WO2017177435A1 - Identity authentication method, terminal and server - Google Patents

Publication number
WO2017177435A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
terminal
random code
server
private key
Prior art date
Application number
PCT/CN2016/079397
Inventor
张站朝
Original Assignee
深圳前海达闼云端智能科技有限公司
Priority date
Filing date
Publication date
Application filed by 深圳前海达闼云端智能科技有限公司
Priority to CN201680002936.5A (patent CN107113315B)
Priority to PCT/CN2016/079397 (patent WO2017177435A1)
Publication of WO2017177435A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present invention relates to the field of identity recognition technologies, and in particular, to an identity authentication method, a terminal, and a server.
  • A cloud robot is an intelligent robot whose cognitive system is placed in the cloud while the body, the drive and the sensors are placed on the robot itself, the two being connected through mobile communication; the cloud robot is the development direction of the intelligent humanoid robot.
  • Identity authentication, also known as authentication, refers to the process of confirming the identity of an operator in a computer or computer network system in order to determine whether the user has the right to access and use certain resources, thereby ensuring system and data security.
  • the more common authentication methods mainly include password-based authentication methods and biometric-based authentication methods.
  • the biometric-based authentication method is based on the unique, reliable and stable biological characteristics (such as iris, fingerprint, face, palm print, etc.), and has good security.
  • In the existing biometric-based authentication method, the terminal is usually connected to the server. After collecting the biometric information of the user, the terminal uploads it to the server, and the server compares it with the biometric information it has pre-stored. If the match succeeds, authentication passes.
  • The existing biometric-based authentication method needs to upload the biometric information of the user to the server during implementation, so the biometric information of the user is easily leaked.
  • The embodiment of the invention provides an identity authentication method, a terminal and a server, to solve the technical problem in the existing technology that the biometric-based authentication method needs to upload the biometric information of the user to the server during implementation, so that the biometric information of the user is easily leaked and user information is unsafe.
  • an embodiment of the present invention provides an identity authentication method, including the following steps:
  • the identity authentication request includes a user identifier
  • Before sending the identity authentication request to the server, the method further includes:
  • Generating a public-private key pair for the user, establishing a correspondence between the biometric information, the terminal identifier, the user private key, and the user identifier, and sending the user public key and the user identifier to the server.
  • Sending the second random code encrypted by the user private key to the server is specifically: sending the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
  • the server is
  • Before sending the identity authentication request to the server, the method further includes: establishing a secure transport layer protocol (TLS) two-way authentication connection with the server by using a pre-stored certificate generated by the server; communication with the server is specifically carried out over said TLS two-way authentication connection.
  • Encrypting the second random code by using the pre-stored user private key corresponding to the user identifier is specifically: performing verification by using a pre-stored private key password and the password of the security device; after the verification succeeds, obtaining the user private key stored in the secure area and encrypting the second random code with the user private key.
  • the method further includes: receiving a random private key password sent by the server, and modifying a password of the security device according to the random private key password.
  • an embodiment of the present invention provides an identity authentication method, including the following steps:
  • the identity authentication request includes a user identifier
  • Before receiving the identity authentication request sent by the terminal, the method further includes:
  • Receiving the second random code sent by the terminal and encrypted by the user private key is specifically: receiving the second random code encrypted by the user private key, the user identifier, and the terminal identifier sent by the terminal. Decrypting the second random code encrypted by the user private key by using the pre-stored user public key corresponding to the user identifier is specifically: decrypting the second random code and the user identifier encrypted by the user private key by using the user public key corresponding to the terminal identifier. Verifying whether the decrypted second random code is consistent with the sent second random code, and passing identity authentication if they are consistent, is specifically: verifying whether the decrypted second random code is consistent with the sent second random code, and verifying the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
  • Before receiving the identity authentication request sent by the terminal, the method further includes: establishing a secure transport layer protocol (TLS) two-way authentication connection with the terminal by using a pre-stored certificate; communication with the terminal is specifically carried out over the TLS two-way authentication connection.
  • the method further includes: sending the random private key password to the terminal.
  • an embodiment of the present invention provides a terminal, including:
  • a first sending module configured to send an identity authentication request to the server;
  • the identity authentication request includes a user identifier;
  • a first receiving module configured to receive a second random code sent by the server
  • a comparison module configured to compare the received biometric information of the user input with the pre-stored biometric information corresponding to the user identifier
  • an encryption module configured to encrypt the second random code by using a pre-stored user private key corresponding to the user identifier
  • the second sending module is configured to send the second random code encrypted by the user private key to the server.
