WO2016078429A1 - Identity recognition method and apparatus - Google Patents

Identity recognition method and apparatus

Info

Publication number
WO2016078429A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
eye pattern
characteristic data
pattern characteristic
application
Application number
PCT/CN2015/083458
Other languages
French (fr)
Chinese (zh)
Inventor
沙爽
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016078429A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/32: User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Definitions

  • in one example the predetermined operation request is starting an application that needs to verify the identity of the user, the application is on a mobile phone, and the only legitimate user is the owner; the example includes:
  • when the comparison result is consistent, the application may be opened.
  • alternatively, the user is not identified when the application is launched, so that any user can be allowed to open the application, but an illegal user can still be prevented from accessing the pre-selected sensitive data; this has better concealment.
  • the other is to arrive at the authentication cycle with the scheduled application turned on.
  • a specific example is shown in FIG. 3.
  • the example is applied to a mobile phone.
  • the legal user only includes the owner.
  • the authentication period is 3 minutes.
  • the example includes:
  • 302. Determine whether to enable real-time detection; if it is enabled, perform 303, if not, perform 308, and use normally;
  • the front camera is started to scan the current user's eye pattern to obtain eye pattern characteristic data
  • the type of the predetermined application and the length of the authentication period may be set by the user.
  • the two predetermined conditions can be used independently or together.
  • the technical solution can perform real-time user identity verification when the application is started and during its use, so that only legitimate users can perform certain operations, such as accessing data that needs to be kept confidential or making online banking payments. This protects important data, prevents illegal operations, and ensures the security of the terminal device.
  • the right to access data can also be associated with the identity of a specific person; the identity element can be combined with the algorithm of data encryption and storage, and only the authenticated user can access the specified data to decrypt the data.
  • an unauthenticated user cannot access the data, let alone see its plaintext.
  • the predetermined condition and the pre-stored eye pattern feature data each include a plurality of, respectively, corresponding to different security levels
  • the comparing, by the terminal device, the scanned eye pattern characteristic data and the pre-stored eye pattern characteristic data in the terminal device, includes:
  • the terminal device searches for the security level corresponding to the predetermined condition that is met, obtains the pre-stored eye pattern characteristic data corresponding to that security level, and compares the scanned eye pattern characteristic data with the obtained eye pattern characteristic data.
  • the application and user data in the mobile phone system can be hierarchically managed according to different user access identities, and different access identities are mapped to different security levels.
  • the scheme can also use the eyeprint recognition technology to verify the identity of the user.
  • when the user unlocks the mobile phone, the user's eyeprint feature is collected; if it is the same as the owner's eyeprint feature previously recorded in the mobile phone, the user is recognized as the owner; if not, the user is identified as a non-owner, i.e. a visitor.
  • the phone can pre-set a group of applications and data that are visible to such users; these can be made available to non-owner users and stored in plain text;
  • the solution is based on ARM TrustZone technology. TrustZone(TM) technology appears in ARMv6KZ and later application core architectures. It provides a low-cost way of adding a dedicated security core to a system-on-a-chip (SoC): two virtual processors backed by hardware-enforced access control. This approach allows the application core to switch between two states (usually called "worlds" to avoid confusion with names used in other functional areas), which prevents information from leaking from the more trusted world into the less secure one. This switching between worlds is usually completely independent of the other functions of the processor, so each world can operate independently while still using the same core.
  • the foregoing method further includes:
  • the predetermined operation request or predetermined application is configured by a white list.
  • the whitelist may be first encrypted by aes_cbc_128, and then signed by the RSA private key.
  • the RSA public key is stored in the hardware register of the terminal device, and the signed data is built in the software system of the terminal device.
  • when the terminal device receives the predetermined operation request or starts the predetermined application, the operation request or the application is matched with the whitelist; when the matching is successful, the pre-stored eyeprint feature data in the terminal device is allowed to be read.
  • Step 1 Start the application
  • Step 2 Determine whether the whitelist needs to be checked; if not, perform step 3 to directly open the application; if necessary, perform step 4 to perform matching in the whitelist (list of eyeprint protection applications);
  • the whitelist in step four is obtained through the following process:
  • the related public key can also be saved in the normal Flash storage space, but the access in this area is shared by all applications, and there is a risk of being accessed by other applications.
  • management through whitelists can increase the scalability of the protected object list and ensure the effectiveness of management.
  • the specific implementation of the foregoing solution may be as shown in FIG. 5, in which a security module is embedded in the application client; the security module is signed in advance with the unique key of each application, and when access to the eye pattern feature data is involved after the application is started,
  • the security module invokes the interface encapsulated by the terminal device to access the protected eye pattern data;
  • the eye pattern characteristic data can then be accessed.
  • the scheme saves the eyeprint feature data in a special area, and the access rights of the area are verified by the key stored in the register.
  • the storage area of the identity data is physically isolated from normal data, which greatly reduces the possibility of it being stolen or tampered with by Trojans and malicious viruses; authentication measures are added to the access mechanism to ensure that only legitimate applications can run and access it. This is very meaningful for the correctness of identity identification and the protection of data security.
  • an embodiment of the present invention provides an apparatus for identifying an identity, which is installed in a terminal device, and includes:
  • a scanning module configured to scan an eyelet of a current user when a predetermined condition is met
  • the comparison module is configured to compare the scanned eye pattern characteristic data with the pre-stored eye pattern characteristic data in the terminal device;
  • Execution module set to perform subsequent operations when the comparison results are consistent.
  • the predetermined condition includes:
  • when a predetermined application is open on the terminal device, the predetermined application reaches the authentication period.
  • the device further includes:
  • a configuration module configured to configure the predetermined operation request or a predetermined application by using a whitelist; when the terminal device receives an operation request or starts an application, matching the operation request or the application with the whitelist;
  • the comparison module is allowed to read pre-stored eye pattern characteristic data in the terminal device.
  • the predetermined condition and the pre-stored eye pattern feature data each include a plurality of, respectively, corresponding to different security levels
  • the comparison module searches for the security level corresponding to the predetermined condition that is met, obtains the pre-stored eye pattern characteristic data corresponding to that security level, and compares the scanned eye pattern characteristic data with the acquired eye pattern characteristic data.
  • all or part of the steps of the above embodiments may also be implemented using integrated circuits: the steps may be fabricated as individual integrated circuit modules, or multiple modules or steps may be fabricated as a single integrated circuit module.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when each device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the above technical solution not only identifies the owner identity from the unlocking aspect, but also can scan and verify the eyeprint at any time in all other modules that wish to perform real-time user identification, thereby ensuring that the legitimate user accesses the specified data.
  • the above technical solution whitelists protected applications and data, improves usability and flexibility, and effectively reduces the possibility of key data being stolen.
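The whitelist handling described above (encrypt the list with AES-CBC-128, sign it with the RSA private key, keep only the RSA public key in a hardware register, verify before the eyeprint data may be read, then match the launching application against the list) as an added worked example in Go. This is not the patent's or ZTE's code. It assumes a JSON list of application identifiers, SHA-256 with PKCS#1 v1.5 signatures, a blob layout of signature || IV || ciphertext, and the constructed application names and demo keys in the code; the hardware register is stood in for by an ordinary function argument.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Whitelist lists the applications allowed to read the eyeprint feature data.
type Whitelist struct {
	Apps []string `json:"apps"`
}

var ErrBadSignature = errors.New("whitelist signature does not verify")

// SealWhitelist (vendor side): AES-128-CBC encrypt the JSON list, then RSA-sign
// SHA-256(IV || ciphertext). The blob layout is this example's own assumption:
// signature || IV || ciphertext.
func SealWhitelist(priv *rsa.PrivateKey, aesKey []byte, wl Whitelist) ([]byte, error) {
	plain, err := json.Marshal(wl)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize) // a fresh random IV leads the body
	if _, err := rand.Read(body); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(plain, bytes.Repeat([]byte{byte(n)}, n)...) // PKCS#7 padding
	cipher.NewCBCEncrypter(block, body).CryptBlocks(padded, padded) // encrypt in place
	body = append(body, padded...)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(sig, body...), nil
}

// OpenWhitelist (device side): verify the signature with the public key held in
// the hardware register before touching the ciphertext, then decrypt and parse.
func OpenWhitelist(pub *rsa.PublicKey, aesKey, blob []byte) (Whitelist, error) {
	var wl Whitelist
	sigLen := pub.Size()
	if len(blob) < sigLen+2*aes.BlockSize || (len(blob)-sigLen)%aes.BlockSize != 0 {
		return wl, errors.New("whitelist blob has an invalid length")
	}
	body := blob[sigLen:]
	digest := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], blob[:sigLen]) != nil {
		return wl, ErrBadSignature
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return wl, err
	}
	padded := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(padded, body[aes.BlockSize:])
	n := int(padded[len(padded)-1]) // PKCS#7: the last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(padded[len(padded)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return wl, errors.New("bad PKCS#7 padding")
	}
	err = json.Unmarshal(padded[:len(padded)-n], &wl)
	return wl, err
}

// Allowed is the whitelist match made when an application starts: only a
// listed application may go on to read the pre-stored eyeprint data.
func (w Whitelist) Allowed(app string) bool {
	for _, a := range w.Apps {
		if a == app {
			return true
		}
	}
	return false
}

// DemoKeys returns a throwaway RSA-2048 key pair and a constructed AES-128 key.
func DemoKeys() (*rsa.PrivateKey, []byte) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv, []byte("0123456789abcdef") // constructed 16-byte demo key
}
```

The device never holds the private key, and the signature is checked before any decryption, so a tampered or foreign list is rejected without the AES layer ever being exercised. The page says where the RSA public key lives (a hardware register) but not where the AES key is kept on the device; the example therefore takes it as a parameter, and a real deployment has to decide that separately.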


Abstract

An identity recognition method and apparatus. The method is applicable to a terminal device, comprising: when a pre-determined condition is met, scanning, by a terminal device, eyeprints of a current user; comparing, by the terminal device, eyeprint characteristic data obtained through scanning with eyeprint characteristic data pre-stored in the terminal device; and when a comparison result is representative of consistency, executing, by the terminal device, a subsequent operation. The technical solution can ensure that valid users are effectively recognized.

Description

Identity recognition method and apparatus
Technical field
This document relates to the field of data security, and in particular to a method and apparatus for identity recognition.
Background
There are more and more applications on terminal devices such as smart phones, and many of them need to access user data on the terminal device: social applications need to access the address book, navigation applications need to access the location of the terminal device, and authentication software needs to access the terminal device identifier. However, users often do not realize that this data is being read by the application, and it frequently happens that an application accesses data that has nothing to do with its own function, which creates an opportunity for data leakage.
In addition, some data on the terminal device is data the owner wants to be accessible only to himself, including the personal phone book, private files and data of social applications; if it can be viewed by any user, it easily becomes a threat to the owner's social life, work and money.
At present the industry mainly uses identity recognition technology to protect user data on terminal devices, and identity recognition currently relies mainly on fingerprints:
A. Fingerprint collection: fingerprints are mainly collected through an external sliding or pressing fingerprint acquisition device;
B. Protection of data access: a private-mode switch is generally provided in the settings menu; after fingerprint verification the private mode can be started, and from then on no further fingerprint verification is performed when entering any other module.
Disadvantages or problems of the related art:
First, fingerprints are highly reproducible: the fingerprint a user leaves on the screen can be copied into a silicone finger sleeve, so the method lacks concealment and carries a certain risk of misjudging identity;
Second, the related technical solution confirms the owner's identity by recognizing a fingerprint in the settings menu and then treats all subsequent module operations as open, without real-time identity verification protection of the data; it is entirely possible that the owner is no longer the one operating at that time, so that a non-owner enters a highly sensitive module.
Finally, the data access identity management of the related art has no whitelist mechanism, so once the software is released any subsequent upgrade requires a major version update, which both consumes traffic and wastes time.
Summary of the invention
The present invention provides a method and apparatus for user identity recognition, to solve the technical problem of how to effectively recognize legitimate users.
To solve the above problem, an embodiment of the present invention provides a method for identity recognition, applicable to a terminal device, which includes:
the terminal device scans the eyeprint of the current user when a predetermined condition is met;
the terminal device compares the eyeprint characteristic data obtained by scanning with the eyeprint characteristic data pre-stored in the terminal device;
when the comparison result is consistent, the terminal device performs the subsequent operation.
Optionally, the predetermined condition includes:
receiving a predetermined operation request; and/or,
when a predetermined application is open, the predetermined application reaching its authentication period.
Optionally, the method further includes:
configuring the predetermined operation request or predetermined application through a whitelist;
when the terminal device receives an operation request or starts an application, matching the operation request or application against the whitelist; when the match succeeds, allowing the eyeprint characteristic data pre-stored in the terminal device to be read.
Optionally, there are a plurality of predetermined conditions and a plurality of sets of pre-stored eyeprint characteristic data, corresponding to different security levels;
the terminal device comparing the scanned eyeprint characteristic data with the eyeprint characteristic data pre-stored in the terminal device includes:
the terminal device looking up the security level corresponding to the predetermined condition that is met, obtaining the pre-stored eyeprint characteristic data corresponding to that security level, and comparing the scanned eyeprint characteristic data with the obtained eyeprint characteristic data.
An embodiment of the present invention further provides an apparatus for identity recognition, arranged in a terminal device, which includes:
a scanning module, configured to scan the eyeprint of the current user when a predetermined condition is met;
a comparison module, configured to compare the scanned eyeprint characteristic data with the eyeprint characteristic data pre-stored in the terminal device;
an execution module, configured to perform the subsequent operation when the comparison result is consistent.
Optionally, the predetermined condition includes:
the terminal device receiving a predetermined operation request; and/or
when a predetermined application is open on the terminal device, the predetermined application reaching its authentication period.
Optionally, the apparatus further includes:
a configuration module, configured to configure the predetermined operation request or predetermined application through a whitelist and, when the terminal device receives an operation request or starts an application, to match the operation request or application against the whitelist and, when the match succeeds, to allow the comparison module to read the eyeprint characteristic data pre-stored in the terminal device.
Optionally, there are a plurality of predetermined conditions and a plurality of sets of pre-stored eyeprint characteristic data, corresponding to different security levels;
the comparison module is configured to compare the scanned eyeprint characteristic data with the eyeprint characteristic data pre-stored in the terminal device in the following way:
looking up the security level corresponding to the predetermined condition that is met, obtaining the pre-stored eyeprint characteristic data corresponding to that security level, and comparing the scanned eyeprint characteristic data with the obtained eyeprint characteristic data.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the above method.
The embodiment of the invention designs an eyeprint-based user identity recognition mechanism that not only recognizes the owner's identity at unlocking, but also lets every other module that wishes to perform real-time user identification scan and verify the eyeprint at any time, thereby ensuring that only legitimate users access the specified data.
In addition, embodiments of the present invention can manage protected applications and data through a whitelist, which greatly improves their usability and flexibility and effectively reduces the possibility of key data being stolen.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a method for identity recognition according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the first kind of predetermined condition in an embodiment of the present invention;
FIG. 3 is a schematic flowchart of the second kind of predetermined condition in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of whitelist matching and comparison in an embodiment of the present invention;
FIG. 5 is a schematic diagram of a specific implementation of an embodiment of the present invention;
FIG. 6 is a schematic flowchart of the specific implementation shown in FIG. 5;
FIG. 7 is a schematic diagram of an apparatus for identity recognition according to an embodiment of the present invention.
Preferred Embodiments of the Invention
The technical solution of the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
It should be noted that, provided they do not conflict, the embodiments of the present invention and the individual features of the embodiments may be combined with each other, and all such combinations fall within the protection scope of the present invention. In addition, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
A method for identity recognition, suitable for being deployed in a terminal device, as shown in FIG. 1, includes:
the terminal device scans the eye pattern of the current user when a predetermined condition is met;
the terminal device compares the scanned eye pattern characteristic data with eye pattern characteristic data pre-stored in the terminal device;
when the comparison result is a match, the terminal device performs the subsequent operation.
Eye pattern recognition is a technique that captures and recognizes the venous blood vessels of the human eyeball. The blood vessels of the human body are the best biometric method because the blood vessel data is hidden inside the body, so it cannot be forgotten and cannot be copied. The pre-stored eye pattern characteristic data may include only the owner's data, or may also include that of one or more legitimate users other than the owner.
The predetermined condition may be of two kinds:
One is receiving a predetermined operation request. The predetermined operation request may be accessing predetermined data (such as SMS messages, the address book, call records, the gallery, or data designated within certain applications), launching a predetermined application (such as social software or a file manager), or performing a predetermined operation (such as unlocking the phone, online banking payment, or a funds transfer); which requests count as predetermined operation requests can be set by the user. When a predetermined operation request is received, the eye pattern of the current user is scanned; if the user is not the owner or another legitimate user, the operation is not allowed; if the user is the owner or another legitimate user, the subsequent operation is performed, that is, the corresponding operation is carried out according to the user's operation request.
A specific example is shown in FIG. 2. In this example, the predetermined operation request is launching an application that requires user identity verification, the application is on a mobile phone, and the only legitimate user is the owner; the example includes:
201. Launch an application that requires user identity verification;
202. Start the front camera to scan the eye pattern of the current user and obtain eye pattern characteristic data;
203. Read the owner's eye pattern characteristic data pre-recorded on the phone;
204. Compare whether the two sets of eye pattern characteristic data match;
205. If they match, identify the current user as the owner, and the application may be opened;
206. If they do not match, identify the current user as a non-owner, and the application may not be opened.
When the predetermined operation request is accessing data designated within certain applications, no identity recognition is performed when the application is launched: any user may open the application, but an illegitimate user is prevented from accessing the pre-selected sensitive data. This approach is more user-friendly and less conspicuous.
The other is reaching the authentication period while a predetermined application is open.
This is a real-time user identity recognition mode. Once enabled, the eye pattern of the current user is scanned periodically while the application is in use; if an illegitimate user is recognized, the current application is exited; if it is the owner or another legitimate user, the subsequent operation is performed, that is, the application keeps running and the operation requests the user makes within it are carried out, until the next authentication period arrives.
A specific example is shown in FIG. 3. The example is applied on a mobile phone, the only legitimate user is the owner, and the authentication period is 3 minutes; the example includes:
301. The application starts;
302. Determine whether real-time detection is enabled; if it is enabled, proceed to 303; if not, proceed to 308 and use the application normally;
303. Every 3 minutes, start the front camera to scan the eye pattern of the current user and obtain eye pattern characteristic data;
304. Read the owner's eye pattern characteristic data pre-recorded on the phone;
305. Compare whether the two sets of eye pattern characteristic data match;
306. If they match, identify the current user as the owner and continue normal use;
307. If they do not match, identify the current user as a non-owner, show a prompt, and exit the current application.
The type of predetermined application and the length of the authentication period may be set by the user.
The two predetermined conditions may be used independently of each other or together.
In order to verify the identity of the current user in real time, this technical solution can perform real-time user identity verification both when an application is launched and during its use, thereby ensuring that only legitimate users can perform certain operations, such as accessing data that must be kept confidential or making online banking payments. This protects important data, prevents illegitimate operations, and ensures the information security of the terminal device.
With this solution, the permission to access data can also be tied to the identity recognition of a specific person; the identity recognition element can be combined with the algorithm used to store data in encrypted form, so that only an authenticated user can access the designated data and decrypt it, while an unauthenticated user cannot access the data at all, let alone see its plaintext.
Optionally, there are a plurality of predetermined conditions and a plurality of sets of pre-stored eye pattern characteristic data, corresponding respectively to different security levels;
the terminal device comparing the scanned eye pattern characteristic data with the eye pattern characteristic data pre-stored in the terminal device includes:
the terminal device looks up the security level corresponding to the predetermined condition that was met, obtains the pre-stored eye pattern characteristic data corresponding to that security level, and compares the scanned eye pattern characteristic data with the obtained eye pattern characteristic data.
In this way, the applications and user data in the phone system can be managed in tiers according to the access identity of different users, with different access identities mapped to different security levels.
The solution can also use eye pattern recognition to verify the user's identity when the user unlocks the phone: the user's eye pattern characteristics are captured, and if they are the same as the owner's eye pattern characteristics previously recorded on the phone, the user is recognized as the owner; if not, the user is recognized as a non-owner, that is, a visitor.
For non-owner users, the phone can set in advance a set of applications and data visible to this kind of identity; from the owner's point of view, this data may be disclosed to others and is stored in plaintext;
For the owner, most applications and data on the phone are visible, and such data can be seen only by the owner.
This solution is based on ARM TrustZone technology. TrustZone(TM) technology appears in ARMv6KZ and later application core architectures. It provides a low-cost way to add a dedicated security core to a system-on-chip (SoC): a hardware-enforced access control mechanism supports two virtual processors. This lets the application core switch between two states (usually called worlds to avoid confusion with the names of other functional domains), and under this architecture information can be prevented from leaking from the more trusted core world to the less secure world. This switching between kernel worlds is usually completely orthogonal to the other functions of the processor, so each world can operate independently while still using the same core.
Optionally, the above method further includes:
configuring the predetermined operation request or the predetermined application through a whitelist.
If protected operation requests or applications later need to be removed or added, this can be achieved by updating the whitelist, which is both convenient and flexible.
The whitelist may first be encrypted with aes_cbc_128 and then signed with an RSA private key; the RSA public key is stored in a hardware register of the terminal device, and the signed data is built into the software system of the terminal device.
When the terminal device receives a predetermined operation request or launches a predetermined application, the operation request or application is matched against the whitelist; when the match succeeds, reading the eye pattern characteristic data pre-stored in the terminal device is permitted.
An example of whitelist verification and matching is shown in FIG. 4. In this example the predetermined condition is launching a predetermined application; the example includes:
Step 1. Launch the application;
Step 2. Determine whether the whitelist needs to be checked; if not, perform Step 3 and open the application directly; if so, perform Step 4 and match against the whitelist (the list of eye-pattern-protected applications);
403. Determine whether the application to be launched is a protected application; if so, enter the flow of FIG. 3; if not, open the application normally.
The whitelist in Step 4 is obtained through the following process:
a. Read the RSA public key from the register;
b. Verify the whitelist data with the RSA public key, then decrypt it with aes_cbc_128;
c. Obtain the original whitelist.
In the whitelist verification and matching flow, the relevant public key could also be stored in ordinary Flash storage, but that region is shared by all applications, so there is a risk of it being accessed by other applications.
Managing the categories of protected operations and applications through a whitelist both increases the extensibility of the list of protected objects and ensures the effectiveness of management.
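The whitelist sealing and the device-side verification flow above (steps a to c, followed by the Step 4 match), as an added example in Go that is neither the patent's nor ZTE's code. It assumes PKCS#1 v1.5 over SHA-256 for the RSA signature, PKCS#7 padding for aes_cbc_128, a newline-separated list of application identifiers, and that the AES key reaches the verifying code from protected storage alongside the public key; the page specifies none of these.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// pkcs7Unpad strips PKCS#7 padding (assumed scheme) and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealWhitelist is the provisioning step the page describes: aes_cbc_128-encrypt the
// newline-joined list, then RSA-sign it. Layout (assumed): IV || ciphertext || signature.
func SealWhitelist(priv *rsa.PrivateKey, aesKey []byte, entries []string) ([]byte, error) {
	block, err := aes.NewCipher(aesKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	plain := []byte(strings.Join(entries, "\n"))
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	plain = append(plain, bytes.Repeat([]byte{byte(n)}, n)...)
	signed := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(signed[:aes.BlockSize]); err != nil { // fresh IV
		return nil, err
	}
	cipher.NewCBCEncrypter(block, signed[:aes.BlockSize]).CryptBlocks(signed[aes.BlockSize:], plain)
	digest := sha256.Sum256(signed) // the signature covers IV and ciphertext
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(signed, sig...), nil
}

// OpenWhitelist is the device-side flow (steps a to c): verify the image with the
// public key read from the register, and only then decrypt. Any tampering fails closed.
func OpenWhitelist(pub *rsa.PublicKey, aesKey []byte, image []byte) ([]string, error) {
	sigLen := pub.Size()
	if len(image) < sigLen+2*aes.BlockSize || (len(image)-sigLen)%aes.BlockSize != 0 {
		return nil, errors.New("whitelist image has invalid length")
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	digest := sha256.Sum256(signed)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("whitelist signature invalid: refusing to decrypt")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(signed)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, signed[:aes.BlockSize]).CryptBlocks(plain, signed[aes.BlockSize:])
	plain, err = pkcs7Unpad(plain)
	if err != nil {
		return nil, err
	}
	return strings.Split(string(plain), "\n"), nil
}

// IsProtected is the Step 4 match against the list of eye-pattern-protected applications.
func IsProtected(whitelist []string, appID string) bool {
	for _, e := range whitelist {
		if e == appID {
			return true
		}
	}
	return false
}

// ProvisionDevice stands in for the factory side (assumed): an RSA pair whose public
// half would go to the register, a random AES-128 key, and the sealed whitelist image.
func ProvisionDevice(entries []string) (*rsa.PublicKey, []byte, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	aesKey := make([]byte, 16)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, nil, nil, err
	}
	image, err := SealWhitelist(priv, aesKey, entries)
	return &priv.PublicKey, aesKey, image, err
}
```

Because the signature is checked before any decryption, a modified image never reaches the AES step, which is the property that would be lost if the public key itself lived in shared Flash.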
A specific implementation of the above solution may be as shown in FIG. 5: a security module is embedded in the application client, and this security module is signed in advance with a key unique to each application; after the application is launched, whenever access to eye pattern characteristic data is involved, the security module calls the interface encapsulated by the terminal device to access the protected eye pattern characteristic data;
when the application client accesses the interface, the terminal device verifies the identity of the application. The main flow is shown in FIG. 6 and includes:
601. Launch an application that requires identity recognition;
602. Assign a different ID to each application; read the hardware key from the register;
603. Generate a unique identity key for the application;
604. When the application reads the owner's eye pattern characteristic data, determine whether it is a legitimate application;
605. If so, the eye pattern characteristic data may be accessed;
606. If not, it may not be accessed.
Since the identifier used to verify the user's identity is very important, this solution stores the eye pattern characteristic data in a special region whose access rights are verified with the key stored in the register. The storage region of the identity identifier is physically isolated from ordinary data, which greatly reduces the possibility of it being stolen or tampered with by Trojans and malicious viruses, and authentication measures are added to the access mechanism to ensure that only applications with a legitimate identity can run and gain access. This is very meaningful for both the correctness of the identity identifier and the protection of data security.
As shown in FIG. 7, an embodiment of the present invention provides an apparatus for identity recognition, disposed in a terminal device, including:
a scanning module, configured to scan the eye pattern of the current user when a predetermined condition is met;
a comparison module, configured to compare the scanned eye pattern characteristic data with the eye pattern characteristic data pre-stored in the terminal device;
an execution module, configured to perform the subsequent operation when the comparison result is a match.
Optionally, the predetermined condition includes:
the terminal device receiving a predetermined operation request; and/or
reaching the authentication period while a predetermined application is open on the terminal device.
Optionally, the apparatus further includes:
a configuration module, configured to configure the predetermined operation request or the predetermined application through a whitelist; when the terminal device receives an operation request or launches an application, match the operation request or application against the whitelist; and, when the match succeeds, allow the comparison module to read the eye pattern characteristic data pre-stored in the terminal device.
Optionally, there are a plurality of predetermined conditions and a plurality of sets of pre-stored eye pattern characteristic data, corresponding respectively to different security levels;
the comparison module comparing the scanned eye pattern characteristic data with the eye pattern characteristic data pre-stored in the terminal device means:
the comparison module looks up the security level corresponding to the predetermined condition that was met, obtains the pre-stored eye pattern characteristic data corresponding to that security level, and compares the scanned eye pattern characteristic data with the obtained eye pattern characteristic data.
Of course, the present invention may have various other embodiments, and those skilled in the art may make various corresponding changes and modifications according to the present invention without departing from its spirit and essence; all such corresponding changes and modifications fall within the protection scope of the claims of the present invention.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented as a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus, or component), and when executed includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
The apparatuses/functional modules/functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network made up of multiple computing devices.
When the apparatuses/functional modules/functional units in the above embodiments are implemented as software functional modules and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
Industrial Applicability
The above technical solution not only recognizes the owner's identity at unlock time, but also allows eye pattern scanning and verification to be performed at any time in every other module that requires real-time user identity recognition, thereby ensuring that only legitimate users access the designated data. In addition, the above technical solution applies whitelist management to protected applications and data, which improves usability and flexibility and effectively reduces the likelihood of key data being stolen.

Claims (9)

  1. A method for identity recognition, comprising:
    the terminal device scanning the eye pattern of the current user when a predetermined condition is met;
    the terminal device comparing the scanned eye pattern characteristic data with eye pattern characteristic data pre-stored in the terminal device;
    when the comparison result is a match, the terminal device performing the subsequent operation.
  2. The method according to claim 1, wherein the predetermined condition comprises:
    receiving a predetermined operation request; and/or
    while a predetermined application is open, the predetermined application reaching the authentication period.
  3. The method according to claim 2, further comprising:
    configuring the predetermined operation request or the predetermined application through a whitelist; when the terminal device receives an operation request or launches an application, matching the operation request or application against the whitelist; and, when the match succeeds, permitting the eye pattern characteristic data pre-stored in the terminal device to be read.
  4. The method according to any one of claims 1 to 3, wherein
    there are a plurality of predetermined conditions and a plurality of sets of pre-stored eye pattern characteristic data, corresponding respectively to different security levels;
    the terminal device comparing the scanned eye pattern characteristic data with the eye pattern characteristic data pre-stored in the terminal device comprises:
    the terminal device looking up the security level corresponding to the predetermined condition that was met, obtaining the pre-stored eye pattern characteristic data corresponding to that security level, and comparing the scanned eye pattern characteristic data with the obtained eye pattern characteristic data.
  5. An apparatus for identity recognition, disposed in a terminal device, comprising:
    a scanning module, configured to scan the eye pattern of the current user when a predetermined condition is met;
    a comparison module, configured to compare the scanned eye pattern characteristic data with eye pattern characteristic data pre-stored in the terminal device;
    an execution module, configured to perform the subsequent operation when the comparison result is a match.
  6. The apparatus according to claim 5, wherein the predetermined condition comprises:
    the terminal device receiving a predetermined operation request; and/or
    while a predetermined application is open on the terminal device, the predetermined application reaching the authentication period.
  7. The apparatus according to claim 6, further comprising:
    a configuration module, configured to configure the predetermined operation request or the predetermined application through a whitelist; when the terminal device receives an operation request or launches an application, match the operation request or application against the whitelist; and, when the match succeeds, allow the comparison module to read the eye pattern characteristic data pre-stored in the terminal device.
  8. The apparatus according to any one of claims 5 to 7, wherein:
    there are a plurality of predetermined conditions and a plurality of sets of pre-stored eye pattern characteristic data, corresponding respectively to different security levels;
    the comparison module is configured to compare the scanned eye pattern characteristic data with the eye pattern characteristic data pre-stored in the terminal device in the following way:
    looking up the security level corresponding to the predetermined condition that was met, obtaining the pre-stored eye pattern characteristic data corresponding to that security level, and comparing the scanned eye pattern characteristic data with the obtained eye pattern characteristic data.
  9. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method according to any one of claims 1 to 4.
PCT/CN2015/083458 2014-11-19 2015-07-07 Identity recognition method and apparatus WO2016078429A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410665618.XA CN105678137A (en) 2014-11-19 2014-11-19 Method and device for identity recognition
CN201410665618.X 2014-11-19

Publications (1)

Publication Number Publication Date
WO2016078429A1 true WO2016078429A1 (en) 2016-05-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15861678

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15861678

Country of ref document: EP

Kind code of ref document: A1