WO2017012175A1 - Identity authentication method, identity authentication system, terminal and server

Publication number
WO2017012175A1
Authority
WO
WIPO (PCT)
Prior art keywords
biometric
vector
information
identity authentication
biometric information
Application number
PCT/CN2015/088472
Other languages
French (fr)
Chinese (zh)
Inventor
钟焰涛
傅文治
林荣辉
Original Assignee
宇龙计算机通信科技(深圳)有限公司
Application filed by 宇龙计算机通信科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina

Definitions

  • The present invention relates to the field of biometrics, and in particular to an identity authentication method, an identity authentication system, a terminal, and a server.
  • Biometric technology refers to the use of human biometric features for identity authentication.
  • Biometric technologies include fingerprint recognition, face recognition, and iris recognition.
  • The security of biometric template data is a key issue, because malicious programs on a mobile terminal may steal the biometric template data stored on it. With the stolen template data it is easy to pass biometric authentication, which leads to the leakage of important information and gives users a bad experience.
  • Homomorphic encryption is a special encryption technique that allows specific algebraic operations to be performed on ciphertext, yielding results that correspond to performing the same operations on the plaintext. In other words, this technology allows people to operate on encrypted data and get the right results without having to decrypt the data at any point in the process.
  • Current homomorphic encryption technology cannot be directly applied to complex operations such as biometric template matching.
  • Therefore, a new identity authentication method is needed that combines biometric technology with homomorphic encryption technology, so that the server can perform correct biometric information matching without decryption and the problems of the prior art can be effectively avoided.
  • The invention is based on the above problems and proposes a new technical solution in which the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties, realizes the secure storage of users' biometric information, improves the security and reliability of identity authentication based on biometric information, and improves the user experience.
  • An identity authentication method for a terminal includes: collecting first biometric information of a preset user; representing at least one item of first attribute information of the first biometric information in vector form, and homomorphically encrypting the at least one item of first attribute information represented in vector form according to a preset key to generate a first biometric vector; and sending the first biometric vector to a server, for the server to store the first biometric vector as a first biometric template vector.
  • The pre-storing process of the first biometric template vector is performed first. Specifically, the first attribute information that can be used for identity authentication in the collected first biometric information of the preset user is represented in vector form. There are one or more items of first attribute information for identity authentication, and each item is represented in vector form, which yields a vector group representing the first biometric information. Each sub-vector in the vector group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector.
  • The preset key may be randomly generated by the terminal or set according to the actual needs of the user, and is ultimately stored in the terminal. The first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key. By combining biometric technology with homomorphic encryption technology in this way, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided, and the secure storage of the user's biometric information is realized. This improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • The method further includes: collecting second biometric information of the current user; representing at least one item of second attribute information of the second biometric information in vector form, and homomorphically encrypting the at least one item of second attribute information represented in vector form according to the preset key to generate a second biometric vector; sending the second biometric vector to the server, for the server to generate a first Euclidean distance from the second biometric vector and the first biometric template vector; receiving the first Euclidean distance from the server; performing homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether the identity authentication is successful.
  • The second attribute information that can be used for identity authentication in the collected second biometric information of the current user is represented in vector form. There are one or more items of second attribute information that can be used for authentication, and each item is represented in vector form, which yields a vector group representing the second biometric information. Each sub-vector in the vector group is homomorphically encrypted according to the preset key.
  • Of course, the first Euclidean distance is also encrypted, and the server cannot learn its specific value.
  • In this way the server is prevented from abusing the user's first biometric template vector, which ensures the security of the matching result.
  • The server sends the calculated first Euclidean distance to the terminal, where it is homomorphically decrypted to obtain the second Euclidean distance. Whether the second biometric information matches the first biometric information is then determined according to the second Euclidean distance, so as to determine whether the identity authentication is successful. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of the identity authentication.
  • The server can perform correct biometric information matching without decryption, and the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided. This realizes the secure storage of user biometric information, improves the security and reliability of identity authentication based on biometric information, and improves the user experience.
  • Determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether the identity authentication is successful, specifically includes: determining whether the second Euclidean distance is less than or equal to a preset distance; when the second Euclidean distance is less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information and the identity authentication succeeds; when the second Euclidean distance is greater than the preset distance, the second biometric information fails to match the first biometric information and the identity authentication fails.
  • Whether the second biometric information matches the first biometric information is determined from the second Euclidean distance, by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information, indicating that the user identity authentication is successful; otherwise, the identity authentication fails. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily stolen by malicious parties, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • The preset distance can be calculated according to the actual application scenario.
  • The first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • The first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented on the basis of different biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that the first biometric template vector stored on the terminal is easily stolen by malicious parties is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
  • An identity authentication system for a terminal comprises: an acquisition module, configured to collect first biometric information of a preset user; an encryption module, configured to represent at least one item of first attribute information of the first biometric information in vector form, and to homomorphically encrypt the at least one item of first attribute information represented in vector form according to the preset key to generate the first biometric vector; and a sending module, configured to send the first biometric vector to a server, for the server to store the first biometric vector as a first biometric template vector.
  • The pre-storing process of the first biometric template vector is performed first. Specifically, the first attribute information that can be used for identity authentication in the collected first biometric information of the preset user is represented in vector form. There are one or more items of first attribute information for identity authentication, and each item is represented in vector form, which yields a vector group representing the first biometric information. The vector group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector.
  • The preset key may be randomly generated by the terminal or set according to the actual needs of the user, and is ultimately stored in the terminal. The first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key.
  • The server is thereby enabled to perform correct biometric information matching without decryption, the prior-art problem that user biometric information is easily stolen by malicious parties is effectively avoided, and the secure storage of the user's biometric information is realized. This improves the security and reliability of identity authentication based on biometric information and enhances the user experience.
  • The acquisition module is further configured to collect second biometric information of the current user.
  • The encryption module is further configured to represent at least one item of second attribute information of the second biometric information in vector form, and to homomorphically encrypt the at least one item of second attribute information represented in vector form according to the preset key to generate a second biometric vector.
  • The first sending module is further configured to send the second biometric vector to the server, for the server to generate a first Euclidean distance from the first biometric template vector according to the second biometric vector.
  • The identity authentication system further includes: a first receiving module, configured to receive the first Euclidean distance from the server; a decrypting module, configured to perform homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and a determining module, configured to determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether the identity authentication is successful.
  • The second attribute information that can be used for identity authentication in the collected second biometric information of the current user is represented in vector form. There are one or more items of second attribute information that can be used for authentication, and each item is represented in vector form, which yields a vector group representing the second biometric information. Each sub-vector in the vector group is homomorphically encrypted according to the preset key.
  • The server sends the calculated first Euclidean distance to the terminal, where it is homomorphically decrypted to obtain the second Euclidean distance. Whether the second biometric information matches the first biometric information is then determined according to the second Euclidean distance, so as to determine whether the identity authentication is successful. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of the identity authentication.
  • The server can perform correct biometric information matching without decryption, and the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided. This realizes the secure storage of user biometric information, improves the security and reliability of identity authentication based on biometric information, and improves the user experience.
  • The determining module is specifically configured to determine whether the second Euclidean distance is less than or equal to a preset distance. When the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information and the identity authentication is successful; when the second Euclidean distance is determined to be greater than the preset distance, the second biometric information fails to match the first biometric information and the identity authentication fails.
  • Whether the second biometric information matches the first biometric information is determined from the second Euclidean distance, by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information, indicating that the user identity authentication is successful; otherwise, the identity authentication fails. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily stolen by malicious parties, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • The preset distance can be calculated according to the actual application scenario.
  • The first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • The first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented on the basis of different biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that the first biometric template vector stored on the terminal is easily stolen by malicious parties is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
  • An identity authentication method for a server comprises: receiving a third biometric vector from a terminal; and storing the third biometric vector as a second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of the collected third biometric information of the preset user.
  • The process of storing the second biometric template vector is performed first. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, so that the subsequent matching step can be carried out smoothly.
  • The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information, usable for identity authentication, of the third biometric information of the preset user. That is, it is a vector obtained by encryption, and the server cannot learn its specific content. The server is therefore prevented from abusing the user's biometric information, which further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • The method further includes: receiving a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of the collected fourth biometric information of the current user; obtaining a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and sending the third Euclidean distance to the terminal, for the terminal to determine, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information. The third biometric information and the fourth biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • The third Euclidean distance calculated according to the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal can homomorphically decrypt it and determine whether the identity authentication is successful. The fourth biometric vector is obtained by the terminal performing homomorphic encryption on each item of fourth attribute information, usable for identity authentication, of the fourth biometric information of the current user. That is, it is a vector obtained by encryption, and the server cannot learn its specific content.
  • The server can perform correct biometric information matching without decryption, and the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided. This realizes the secure storage of the user's biometric information, prevents the server from abusing the user's biometric information, and further improves the security and reliability of identity authentication based on biometric information, which enhances the user experience.
  • The third biometric information and the fourth biometric information include, but are not limited to, one of the following or a combination thereof: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented on the basis of different biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that the second biometric template vector stored on the terminal is easily stolen by malicious parties is effectively avoided. This improves the effectiveness and reliability of identity authentication based on biometric information and further enhances the applicability of identity authentication.
  • An identity authentication system for a server comprises: a second receiving module, configured to receive a third biometric vector from the terminal; and a storage module, configured to store the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of the collected third biometric information of the preset user.
  • The process of storing the second biometric template vector is performed first. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, so that the subsequent matching step can be carried out smoothly.
  • The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information, usable for identity authentication, of the third biometric information of the preset user. That is, it is a vector obtained by encryption, and the server cannot learn its specific content. The server is therefore prevented from abusing the user's biometric information, which further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • The second receiving module is further configured to receive a fourth biometric vector from the terminal, where the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of the collected fourth biometric information of the current user.
  • The identity authentication system further includes: a processing module, configured to obtain a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and a second sending module, configured to send the third Euclidean distance to the terminal, for the terminal to determine, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information. The third biometric information and the fourth biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • The third Euclidean distance calculated according to the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal performs homomorphic decryption to determine whether the identity authentication is successful.
  • The fourth biometric vector is obtained by the terminal performing homomorphic encryption on each item of fourth attribute information, usable for identity authentication, of the fourth biometric information of the current user. That is, it is a vector obtained by encryption, and the server cannot learn its specific content.
  • Thus, by combining biometric technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, and the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided. This realizes the secure storage of the user's biometric information, prevents the server from abusing the user's biometric information, and further improves the security and reliability of identity authentication based on biometric information, which enhances the user experience.
  • The third biometric information and the fourth biometric information include, but are not limited to, one of the following or a combination thereof: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented on the basis of different biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that the second biometric template vector stored on the terminal is easily stolen by malicious parties is effectively avoided. This improves the effectiveness and reliability of identity authentication based on biometric information and further enhances the applicability of identity authentication.
  • A terminal comprising the identity authentication system for a terminal according to any one of the preceding claims, and thus having all the beneficial effects of that identity authentication system, which are not described again here.
  • A server comprising the identity authentication system for a server according to any one of the preceding claims, and thus having all the beneficial effects of that identity authentication system, which are not described again here.
  • Biometric identification technology can be combined with homomorphic encryption technology, so that the server can perform correct biometric information matching without decryption, and the prior-art problem that the user's biometric information stored on the terminal is easily stolen by malicious parties is effectively avoided. This realizes the secure storage of the user's biometric information and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
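The enrollment and matching flow summarized above (terminal encrypts, server computes the distance on ciphertexts, terminal decrypts and compares with the preset distance), as an added Python example that is not code from the patent or its applicant. The text here does not name a homomorphic scheme, so the sketch substitutes a toy symmetric integer scheme, Enc(m) = m + r·p, which is not secure; all class and function names are hypothetical, the feature vectors are constructed, and the server returns the squared distance, which the terminal compares with the square of the preset distance.

```python
"""Toy walk-through: terminal encrypts, server computes the distance on
ciphertexts, terminal decrypts and applies the preset-distance check.

Stand-in scheme (an assumption, NOT from the patent and NOT secure):
    Enc_p(m) = m + r*p   with secret modulus p and a fresh random r
    Dec_p(c) = c mod p
Sums and products of ciphertexts decrypt to the sums and products of the
plaintexts as long as the true result lies in [0, p).
"""
from __future__ import annotations

import secrets

KEY_BITS = 256      # size of the secret modulus p (the "preset key")
MASK_BITS = 128     # size of the per-value random multiplier r


def keygen() -> int:
    """Terminal side: random odd KEY_BITS-bit modulus, never sent anywhere."""
    return secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1


def encrypt(key: int, value: int) -> int:
    return value + (secrets.randbits(MASK_BITS) + 1) * key


def decrypt(key: int, ciphertext: int) -> int:
    return ciphertext % key


class Server:
    """Stores encrypted templates and computes on ciphertexts only."""

    def __init__(self) -> None:
        self.templates: dict[str, list[int]] = {}

    def enroll(self, user: str, enc_template: list[int]) -> None:
        self.templates[user] = list(enc_template)

    def encrypted_sq_distance(self, user: str, enc_probe: list[int]) -> int:
        """Return a ciphertext of sum((t_i - q_i)^2); no key is involved."""
        template = self.templates[user]
        if len(template) != len(enc_probe):
            raise ValueError("probe and template dimensions differ")
        return sum((t - q) ** 2 for t, q in zip(template, enc_probe))


class Terminal:
    """Holds the preset key, encrypts feature vectors, makes the decision."""

    def __init__(self, preset_distance: int) -> None:
        self._key = keygen()
        # Compare squared values so no square root is needed on integers.
        self._limit_sq = preset_distance ** 2

    def protect(self, features: list[int]) -> list[int]:
        return [encrypt(self._key, f) for f in features]

    def recover_sq_distance(self, enc_distance: int) -> int:
        return decrypt(self._key, enc_distance)

    def authenticate(self, server: Server, user: str, features: list[int]) -> bool:
        enc_distance = server.encrypted_sq_distance(user, self.protect(features))
        return self.recover_sq_distance(enc_distance) <= self._limit_sq


# Constructed sample data: small quantised feature vectors, not real biometrics.
ENROLLED = [12, 200, 34, 90, 151, 7]
SAME_USER = [13, 198, 35, 91, 150, 7]      # squared distance 1+4+1+1+1+0 = 8
OTHER_USER = [100, 20, 220, 5, 60, 180]

if __name__ == "__main__":
    terminal, server = Terminal(preset_distance=5), Server()
    server.enroll("alice", terminal.protect(ENROLLED))
    print("same user accepted: ", terminal.authenticate(server, "alice", SAME_USER))
    print("other user accepted:", terminal.authenticate(server, "alice", OTHER_USER))
```
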
  • FIG. 1 is a flow chart showing an identity authentication method according to an embodiment of the present invention.
  • FIG. 2 shows a block diagram of an identity authentication system in accordance with one embodiment of the present invention.
  • FIG. 3 is a flow chart showing an identity authentication method according to another embodiment of the present invention.
  • FIG. 4 shows a block diagram of an identity authentication system in accordance with another embodiment of the present invention.
  • FIG. 5 shows a block diagram of a terminal in accordance with one embodiment of the present invention.
  • FIG. 6 shows a block diagram of a server in accordance with one embodiment of the present invention.
  • FIG. 7 is a flow chart showing an identity authentication method according to still another embodiment of the present invention.
  • FIG. 8 is a flow chart showing a biometric information registration method according to an embodiment of the present invention.
  • FIG. 1 shows a flow chart of an identity authentication method according to an embodiment of the present invention.
  • an identity authentication method is used for a terminal, including: Step 102: collecting first biometric information of a preset user; Step 104: representing at least one item of first attribute information of the first biometric information in vector form, and performing homomorphic encryption processing on the at least one item of first attribute information represented in vector form according to a preset key to generate a first biometric vector; and sending the first biometric vector to the server for the server to store the first biometric vector as a first biometric template vector.
  • the pre-storing process of the first biometric template vector is performed first. Specifically, the first attribute information that can be used for identity authentication in the collected first biometric information of the preset user is represented in vector form.
  • the first attribute information for identity authentication has one or more items, and each item of first attribute information is represented in vector form, yielding a vector group that represents the first biometric information.
  • each sub-vector in the vector group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, and the first biometric vector is then sent to the server, which stores it as the first biometric template vector.
  • the preset key may be randomly generated by the terminal, or may be set according to the actual needs of the user, and is finally stored in the terminal. That is, the first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot know the preset key.
  • by combining the biometric technology with the homomorphic encryption technology, the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that user biometric information stored on the terminal is easily maliciously stolen, realizes the secure storage of user biometric information, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • the method further includes: collecting second biometric information of the current user; representing at least one item of second attribute information of the second biometric information in vector form, and performing homomorphic encryption processing on the at least one item of second attribute information represented in vector form according to the preset key to generate a second biometric vector; sending the second biometric vector to the server for the server to generate a first Euclidean distance according to the second biometric vector and the first biometric template vector; receiving the first Euclidean distance from the server; performing homomorphic decryption processing on the first Euclidean distance to obtain a second Euclidean distance; and determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether the identity authentication is successful.
  • the second attribute information that is available for identity authentication in the collected second biometric information of the current user is represented in a vector form, wherein the second attribute information that can be authenticated has one or more And each of the second attribute information is represented by a vector form, and a vector group representing the second biometric information is obtained, and each sub-vector in the vector group is homomorphically encrypted according to the preset key.
  • the distance of course, the first Euclidean distance is also encrypted, and the server cannot know the specific result of the first Euclidean distance.
  • the server can be prevented from abusing the user's first biometric template vector, ensuring the security of the matching result.
  • the server sends the calculated first Euclidean distance to the terminal, which homomorphically decrypts it to obtain a second Euclidean distance and then determines, according to the second Euclidean distance, whether the second biometric information matches the first biometric information and hence whether the identity authentication is successful. That is, the preset key used for the homomorphic decryption is stored in the terminal and the server cannot know the preset key, which further ensures the security and reliability of the identity authentication.
  • the server can perform correct biometric information matching without decryption, which effectively avoids the prior-art problem that user biometric information stored on the terminal is easily maliciously stolen, realizes the secure storage of user biometric information, improves the security and reliability of identity authentication based on biometric information, and improves the user experience.
  • determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information so as to determine whether the identity authentication is successful specifically includes: determining whether the second Euclidean distance is less than or equal to the preset distance; when it is determined that the second Euclidean distance is less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information and the identity authentication succeeds; when it is determined that the second Euclidean distance is greater than the preset distance, the second biometric information fails to match the first biometric information and the identity authentication fails.
  • whether the second biometric information matches the first biometric information is determined by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information, indicating that the user identity authentication is successful; otherwise, the identity authentication fails. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily maliciously stolen, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • the preset distance can be calculated according to the actual application scenario.
  • the first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • the first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented based on different biometric information, so that the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily maliciously stolen, and, while improving the security and reliability of identity authentication based on biometric information, further improves the applicability of identity authentication.
  • FIG. 2 shows a block diagram of an identity authentication system in accordance with one embodiment of the present invention.
  • the identity authentication system 200 of an embodiment of the present invention is used for a terminal, and includes: an acquisition module 202, configured to collect first biometric information of a preset user; an encryption module 204, configured to represent at least one item of first attribute information of the first biometric information in vector form, and to perform homomorphic encryption processing on the at least one item of first attribute information represented in vector form according to the preset key to generate the first biometric vector; and a first sending module 206, configured to send the first biometric vector to a server, where the server stores the first biometric vector as a first biometric template vector.
  • the pre-storing process of the first biometric template vector is first performed, and specifically, the first attribute information that can be used for identity authentication in the first biometric information of the collected preset user is represented by a vector form.
  • the first attribute information for identity authentication has one or more items, and each item of first attribute information is represented in vector form, yielding a vector group that represents the first biometric information.
  • each sub-vector in the vector group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, and the first biometric vector is then sent to the server, which stores it as the first biometric template vector. The preset key may be randomly generated by the terminal, or may be set according to the actual needs of the user, and is finally stored in the terminal. That is, the first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot know the preset key.
  • the server can perform correct biometric information matching without decryption, which effectively avoids the prior-art problem that the user's biometric information stored on the terminal is easily maliciously stolen.
  • the secure storage of the biometric information of the user is realized, and the security and reliability of the identity authentication based on the biometric information are improved, thereby improving the user experience.
  • the acquisition module 202 is further configured to collect second biometric information of the current user; the encryption module 204 is further configured to represent at least one item of second attribute information of the second biometric information in vector form, and to perform homomorphic encryption processing on the at least one item of second attribute information represented in vector form according to the preset key to generate a second biometric vector; the first sending module 206 is further configured to send the second biometric vector to the server for the server to generate a first Euclidean distance according to the second biometric vector and the first biometric template vector; and the identity authentication system 200 further includes: a first receiving module 208, configured to receive the first Euclidean distance from the server; a decryption module 210, configured to perform homomorphic decryption processing on the first Euclidean distance to obtain a second Euclidean distance; and a determining module 212, configured to determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information to determine an
  • the second attribute information that is available for identity authentication in the collected second biometric information of the current user is represented in a vector form, wherein the second attribute information that can be authenticated has one or more And each of the second attribute information is represented by a vector form, and a vector group representing the second biometric information is obtained, and each sub-vector in the vector group is homomorphically encrypted according to the preset key.
  • the distance of course, the first Euclidean distance is also encrypted, and the server cannot know the specific result of the first Euclidean distance.
  • the server can be prevented from abusing the user's first biometric template vector, ensuring the security of the matching result.
  • the server sends the calculated first Euclidean distance to the terminal, which homomorphically decrypts it to obtain a second Euclidean distance and then determines, according to the second Euclidean distance, whether the second biometric information matches the first biometric information and hence whether the identity authentication is successful. That is, the preset key used for the homomorphic decryption is stored in the terminal and the server cannot know the preset key, which further ensures the security and reliability of the identity authentication.
  • the server can perform correct biometric information matching without decryption, which effectively avoids the prior-art problem that user biometric information stored on the terminal is easily maliciously stolen, realizes the secure storage of user biometric information, improves the security and reliability of identity authentication based on biometric information, and improves the user experience.
  • the determining module 212 is specifically configured to determine whether the second Euclidean distance is less than or equal to a preset distance; when it is determined that the second Euclidean distance is less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information and the identity authentication succeeds; when it is determined that the second Euclidean distance is greater than the preset distance, the second biometric information fails to match the first biometric information and the identity authentication fails.
  • whether the second biometric information matches the first biometric information is determined by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is less than or equal to the preset distance, the second biometric information is successfully matched with the first biometric information, indicating that the user identity authentication is successful; otherwise, the identity authentication fails. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily maliciously stolen, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • the preset distance can be calculated according to the actual application scenario.
  • the first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • the first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented based on different biometric information, so that the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the first biometric template vector stored on the terminal is easily maliciously stolen, and, while improving the security and reliability of identity authentication based on biometric information, further improves the applicability of identity authentication.
  • FIG. 3 is a flow chart showing an identity authentication method according to another embodiment of the present invention.
  • an identity authentication method is used for a server, including: step 302, receiving a third biometric vector from a terminal; and step 304, storing the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption processing on at least one item of third attribute information of the collected third biometric information of the preset user.
  • the process of storing the second biometric template vector is performed first. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, so that the subsequent matching step can be carried out smoothly.
  • the third biometric vector is obtained by the terminal performing homomorphic encryption processing on each item of third attribute information, usable for identity authentication, of the collected third biometric information of the preset user. That is, it is a vector obtained by encryption processing, and the server cannot know its specific content. The server is therefore prevented from abusing the biometric information of the user, which further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
  • the method further includes: receiving a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption processing on at least one item of fourth attribute information of the collected fourth biometric information of the current user; obtaining a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and transmitting the third Euclidean distance to the terminal, for the terminal to determine, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • the third Euclidean distance calculated according to the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal performs homomorphic decryption to determine whether the identity authentication is successful.
  • the fourth biometric vector is obtained by the terminal performing homomorphic encryption processing on each fourth attribute information of the fourth biometric information of the current user that is available for identity authentication, that is, a vector obtained by encryption processing.
  • the server cannot know the specific content. Thus, by combining the biometric technology with the homomorphic encryption technology, the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the user's biometric information stored on the terminal is easily maliciously stolen, realizes the secure storage of the user's biometric information, prevents the server from abusing the user's biometric information, and further improves the security and reliability of identity authentication based on biometric information, which enhances the user experience.
  • the third biometric information and the fourth biometric information include, but are not limited to, one of the following or a combination thereof: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented based on different biometric information, so that the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the second biometric template vector stored on the terminal is easily maliciously stolen, and, while improving the security and reliability of identity authentication based on biometric information, further enhances the applicability of identity authentication.
  • FIG. 4 shows a block diagram of an identity authentication system in accordance with another embodiment of the present invention.
  • the identity authentication system 400 of another embodiment of the present invention is used for a server, including: a second receiving module 402, configured to receive a third biometric vector from a terminal; and a storage module 404, configured to store the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption processing on at least one item of third attribute information of the collected third biometric information of the preset user.
  • the second receiving module 402 is further configured to receive a fourth biometric vector from the terminal, where the fourth biometric vector is obtained by the terminal performing homomorphic encryption processing on at least one item of fourth attribute information of the collected fourth biometric information of the current user; and the identity authentication system further includes: a processing module 406, configured to obtain a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and a second sending module 408, configured to send the third Euclidean distance to the terminal, for the terminal to determine, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information, and face image information.
  • the third Euclidean distance calculated according to the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal performs homomorphic decryption to determine whether the identity authentication is successful.
  • the fourth biometric vector is obtained by the terminal performing homomorphic encryption processing on each fourth attribute information of the fourth biometric information of the current user that is available for identity authentication, that is, a vector obtained by encryption processing.
  • the server cannot know the specific content. Thus, by combining the biometric technology with the homomorphic encryption technology, the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the user's biometric information stored on the terminal is easily maliciously stolen, realizes the secure storage of the user's biometric information, prevents the server from abusing the user's biometric information, and further improves the security and reliability of identity authentication based on biometric information, which enhances the user experience.
  • the third biometric information and the fourth biometric information include, but are not limited to, one of the following or a combination thereof: fingerprint image information, iris image information, and face image information. That is, the solution may be implemented based on different biometric information, so that the server can perform correct biometric information matching without decryption. This effectively avoids the prior-art problem that the second biometric template vector stored on the terminal is easily maliciously stolen, and, while improving the security and reliability of identity authentication based on biometric information, further enhances the applicability of identity authentication.
  • Figure 5 shows a block diagram of a terminal in accordance with one embodiment of the present invention.
  • the terminal 500 of an embodiment of the present invention includes the identity authentication system 200 for the terminal 500 according to any one of the foregoing technical solutions, and thus has all the beneficial effects of the identity authentication system 200 for the terminal 500 described in any one of those technical solutions, which are not described again here.
  • Figure 6 shows a block diagram of a server in accordance with one embodiment of the present invention.
  • the server 600 of an embodiment of the present invention includes the identity authentication system 400 for the server 600 according to any one of the foregoing technical solutions, and thus has all the beneficial effects of the identity authentication system 400 for the server 600 described in any one of those technical solutions, which are not described again here.
  • FIG. 7 is a flow chart showing an identity authentication method according to still another embodiment of the present invention.
  • FIG. 8 is a flow chart showing a biometric information registration method according to an embodiment of the present invention.
  • the biometric template (i.e., the first biometric template vector) is represented as a vector, and each component of the vector is homomorphically encrypted; at least one item of second attribute information of the second biometric information is likewise represented in vector form and homomorphically encrypted according to the preset key to generate a second biometric vector.
  • the similarity between the two vectors (i.e., the second biometric vector and the first biometric template vector) is determined by their Euclidean distance. When the distance between the two is less than a certain threshold (i.e., the preset distance), the matching is considered successful; otherwise the matching fails.
  • the mobile terminal decrypts the result to obtain the Euclidean distance between the two unencrypted vectors (i.e., the second Euclidean distance) and determines whether the user is authenticated successfully.
  • Enc_k denotes a homomorphic encryption operation performed with k as the key
  • Dec_k denotes a homomorphic decryption operation performed with k as the key
  • the program includes two processes: biometric registration and upload process, and identity authentication process.
  • the identity authentication method in still another embodiment of the present invention specifically includes:
  • Step 702 The mobile phone collects a biometric image of the user (ie, second biometric information).
  • Step 704: processing the biometric image, extracting the different features and representing them in vector form to form a biometric vector group, such as (t'_1, t'_2, ..., t'_n).
  • at least one item of second attribute information of the second biometric information is represented in vector form, and the at least one item of second attribute information represented in vector form is homomorphically encrypted according to the preset key to generate the second biometric vector.
  • Step 708: uploading (e'_1, e'_2, ..., e'_n) (i.e., the second biometric vector) to the cloud server.
  • the cloud server reads the stored encrypted biometric template (e_1, e_2, ..., e_n).
  • Step 712 the cloud server calculates the Euclidean distance of the input biometric and the registered biometric template as That is, the server generates a first Euclidean distance from the first biometric vector according to the second biometric vector.
  • the cloud server transmits the Euclidean distance (ie, the first Euclidean distance) to the mobile phone.
  • step 716 the mobile phone decrypts the Euclidean distance (ie, the first Euclidean distance) result to obtain a second Euclidean distance.
  • Step 718 The mobile phone determines whether the user authentication is successful according to the value of the dist (ie, the second Euclidean distance). If the dist is greater than or equal to a certain threshold h, the authentication succeeds, otherwise the authentication fails.
  • the biometric information registration method of an embodiment of the present invention includes:
  • Step 802 The mobile phone collects biometric features of the current user (ie, first biometric information), where the biometric data may be fingerprints, irises, faces, etc., and images of fingerprints, irises, faces, and the like are collected.
  • Step 804: Processing the biometric image, extracting feature data (i.e., first attribute information) that can be identified, and representing the different feature data in vector form to form a vector group, such as (t_1, t_2, ..., t_n).
  • a set of keys ie, preset keys
  • Step 808: Upload (e_1, e_2, ..., e_n) (i.e., the first biometric vector) to the cloud server, for the server to store the first biometric vector as the second biometric template vector.
  • Step 810: the mobile phone stores the key set (k_1, k_2, ..., k_n).
  • the biometric template is not stored locally on the mobile phone, so there is no risk of local leakage;
  • the biometric template stored in the cloud is encrypted and will not leak
  • the mobile phone collects the biometric data of the user, forms a vector, encrypts it and sends it to the cloud server (i.e., the server). With the help of the cloud server, the mobile phone calculates the Euclidean distance between the collected biometric data and the registered biometric template (i.e., between the second biometric vector and the first biometric template vector) and, based on the result, judges whether the authentication is successful.
  • the server can perform correct biometric information matching without decryption, which effectively avoids the prior-art problem that user biometric information stored on the terminal is easily maliciously stolen. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
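
The registration flow (steps 802 to 810) and the authentication flow (steps 702 to 718) can be traced end to end in the following added example, which is not code from the patent. The patent does not name a homomorphic scheme, so the example assumes a toy symmetric somewhat-homomorphic scheme over the integers in the style of DGHV, a single preset key k in place of the key set (k_1, ..., k_n), the squared distance as the value computed on ciphertexts, and the "less than or equal to the preset distance" acceptance rule; all names, parameters and sample vectors are constructed for illustration.

```python
import math
import secrets

# Assumed toy parameters (not from the patent), sized for vectors of at most
# MAX_DIM components with values 0..MAX_VAL. Not sized for real-world security.
MAX_DIM, MAX_VAL = 8, 255
N = 1 << 20      # plaintext modulus, larger than MAX_DIM * MAX_VAL**2
P_BITS = 128     # size of the secret key; accumulated noise stays below 2**77
Q_BITS = 256     # size of the random multiple of the key in each ciphertext
R_BITS = 16      # size of the random noise in each ciphertext


def keygen():
    """Preset key: a random odd P_BITS-bit integer that never leaves the terminal."""
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1


def enc(k, m):
    """Enc_k(m) = k*q + N*r + m, with fresh random q and r for every ciphertext."""
    if not 0 <= m <= MAX_VAL:
        raise ValueError("feature component out of range")
    q = secrets.randbits(Q_BITS) | (1 << (Q_BITS - 1))
    return k * q + N * secrets.randbits(R_BITS) + m


def dec(k, c):
    """Dec_k(c): remove the multiple of k, then the multiple of N."""
    return (c % k) % N


def encrypt_vector(k, features):
    """Encrypt each component of a feature vector (t_1..t_n) into (e_1..e_n)."""
    if not 0 < len(features) <= MAX_DIM:
        raise ValueError("vector length outside the supported range")
    return [enc(k, t) for t in features]


class CloudServer:
    """Holds ciphertexts only: no key, no feature value, no plaintext distance."""

    def __init__(self):
        self.templates = {}

    def register(self, user, e):
        self.templates[user] = list(e)          # step 808: store the template

    def encrypted_distance(self, user, e_probe):
        """Step 712: squared Euclidean distance computed on ciphertexts."""
        e_tpl = self.templates[user]
        if len(e_tpl) != len(e_probe):
            raise ValueError("vector length mismatch")
        return sum((a - b) ** 2 for a, b in zip(e_tpl, e_probe))


class Terminal:
    """Mobile phone: keeps the preset key, never stores the template."""

    def __init__(self, preset_distance):
        self.k = keygen()                        # step 810: key stays local
        self.preset_distance = preset_distance

    def register(self, server, user, features):
        server.register(user, encrypt_vector(self.k, features))

    def authenticate(self, server, user, features):
        probe = encrypt_vector(self.k, features)             # second biometric vector
        first = server.encrypted_distance(user, probe)       # first Euclidean distance
        dist = math.sqrt(dec(self.k, first))                 # second Euclidean distance
        return dist, dist <= self.preset_distance


if __name__ == "__main__":
    # Constructed sample vectors standing in for extracted biometric features.
    server, phone = CloudServer(), Terminal(preset_distance=10.0)
    phone.register(server, "alice", [12, 200, 37, 90, 255, 0, 64, 128])
    print(phone.authenticate(server, "alice", [13, 198, 37, 92, 254, 1, 64, 127]))
    print(phone.authenticate(server, "alice", [200, 12, 90, 37, 0, 255, 128, 64]))
```

Decryption is only correct while the accumulated noise stays below the key and the squared distance stays below N, which is why the block rejects vectors outside the range the parameters were sized for.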

Abstract

Proposed are an identity authentication method, an identity authentication system, a terminal and a server. The identity authentication method comprises: acquiring first biological characteristic information about a pre-set user; and expressing at least one piece of first attribute information of the first biological characteristic information in a vector form and carrying out homomorphic encryption processing on the at least one piece of first attribute information, which is expressed in the vector form, according to a pre-set key pair, so as to generate a first biological characteristic vector; and sending the first biological characteristic vector to the server and storing the first biological characteristic vector as a first biological characteristic template vector by the server. The solution realizes safety storage and efficient authentication of biological characteristic information about a user.

Description

Identity authentication method, identity authentication system, terminal and server
Technical field
The present invention relates to the field of biometric identification technology, and in particular to an identity authentication method, an identity authentication system, a terminal and a server.
Background art
At present, biometric identification technology refers to technology that uses human biometric features for identity authentication. Common biometric identification technologies include fingerprint recognition, face recognition and iris recognition.
Integrating biometric identification technology into a mobile terminal (such as a mobile phone) can effectively protect the security of the information on the mobile terminal. Storage of the biometric template data is a key issue here, because a malicious program on the mobile terminal may steal the biometric template data stored on the terminal and then easily pass biometric authentication, leading to leakage of important information and a poor user experience.
Homomorphic encryption is a special encryption technique that allows specific algebraic operations to be performed on ciphertext, with the result obtained matching the result of performing the same operations on the plaintext. In other words, this technique makes it possible to operate on encrypted data and obtain the correct result without decrypting the data at any point during processing. However, current homomorphic encryption technology cannot yet be applied directly to complex operations such as biometric template matching.
Therefore, a new identity authentication method is needed that combines biometric identification technology with homomorphic encryption technology, so that the server can perform correct biometric information matching without decryption, effectively avoiding the prior-art problem that user biometric information stored on the terminal and the server is easily stolen maliciously, and improving the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
Summary of the invention
The present invention is based on the above problems and proposes a new technical solution: by combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In view of this, a first aspect of the present invention provides an identity authentication method for a terminal, including: collecting first biometric information of a preset user; expressing at least one item of first attribute information of the first biometric information in vector form, and performing homomorphic encryption, according to a preset key, on the at least one item of first attribute information expressed in vector form, to generate a first biometric vector; and sending the first biometric vector to a server, for the server to store the first biometric vector as a first biometric template vector.
In this technical solution, the first biometric template vector is first pre-stored. Specifically, the first attribute information usable for identity authentication in the collected first biometric information of the preset user is expressed in vector form. There may be one or more items of such first attribute information, and expressing each item as a vector yields a vector group representing the first biometric information. Each component vector in the group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector. The preset key may be generated randomly by the terminal or set according to the user's actual needs, and is ultimately stored in the terminal. That is, the first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key. In this way, by combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the method further includes: collecting second biometric information of a current user; expressing at least one item of second attribute information of the second biometric information in vector form, and performing homomorphic encryption, according to the preset key, on the at least one item of second attribute information expressed in vector form, to generate a second biometric vector; sending the second biometric vector to the server, for the server to generate a first Euclidean distance from the second biometric vector and the first biometric template vector; receiving the first Euclidean distance from the server; performing homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds.
In this technical solution, the second attribute information usable for identity authentication in the collected second biometric information of the current user is expressed in vector form. There may be one or more items of such second attribute information, and expressing each item as a vector yields a vector group representing the second biometric information. Each component vector in the group is homomorphically encrypted according to the preset key to obtain the second biometric vector, which is then sent to the server so that the server can, without decrypting, compute the first Euclidean distance between the second biometric vector and its pre-stored first biometric template vector. The first Euclidean distance is, of course, also encrypted, so the server cannot learn its actual value. This prevents the server from misusing the user's first biometric template vector and ensures the security of the matching result.
In addition, storing the first biometric template vector in the server avoids, compared with the prior art, the problem that a first biometric template vector stored on the terminal is easily stolen maliciously. The server sends the computed first Euclidean distance to the terminal, the terminal homomorphically decrypts it to obtain the second Euclidean distance, and whether the second biometric information matches the first biometric information can then be determined from the second Euclidean distance, so as to determine whether identity authentication succeeds. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of identity authentication.
By combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, determining according to the second Euclidean distance whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds, specifically includes: judging whether the second Euclidean distance is less than or equal to a preset distance; when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds; and when the second Euclidean distance is determined to be greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
In this technical solution, whether the second biometric information matches the first biometric information is decided by the second Euclidean distance, and can be determined by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information, indicating that user identity authentication succeeds; otherwise, identity authentication fails. This effectively avoids the prior-art problem that a first biometric template vector stored on the terminal is easily stolen maliciously, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience. The preset distance can be measured and calculated according to the needs of the actual application scenario.
In the above technical solution, preferably, the first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information.
In this technical solution, the first biometric information and the second biometric information include, but are not limited to, at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information. That is, the solution can be implemented on the basis of different kinds of biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that a first biometric template vector stored on the terminal is easily stolen maliciously is effectively avoided, which improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
According to a second aspect of the present invention, an identity authentication system for a terminal is provided, including: a collection module, configured to collect first biometric information of a preset user; an encryption module, configured to express at least one item of first attribute information of the first biometric information in vector form, and to perform homomorphic encryption, according to a preset key, on the at least one item of first attribute information expressed in vector form, to generate a first biometric vector; and a first sending module, configured to send the first biometric vector to a server, for the server to store the first biometric vector as a first biometric template vector.
In this technical solution, the first biometric template vector is first pre-stored. Specifically, the first attribute information usable for identity authentication in the collected first biometric information of the preset user is expressed in vector form. There may be one or more items of such first attribute information, and expressing each item as a vector yields a vector group representing the first biometric information. Each component vector in the group is homomorphically encrypted according to the stored preset key to obtain the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector. The preset key may be generated randomly by the terminal or set according to the user's actual needs, and is ultimately stored in the terminal. That is, the first biometric template vector generated by homomorphic encryption is stored in the server, while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key. In this way, by combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the collection module is further configured to collect second biometric information of a current user; the encryption module is further configured to express at least one item of second attribute information of the second biometric information in vector form, and to perform homomorphic encryption, according to the preset key, on the at least one item of second attribute information expressed in vector form, to generate a second biometric vector; the first sending module is further configured to send the second biometric vector to the server, for the server to generate a first Euclidean distance from the second biometric vector and the first biometric template vector; and the identity authentication system further includes: a first receiving module, configured to receive the first Euclidean distance from the server; a decryption module, configured to perform homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and a judging module, configured to determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds.
In this technical solution, the second attribute information usable for identity authentication in the collected second biometric information of the current user is expressed in vector form. There may be one or more items of such second attribute information, and expressing each item as a vector yields a vector group representing the second biometric information. Each component vector in the group is homomorphically encrypted according to the preset key to obtain the second biometric vector, which is then sent to the server so that the server can, without decrypting, compute the first Euclidean distance between the second biometric vector and its pre-stored first biometric template vector. The first Euclidean distance is, of course, also encrypted, so the server cannot learn its actual value. This prevents the server from misusing the user's first biometric template vector and ensures the security of the matching result.
In addition, storing the first biometric template vector in the server avoids, compared with the prior art, the problem that a first biometric template vector stored on the terminal is easily stolen maliciously. The server sends the computed first Euclidean distance to the terminal, the terminal homomorphically decrypts it to obtain the second Euclidean distance, and whether the second biometric information matches the first biometric information can then be determined from the second Euclidean distance, so as to determine whether identity authentication succeeds. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of identity authentication.
By combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the judging module is specifically configured to judge whether the second Euclidean distance is less than or equal to a preset distance; when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds; and when the second Euclidean distance is determined to be greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
In this technical solution, whether the second biometric information matches the first biometric information is decided by the second Euclidean distance, and can be determined by comparing the second Euclidean distance with the preset distance. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information, indicating that user identity authentication succeeds; otherwise, identity authentication fails. This effectively avoids the prior-art problem that a first biometric template vector stored on the terminal is easily stolen maliciously, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience. The preset distance can be measured and calculated according to the needs of the actual application scenario.
In the above technical solution, preferably, the first biometric information and the second biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information.
In this technical solution, the first biometric information and the second biometric information include, but are not limited to, at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information. That is, the solution can be implemented on the basis of different kinds of biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that a first biometric template vector stored on the terminal is easily stolen maliciously is effectively avoided, which improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
According to a third aspect of the present invention, an identity authentication method for a server is provided, including: receiving a third biometric vector from a terminal; and storing the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of collected third biometric information of a preset user.
In this technical solution, the second biometric template vector is first stored. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, which provides the necessary precondition for the subsequent matching step to proceed smoothly. The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information usable for identity authentication in the collected third biometric information of the preset user. It is therefore an encrypted vector whose actual content the server likewise cannot learn. This prevents the server from misusing the user's biometric information and further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
In the above technical solution, preferably, the method further includes: receiving a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of collected fourth biometric information of a current user; obtaining a third Euclidean distance from the fourth biometric vector and the second biometric template vector; and sending the third Euclidean distance to the terminal, for the terminal to determine, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information.
In this technical solution, the third Euclidean distance computed from the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal can homomorphically decrypt it and then determine whether identity authentication succeeds. The fourth biometric vector is obtained by the terminal performing homomorphic encryption on each item of fourth attribute information usable for identity authentication in the collected fourth biometric information of the current user. It is therefore an encrypted vector whose actual content the server cannot learn. In this way, by combining biometric identification technology with homomorphic encryption technology, the server can perform correct biometric information matching without decryption, the prior-art problem that user biometric information stored on the terminal is easily stolen maliciously is effectively avoided, secure storage of the user's biometric information is achieved, the server is prevented from misusing the user's biometric information, and the security and reliability of identity authentication based on biometric information are further improved, thereby improving the user experience.
In addition, the third biometric information and the fourth biometric information include, but are not limited to, at least one of the following or a combination thereof: fingerprint image information, iris image information and face image information. That is, the solution can be implemented on the basis of different kinds of biometric information, so that the server can perform correct biometric information matching without decryption and the prior-art problem that a second biometric template vector stored on the terminal is easily stolen maliciously is effectively avoided, which improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
According to a fourth aspect of the present invention, an identity authentication system for a server is provided, including: a second receiving module, configured to receive a third biometric vector from a terminal; and a storage module, configured to store the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of collected third biometric information of a preset user.
In this technical solution, the second biometric template vector is first stored. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, which provides the necessary precondition for the subsequent matching step to proceed smoothly. The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information usable for identity authentication in the collected third biometric information of the preset user. It is therefore an encrypted vector whose actual content the server likewise cannot learn. This prevents the server from misusing the user's biometric information and further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
In the above technical solution, preferably, the second receiving module is further configured to receive a fourth biometric vector from the terminal, where the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of collected fourth biometric information of a current user; the identity authentication system further includes: a processing module, configured to obtain a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and the identity authentication system further includes: a second sending module, configured to send the third Euclidean distance to the terminal, so that the terminal determines, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one or a combination of the following: fingerprint image information, iris image information, and face image information.
In this technical solution, the third Euclidean distance computed from the fourth biometric vector and the second biometric template vector is sent to the terminal, which homomorphically decrypts it and then determines whether identity authentication succeeds. The fourth biometric vector is obtained by the terminal performing homomorphic encryption on each item of fourth attribute information, usable for identity authentication, of the collected fourth biometric information of the current user. It is therefore an encrypted vector whose content the server cannot learn. By combining biometric recognition with homomorphic encryption in this way, the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, the server is prevented from misusing it, and the security and reliability of identity authentication based on biometric information are further improved, thereby improving the user experience.
In addition, the third biometric information and the fourth biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution can be implemented on different kinds of biometric information, so that the server can match biometric information correctly without decrypting it, and the prior-art problem that a second biometric template vector stored on the terminal is easily stolen is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
According to a fifth aspect of the present invention, a terminal is provided, including the identity authentication system for a terminal according to any one of the above technical solutions. The terminal therefore has all the beneficial effects of the identity authentication system for a terminal according to any one of the above technical solutions, which are not repeated here.
According to a sixth aspect of the present invention, a server is provided, including the identity authentication system for a server according to any one of the above technical solutions. The server therefore has all the beneficial effects of the identity authentication system for a server according to any one of the above technical solutions, which are not repeated here.
With the technical solution of the present invention, biometric recognition can be combined with homomorphic encryption so that the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
Description of the Drawings
FIG. 1 is a schematic flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 2 is a block diagram of an identity authentication system according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of an identity authentication method according to another embodiment of the present invention;
FIG. 4 is a block diagram of an identity authentication system according to another embodiment of the present invention;
FIG. 5 is a block diagram of a terminal according to an embodiment of the present invention;
FIG. 6 is a block diagram of a server according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of an identity authentication method according to still another embodiment of the present invention;
FIG. 8 is a schematic flowchart of a biometric information registration method according to an embodiment of the present invention.
Detailed Description
To make the above objects, features, and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the embodiments of this application and the features in the embodiments may be combined with each other where they do not conflict.
Many specific details are set forth in the following description to facilitate a full understanding of the present invention. However, the present invention may also be implemented in other ways different from those described here, and the scope of protection of the present invention is therefore not limited by the specific embodiments disclosed below.
FIG. 1 is a schematic flowchart of an identity authentication method according to an embodiment of the present invention.
As shown in FIG. 1, an identity authentication method for a terminal according to an embodiment of the present invention includes: step 102, collecting first biometric information of a preset user; step 104, representing at least one item of first attribute information of the first biometric information in vector form, and performing homomorphic encryption, according to a preset key, on the at least one item of first attribute information represented in vector form, to generate a first biometric vector; and step 106, sending the first biometric vector to a server, so that the server stores the first biometric vector as a first biometric template vector.
In this technical solution, the first biometric template vector is pre-stored first. Specifically, the first attribute information usable for identity authentication in the collected first biometric information of the preset user is represented in vector form. There may be one or more items of such first attribute information, and representing each item in vector form yields a vector group that represents the first biometric information. Homomorphically encrypting each component vector in the vector group with the stored preset key yields the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector. The preset key may be generated randomly by the terminal or set according to the user's actual needs, and it is ultimately stored in the terminal. In other words, the homomorphically encrypted first biometric template vector is stored on the server while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key. By combining biometric recognition with homomorphic encryption in this way, the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the method further includes: collecting second biometric information of a current user; representing at least one item of second attribute information of the second biometric information in vector form, and performing homomorphic encryption, according to the preset key, on the at least one item of second attribute information represented in vector form, to generate a second biometric vector; sending the second biometric vector to the server, so that the server generates a first Euclidean distance according to the second biometric vector and the first biometric template vector; receiving the first Euclidean distance from the server; performing homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, to determine whether identity authentication succeeds.
In this technical solution, the second attribute information usable for identity authentication in the collected second biometric information of the current user is represented in vector form. There may be one or more items of such second attribute information, and representing each item in vector form yields a vector group that represents the second biometric information. Homomorphically encrypting each component vector in the vector group with the preset key yields the second biometric vector, which is then sent to the server so that the server, without decrypting, computes the first Euclidean distance between the second biometric vector and its pre-stored first biometric template vector. The first Euclidean distance is of course also encrypted, so the server cannot learn its actual value either. This prevents the server from misusing the user's first biometric template vector and ensures the security of the matching result.
In addition, because the first biometric template vector is stored on the server, the prior-art problem that a first biometric template vector stored on the terminal is easily stolen is avoided. The server sends the computed first Euclidean distance to the terminal, which homomorphically decrypts it to obtain the second Euclidean distance. The terminal can then determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, and thus whether identity authentication succeeds. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of identity authentication.
By combining biometric recognition with homomorphic encryption, the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, to determine whether identity authentication succeeds, specifically includes: determining whether the second Euclidean distance is less than or equal to a preset distance; when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds; and when the second Euclidean distance is determined to be greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
In this technical solution, whether the second biometric information matches the first biometric information is determined by the second Euclidean distance: comparing the second Euclidean distance with the preset distance determines whether they match. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information, which indicates that user identity authentication succeeds; otherwise, identity authentication fails. This effectively avoids the prior-art problem that a first biometric template vector stored on the terminal is easily stolen, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience. The preset distance can be determined by measurement according to the needs of the actual application scenario.
In the above technical solution, preferably, the first biometric information and the second biometric information include at least one or a combination of the following: fingerprint image information, iris image information, and face image information.
In this technical solution, the first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution can be implemented on different kinds of biometric information, so that the server can match biometric information correctly without decrypting it, and the prior-art problem that a first biometric template vector stored on the terminal is easily stolen is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
FIG. 2 is a block diagram of an identity authentication system according to an embodiment of the present invention.
As shown in FIG. 2, an identity authentication system 200 for a terminal according to an embodiment of the present invention includes: a collection module 202, configured to collect first biometric information of a preset user; an encryption module 204, configured to represent at least one item of first attribute information of the first biometric information in vector form, and to perform homomorphic encryption, according to a preset key, on the at least one item of first attribute information represented in vector form, to generate a first biometric vector; and a first sending module 206, configured to send the first biometric vector to a server, so that the server stores the first biometric vector as a first biometric template vector.
In this technical solution, the first biometric template vector is pre-stored first. Specifically, the first attribute information usable for identity authentication in the collected first biometric information of the preset user is represented in vector form. There may be one or more items of such first attribute information, and representing each item in vector form yields a vector group that represents the first biometric information. Homomorphically encrypting each component vector in the vector group with the stored preset key yields the first biometric vector, which is then sent to the server and stored by the server as the first biometric template vector. The preset key may be generated randomly by the terminal or set according to the user's actual needs, and it is ultimately stored in the terminal. In other words, the homomorphically encrypted first biometric template vector is stored on the server while the preset key used for decryption is stored in the terminal, so the server cannot learn the preset key. By combining biometric recognition with homomorphic encryption in this way, the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the collection module 202 is further configured to collect second biometric information of a current user; the encryption module 204 is further configured to represent at least one item of second attribute information of the second biometric information in vector form, and to perform homomorphic encryption, according to the preset key, on the at least one item of second attribute information represented in vector form, to generate a second biometric vector; the first sending module 206 is further configured to send the second biometric vector to the server, so that the server generates a first Euclidean distance according to the second biometric vector and the first biometric template vector; and the identity authentication system 200 further includes: a first receiving module 208, configured to receive the first Euclidean distance from the server; a decryption module 210, configured to perform homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance; and a judging module 212, configured to determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, to determine whether identity authentication succeeds.
In this technical solution, the second attribute information usable for identity authentication in the collected second biometric information of the current user is represented in vector form. There may be one or more items of such second attribute information, and representing each item in vector form yields a vector group that represents the second biometric information. Homomorphically encrypting each component vector in the vector group with the preset key yields the second biometric vector, which is then sent to the server so that the server, without decrypting, computes the first Euclidean distance between the second biometric vector and its pre-stored first biometric template vector. The first Euclidean distance is of course also encrypted, so the server cannot learn its actual value either. This prevents the server from misusing the user's first biometric template vector and ensures the security of the matching result.
In addition, because the first biometric template vector is stored on the server, the prior-art problem that a first biometric template vector stored on the terminal is easily stolen is avoided. The server sends the computed first Euclidean distance to the terminal, which homomorphically decrypts it to obtain the second Euclidean distance. The terminal can then determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, and thus whether identity authentication succeeds. That is, the preset key used for homomorphic decryption is stored in the terminal and the server cannot learn it, which further ensures the security and reliability of identity authentication.
By combining biometric recognition with homomorphic encryption, the server can match biometric information correctly without decrypting it, and the prior-art problem that user biometric information stored on the terminal is easily stolen is effectively avoided. The user's biometric information is stored securely, and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
In the above technical solution, preferably, the judging module 212 is specifically configured to determine whether the second Euclidean distance is less than or equal to a preset distance; when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds; and when the second Euclidean distance is determined to be greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
In this technical solution, whether the second biometric information matches the first biometric information is determined by the second Euclidean distance: comparing the second Euclidean distance with the preset distance determines whether they match. Specifically, when the second Euclidean distance is determined to be less than or equal to the preset distance, the second biometric information matches the first biometric information, which indicates that user identity authentication succeeds; otherwise, identity authentication fails. This effectively avoids the prior-art problem that a first biometric template vector stored on the terminal is easily stolen, and improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience. The preset distance can be determined by measurement according to the needs of the actual application scenario.
In the above technical solution, preferably, the first biometric information and the second biometric information include at least one or a combination of the following: fingerprint image information, iris image information, and face image information.
In this technical solution, the first biometric information and the second biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information, and face image information. That is, the solution can be implemented on different kinds of biometric information, so that the server can match biometric information correctly without decrypting it, and the prior-art problem that a first biometric template vector stored on the terminal is easily stolen is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further improves the applicability of identity authentication.
FIG. 3 is a schematic flowchart of an identity authentication method according to another embodiment of the present invention.
As shown in FIG. 3, an identity authentication method for a server according to another embodiment of the present invention includes: step 302, receiving a third biometric vector from a terminal; and step 304, storing the third biometric vector as the second biometric template vector, where the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of collected third biometric information of a preset user.
In this technical solution, the second biometric template vector is stored first. Specifically, the third biometric vector received from the terminal is stored as the second biometric template vector, which provides the necessary precondition for the subsequent matching step. The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information, usable for identity authentication, of the collected third biometric information of the preset user. It is therefore an encrypted vector whose content the server likewise cannot learn. This prevents the server from misusing the user's biometric information and further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
In the above technical solution, preferably, the method further includes: receiving a fourth biometric vector from the terminal, where the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of collected fourth biometric information of a current user; obtaining a third Euclidean distance according to the fourth biometric vector and the second biometric template vector; and sending the third Euclidean distance to the terminal, so that the terminal determines, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one or a combination of the following: fingerprint image information, iris image information, and face image information.
在该技术方案中,通过将根据第四生物特征向量与第二生物特征模板向量计算得到的第三欧氏距离发送至终端,以供终端对其进行同态解密,进而确定身份认证是否成功,其中,第四生物特征向量是终端对采集到的当前用户的第四生物特征信息的可供身份认证的每一项第四属性信息进行同态加密处理得到的,即是经加密处理得到的向量,服务器无法获知其具体内容,如此,通过将生物识别技术与同态加密技术相结合,使服务器不需要解密就能进行正确的生物特征信息匹配,并可以有效的避免现有技术中因将用户生物特征信息存储在终端上易被恶意窃取的问题,实现了用户生物特征信息的安全储存,避免了服务器滥用用户的生物特征信息,进一步提高了基于生物特征信息的身份认证的安全性和可靠性,从而提升了用户体验。In the technical solution, the third Euclidean distance calculated according to the fourth biometric vector and the second biometric template vector is sent to the terminal, so that the terminal performs homomorphic decryption to determine whether the identity authentication is successful. The fourth biometric vector is obtained by the terminal performing homomorphic encryption processing on each fourth attribute information of the fourth biometric information of the current user that is available for identity authentication, that is, a vector obtained by encryption processing. The server cannot know the specific content. Thus, by combining the biometric technology with the homomorphic encryption technology, the server can perform correct biometric information matching without decryption, and can effectively avoid the user in the prior art. The biometric information is stored on the terminal and is easily stolen by malicious people, which realizes the safe storage of the biometric information of the user, avoids the abuse of the biometric information of the user by the server, and further improves the security and reliability of the identity authentication based on the biometric information. , which enhances the user experience.
另外,第三生物特征信息和第四生物特征信息至少包含但不限于以下之一或其组合:指纹图像信息、虹膜图像信息和人脸图像信息,即本方案可以基于不同的生物特征信息实现,以使服务器不需要解密就能进行正确的生物特征信息匹配并可以有效的避免现有技术中因将第二生物特征模板向量存储在终端上易被恶意窃取的问题,进而提高基于生物特征信息的身份认证的安全性和可靠性的效果,进一步提高了身份认证的适用性。In addition, the third biometric information and the fourth biometric information include at least but not limited to one of the following or a combination thereof: fingerprint image information, iris image information, and face image information, that is, the solution may be implemented based on different biometric information, So that the server can perform correct biometric information matching without decryption, and can effectively avoid the problem that the second biometric template vector is easily maliciously stolen on the terminal in the prior art, thereby improving the biometric information based. The effectiveness of identity authentication and reliability further enhances the applicability of identity authentication.
FIG. 4 shows a block diagram of an identity authentication system according to another embodiment of the present invention.
As shown in FIG. 4, an identity authentication system 400 according to another embodiment of the present invention, for a server, includes: a second receiving module 402, configured to receive a third biometric vector from a terminal; and a storage module 404, configured to store the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of the collected third biometric information of the preset user.
In this technical solution, the second biometric template vector is stored first: the third biometric vector received from the terminal is stored as the second biometric template vector, which is the prerequisite for the subsequent matching step. The third biometric vector is obtained by the terminal performing homomorphic encryption on each item of third attribute information, usable for identity authentication, of the collected third biometric information of the preset user. It is therefore an encrypted vector whose content the server cannot learn. This prevents the server from abusing the user's biometric information and further improves the security and reliability of identity authentication based on biometric information, thereby improving the user experience.
In the above technical solution, preferably, the second receiving module 402 is further configured to receive a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of the collected fourth biometric information of the current user; and the identity authentication system further includes: a processing module 406, configured to obtain a third Euclidean distance from the fourth biometric vector and the second biometric template vector; and a second sending module 408, configured to send the third Euclidean distance to the terminal, so that the terminal determines from the third Euclidean distance whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one or a combination of the following: fingerprint image information, iris image information and face image information.
In this technical solution, the third Euclidean distance computed from the fourth biometric vector and the second biometric template vector is sent to the terminal, which homomorphically decrypts it and thereby determines whether identity authentication succeeded. The fourth biometric vector is obtained by the terminal performing homomorphic encryption on each item of fourth attribute information, usable for identity authentication, of the collected fourth biometric information of the current user. It is therefore an encrypted vector whose content the server cannot learn. Combining biometric recognition with homomorphic encryption in this way lets the server match biometric information correctly without decrypting it, and effectively avoids the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties. The user's biometric information is stored securely, the server cannot abuse it, and the security and reliability of identity authentication based on biometric information are further improved, thereby improving the user experience.
In addition, the third biometric information and the fourth biometric information include, but are not limited to, one or a combination of the following: fingerprint image information, iris image information and face image information. The solution can therefore be implemented on different kinds of biometric information, so that the server can match biometric information correctly without decryption and the prior-art problem that a second biometric template vector stored on the terminal is easily stolen by malicious parties is effectively avoided. This improves the security and reliability of identity authentication based on biometric information and further broadens the applicability of identity authentication.
FIG. 5 shows a block diagram of a terminal according to an embodiment of the present invention.
As shown in FIG. 5, a terminal 500 according to an embodiment of the present invention includes the identity authentication system 200 for the terminal 500 according to any one of the above technical solutions, and therefore has all the beneficial effects of that identity authentication system 200, which are not repeated here.
FIG. 6 shows a block diagram of a server according to an embodiment of the present invention.
As shown in FIG. 6, a server 600 according to an embodiment of the present invention includes the identity authentication system 400 for the server 600 according to any one of the above technical solutions, and therefore has all the beneficial effects of that identity authentication system 400, which are not repeated here.
The technical solution of the present invention is described in detail below with reference to FIG. 7 and FIG. 8:
FIG. 7 shows a schematic flowchart of an identity authentication method according to yet another embodiment of the present invention.
FIG. 8 shows a schematic flowchart of a biometric information registration method according to an embodiment of the present invention.
In this embodiment, the biometric template (i.e., the first biometric template vector) is represented as a vector, and each component of that vector is homomorphically encrypted separately. At least one item of second attribute information of the second biometric information is represented in vector form and homomorphically encrypted with the preset key to generate the second biometric vector. The similarity between the two vectors (i.e., the second biometric vector and the first biometric template vector) is determined by their Euclidean distance: when the distance between them is less than a threshold (i.e., the preset distance), the match is considered successful; otherwise the match fails. The cloud computes the Euclidean distance between the two encrypted vectors (i.e., the first Euclidean distance) and sends the result to the mobile phone, which decrypts it to obtain the Euclidean distance between the two unencrypted vectors (i.e., the second Euclidean distance) and thereby determines whether the user is authenticated.
In the description of this solution, Enc_k denotes a homomorphic encryption operation performed with k as the key, and Dec_k denotes a homomorphic decryption operation performed with k as the key;
This solution comprises two processes: the biometric registration and upload process, and the identity authentication process.
As shown in FIG. 7, the identity authentication method according to yet another embodiment of the present invention specifically includes:
Step 702: the mobile phone collects a biometric image of the user (i.e., the second biometric information).
Step 704: the biometric image is processed and its different features are extracted and represented in vector form, forming a biometric vector group such as (t'_1, t'_2, ..., t'_n).
Step 706: the key group (k_1, k_2, ..., k_n) stored on the mobile phone is read, and each component of the above feature vector is homomorphically encrypted separately, obtaining
Figure PCTCN2015088472-appb-000001
(i.e., the second biometric vector), where i = 1, 2, ..., n.
That is, at least one item of second attribute information of the second biometric information is represented in vector form, and the at least one item of second attribute information represented in vector form is homomorphically encrypted with the preset key to generate the second biometric vector.
Step 708: (e'_1, e'_2, ..., e'_n) (i.e., the second biometric vector) is uploaded to the cloud server.
Step 710: the cloud server reads the stored encrypted biometric template (e_1, e_2, ..., e_n).
Step 712: the cloud server computes the Euclidean distance between the input biometric and the registered biometric template as
Figure PCTCN2015088472-appb-000002
That is, the server generates the first Euclidean distance from the second biometric vector and the first biometric vector.
Step 714: the cloud server sends the Euclidean distance (i.e., the first Euclidean distance) to the mobile phone.
Step 716: the mobile phone decrypts the Euclidean distance result (i.e., the first Euclidean distance) to obtain the second Euclidean distance.
Step 718: the mobile phone determines from the value of dist (i.e., the second Euclidean distance) whether user authentication succeeded: if dist is greater than or equal to a threshold h, authentication succeeds; otherwise authentication fails.
As shown in FIG. 8, the biometric information registration method according to an embodiment of the present invention includes:
Step 802: the mobile phone collects the current user's biometric (i.e., the first biometric information). The biometric data here may be a fingerprint, iris, face and so on; what is collected is an image of the fingerprint, iris, face and so on.
Step 804: the biometric image is processed, feature data usable for identification (i.e., the first attribute information) is extracted, and the different feature data are represented in vector form, forming a vector group such as (t_1, t_2, ..., t_n).
Step 806: a group of keys (i.e., the preset key) is selected, for example k_1, k_2, ..., k_n, and each component of the vector group (t_1, t_2, ..., t_n) is homomorphically encrypted separately, obtaining
Figure PCTCN2015088472-appb-000003
(i.e., the second biometric vector), where i = 1, 2, ..., n.
Step 808: (e_1, e_2, ..., e_n) (i.e., the first biometric vector) is uploaded to the cloud server, so that the server stores the first biometric vector as the second biometric template vector.
Step 810: the mobile phone stores the key group (k_1, k_2, ..., k_n).
Beneficial effects of this embodiment:
1. The mobile phone does not store the biometric template locally, so there is no risk of local leakage;
2. The biometric template stored in the cloud is encrypted and will not leak;
3. Using a homomorphic encryption scheme ensures that user authentication can be performed on the encrypted biometric template without decrypting it.
In this embodiment, the mobile phone collects the user's biometric data, forms it into a vector, encrypts it and sends it to the cloud server (i.e., the server). With the help of the cloud server, the mobile phone computes the Euclidean distance between the collected biometric data and the registered biometric template (i.e., between the second biometric vector and the first biometric template vector), and determines from the result whether authentication succeeded.
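The registration flow of FIG. 8 and the authentication flow of FIG. 7, as an added sketch that is not code from the patent. The patent does not name a homomorphic scheme, so this uses a toy symmetric scheme over the integers with one key for all components (both assumptions, with toy parameters that are not a secure choice); it computes the squared Euclidean distance and applies the match rule of claim 3 (distance less than or equal to the preset distance).

```python
import secrets

# Toy parameters (assumptions for this sketch, not values from the patent).
N = 1 << 32        # plaintext modulus; the squared distance must stay below it
NOISE_BITS = 16    # bits of random noise r added to every ciphertext
KEY_BITS = 256     # bits of the terminal's secret key p
FEATURE_MAX = 255  # each feature component t_i is an integer in [0, 255]


def keygen():
    """Secret key kept on the terminal: a random odd KEY_BITS-bit integer."""
    return secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1


def enc(p, m):
    """Enc_p(m) = m + N*r + p*q. Sums and products of ciphertexts decrypt to
    sums and products of plaintexts while the noise term stays below p/2."""
    r = secrets.randbits(NOISE_BITS)
    q = secrets.randbits(KEY_BITS)
    return m + N * r + p * q


def dec(p, c):
    """Dec_p(c): reduce mod p into (-p/2, p/2], then reduce mod N."""
    v = c % p
    if v > p // 2:
        v -= p
    return v % N


class Terminal:
    """Phone side: holds the key and the threshold, never stores a template."""

    def __init__(self, threshold):
        self.key = keygen()
        self.threshold = threshold  # preset distance, in feature units

    def encrypt_features(self, features):
        """Steps 806 and 706: encrypt each component of the feature vector."""
        for t in features:
            if not 0 <= t <= FEATURE_MAX:
                raise ValueError("feature component out of range")
        if len(features) * FEATURE_MAX ** 2 >= N:
            raise ValueError("vector too long: squared distance could wrap mod N")
        return [enc(self.key, t) for t in features]

    def decide(self, enc_dist_sq):
        """Steps 716 and 718: decrypt the distance and compare to the threshold."""
        dist_sq = dec(self.key, enc_dist_sq)
        return dist_sq, dist_sq <= self.threshold ** 2


class Server:
    """Cloud side: stores and combines ciphertexts only, holds no key."""

    def __init__(self):
        self.templates = {}

    def register(self, user, enc_template):
        """Step 808: store the encrypted vector as the template."""
        self.templates[user] = list(enc_template)

    def encrypted_distance(self, user, enc_probe):
        """Steps 710 and 712: sum of (e_i - e'_i)^2 computed on ciphertexts."""
        template = self.templates[user]
        if len(template) != len(enc_probe):
            raise ValueError("probe and template lengths differ")
        return sum((e - ep) ** 2 for e, ep in zip(template, enc_probe))


def authenticate(terminal, server, user, features):
    """Steps 702 to 718 end to end; returns (squared distance, accepted)."""
    enc_probe = terminal.encrypt_features(features)
    enc_dist = server.encrypted_distance(user, enc_probe)
    return terminal.decide(enc_dist)


def demo():
    """Constructed sample vectors: one close probe and one distant probe."""
    terminal, server = Terminal(threshold=10), Server()
    enrolled = [12, 200, 45, 90]
    server.register("alice", terminal.encrypt_features(enrolled))
    genuine = authenticate(terminal, server, "alice", [14, 198, 47, 91])
    impostor = authenticate(terminal, server, "alice", [100, 20, 250, 3])
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```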
The technical solution of the present invention has been described in detail above with reference to the accompanying drawings. Combining biometric recognition with homomorphic encryption lets the server match biometric information correctly without decrypting it, and effectively avoids the prior-art problem that user biometric information stored on the terminal is easily stolen by malicious parties. The user's biometric information is stored securely and the security and reliability of identity authentication based on biometric information are improved, thereby improving the user experience.
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and changes to the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (14)

  1. An identity authentication method for a terminal, characterized by comprising:
    collecting first biometric information of a preset user;
    representing at least one item of first attribute information of the first biometric information in vector form, and performing homomorphic encryption, according to a preset key, on the at least one item of first attribute information represented in vector form to generate a first biometric vector;
    sending the first biometric vector to a server, so that the server stores the first biometric vector as a first biometric template vector.
  2. The identity authentication method according to claim 1, characterized by further comprising:
    collecting second biometric information of a current user;
    representing at least one item of second attribute information of the second biometric information in vector form, and performing homomorphic encryption, according to the preset key, on the at least one item of second attribute information represented in vector form to generate a second biometric vector;
    sending the second biometric vector to the server, so that the server generates a first Euclidean distance from the second biometric vector and the first biometric template vector;
    receiving the first Euclidean distance from the server;
    performing homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance;
    determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds.
  3. The identity authentication method according to claim 2, characterized in that determining, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds, specifically comprises:
    judging whether the second Euclidean distance is less than or equal to a preset distance; and
    when it is determined that the second Euclidean distance is less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds;
    when it is determined that the second Euclidean distance is greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
  4. The identity authentication method according to any one of claims 1 to 3, characterized in that
    the first biometric information and the second biometric information include at least one or a combination of the following: fingerprint image information, iris image information and face image information.
  5. An identity authentication system for a terminal, characterized by comprising:
    a collection module, configured to collect first biometric information of a preset user;
    an encryption module, configured to represent at least one item of first attribute information of the first biometric information in vector form, and to perform homomorphic encryption, according to a preset key, on the at least one item of first attribute information represented in vector form to generate a first biometric vector;
    a first sending module, configured to send the first biometric vector to a server, so that the server stores the first biometric vector as a first biometric template vector.
  6. The identity authentication system according to claim 5, characterized in that
    the collection module is further configured to collect second biometric information of a current user;
    the encryption module is further configured to represent at least one item of second attribute information of the second biometric information in vector form, and to perform homomorphic encryption, according to the preset key, on the at least one item of second attribute information represented in vector form to generate a second biometric vector;
    the first sending module is further configured to send the second biometric vector to the server, so that the server generates a first Euclidean distance from the second biometric vector and the first biometric template vector; and
    the identity authentication system further comprises:
    a first receiving module, configured to receive the first Euclidean distance from the server;
    a decryption module, configured to perform homomorphic decryption on the first Euclidean distance to obtain a second Euclidean distance;
    a judging module, configured to determine, according to the second Euclidean distance, whether the second biometric information matches the first biometric information, so as to determine whether identity authentication succeeds.
  7. The identity authentication system according to claim 6, characterized in that the judging module is specifically configured to judge whether the second Euclidean distance is less than or equal to a preset distance; and
    when it is determined that the second Euclidean distance is less than or equal to the preset distance, the second biometric information matches the first biometric information and identity authentication succeeds;
    when it is determined that the second Euclidean distance is greater than the preset distance, the second biometric information fails to match the first biometric information and identity authentication fails.
  8. The identity authentication system according to any one of claims 5 to 7, characterized in that
    the first biometric information and the second biometric information include at least one or a combination of the following: fingerprint image information, iris image information and face image information.
  9. An identity authentication method for a server, characterized by comprising:
    receiving a third biometric vector from a terminal;
    storing the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of the collected third biometric information of a preset user.
  10. The identity authentication method according to claim 9, characterized by further comprising:
    receiving a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of the collected fourth biometric information of a current user;
    obtaining a third Euclidean distance from the fourth biometric vector and the second biometric template vector;
    sending the third Euclidean distance to the terminal, so that the terminal determines, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and
    the third biometric information and the fourth biometric information include at least one or a combination of the following: fingerprint image information, iris image information and face image information.
  11. An identity authentication system for a server, characterized by comprising:
    a second receiving module, configured to receive a third biometric vector from a terminal;
    a storage module, configured to store the third biometric vector as the second biometric template vector, wherein the third biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of third attribute information of the collected third biometric information of a preset user.
  12. The identity authentication system according to claim 11, characterized in that the second receiving module is further configured to receive a fourth biometric vector from the terminal, wherein the fourth biometric vector is obtained by the terminal performing homomorphic encryption on at least one item of fourth attribute information of the collected fourth biometric information of a current user; and
    the identity authentication system further comprises:
    a processing module, configured to obtain a third Euclidean distance from the fourth biometric vector and the second biometric template vector;
    a second sending module, configured to send the third Euclidean distance to the terminal, so that the terminal determines, according to the third Euclidean distance, whether the fourth biometric information matches the third biometric information; and the third biometric information and the fourth biometric information include at least one or a combination of the following: fingerprint image information, iris image information and face image information.
  13. A terminal, characterized by comprising the identity authentication system according to any one of claims 5 to 8.
  14. A server, characterized by comprising the identity authentication system according to claim 11 or 12.
PCT/CN2015/088472 2015-07-23 2015-08-30 Identity authentication method, identity authentication system, terminal and server WO2017012175A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510439665.7A CN105635099A (en) 2015-07-23 2015-07-23 Identity authentication method, identity authentication system, terminal and server
CN201510439665.7 2015-07-23

Publications (1)

Publication Number Publication Date
WO2017012175A1 true WO2017012175A1 (en) 2017-01-26

Family

ID=56049595

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/088472 WO2017012175A1 (en) 2015-07-23 2015-08-30 Identity authentication method, identity authentication system, terminal and server

Country Status (2)

Country Link
CN (1) CN105635099A (en)
WO (1) WO2017012175A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112000940A (en) * 2020-09-11 2020-11-27 支付宝(杭州)信息技术有限公司 User identification method, device and equipment under privacy protection
CN112163542A (en) * 2020-10-12 2021-01-01 桂林电子科技大学 ElGamal encryption-based palm print privacy authentication method
CN117201698A (en) * 2023-11-07 2023-12-08 北京隐算科技有限公司 Safe and efficient image recognition method

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018090183A1 (en) * 2016-11-15 2018-05-24 深圳达闼科技控股有限公司 Identity authentication method, terminal device, authentication server and electronic device
US11328044B2 (en) 2017-01-19 2022-05-10 Huawei Technologies Co., Ltd. Dynamic recognition method and terminal device
CN106951865B (en) * 2017-03-21 2020-04-07 东莞理工学院 Privacy protection biological identification method based on Hamming distance
CN107196918B (en) * 2017-04-27 2020-10-30 北京小米移动软件有限公司 Data matching method and device
CN107919965B (en) * 2018-01-05 2020-10-09 杭州电子科技大学 Biological characteristic sensitive information outsourcing identity authentication method based on homomorphic encryption
CN108509874A (en) * 2018-03-16 2018-09-07 联想(北京)有限公司 A kind of data processing method and electronic equipment, computer storage media
CN108933655A (en) * 2018-07-12 2018-12-04 江苏慧学堂系统工程有限公司 A kind of computer network authentication system
CN109150538B (en) * 2018-07-16 2021-06-25 广州大学 Fingerprint and voiceprint fusion identity authentication method
CN109145829A (en) * 2018-08-24 2019-01-04 中共中央办公厅电子科技学院 A kind of safe and efficient face identification method based on deep learning and homomorphic cryptography
CN109714148B (en) * 2018-12-13 2022-06-10 北京九州云腾科技有限公司 Method for remote multi-party authentication of user identity
CN112084476A (en) * 2020-09-02 2020-12-15 支付宝(杭州)信息技术有限公司 Biological identification identity verification method, client, server, equipment and system
CN115086014A (en) * 2022-06-13 2022-09-20 中国银行股份有限公司 Face comparison method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984576A (en) * 2010-10-22 2011-03-09 北京工业大学 Method and system for authenticating anonymous identity based on face encryption
CN102664885A (en) * 2012-04-18 2012-09-12 南京邮电大学 Identity authentication method based on biological feature encryption and homomorphic algorithm
CN103731271A (en) * 2013-12-30 2014-04-16 北京工业大学 On-line face identity authentication method based on homomorphic encrypting and chaotic scrambling
US20140281567A1 (en) * 2013-03-15 2014-09-18 Mitsubishi Electric Research Laboratories, Inc. Method for Authenticating an Encryption of Biometric Data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104598835A (en) * 2014-12-29 2015-05-06 无锡清华信息科学与技术国家实验室物联网技术中心 Cloud-based real number vector distance calculation method for protecting privacy

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112000940A (en) * 2020-09-11 2020-11-27 支付宝(杭州)信息技术有限公司 User identification method, device and equipment under privacy protection
CN112163542A (en) * 2020-10-12 2021-01-01 桂林电子科技大学 ElGamal encryption-based palm print privacy authentication method
CN117201698A (en) * 2023-11-07 2023-12-08 北京隐算科技有限公司 Safe and efficient image recognition method
CN117201698B (en) * 2023-11-07 2024-01-12 北京隐算科技有限公司 Safe and efficient image recognition method

Also Published As

Publication number Publication date
CN105635099A (en) 2016-06-01

Similar Documents

Publication Publication Date Title
WO2017012175A1 (en) Identity authentication method, identity authentication system, terminal and server
US10680808B2 (en) 1:N biometric authentication, encryption, signature system
CN106612259B (en) Identity recognition, business processing and biological characteristic information processing method and equipment
CN111738238B (en) Face recognition method and device
CN111466097B (en) Server-assisted privacy preserving biometric comparison
US9218473B2 (en) Creation and authentication of biometric information
Gomez-Barrero et al. Privacy-preserving comparison of variable-length data with application to biometric template protection
CN101420301A (en) Human face recognizing identity authentication system
CN112948795B (en) Identity authentication method and device for protecting privacy
US10963552B2 (en) Method and electronic device for authenticating a user
Rajeswari et al. Multi-fingerprint unimodel-based biometric authentication supporting cloud computing
CN106936775A (en) A kind of authentication method and system based on fingerprint recognition
CN114596639B (en) Biological feature recognition method and device, electronic equipment and storage medium
JP2006262333A (en) Living body authentication system
CN110392030B (en) Identity authentication and service processing method and system based on biological characteristics
US20190165939A1 (en) Two-step central matching
EP3745289A1 (en) Apparatus and method for registering biometric information, apparatus and method for biometric authentication
KR101808809B1 (en) Method for transmitting feature data, user authentication method and system using feature data
Bauspieß et al. MT-PRO: Multibiometric Template Protection Based On Homomorphic Transciphering
CN109005158B (en) Authentication method of dynamic gesture authentication system based on fuzzy safe
CN115941183B (en) Biological information processing method and related device
WO2021070275A1 (en) Information collation system and information collation method
Neethu Revocable Session Key Generation Using Combined Fingerprint Template
KR102210620B1 (en) Method for Storing Secret Information in Server and Restoring it in Client Terminal
CN115834088A (en) Biological characteristic authentication method and system

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 15898731; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

122 EP: PCT application non-entry in European phase
Ref document number: 15898731; Country of ref document: EP; Kind code of ref document: A1