  • a second receiving module configured to receive a first random code sent by the server before sending the identity authentication request to the server
  • a third sending module configured to send the terminal identifier, the user identifier, and the first random code to the server
  • a third receiving module configured to receive biometric information recorded by the user after receiving the verification pass message sent by the server;
  • a key processing module configured to generate a public-private key pair for the user, establish a correspondence between the biometric information, a terminal identifier, a user private key, and a user identifier, and send the user public key and the user identifier to The server.
  • the second sending module is specifically configured to send the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
  • a connection establishing module configured to establish a secure transport layer protocol (TLS) two-way authentication connection with the server, by using a pre-stored certificate generated by the server, before the identity authentication request is sent to the server; communication with the server is specifically carried out over the TLS two-way authentication connection.
  • The encryption module is specifically configured to perform verification by using a pre-stored private key password and the password of the security device, obtain the user private key stored in the secure area after the verification succeeds, and encrypt the second random code with the user private key.
  • a fourth receiving module configured to: after the encrypting the second random code according to the user private key, receive a random private key password sent by the server, and modify a password of the security device according to the random private key password.
  • an embodiment of the present invention provides a server, including:
  • a first receiving unit configured to receive an identity authentication request sent by the terminal; the identity authentication request includes a user identifier;
  • a first sending unit configured to send a second random code to the terminal
  • a second receiving unit configured to receive the second random code sent by the terminal and encrypted by the user private key
  • a decrypting unit configured to decrypt the second random code encrypted by the user private key by using a pre-stored user public key corresponding to the user identifier
  • the first authentication unit is configured to verify whether the decrypted second random code is consistent with the sent second random code, and if they are consistent, the identity authentication is passed.
  • a determining unit configured to determine, according to the identity authentication request sent by the receiving terminal, a correspondence between the terminal identifier and the user identifier;
  • a second sending unit configured to send a first random code to the terminal
  • a second authentication unit configured to perform verification after receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, and send a verification pass message to the terminal after the verification is passed;
  • the relationship establishing unit is configured to receive the user identifier and the user public key sent by the terminal, and establish a correspondence between the user identifier, the user public key, and the terminal identifier.
  • The second receiving unit is specifically configured to receive the second random code encrypted by the user private key, the user identifier, and the terminal identifier sent by the terminal; the decrypting unit is specifically configured to decrypt the second random code and the user identifier encrypted by the user private key by using the user public key corresponding to the terminal identifier; the first authentication unit is specifically configured to verify whether the decrypted second random code is consistent with the sent second random code and to verify the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
  • a connection establishing unit configured to establish a secure transport layer protocol (TLS) two-way authentication connection with the terminal, by using a pre-stored certificate, before the identity authentication request sent by the terminal is received; communication with the terminal is specifically carried out over the TLS two-way authentication connection.
  • a third sending unit configured to send a random private key password to the terminal after the second random code sent by the terminal and encrypted by the user private key is received.
  • the current identity authentication technology needs to upload the biometric information of the user to the server, and there is a problem that the personal information is leaked and unsafe.
  • the identity authentication scheme provided by the embodiment of the present invention saves the biometric information of the user on the terminal side, and does not need to be uploaded.
  • Verification of the user's biometric is completed by the terminal. After that verification passes, the terminal uploads to the server the random code and the user identifier encrypted with the pre-stored user private key; the server decrypts the user identifier, the random code and other information with the pre-stored user public key and can complete verification without storing the biometric information of the user, thereby ensuring that the personal information of the user is safe and not leaked.
  • FIG. 1 is a schematic flowchart of implementing an identity authentication method according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic flowchart of implementing an identity authentication method in Embodiment 2 of the present invention.
  • FIG. 3 is a schematic structural diagram 1 of a terminal in Embodiment 3 of the present invention.
  • FIG. 4 is a second schematic structural diagram of a terminal in Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram 3 of a terminal in Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural view 4 of a terminal in Embodiment 3 of the present invention.
  • FIG. 7 is a schematic structural diagram 1 of a server in Embodiment 4 of the present invention.
  • FIG. 8 is a second schematic structural diagram of a server in Embodiment 4 of the present invention.
  • FIG. 9 is a schematic structural diagram 3 of a server in Embodiment 4 of the present invention.
  • FIG. 10 is a schematic structural diagram 4 of a server in Embodiment 4 of the present invention.
  • FIG. 11 is a schematic diagram showing a process of registering biometric information of a user in Embodiment 5 of the present invention.
  • FIG. 12 is a schematic diagram showing a process of user identity authentication in Embodiment 5 of the present invention.
  • FIG. 13 is a schematic diagram showing an identity authentication process of a mobile payment scenario in Embodiment 6 of the present invention.
