext.
The second plaintext includes the target working key.
The storage control module 905 may be used to store the target working key in the secure execution environment of the user terminal.
The encryption module 906 may be configured to encrypt the target biometric sample information by using a target working key stored in the secure execution environment of the user terminal, so as to obtain a first ciphertext.
The message generating module 907 may be configured to generate a sample obtaining response message according to the first ciphertext.
The sample acquisition response message includes the first ciphertext.
In some embodiments, the sending module 902 described above may also be configured to send an authorization message to the authentication server.
The authorization message includes authorization information. The authorization information is used for representing the information use authority which is granted to the authentication server by the target user.
In some examples, the authorization message comprises a registration message sent before the user terminal receives the sample acquisition request message sent by the authentication server.
In other examples, the authorization message is sent after the user terminal receives the sample acquisition request message sent by the authentication server.
Specifically, the authorization information includes one or more of the following items: the effective authorization times, the effective authorization duration and the effective authorization service provider server.
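The release condition described above (the target user identifier corresponds to this terminal, and the authentication server holds an information use permission bounded by authorization count, duration and service provider server), written out as an added example that is not taken from the patent. The class and field names, the `provider_id` field in the request, and the `seal` callback standing in for encryption with the target working key are assumptions.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Callable, FrozenSet, List, Optional, Tuple


class Decision(Enum):
    RELEASE = "release sealed sample"
    USER_MISMATCH = "target user identifier not bound to this terminal"
    NO_AUTHORIZATION = "no information use permission on record"
    EXPIRED = "authorization duration elapsed"
    PROVIDER_NOT_AUTHORIZED = "service provider server not covered"
    USES_EXHAUSTED = "authorization count used up"


@dataclass
class Authorization:
    """Authorization information; the text allows any one or more of the three limits."""
    remaining_uses: Optional[int] = None                # None: not limited by count
    expires_at: Optional[float] = None                  # None: not limited by time (epoch seconds)
    allowed_providers: Optional[FrozenSet[str]] = None  # None: not limited by provider


@dataclass(frozen=True)
class SampleAcquisitionRequest:
    target_user_id: str
    provider_id: str  # assumption: the request identifies the originating service provider server


class UserTerminal:
    """Models the state the text keeps inside the terminal's secure execution environment."""

    def __init__(self, user_id: str, sample: bytes, seal: Callable[[bytes], bytes]):
        self._user_id = user_id
        self._sample = sample
        self._seal = seal  # stands in for encryption under the target working key
        self._grant: Optional[Authorization] = None

    def grant(self, authorization: Authorization) -> None:
        self._grant = replace(authorization)  # private copy; the caller cannot alter it later

    def revoke(self) -> None:
        self._grant = None

    def handle(self, req: SampleAcquisitionRequest, now: float) -> Tuple[Decision, Optional[bytes]]:
        # Fail closed: every check must pass before the sample is touched.
        if req.target_user_id != self._user_id:
            return Decision.USER_MISMATCH, None
        g = self._grant
        if g is None:
            # A terminal could prompt the user here and send the authorization message afterwards.
            return Decision.NO_AUTHORIZATION, None
        if g.expires_at is not None and now >= g.expires_at:
            return Decision.EXPIRED, None
        if g.allowed_providers is not None and req.provider_id not in g.allowed_providers:
            return Decision.PROVIDER_NOT_AUTHORIZED, None
        if g.remaining_uses is not None:
            if g.remaining_uses <= 0:
                return Decision.USES_EXHAUSTED, None
            g.remaining_uses -= 1  # consumed only by a request that is actually released
        return Decision.RELEASE, self._seal(self._sample)


def placeholder_seal(sample: bytes) -> bytes:
    # NOT encryption. Marks the point where the sample would be encrypted with the
    # target working key before leaving the secure execution environment.
    return b"sealed-sample:%d-bytes" % len(sample)


def demo() -> List[Tuple[Decision, Optional[bytes]]]:
    """Run constructed requests against a constructed grant and return each outcome."""
    t0 = 1000.0
    term = UserTerminal("user-001", b"constructed-template", placeholder_seal)
    term.grant(Authorization(remaining_uses=2, expires_at=t0 + 60,
                             allowed_providers=frozenset({"merchant-A"})))
    out = [
        term.handle(SampleAcquisitionRequest("user-001", "merchant-A"), t0),      # release, 1 use left
        term.handle(SampleAcquisitionRequest("user-999", "merchant-A"), t0 + 1),  # wrong user
        term.handle(SampleAcquisitionRequest("user-001", "merchant-B"), t0 + 2),  # wrong provider
        term.handle(SampleAcquisitionRequest("user-001", "merchant-A"), t0 + 3),  # release, 0 left
        term.handle(SampleAcquisitionRequest("user-001", "merchant-A"), t0 + 4),  # count exhausted
    ]
    term.grant(Authorization(expires_at=t0 + 60))  # time limit only
    out.append(term.handle(SampleAcquisitionRequest("user-001", "merchant-A"), t0 + 60))
    term.revoke()
    out.append(term.handle(SampleAcquisitionRequest("user-001", "merchant-A"), t0 + 61))
    return out


if __name__ == "__main__":
    for decision, payload in demo():
        print(decision.name, payload)
```

Denied requests do not consume the authorization count, so a request with a wrong user identifier or an unlisted service provider server cannot exhaust a legitimate grant.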
Fig. 20 is a schematic structural diagram of a user terminal according to a further embodiment of the fourth aspect of the present application. Fig. 20 differs from fig. 18 in that the user terminal 900 shown in fig. 20 may further include an update module 908.
The update module 908 may be operable to update the target user identification and/or the target biometric sample information stored in the secure execution environment of the user terminal in response to a registration update input.
The sending module 902 is further configured to send a registration update message to the authentication server.
The registration update message comprises the first user identifier and the target user terminal identifier. The first user identifier comprises an updated target user identifier or an un-updated target user identifier.
The fifth aspect of the present application further provides an authentication server. Fig. 21 is a schematic structural diagram of an authentication server according to a fifth aspect of the present application. As shown in fig. 21, the authentication server 1000 includes a memory 1001, a processor 1002, and a computer program stored on the memory 1001 and executable on the processor 1002.
In one example, the processor 1002 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
Memory 1001 may include Read-Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash Memory devices, electrical, optical, or other physical/tangible Memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., a memory device) encoded with software comprising computer-executable instructions and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the biometric authentication method applied to the authentication server in accordance with embodiments of the present application.
The processor 1002 runs a computer program corresponding to the executable program code by reading the executable program code stored in the memory 1001 for implementing the biometric authentication method applied to the authentication server in the above-described embodiments.
In one example, authentication server 1000 may also include a communication interface 1003 and a bus 1004. As shown in fig. 21, the memory 1001, the processor 1002, and the communication interface 1003 are connected to each other via a bus 1004 to complete mutual communication.
The communication interface 1003 is mainly used for implementing communication between modules, apparatuses, units and/or devices in this embodiment. Input devices and/or output devices may also be accessed through communication interface 1003.
Bus 1004 comprises hardware, software, or both to couple the components of authentication server 1000 to each other. By way of example, and not limitation, Bus 1004 may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) Bus, an InfiniBand interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a Micro Channel Architecture (MCA) Bus, a Peripheral Component Interconnect (PCI) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a Video Electronics Standards Association Local Bus (VLB) Bus, or other suitable Bus, or a combination of two or more of these. Bus 1004 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The sixth aspect of the present application further provides a user terminal. Fig. 22 is a schematic structural diagram of an embodiment of a user terminal according to a sixth aspect of the present application. As shown in fig. 22, the user terminal 1100 comprises a memory 1101, a processor 1102 and a computer program stored on the memory 1101 and executable on the processor 1102.
In one example, the processor 1102 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
The Memory 1101 may include Read-Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash Memory devices, electrical, optical, or other physical/tangible Memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., a memory device) encoded with software comprising computer-executable instructions and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the biometric authentication method applied to the user terminal in accordance with embodiments of the present application.
The processor 1102 runs a computer program corresponding to the executable program code by reading the executable program code stored in the memory 1101 for implementing the biometric authentication method applied to the user terminal in the above-described embodiment.
In one example, user terminal 1100 can also include a communication interface 1103 and a bus 1104. As shown in fig. 22, the memory 1101, the processor 1102, and the communication interface 1103 are connected to each other via a bus 1104, and communicate with each other.
The communication interface 1103 is mainly used for implementing communication between modules, apparatuses, units and/or devices in this embodiment of the present application. Input devices and/or output devices can also be accessed through communication interface 1103.
Bus 1104 comprises hardware, software, or both coupling the components of user terminal 1100 to each other. By way of example, and not limitation, Bus 1104 may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) Bus, an InfiniBand interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a Micro Channel Architecture (MCA) Bus, a Peripheral Component Interconnect (PCI) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a Video Electronics Standards Association Local Bus (VLB) Bus, or other suitable Bus, or a combination of two or more of these. Bus 1104 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
A seventh aspect of the present application provides a biometric authentication system, where the biometric authentication system may include the authentication server and the user terminal in the foregoing embodiments, and specific contents may refer to relevant descriptions in the foregoing embodiments, and are not described herein again.
In some examples, the biometric authentication system may further include a service provider server, a service providing device, and the like in the foregoing embodiments, and specific contents may refer to relevant descriptions in the foregoing embodiments and are not described herein again.
An eighth aspect of the present application provides a computer-readable storage medium, where computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are executed by a processor, the biometric authentication method of the first aspect or the biometric authentication method of the second aspect in the foregoing embodiments can be implemented, and the same technical effects can be achieved, and are not repeated here to avoid repetition. The computer-readable storage medium may include a non-transitory computer-readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like, which is not limited herein.
It should be clear that the embodiments in this specification are described in a progressive manner, and the same or similar parts in the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. For embodiments of the authentication server, the user terminal, the system, and the computer-readable storage medium, reference may be made to the description of the method embodiments for relevant points. The present application is not limited to the particular steps and structures described above and shown in the drawings. Those skilled in the art may make various changes, modifications and additions or change the order between the steps after appreciating the spirit of the present application. Also, a detailed description of known process techniques is omitted herein for the sake of brevity.
Aspects of the present application are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware for performing the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by persons skilled in the art that the above embodiments are illustrative and not restrictive. Different features which are present in different embodiments may be combined to advantage. Other variations to the disclosed embodiments can be understood and effected by those skilled in the art upon studying the drawings, the specification, and the claims. In the claims, the term "comprising" does not exclude other means or steps; the word "a" or "an" does not exclude a plurality; the terms "first" and "second" are used to denote a name and not to denote any particular order. Any reference signs in the claims shall not be construed as limiting the scope. The functions of the various parts appearing in the claims may be implemented by a single hardware or software module. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (30)

1. A biometric authentication method applied to an authentication server, the method comprising:
receiving a service request message sent by a service provider server, wherein the service request message comprises target biological characteristic information and a target user identifier, the target biological characteristic information comprises biological characteristic information of a target user, and the target user identifier comprises a user identifier of the target user;
determining a target user terminal which has a corresponding relation with the target user identifier according to the target user identifier, wherein the target user terminal has a secure execution environment, target biological characteristic sample information is stored in the secure execution environment, and the target biological characteristic sample information comprises biological characteristic sample information of the target user;
sending a sample acquisition request message to the target user terminal, wherein the sample acquisition request message comprises the target user identifier;
under the condition of obtaining the granted information use permission, receiving a sample obtaining response message sent by the target user terminal, wherein the sample obtaining response message comprises the target biological characteristic sample information;
and matching the target biological characteristic information with the target biological characteristic sample information to obtain a matching result.
2. The method according to claim 1, wherein the sample acquisition response message includes a first ciphertext including the target biometric sample information encrypted with a target work key, the authentication server storing the target work key;
before the matching the target biometric information and the biometric sample information of the target user, further comprising:
and decrypting the first ciphertext by using the target working key to obtain a first plaintext, wherein the first plaintext comprises the target biological characteristic sample information.
3. The method of claim 2, further comprising, prior to said receiving the service request message sent by the service provider server:
and calling a password generation function, generating a first random number, and generating the target work key corresponding to the target user according to the first random number.
4. The method of claim 2, further comprising, prior to said receiving the service request message sent by the service provider server:
receiving a registration message sent by the target user terminal, wherein the registration message comprises a target user identifier and a target user terminal identifier, and the target user terminal identifier is a terminal identifier of the target user terminal;
and establishing a corresponding relation between the target user identification and the target user terminal identification.
5. The method of claim 4, wherein the registration message further comprises a first user key, the first user key being generated by the target user terminal for the target user;
before the receiving the service request message sent by the service provider server, the method further includes:
encrypting the target working key by using the first user key stored by the authentication server to obtain a second ciphertext;
and sending the second ciphertext to the target user terminal so that the target user terminal decrypts the second ciphertext by using a second user key paired with the first user key to obtain the target working key.
6. The method of claim 1, further comprising, after said obtaining the matching result:
and clearing the target biological characteristic information and the target biological characteristic sample information in the authentication server.
7. The method of claim 1, further comprising:
and receiving an authorization message sent by the target user terminal, wherein the authorization message comprises authorization information, and the authorization information is used for representing the information use permission granted to the authentication server by the target user.
8. The method of claim 7,
the authorization message comprises a registration message, which is sent by the target user terminal before the authentication server receives the service request message sent by the service provider server;
or,
the authorization message is sent by the target user terminal after the authentication server sends a sample acquisition request message to the target user terminal.
9. The method of claim 7, wherein the authorization information comprises one or more of:
the effective authorization times, the effective authorization duration and the effective authorization service provider server.
10. The method of claim 1, further comprising:
storing the target biometric sample information in the case where the authentication server has the information use authority;
and under the condition that the information use authority of the authentication server is valid, matching the target biological characteristic information with the target biological characteristic sample information stored in the authentication server to obtain a matching result.
11. The method of claim 1, further comprising, after said obtaining the matching result:
transmitting the matching result to the service provider server to cause the service provider server to determine whether to provide a service based on the matching result.
12. The method of claim 1,
the service request message includes a payment service request message, and the matching result is used to indicate whether the service provider server performs payment for the target user.
13. The method of claim 1, further comprising:
receiving a registration update message sent by the target user terminal under the condition that the target biometric sample information and/or the target user identifier stored in the secure execution environment are updated, wherein the registration update message comprises a first user identifier and the target user terminal identifier, and the first user identifier comprises the updated target user identifier or the target user identifier which is not updated;
and updating the corresponding relation between the target user identification and the target user terminal identification into the corresponding relation between the first user identification and the target user terminal identification.
14. The method according to any one of claims 1 to 13,
the biological characteristic information comprises biological characteristics and/or a first characteristic value, and the first characteristic value is a characteristic value calculated according to the biological characteristic information;
the biological characteristic sample information comprises a biological characteristic sample and/or a second characteristic value, and the second characteristic value is a characteristic value calculated according to the biological characteristic sample.
15. A biometric authentication method applied to a user terminal having a secure execution environment in which target biometric sample information is stored, the target biometric sample information including biometric sample information of a target user, the method comprising:
receiving a sample acquisition request message sent by an authentication server, wherein the sample acquisition request message is generated by the authentication server according to a received service request message, the service request message comprises target biological characteristic information and a target user identifier, the sample acquisition request message comprises the target user identifier, the target biological characteristic information comprises biological characteristic information of a target user, and the target user identifier comprises a user identifier of the target user;
and under the condition that the target user identification is determined to have a corresponding relation with the user terminal and the authentication server acquires information use permission, sending a sample acquisition response message to the authentication server, wherein the sample acquisition response message comprises the target biological characteristic sample information, so that the authentication server matches the target biological characteristic information with the target biological characteristic sample information to obtain a matching result.
16. The method according to claim 15, further comprising, before said sending a sample acquisition response message to said authentication server:
in the secure execution environment, encrypting the target biological characteristic sample information by using a target working key stored in the secure execution environment to obtain a first ciphertext;
and generating the sample acquisition response message according to the first ciphertext, wherein the sample acquisition response message comprises the first ciphertext.
17. The method according to claim 16, wherein before said receiving the sample acquisition request message sent by the authentication server, further comprising:
receiving a second ciphertext sent by the authentication server, wherein the second ciphertext is obtained by encrypting the target working key by the authentication server by using a first user key;
in the secure execution environment, decrypting the second ciphertext by using a second user key paired with the first user key stored in the secure execution environment to obtain a second plaintext, wherein the second plaintext comprises the target working key;
storing the target work key in the secure execution environment.
18. The method according to claim 16, wherein before said receiving the sample acquisition request message sent by the authentication server, further comprising:
responding to registration input, and sending a registration message to the authentication server, wherein the registration message comprises the target user identifier and a target user terminal identifier, and the target user terminal identifier is a terminal identifier of the target user terminal, so that the authentication server establishes a corresponding relationship between the target user identifier and the target user terminal identifier.
19. The method of claim 18, wherein the registration message further comprises a first user key;
before the sending the registration message to the authentication server, further comprising:
and calling a password generation function in the secure execution environment, generating a second random number in the secure execution environment, and generating the paired first user key and second user key according to the second random number.
20. The method of claim 15, further comprising:
and sending an authorization message to the authentication server, wherein the authorization message comprises authorization information, and the authorization information is used for representing the information use permission granted to the authentication server by the target user.
21. The method of claim 20,
the authorization message comprises a registration message, and the registration message is sent before the user terminal receives a sample acquisition request message sent by the authentication server;
or,
the authorization message is sent after the user terminal receives the sample acquisition request message sent by the authentication server.
22. The method of claim 20, wherein the authorization information comprises one or more of:
the effective authorization times, the effective authorization duration and the effective authorization service provider server.
23. The method of claim 15, further comprising:
updating the target user identification and/or the target biometric sample information stored in the secure execution environment in response to a registration update input;
and sending a registration update message to the authentication server, wherein the registration update message comprises a first user identifier and the target user terminal identifier, and the first user identifier comprises the updated target user identifier or the target user identifier which is not updated.
24. The method according to any one of claims 15 to 23,
the biological characteristic information comprises biological characteristics and/or a first characteristic value, and the first characteristic value is a characteristic value calculated according to the biological characteristic information;
the biological characteristic sample information comprises a biological characteristic sample and/or a second characteristic value, and the second characteristic value is a characteristic value calculated according to the biological characteristic sample.
25. An authentication server, comprising:
a receiving module, configured to receive a service request message sent by a service provider server, where the service request message includes target biometric information and a target user identifier, the target biometric information includes biometric information of a target user, and the target user identifier includes a user identifier of the target user;
a determining module, configured to determine, according to the target user identifier, a target user terminal having a corresponding relationship with the target user identifier, where the target user terminal has a secure execution environment, and target biometric sample information is stored in the secure execution environment, and the target biometric sample information includes biometric sample information of the target user;
a sending module, configured to send a sample acquisition request message to the target user terminal, where the sample acquisition request message includes the target user identifier;
the receiving module is further configured to receive a sample acquisition response message sent by the target user terminal under the condition that the granted information usage right is acquired, where the sample acquisition response message includes the target biological feature sample information;
and the matching module is used for matching the target biological characteristic information with the target biological characteristic sample information to obtain a matching result.
26. A user terminal having a secure execution environment in which target biometric sample information is stored, the target biometric sample information comprising biometric sample information of a target user, the user terminal comprising:
a receiving module, configured to receive a sample acquisition request message sent by an authentication server, where the sample acquisition request message is generated by the authentication server according to a received service request message, the service request message includes target biometric information and a target user identifier, the sample acquisition request message includes the target user identifier, the target biometric information includes biometric information of a target user, and the target user identifier includes a user identifier of the target user;
and the sending module is used for sending a sample obtaining response message to the authentication server under the condition that the target user identifier and the user terminal have the corresponding relation and the authentication server obtains the information use permission, wherein the sample obtaining response message comprises the target biological characteristic sample information, so that the authentication server matches the target biological characteristic information with the target biological characteristic sample information to obtain a matching result.
27. An authentication server, comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements a biometric authentication method as claimed in any one of claims 1 to 14.
28. A user terminal, comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements a biometric authentication method as claimed in any one of claims 15 to 24.
29. A biometric authentication system comprising an authentication server according to claim 27 and a user terminal according to claim 28.
30. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the biometric authentication method of any one of claims 1 to 24.
CN202110961902.1A 2021-08-20 2021-08-20 Biometric authentication method, server, user terminal, system, and medium Pending CN113779532A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110961902.1A CN113779532A (en) 2021-08-20 2021-08-20 Biometric authentication method, server, user terminal, system, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110961902.1A CN113779532A (en) 2021-08-20 2021-08-20 Biometric authentication method, server, user terminal, system, and medium

Publications (1)

Publication Number Publication Date
CN113779532A true CN113779532A (en) 2021-12-10

Family

ID=78838379

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110961902.1A Pending CN113779532A (en) 2021-08-20 2021-08-20 Biometric authentication method, server, user terminal, system, and medium

Country Status (1)

Country Link
CN (1) CN113779532A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150073A (en) * 2022-06-20 2022-10-04 中国联合网络通信集团有限公司 Cloud service unified identity authentication method, device and equipment based on biological characteristics
CN115589289A (en) * 2022-09-29 2023-01-10 北京神州安付科技股份有限公司 Service processing method and system for server cipher machine

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105790948A (en) * 2014-12-26 2016-07-20 阿里巴巴集团控股有限公司 Identity authentication method and identity authentication device
CN106888207A (en) * 2017-02-21 2017-06-23 中国联合网络通信集团有限公司 Authentication method, system and SIM
CN107004077A (en) * 2014-12-23 2017-08-01 英特尔公司 Method and system for providing safe and independently operable biological characteristic authentication
CN110532747A (en) * 2019-07-30 2019-12-03 国家计算机网络与信息安全管理中心 A kind of data desensitization method based on certification with biological characteristic
CN113239336A (en) * 2021-06-02 2021-08-10 西安电子科技大学 Privacy protection biological characteristic authentication method based on decision tree

Similar Documents

Publication Publication Date Title
CN107079034B (en) Identity authentication method, terminal equipment, authentication server and electronic equipment
CN112291245B (en) Identity authorization method, identity authorization device, storage medium and equipment
KR102202547B1 (en) Method and system for verifying an access request
CN110138744B (en) Method, device and system for replacing communication number, computer equipment and storage medium
CN106161350B (en) Method and device for managing application identifier
CN111431719A (en) Mobile terminal password protection module, mobile terminal and password protection method
CN112311538B (en) Identity verification method, device, storage medium and equipment
CN110690956B (en) Bidirectional authentication method and system, server and terminal
US20150046699A1 (en) Method for generating public identity for authenticating an individual carrying an identification object
CN110659467A (en) Remote user identity authentication method, device, system, terminal and server
CN109309566B (en) Authentication method, device, system, equipment and storage medium
CN113221128B (en) Account and password storage method and registration management system
CN107733652B (en) Unlocking method and system for shared vehicle and vehicle lock
CN109639644B (en) Authorization verification method and device, storage medium and electronic equipment
CN106209730B (en) Method and device for managing application identifier
KR20180129475A (en) Method, user terminal and authentication service server for authentication
CN113779532A (en) Biometric authentication method, server, user terminal, system, and medium
CN109600296A (en) A kind of certificate chain instant communicating system and its application method
WO2021145874A1 (en) Digital signature system using scalable servers
CN114143108A (en) Session encryption method, device, equipment and storage medium
CN109451504B (en) Internet of things module authentication method and system
CN114501431A (en) Message transmission method and device, storage medium and electronic equipment
US11178137B2 (en) System for IoT devices communicating with server using a tentative common key
CN115834077B (en) Control method, control system, electronic device and storage medium
CN114282254A (en) Encryption and decryption method and device, and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination