CN203243360U - Identity registration system - Google Patents


Info

Publication number
CN203243360U
Authority
CN
China
Prior art keywords
information
personal authentication
certificate server
authentication apparatus
authentication
Prior art date
Legal status
Withdrawn - After Issue
Application number
CN 201320261554
Other languages
Chinese (zh)
Inventor
熊楚渝
陈雨霖
Current Assignee
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Original Assignee
CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Events
Application filed by CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Priority to CN 201320261554
Application granted
Publication of CN203243360U
Anticipated expiration
Withdrawn - After Issue (current legal status)

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The utility model relates to an identity registration system. The system comprises a personal authentication device held by the user, an authentication server held by the authenticating party, and a set of authentication content RD consisting of content information RC and biometric information RB; a pre-agreed symmetric secret SK is shared between the personal authentication device and the authentication server. The personal authentication device comprises an acquisition unit, a processing unit, a communication unit and a storage unit. The authentication server comprises at least a communication unit, a processing unit and a storage unit. The acquisition unit, communication unit and storage unit of the personal authentication device are each connected to its processing unit; the communication unit and storage unit of the authentication server are each connected to its processing unit; and the personal authentication device and the authentication server are connected to each other for communication through their communication units. The system integrates the user's biometric characteristic as an authentication factor with the other authentication factors, and thereby improves the security and ease of use of multi-factor authentication.

Description

Identity registration system
Technical field
The utility model relates to the field of computer security and information technology, and in particular to computer identity authentication.
Background technology
Authentication, together with the closely related transaction control, is the process by which an authenticating party (normally a service provider) verifies an authenticated party (normally a user), confirming identity, ownership, entitlements and the like. At the most basic level it is the process in which the authenticating party confirms, and thereby accepts, the information that the authenticated party submits. In principle the submitted information can be classified into so-called authentication factors. The first factor, "something you know", is that the authenticated party possesses some special knowledge that is hard for others to learn, usually a password or PIN. The second factor, "something you have", is that the authenticated party holds a specific physical object; the best-known historical example is the tiger-shaped tally issued to generals in ancient China as imperial authorization to move troops, and today's examples are tokens, seals and smart cards (such as bank cards). The third factor, "something you are", is a biometric characteristic unique to the individual's physiology or behaviour, for example voiceprint, fingerprint, eyeprint, vein pattern, facial features or behavioural traits.
Early identity authentication technology used each of these factors on its own; authentication that relies on a single factor is called single-factor authentication, and it remains the most common case today, for example the login password of an online account. Single-factor authentication is, however, quite insecure; to improve security two or more factors must be used together, which is called multi-factor authentication.
Prior-art multi-factor schemes have the following shortcoming: without a good systematic method, cost is high and use is inconvenient. In particular, each user (authenticated party) deals with many service providers (authenticating parties), and without a suitable method it is hard to make multi-factor authentication widespread.
On 27 June 2011 the applicant filed the invention patent application "Identity recognition method for computer system", which discloses a two-factor authentication scheme. That scheme makes two-factor authentication (something known, something held) easy to carry out, but because it has no concrete way to integrate the user's biometric characteristic it does not unify all three factors, and its security and usability are therefore limited.
Summary of the utility model
The purpose of this utility model is to further improve the security and usability of existing multi-factor authentication schemes by proposing an identity registration system.
The technical solution of the utility model is an identity registration system characterised in that it comprises a personal authentication device held by the user, an authentication server held by the authenticating party, a pre-agreed symmetric secret SK shared between the personal authentication device and the authentication server, and a set of authentication content RD consisting of content information RC and biometric information RB;
The personal authentication device comprises at least the following units:
An acquisition unit for acquiring the authentication content RD that the user inputs;
A processing unit for resolving the authentication content RD into content information RC and biometric information RB; for computing first information B from the biometric information RB, the symmetric secret SK and one-time information T using a first preset algorithm; for computing second information C from the content information RC, the symmetric secret SK and the one-time information T using a second preset algorithm; and for computing third information M from the first information B and the second information C using a preset algorithm;
A communication unit for data communication between the personal authentication device and the authentication server, for receiving the instruction and the corresponding one-time information T that the authentication server sends to the personal authentication device, and for sending the third information M from the personal authentication device to the authentication server;
A storage unit for storing the data obtained from the acquisition unit, processing unit and communication unit of the personal authentication device;
The authentication server comprises at least the following units:
A communication unit for data communication between the personal authentication device and the authentication server, for sending the instruction and the corresponding one-time information T from the authentication server to the personal authentication device, and for receiving the third information M that the personal authentication device sends to the authentication server;
A processing unit for performing the inverse operation of the preset algorithm so as to decompose the third information M into the first information B and the second information C, and for storing in the authentication server's database, as the user's registration data W, the first information B or the second information C obtained by that decomposition, or the first intermediate information BRg corresponding to B or the second intermediate information CRg corresponding to C;
A storage unit for storing the data obtained from the communication unit and processing unit of the authentication server;
The above personal authentication device is a smartphone; it comprises a hardware identification device and an independent browser device with network capability;
The acquisition unit, communication unit and storage unit of the personal authentication device are each connected to its processing unit; the communication unit and storage unit of the authentication server are each connected to its processing unit; and the communication units of the personal authentication device and the authentication server are connected to each other for communication.
The beneficial effects of the utility model are as follows. In the authentication process of this solution, what the user knows, what the user has and the user's biometric characteristic must all be correctly present at the same time and correctly used, otherwise authentication fails. Note that the information M is one-time: even if it is captured, the user's biometric information cannot be recovered from it. At the same time, the authentication server fully drives the authentication process rather than merely authenticating against static biometric information (information that always lives under the shadow of possible forgery).
Further, because the biometric characteristic can only be produced by the user in person, even in the worst case where all of the server's registration information is leaked, an attacker still cannot impersonate the user, so the damage is kept to a minimum. This is a property that almost no current system or method handles well.
Because the system uses a very convenient personal authentication device, and all three factors are applied within the user's simple operation, the user no longer needs to remember a variety of troublesome passwords and PINs, which greatly improves comfort.
Therefore the technical solution of the utility model effectively integrates the "something the user is" factor with the other authentication factors and uses the personal authentication device to collect all authentication information centrally, thereby further improving the security and usability of multi-factor authentication.
Description of drawings
Fig. 1 is a schematic of the hardware logical structure of the identity registration system of the utility model.
Fig. 2 is a more detailed schematic of the hardware logical structure of the identity registration system of the utility model.
Fig. 3 is a flow chart of the identity registration method of the utility model.
Fig. 4 is a flow chart of the identity authentication method of the utility model.
Embodiments
To help those skilled in the art fully understand and implement the technical solution, the general hardware logical structure, general definitions and principles used by the utility model are described in detail before the specific embodiments.
Fig. 1 is a schematic of the hardware structure of the identity registration system and the identity authentication system of the utility model. As the figure shows, the two systems have the same hardware logical structure. Both comprise a personal authentication device 1 and an authentication server 2, and optionally a personal authentication device management server 3 as a non-essential feature.
The personal authentication device 1 is held and used by the user (the authenticated party). It is normally a hand-held or otherwise easily carried electronic device, such as a mobile phone or tablet with acquisition capability, and it must include an acquisition unit able to capture the "something the user is" factor. The authentication server 2 is held and used by the service provider (the authenticating party); a hardware server with communication capability, sufficient computing power and storage capacity, together with supporting software, is sufficient. The personal authentication device management server 3 provides management services for the personal authentication device 1 but is not involved at all in the service providers' services or in the user's secret information; it provides only initial assistance.
The user (authenticated party) completes the unified three-factor authentication with the personal authentication device 1, which is both convenient and complete. The authentication server 2 independently completes the unified three-factor authentication. Even if the worst-case information leak occurs at the authentication server 2, so that the user's registration information is disclosed, another person still cannot impersonate the user.
The basic idea of the technical solution is as follows. Biometric authentication is the process in which the user (authenticated party) submits information about a personal biometric characteristic, and the service provider (authenticating party) authenticates by comparing it with information (or a template) stored earlier. Such biometric information, for example voiceprint, fingerprint, eyeprint, vein pattern or facial features, has advantages such as being hard to forge and hard to repudiate, but it also has many disadvantages. The utility model treats each of the user's biometric characteristics as corresponding authentication content RD, which is resolved into content information RC and biometric information RB: the content information RC can serve the "something you know" factor and the biometric information RB can serve the "something you are" factor. The ways in which the authentication content RD corresponding to each biometric characteristic is acquired are as follows:
Voiceprint: voice input, usually captured with a microphone. Content information RC and biometric information RB mix naturally; for example, with the spoken input "35" the content information RC is 35 and the biometric information RB is the user's voiceprint features.
Fingerprint and palm print: contact input, usually captured with a contact sensor. Only a very small amount of content information RC can be carried (for example which finger is used, such as the right index finger), and most of the information is biometric information RB (the fingerprint or palm print).
Eyeprint, facial features and vein pattern: optical input, usually captured with an optical sensor. These contain no content information RC at all, only biometric information RB (the eyeprint and so on).
Behavioural characteristics (gestures, handwriting, typing traces): usually captured with a computer input device such as a keyboard or touch screen. The authentication content RD is a natural mix of content information RC and biometric information RB, but the RB component is far smaller than for a voiceprint; for example, with the keyboard input "abcde" the content information RC is abcde and the biometric information RB is the trace of the user's typing (statistical invariants of the user's keystrokes), and the amount of information in this feature is usually small.
The content information RC and biometric information RB of each kind of biometric characteristic each have their uses, and a capture that contains both at once is better. Voiceprint and behavioural characteristics therefore have a unique advantage, and both kinds of sensor are inexpensive.
Extracting content information RC and biometric information RB from captured biometric input is a highly specialised technology, and it is not within the innovation or scope of protection of this patent. We are nevertheless glad to note that, although this is a demanding technology, good progress has been made in recent years. We therefore take it that RC and RB can be extracted from the authentication content RD captured for a biometric characteristic; this extraction is treated as prior art and is not described in detail, and the specific scheme chosen does not affect implementation of the utility model.
Those skilled in the art will appreciate that the authentication content RD corresponding to the biometric characteristic captured by the personal authentication device 1 is resolved into content information RC and biometric information RB, and that RC and RB can be sent to the authentication server 2 either directly or, after one or more layers of function computation, as intermediate information derived from RC and RB.
In the utility model the acquisition of biometric characteristics can be repeated, forming a set of biometric characteristics for use. The data captured by the sensor is called a collected sample; the set of all information that may be collected is called the collection set, denoted CJ, and the data used for registration and authentication are elements of CJ. Not all of CJ need be used, however: the subset actually enrolled is called the enrolled set, denoted ZJ, which is a subset (possibly a proper subset) of CJ. Examples:
Example 1: CJ is the fingerprints of all the user's fingers, ZJ = CJ, and a collected sample is the fingerprint of one particular finger.
Example 2: CJ is the set of spoken numbers 0-99, ZJ = {10, 20, 30, 40, 50, 60, 70, 80, 90}, and a collected sample is the data for one prescribed spoken number.
Example 3: CJ is the set of all 5-letter strings, ZJ = CJ, and a collected sample is a particular 5-letter string typed on the keyboard, for example abcde or ijkom.
The principles that allow the utility model to achieve higher security and usability in authentication are:
Principle 1: biometric information should not be used directly. If it is used directly, particularly in remote authentication, the characteristic information itself must be sent over the network, which creates a considerable security risk. If it leaks in transit, later use becomes dangerous, because biometric characteristics are normally credited with a high degree of security and the problem is hard to detect. Moreover, ordinary biometric characteristics are few (a person has only ten fingerprints to use), so once the characteristic information leaks it cannot be changed or corrected as easily as a password. Using biometric characteristics directly therefore carries too many risks. The best approach is to mix them with other means, for example with a symmetric secret (called SK) held in the hand-held authentication device. In this way what is transmitted is guaranteed to be a one-time code, and a random one. The information used for registration is then only some representation of the biometric characteristic, so that even if it leaks completely in the worst case, another person still cannot impersonate the user. And because the registered biometric information is not the biometric information itself but a representation of it, and that representation is what is used directly, the user's highly secret biometric information is adequately protected.
Principle 2: the authenticating party should drive the authentication and lead the use of the biometric characteristic, rather than merely passively receiving static biometric information. The authenticating party then has multiple means of dealing with potential attacks.
The technical solution of the utility model is based on these two principles and, combined with the personal authentication (registration) device 1, forms the authentication (registration) system, which cooperates with a matching authentication (registration) method to achieve strong security and usability in authentication.
To help those skilled in the art understand and implement the utility model, it is described further below with reference to the drawings and specific embodiments.
Embodiment 1: the biometric characteristic used in this embodiment is the voiceprint, and the following technical schemes correspond to it.
Scheme 1 of Embodiment 1: an identity registration method, shown in Fig. 3. A symmetric secret SK is agreed in advance between the authentication server held by the authenticating party and the personal authentication device held by the user, and the authentication content RD is a set consisting of content information RC and biometric information RB. In this embodiment the personal authentication device is a smartphone together with its software; the smartphone has a microphone and network capability, and the authentication server comprises a hardware server and corresponding software. Agreeing the symmetric secret SK between the authentication server and the personal authentication device is prior art, so how the symmetric key is generated and stored is not described in detail.
The identity registration method comprises the following steps:
S1. The authentication server sends an instruction and the corresponding one-time information T to the personal authentication device (smartphone); the one-time information T includes the selected type of authentication content RD, and on receiving the instruction the personal authentication device prompts the user to input the authentication content RD;
Concretely: the user is asked to read out the digits 1234.
S2. The user inputs the authentication content RD as prompted; the personal authentication device obtains the input RD and resolves it into content information RC and biometric information RB;
Concretely: the user reads the digits 1234 into the phone's microphone as requested. The microphone captures the speech, which is passed to the smartphone's processor; the processor's software extracts the content information (the digits 1234) and the user's voice feature information, which includes biometric features such as the fundamental tone. These features depend on individual physiology, differ from person to person and are hard to forge. (For convenience the content information is called RC and the biometric information RB.)
S3. The personal authentication device (the smartphone's processor) computes the first information B from the biometric information RB, the symmetric secret SK and the one-time information T using a first preset algorithm;
The first information B is information directly related to the biometric information RB.
The requirement on any specific instance of the first algorithm in this step is that RB cannot be derived from B even when SK and T are known; subject to that condition the algorithm can be changed freely. One example of a specific algorithm producing B from SK, T and RB is written SK ⊕ RB = B, where B is the biometric information stored for registration on the server and ⊕ denotes a mixing algorithm. A typical mixing algorithm is HMAC_h, the class of message authentication methods that combine a hash algorithm with a message authentication code: HMAC stands for Hash-based Message Authentication Code, meaning a non-invertible message authentication code, h denotes the chosen hash algorithm, and hash algorithms are the class of one-way, non-invertible algorithms (commonly called hashing algorithms). What is transmitted, however, is not B itself but TB, obtained by applying a cryptographic algorithm keyed with (SK, T) to B (the original renders this as TB = (SK, T) [operator] B, with the operator symbol shown only as an image), where the operator denotes an encryption algorithm, for example AES (the Advanced Encryption Standard, also called the Rijndael cipher, a block cipher standard adopted by the US federal government) or a Chinese national cryptographic algorithm. The server can then compute B from TB and use it for registration.
S4. The personal authentication device computes the second information C from the content information RC, the symmetric secret SK and the one-time information T using a second preset algorithm;
The second information C is information directly related to the content information RC.
The requirement on any specific instance of the second algorithm in this step is that RC cannot be derived from C even when SK and T are known; subject to that condition the algorithm can be changed freely.
S5. The personal authentication device computes the third information M from the first information B and the second information C using a preset algorithm;
The requirement on the specific algorithm in this step is that M = B + C, or M = B + C + TC where TC is the encryption of T (+ denoting concatenation); the algorithm can be changed freely.
Concretely, steps S3, S4 and S5 are carried out as follows: the processor further processes SK, T, RC and RB to obtain M, using the algorithm below:
A. Using the algorithm Hmac_sha (an internationally standard algorithm for mixing information), compute the HMAC of SK and RB to obtain BRg; then encrypt BRg with AES using T as the key to obtain B;
B. Using Hmac_sha, compute the HMAC of SK, RC and T to obtain C;
C. Concatenate B and C to obtain M;
Those skilled in the art will appreciate that although this embodiment gives Hmac_sha as the specific algorithm for computing the third information M, the above steps are not limited to that algorithm; any existing algorithm that encrypts or otherwise protects data can be used in them.
S6. The personal authentication device sends the third information M to the authentication server, which performs the inverse operation of the preset algorithm to decompose M into the first information B and the second information C;
Concretely: the smartphone sends M back to the authentication server. The channel may be encrypted, and an encrypted channel is recommended, but even an open channel does not compromise the process. If a transmission key e is used in this step, M is encrypted with e as eM for transmission, which further strengthens security in transit; the authentication server recovers M from eM and obtains B and C (and possibly TC) from M.
S7. The authentication server takes, as the user's registration data W, the first information B or the second information C obtained by the decomposition, or the first intermediate information BRg corresponding to B or the second intermediate information CRg corresponding to C, and stores it in its database.
Concretely, steps S6 and S7 are carried out as follows: the phone sends M back to the server; the server first decomposes M into B and C and uses C for a preliminary check; it then decrypts B with AES (T as the key) to obtain BRg, which is stored in the server's database as the user's main registration data.
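The registration exchange S1 to S7 above, together with the device and server units it relies on, as an added worked example that is not part of the patent or of the assignee's product. Both sides are modelled in Python. The following are assumptions, not taken from the page: HMAC-SHA256 stands in for Hmac_sha; the standard library has no AES, so the "AES with T as key" step is replaced by XOR with an HMAC-SHA256 counter-mode keystream derived from T (an AES-GCM call from the `cryptography` package would take the same place); the user name "alice", the sample SK, the spoken digits and the voiceprint feature vector are all constructed; and the voiceprint is treated as an already-extracted, stable byte string, since feature extraction is prior art the page does not describe.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TAG_LEN = 32  # SHA-256 output; B and C are 32 bytes each, so M is 64 bytes


def hmac_sha(key: bytes, *parts: bytes) -> bytes:
    """The page's Hmac_sha mixing step, here HMAC-SHA256 over length-prefixed
    parts so that HMAC(SK, RC, T) is unambiguous whatever the sizes of RC and T."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


def enc_with_t(t: bytes, data: bytes) -> bytes:
    """Stand-in for the page's 'AES with T as key' step. Assumption: the
    standard library has no AES, so data is XORed with an HMAC-SHA256
    counter-mode keystream derived from T. XOR is its own inverse, so the
    server calls the same function to decrypt. T is one-time, so the
    keystream is never reused."""
    key = hashlib.sha256(b"key-from-T:" + t).digest()
    stream = b"".join(
        hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + TAG_LEN - 1) // TAG_LEN)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def split_rd(rd: Dict) -> Tuple[bytes, bytes]:
    """Step S2: resolve RD into RC and RB. Real voiceprint extraction from
    audio is prior art outside the patent, so RD is a constructed dict holding
    the spoken digits and an already-extracted feature vector."""
    return rd["spoken"].encode(), bytes(rd["voiceprint"])


def device_build_m(sk: bytes, rc: bytes, rb: bytes, t: bytes) -> bytes:
    """Steps S3-S5 on the personal authentication device."""
    brg = hmac_sha(sk, rb)      # A: BRg = Hmac_sha(SK, RB); raw RB never leaves the phone
    b = enc_with_t(t, brg)      # A: B = Enc_T(BRg), different for every T
    c = hmac_sha(sk, rc, t)     # B: C = Hmac_sha(SK, RC, T), binds the content to this T
    return b + c                # C: M = B || C


class AuthServer:
    """Steps S1, S6 and S7 on the authentication server."""

    def __init__(self, sk: bytes):
        self.sk = sk
        self.pending: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (T, RC it asked for)
        self.db: Dict[str, bytes] = {}                      # user -> W (here BRg)

    def issue_challenge(self, user: str, prompt: str, t: Optional[bytes] = None) -> bytes:
        """S1: pick the content to read out and a fresh one-time T."""
        if t is None:
            t = secrets.token_bytes(16)
        self.pending[user] = (t, prompt.encode())
        return t

    def register(self, user: str, m: bytes) -> bytes:
        """S6/S7: split M, check C against the prompted RC, decrypt B, store W."""
        if user not in self.pending:
            raise ValueError("no outstanding challenge: T already consumed or never issued")
        t, rc = self.pending.pop(user)   # T is one-time; a replayed M finds no T
        if len(m) != 2 * TAG_LEN:
            raise ValueError("malformed M")
        b, c = m[:TAG_LEN], m[TAG_LEN:]
        if not hmac.compare_digest(c, hmac_sha(self.sk, rc, t)):
            raise ValueError("C mismatch: wrong SK, wrong content, or stale T")
        w = enc_with_t(t, b)             # inverse of the device's encryption gives BRg
        self.db[user] = w
        return w


def run_registration(sk: bytes, rd: Dict, t: Optional[bytes] = None) -> Dict:
    """One complete registration; returns the values worth checking."""
    server = AuthServer(sk)
    t = server.issue_challenge("alice", rd["spoken"], t)
    rc, rb = split_rd(rd)
    m = device_build_m(sk, rc, rb, t)
    w = server.register("alice", m)
    try:
        server.register("alice", m)      # replay of the same M
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "m": m,
        "w": w,
        "w_is_keyed_digest_of_rb": w == hmac_sha(sk, rb),
        "w_contains_raw_rb": rb in w,
        "replay_rejected": replay_rejected,
    }


# Constructed sample input, not from the page: a pre-agreed SK, the digits the
# server asked the user to read, and a stand-in voiceprint feature vector.
SAMPLE_SK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SAMPLE_RD = {"spoken": "1234", "voiceprint": [17, 230, 4, 99, 142, 8, 61, 200, 33, 77, 5, 190]}

if __name__ == "__main__":
    result = run_registration(SAMPLE_SK, SAMPLE_RD)
    print("M on the wire  :", result["m"].hex())
    print("W stored       :", result["w"].hex())
    print("replay rejected:", result["replay_rejected"])
```

Running the block performs one registration and then replays the same M, which the server rejects because T was consumed; registering twice with different T values yields different M on the wire but the same W in the database, which is the property Principle 1 relies on. Two caveats a practitioner would add: an HMAC over RB only works if the extracted biometric template is bit-for-bit stable across captures, which real voiceprints are not, so a deployment needs the canonicalisation or fuzzy-extraction step the page leaves to prior art; and since the server verifies C with the RC it prompted, C proves possession of SK and agreement on the content rather than who spoke, so the speaker's identity rests entirely on what is later compared against W.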
Scheme 2 of embodiment 1: an identity registration system, as shown in Figure 2, characterized in that it comprises a personal authentication apparatus held by the user and an authentication server held by the authenticating party, with symmetric confidential information SK agreed in advance between the personal authentication apparatus and the authentication server, and a set of authentication content RD consisting of content information RC and biometric information RB;
In the present embodiment the personal authentication apparatus is a smartphone together with the software on it; the smartphone has a microphone and network capability, and the authentication server comprises a hardware server and the corresponding software.
The personal authentication apparatus comprises at least the following units:
an acquisition unit, used to acquire the authentication content RD input by the user;
in the present embodiment the authentication content RD is "the user reads the digits 1234 aloud"; the digits "1234" extracted from RD are the content information RC, and the voiceprint extracted from RD is the biometric information RB;
a processing unit, used to parse the authentication content RD into content information RC and biometric information RB; to compute the first information B from the biometric information RB, the symmetric confidential information SK and the one-time information T using a first preset algorithm; to compute the second information C from the content information RC, SK and T using a second preset algorithm; and to compute the third information M from the first information B and the second information C using a preset algorithm;
a communication unit, used for data communication between the personal authentication apparatus and the authentication server: to receive the instruction sent by the authentication server together with the corresponding one-time information T, and to send the third information M from the personal authentication apparatus to the authentication server;
a storage unit, used to store the data obtained from the acquisition unit, processing unit and communication unit of the personal authentication apparatus;
The authentication server comprises at least the following units:
a communication unit, used for data communication between the personal authentication apparatus and the authentication server: to send the instruction and the corresponding one-time information T from the authentication server to the personal authentication apparatus, and to receive the third information M sent by the personal authentication apparatus;
a processing unit, used to perform the inverse operation according to the preset algorithm and decompose the third information M into the first information B and the second information C; and to store B or C, or the first intermediate information BRg corresponding to B or the second intermediate information CRg corresponding to C, in the database of the authentication server as the user's registration data W;
a storage unit, used to store the data obtained from the communication unit and processing unit of the authentication server.
Embodiment 2: the hardware system of this embodiment is identical to that of embodiment 1 and is not described again.
The biometric feature of the authentication content RD adopted in this embodiment is a behavioural feature (a gesture), specifically drawing a prescribed circle with the thumb and forefinger. The smartphone collects the input (that is, the authentication content RD), which can be decomposed into two kinds of information: the content information RC, namely the position of the circle and so on, and the individual's behavioural characteristic information (the biometric information RB), namely the speed of the gesture, its statistical relationships and similar information. The processor of the smartphone obtains this information by processing the gesture input. It is based on the individual's physiological and habitual characteristics; different people produce different information, and it is difficult to forge.
Since the hardware system of this embodiment is identical to that of embodiment 1, differing only in the authentication content RD, and its processing procedure and technical scheme are identical to those of embodiment 1, the specific technical schemes of the identity registration method, system and personal authentication apparatus based on this different authentication content are not described again.
Embodiment 3: the hardware system of this embodiment is identical to that of embodiment 1 and is not described again.
The biometric feature of the authentication content RD adopted in this embodiment is a fingerprint. RD is still divided into content information RC and biometric information RB: the content information is which finger is presented, for example the left index finger, so in this embodiment the content information takes few values, only 10; the biometric information RB is the fingerprint itself. Fingerprint information is based on the individual's physiological characteristics; different people have different information, and it is difficult to forge.
Since the hardware system of this embodiment is identical to that of embodiment 1, differing only in the authentication content RD, and its processing procedure and technical scheme are identical to those of embodiment 1, the specific technical schemes of the identity registration method, system and personal authentication apparatus based on this different authentication content are not described again.
Embodiment 4: the hardware system of this embodiment comprises an authentication server held by the authenticating party and a personal authentication apparatus held by the user, where the personal authentication apparatus comprises a hardware authentication device and a separate browser device with network capability. The difference from embodiment 1 is that in embodiment 1 the hardware authentication device and the browser device are integrated into a single hardware device, the personal authentication apparatus, whereas in embodiment 4 the personal authentication apparatus is split into two relatively independent hardware devices: the hardware authentication device and the independent browser device with network capability. The hardware authentication device in embodiment 4 is a specially designed hardware authentication device (also called a token, etc.) together with the software installed on it; the network confirmation in the authentication process is communicated through the intermediary of the browser device, which is a hardware platform with network capability and browser software installed, such as a computer or a mobile phone.
To help those skilled in the art understand and implement the utility model, it is further described below with reference to the accompanying drawings and specific embodiments.
Scheme 1 of embodiment 4: an identity registration method, characterized in that symmetric confidential information SK is agreed in advance between the authentication server held by the authenticating party and the personal authentication apparatus held by the user, and the authentication content RD is a set consisting of content information RC and biometric information RB;
The identity registration method comprises the following steps:
S1. The authentication server sends an instruction to the personal authentication apparatus and provides the corresponding one-time information T; the one-time information T includes information on the selected type of authentication content RD. After receiving the instruction, the personal authentication apparatus prompts the user to input the authentication content RD;
The biometric feature of the authentication content RD adopted in this embodiment is a fingerprint. RD is still divided into content information RC and biometric information RB: the content information is which finger is presented, for example the left index finger, so in this embodiment the content information takes few values, only 10; the biometric information RB is the fingerprint itself. Fingerprint information is based on the individual's physiological characteristics; different people have different information, and it is difficult to forge.
S2. The user inputs the authentication content RD according to the prompt; the personal authentication apparatus obtains the input RD and parses it into content information RC and biometric information RB;
S3. The personal authentication apparatus computes the first information B from the biometric information RB, the symmetric confidential information SK and the one-time information T using a first preset algorithm;
S4. The personal authentication apparatus computes the second information C from the content information RC, the symmetric confidential information SK and the one-time information T using a second preset algorithm;
S5. The personal authentication apparatus computes the third information M from the first information B and the second information C using a preset algorithm;
The concrete measures of steps S4 and S5 in this embodiment are: the hardware authentication device in the personal authentication apparatus further processes the information SK, RC and RB to obtain the information M.
The concrete algorithm is as follows:
Using the hmac_sha algorithm, compute the hmac of RB under SK, obtaining the information BRg;
Using the hmac_sha algorithm, compute the hmac of RC under SK, obtaining the information C;
Concatenate the information BRg and the information C to obtain the information M1;
The hardware authentication device displays the information M1 on its display unit, the user enters M1 into the browser device, and the browser device then performs the following calculation on it:
Decompose M1 to obtain BRg and C;
Then, using T as the key, encrypt BRg to obtain the information KBRg;
Concatenate the information KBRg and the information C to obtain the information M;
S6. The personal authentication apparatus sends the third information M to the authentication server, and the authentication server performs the inverse operation according to the preset algorithm to decompose the third information M into the first information B and the second information C;
S7. The authentication server takes the first information B or the second information C obtained by the decomposition calculation, or the first intermediate information BRg corresponding to B or the second intermediate information CRg corresponding to C, as the user's registration data W, and stores it in the database of the authentication server.
The concrete measures of steps S6 and S7 in this embodiment are: the browser device in the personal authentication apparatus sends the third information M to the authentication server, and the authentication server performs the following calculation with M. It first obtains KBRg and C and uses C for a preliminary identification; then it decrypts KBRg with the AES algorithm (with T as the key) to obtain BRg, and BRg is stored in the server's database as this user's main registration data.
The concrete measures of steps S6, S7 and S8 in this embodiment are: the browser device in the personal authentication apparatus sends the third information M to the authentication server, and the authentication server performs the following calculation with M. It first obtains KBRg and C and uses C for a preliminary identification; then it decrypts KBRg with the AES algorithm (with T as the key) to obtain BRg. The BRg obtained is stored temporarily as authentication registration data W1, and W1 is then compared and matched against the registration data W pre-stored in the authentication server, thereby achieving authentication of the user.
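The registration flow of embodiment 4 (steps S2 to S7 with the concrete algorithm above), as an added Go example that is not part of the patent: hmac_sha is instantiated with SHA-256, "T is key" is realised by hashing T into an AES-256-GCM key with a random nonce, and the SK, fingerprint encoding and T values are constructed samples. It also runs a second session under a fresh T to show the comparison of W1 against the stored W that the authentication variant describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const tagLen = sha256.Size // length of one hmac_sha output; M1 and M are split at this boundary

// hmacSHA is the page's "hmac_sha" step, instantiated here with SHA-256 (assumption).
func hmacSHA(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// gcmFor keys AES-GCM from T; the page only says "T is key", so hashing T to 32 bytes and using GCM are assumptions.
func gcmFor(t []byte) cipher.AEAD {
	k := sha256.Sum256(t)
	block, _ := aes.NewCipher(k[:]) // a 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// tokenStep runs on the hardware authentication device: BRg = hmac(SK, RB), C = hmac(SK, RC), M1 = BRg || C.
func tokenStep(sk, rb, rc []byte) []byte {
	return append(hmacSHA(sk, rb), hmacSHA(sk, rc)...)
}

// browserStep runs on the browser device: split the typed-in M1, encrypt BRg under T into KBRg, return M = KBRg || C.
func browserStep(m1, t []byte) ([]byte, error) {
	if len(m1) != 2*tagLen {
		return nil, fmt.Errorf("malformed M1: want %d bytes, got %d", 2*tagLen, len(m1))
	}
	brg, c := m1[:tagLen], m1[tagLen:]
	gcm := gcmFor(t)
	nonce := make([]byte, gcm.NonceSize()) // prepended to KBRg; C is bound as associated data
	_, _ = rand.Read(nonce)                // crypto/rand.Read never returns an error (Go 1.24+)
	return append(gcm.Seal(nonce, nonce, brg, c), c...), nil
}

// serverStep (authentication server): check C against the content prompted in T (preliminary identification), then decrypt KBRg with T to get BRg (W at registration, W1 at login).
func serverStep(m, sk, t, promptedRC []byte) ([]byte, error) {
	gcm := gcmFor(t)
	ns := gcm.NonceSize()
	if len(m) < tagLen+ns {
		return nil, fmt.Errorf("malformed M")
	}
	kbrg, c := m[:len(m)-tagLen], m[len(m)-tagLen:]
	if !hmac.Equal(c, hmacSHA(sk, promptedRC)) {
		return nil, fmt.Errorf("preliminary identification failed: C does not match the prompted content")
	}
	return gcm.Open(nil, kbrg[:ns], kbrg[ns:], c) // fails if T is stale or M was tampered with
}

// session runs S2 to S7 once and returns the BRg the server recovers (W at registration, W1 at login).
func session(sk, t, rb, rc, promptedRC []byte) ([]byte, error) {
	m, err := browserStep(tokenStep(sk, rb, rc), t)
	if err != nil {
		return nil, err
	}
	return serverStep(m, sk, t, promptedRC)
}

func main() {
	sk, rb, rc := []byte("constructed-SK"), []byte("constructed-left-index-template"), []byte("left-index") // constructed sample values
	w, err1 := session(sk, []byte("T-register-001"), rb, rc, rc) // registration: the server stores W
	w1, err2 := session(sk, []byte("T-login-002"), rb, rc, rc)   // a later login with fresh T yields W1
	fmt.Println("W1 matches stored W:", err1 == nil && err2 == nil && hmac.Equal(w, w1))
}
```

Taking an hmac over RB only works if the acquisition unit produces a byte-identical RB on every capture; real fingerprint templates vary between readings, so this example assumes a template-stabilisation step before hmac_sha.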
Since the hardware system of embodiment 4 differs from that of embodiment 1 only in the specific implementation of the personal authentication apparatus, and the authentication content RD is identical to that of embodiment 3, the specific technical schemes of the identity registration method, system and personal authentication apparatus based on this different authentication content are not described again.
In the numerous technical schemes of the several embodiments of the present utility model, all three kinds of factors are fully used and none can be omitted. In the process, what the user knows, what the user has and the user's biometric characteristic must all be correctly present at the same time and be used correctly, otherwise authentication cannot succeed. Note that the information M is one-time: even if it is obtained, the user's biometric information cannot be recovered from it. At the same time, the authentication server (that is, the authenticating party) can fully control the whole authentication process, rather than authenticating only on static biometric information (which is always under the shadow of possible forgery).
Further, because the biometric characteristic can only be produced by the user in person, even in the worst case where all of the server's registration information is leaked, an attacker still cannot impersonate the user, so the damage is kept to a minimum. Almost no present system or method can achieve this property; with our system and method, this goal can be reached.
Because our system uses a very convenient personal authentication apparatus and unifies the use of the three factors within the user's simple operating procedure, the user no longer needs to remember various troublesome passwords, PINs and so on, and comfort is greatly improved. With our system a user needs only one authenticator to bind to any service provider, and cost falls greatly. Such a high level of security, such a convenient user experience and such a low usage cost are all unattainable by present systems and methods, and are what the market is actively seeking.
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the principles of the utility model, and it should be understood that the scope of protection of the utility model is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific variations and combinations, without departing from the essence of the utility model, according to the technical teachings disclosed herein, and such variations and combinations remain within the scope of protection of the utility model.

Claims (4)

1. An identity registration system, characterized in that it comprises a personal authentication apparatus held by the user and an authentication server held by the authenticating party, with symmetric confidential information SK agreed in advance between the personal authentication apparatus and the authentication server, and a set of authentication content RD consisting of content information RC and biometric information RB;
the personal authentication apparatus comprises at least the following units:
an acquisition unit, used to acquire the authentication content RD input by the user;
a processing unit, used to parse the authentication content RD into content information RC and biometric information RB; to compute the first information B from the biometric information RB, the symmetric confidential information SK and the one-time information T using a first preset algorithm; to compute the second information C from the content information RC, SK and T using a second preset algorithm; and to compute the third information M from the first information B and the second information C using a preset algorithm;
a communication unit, used for data communication between the personal authentication apparatus and the authentication server: to receive the instruction sent by the authentication server together with the corresponding one-time information T, and to send the third information M from the personal authentication apparatus to the authentication server;
a storage unit, used to store the data obtained from the acquisition unit, processing unit and communication unit of the personal authentication apparatus;
the authentication server comprises at least the following units:
a communication unit, used for data communication between the personal authentication apparatus and the authentication server: to send the instruction and the corresponding one-time information T from the authentication server to the personal authentication apparatus, and to receive the third information M sent by the personal authentication apparatus;
a processing unit, used to perform the inverse operation according to the preset algorithm and decompose the third information M into the first information B and the second information C; and to store B or C, or the first intermediate information BRg corresponding to B or the second intermediate information CRg corresponding to C, in the database of the authentication server as the user's registration data W;
a storage unit, used to store the data obtained from the communication unit and processing unit of the authentication server;
the acquisition unit, communication unit and storage unit of the personal authentication apparatus are each connected to its processing unit; the communication unit and storage unit of the authentication server are each connected to its processing unit; and the personal authentication apparatus and the authentication server are connected and communicate through their respective communication units.
2. The identity registration system according to claim 1, characterized in that the personal authentication apparatus is a smartphone.
3. The identity registration system according to claim 1, characterized in that the personal authentication apparatus comprises a hardware authentication device and an independent browser device with network capability.
4. The identity registration system according to claim 3, characterized in that the browser device is a hardware platform with network capability and browser software installed, such as a computer or a mobile phone.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201320261554 CN203243360U (en) 2013-05-14 2013-05-14 Identity registration system

Publications (1)

Publication Number Publication Date
CN203243360U true CN203243360U (en) 2013-10-16

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
AV01 Patent right actively abandoned

Granted publication date: 20131016

Effective date of abandoning: 20160525

C25 Abandonment of patent right or utility model to avoid double patenting