  • FIG. 14 is a schematic diagram showing an identity authentication process of a cloud robot scenario in Embodiment 7 of the present invention.
  • FIG. 15 is a schematic diagram showing the identity authentication process of the access control system in the eighth embodiment of the present invention.
  • the implementation process of existing biometric-based authentication methods usually includes the following steps:
  • the terminal collects biometric information of the user
  • the terminal uploads the biometric information to the server
  • the server compares and matches the biometric information uploaded by the terminal with the pre-stored biometric information. If the matching is successful, the authentication passes.
  • the above authentication method is adopted. Since the biometric information of the user needs to be uploaded to the server during implementation, the biometric information of the user is easily leaked, which has a certain security risk.
  • the embodiment of the present invention provides an identity authentication method, a terminal, and a server.
  • The biometric information of the user (for example, personal private information such as a face, a fingerprint, or an iris) exists only on the terminal side, thus ensuring that the biometric information will not be leaked and guaranteeing the security of user privacy.
  • FIG. 1 is a schematic flowchart of the implementation of the identity authentication method in the first embodiment of the present invention. As shown in the figure, the identity authentication method may include the following steps:
  • Step 101 Send an identity authentication request to a server, where the identity authentication request includes a user identifier.
  • Step 102 Receive a second random code sent by the server.
  • Step 103 Compare the received biometric information input by the user with the biometric information corresponding to the user identifier stored in advance;
  • Step 104 If they are consistent, encrypt the second random code by using a pre-stored user private key corresponding to the user identifier.
  • Step 105 Send a second random code encrypted by the user private key to the server.
  • the identity authentication method provided by the embodiment of the present invention may be implemented on the terminal side, and may be implemented on a mobile terminal such as a mobile phone, a pad, a tablet computer, or an intelligent robot.
  • the sending the identity authentication request to the server may be triggered by the user (for example, the user clicks/starts the identity authentication service), or may be triggered according to the user's operation (for example, when the user wants to access the application on the terminal or the terminal, the terminal itself
  • The identity authentication request may include information such as a user identifier and a terminal identifier. The user identifier may be a user account, a user ID, a user QR code, etc., and the terminal identifier may be an International Mobile Equipment Identity (IMEI), etc.
  • The identity authentication request may be sent to the server first and the second random code sent by the server received; the biometric information input by the user is then received and compared with the pre-stored biometric information corresponding to the user identifier; if they are consistent, the second random code is encrypted by using the pre-stored user private key corresponding to the user identifier, and the second random code encrypted by the user private key is sent to the server.
  • The biometric information input by the user may also be received at the same time as the identity authentication request; the second random code sent by the server is then received, and the biometric information input by the user is compared with the pre-stored biometric information corresponding to the user identifier; if they are consistent, the second random code is encrypted by using the pre-stored user private key corresponding to the user identifier, and the second random code encrypted by the user private key is sent to the server.
  • The biometric information input by the user may also be received first and compared with the pre-stored biometric information corresponding to the user identifier; if they are consistent, an identity authentication request is sent to the server, the second random code sent by the server is received and encrypted by using the pre-stored user private key corresponding to the user identifier, and the second random code encrypted by the user private key is sent to the server.
  • The biometric information input by the user may also be received first and compared with the pre-stored biometric information corresponding to the user identifier, an identity authentication request sent to the server, and the second random code sent by the server received; if the biometric comparison is consistent, the second random code is encrypted by using the pre-stored user private key corresponding to the user identifier, and the second random code encrypted by the user private key is sent to the server.
  • the received second random code sent by the server may be a string of characters, a letter or a combination of the two.
  • The binding relationship between the user identifier, the user biometric information, and the user private key may be pre-stored.
  • The biometric information input by the user may be compared with the pre-stored biometric information corresponding to the user identifier; if they match, the user identifier corresponds to the biometric information, and the second random code is then encrypted by using the pre-stored user private key corresponding to the user identifier and the encrypted second random code is sent to the server.
  • The user private key may be the private key of a public-private key pair generated by using an existing key generation algorithm, and the existing key generation algorithm may include an RSA algorithm, a 3DES algorithm, and the like.
  • In the identity authentication method provided by the embodiment of the present invention, after the identity authentication request is sent to the server, the biometric information input by the user is compared with the pre-stored biometric information of the user, which completes verification of the biometric information. After the verification passes, the second random code is encrypted with the user private key and sent to the server. Because the embodiment of the present invention completes the verification of the user's biometric information locally, the biometric information of the user does not need to be sent to the server for verification by the server, which ensures the security of user information and reduces the amount of data transferred.
  • Before sending the identity authentication request to the server, the method may further include:
  • Before the identity authentication request is sent to the server, a user registration process may be performed.
  • The registration process may be: receiving a first random code sent by the server, and sending the terminal identifier, the user identifier, and the first random code to the server for verification by the server; after receiving the verification pass message sent by the server, receiving the biometric information entered by the user, generating a public-private key pair for the user, storing the user private key, and sending the user public key and the user identifier to the server.
  • The registration request may be initiated by the user. The terminal first sends a user registration request to the server; after receiving the registration request, the server creates the user identifier for the user, and the terminal then receives the first random code sent by the server. The user identifier is created by the server, the correspondence between the user identifier and the terminal identifier is established, and the first random code sent by the server is then received by the terminal.
  • the terminal identifier and the user identifier may be in a one-to-one relationship, or may be a one-to-many relationship, and the user identifier may have a one-to-one relationship with the user private key and the biometric information.
  • The terminal can thus store locally the correspondence between the user identifier, the user private key, the terminal identifier, and the user biometric information, and the server side can store the correspondence between the user identifier, the user public key, and the terminal identifier, which provides data support for subsequent identity authentication.
  • Sending the second random code encrypted by the user private key to the server may specifically be: sending the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
  • The terminal identifier may be sent to the server together with the second random code encrypted by the user private key, so that the server authenticates the terminal identifier.
  • the receiving the biometric information input by the user may specifically: receiving a fingerprint, a palm print, an iris, a face, and/or a sound input by the user.
  • the biometric information may include a fingerprint, a palm print, an iris, a face, a sound, and the like.
  • Receiving the biometric information input by the user may be: receiving a fingerprint, a palm print, an iris, a face, a sound, etc. input by the user.
  • Collecting the fingerprint, the palm print, the iris, the face, the sound, and the like input by the user may be implemented by using an existing sensor or collector, which is not described further here.
  • The embodiment of the present invention proposes completing biometric verification locally, so that biometric information does not need to be uploaded to the server.
  • the present application may also be implemented in the following manner.
  • Before sending the identity authentication request to the server, the method may further include:
  • TLS secure transport layer protocol
  • a certificate generated by the server may be preset on the terminal side, and the certificate may be used for establishing a TLS mutual authentication connection between the terminal and the server, and all subsequent communications may be performed based on the TLS connection.
  • The embodiment of the present application can prevent the public key of the public-private key pair generated by the terminal from being illegally intercepted when the terminal transmits it to the server, thereby further improving security.
  • Encrypting the second random code by using a pre-stored user private key corresponding to the user identifier may be:
  • performing verification by using the pre-stored private key cipher and the password of the security device; after the verification succeeds, obtaining the user private key stored in the security area, and encrypting the second random code according to the user private key.
  • the public-private key pair generated by the terminal may use a security device and be stored in a secure area of the terminal.
  • the private key can be used to authenticate the security device. If the password is successfully verified, the user private key stored in the security zone can be obtained, which further improves the security of the user's private key.
  • the method may further include:
  • A random private key password is obtained from the server to modify the password of the security device; that is, the password of the security device is one-time and is updated once it has been used, thereby ensuring the security of the user's private key stored in the secure area in the secure device.
  • FIG. 2 is a schematic flowchart of the implementation of the identity authentication method in the second embodiment of the present invention. As shown in the figure, the identity authentication method may include the following steps:
  • Step 201 Receive an identity authentication request sent by the terminal, where the identity authentication request includes a user identifier.
  • Step 202 Send a second random code to the terminal.
  • Step 203 Receive a second random code that is sent by the terminal and encrypted by a user private key.
  • Step 204 Decrypt the second random code encrypted by the user private key by using a pre-stored user public key corresponding to the user identifier.
  • Step 205 Verify whether the decrypted second random code is consistent with the transmitted second random code. If they are consistent, the identity authentication is passed.
  • the identity authentication method provided by the embodiment of the present invention can be implemented on the network side or the server side.
  • the identity authentication request sent by the terminal may include information such as a user identifier and a terminal identifier, where the user identifier may be information such as an account number and an ID of the user, and the terminal identifier may be information such as an IMEI of the terminal.
  • The correspondence between the user identifier, the user public key, and the terminal identifier may be pre-stored. After receiving the second random code that is sent by the terminal and encrypted by the user private key, the server may use the user public key to decrypt the second random code; if the second random code obtained by the decryption is consistent with the previously transmitted second random code, the identity authentication is passed.
  • With the identity authentication method provided by the embodiment of the present invention, the server side only needs to use the public key corresponding to the user identifier to decrypt and verify the second random code sent by the terminal in order to achieve identity authentication. The terminal does not need to upload the biometric information of the user, thereby ensuring the security of the user's personal information.
  • Before receiving the identity authentication request sent by the terminal, the method may further include:
  • Determining the correspondence between the terminal identifier and the user identifier may be: receiving a user registration request sent by the terminal, where the registration request may include a user identifier and a terminal identifier, and establishing the correspondence between the user identifier and the terminal identifier. Alternatively, it may be: generating a user identifier for the user, and establishing a correspondence between the user identifier and the terminal identifier.
  • the authentication pass message may be sent to the terminal, and the user identifier and the user public key sent by the terminal are received, and the correspondence between the user identifier, the user public key, and the terminal identifier is established.
  • The correspondence between the terminal identifier and the user identifier may be a one-to-one relationship or a one-to-many relationship; the correspondence between the user identifier and the user public key may be a one-to-one relationship.
  • the user public key and the user private key are a pair of public and private key pairs.
  • An existing encryption algorithm may be used to generate the public-private key pair.
  • the specific process of generating the public and private key pairs is not described herein.
  • the server side may store the correspondence between the user identifier, the terminal identifier, and the user public key, and provide support for subsequent identity authentication.
  • Receiving the second random code that is sent by the terminal and encrypted by the user's private key may be: receiving the second random code encrypted by the user's private key, the user identifier, and the terminal identifier sent by the terminal;
  • Decrypting the second random code that is encrypted by the user private key by using a user public key corresponding to the user identifier may be: using the public key corresponding to the terminal identifier to decrypt the second random code and the user identifier encrypted by the user private key;
  • The authentication may be: verifying whether the second random code obtained by the decryption is consistent with the second random code sent, and verifying the correspondence between the user identifier and the terminal identifier; if the second random code obtained by the decryption is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, the identity authentication is passed.
  • the terminal identifier sent by the terminal and the second random code encrypted by the user private key may be received, and when the identity authentication is performed, whether the second random code obtained by the decryption is consistent with the second random code sent may be verified. And verifying a correspondence between the terminal identifier and the user identifier. If the decrypted second random code is consistent with the transmitted second random code and the terminal identifier corresponds to the user identifier, the identity authentication is passed.
  • the correspondence between the terminal identifier and the user identifier may be a one-to-one relationship.
  • the embodiment of the present invention may also be implemented in the following manner.
  • After performing the verification of the biometric information, the terminal encrypts and signs the second random code and the user identifier by using the user private key of the user, and sends the encrypted and signed second random code and user identifier, together with the terminal identifier, to the server. The server determines the user public key according to the terminal identifier, uses the user public key to decrypt the second random code and the user identifier, verifies whether the second random code obtained by the decryption is consistent with the previously sent random code, and verifies the correspondence between the decrypted user identifier and the terminal identifier.
  • The embodiment of the present invention does not require the terminal to upload the biometric information of the user, and only needs to verify the user identifier, the user public key, and the terminal identifier. The verification of the biometric information of the user is completed by the terminal itself, thereby ensuring that the user's biometric information is not leaked, which improves the security of personal information and reduces the amount of data in the transmission process.
  • Before receiving the identity authentication request sent by the terminal, the method may further include:
  • establishing a secure transport layer protocol (TLS) two-way authentication connection with the terminal by using a pre-stored certificate; the communication with the terminal is specifically performed by using the TLS two-way authentication connection.
  • The embodiment of the present application may establish a secure connection before communicating with the terminal: the server pre-stores the certificate, the terminal also pre-stores the certificate generated by the server, and both parties establish a TLS two-way authentication connection through the certificate to ensure the security of subsequent communications and prevent data from being illegally intercepted during communication.
  • the method may further include:
  • The server may generate a random private key password for the terminal and send the random private key password to the terminal, so that the terminal updates the password of the security device. The password the terminal uses for the security device is thus one-time, ensuring the security of the user's private key.
  • An embodiment of the present invention further provides a terminal. Because the principle by which these devices solve the problem is similar to the above-mentioned identity authentication method (terminal side), the implementation of these devices can refer to the implementation of the method, and repeated description is omitted.
  • FIG. 3 is a schematic structural diagram 1 of a terminal in Embodiment 3 of the present invention. As shown in the figure, the terminal may include:
  • the first sending module 301 is configured to send an identity authentication request to the server, where the identity authentication request includes a user identifier.
  • the first receiving module 302 is configured to receive a second random code sent by the server
  • the comparison module 303 is configured to compare the received biometric information input by the user with the pre-stored biometric information corresponding to the user identifier;
  • the encryption module 304 is configured to encrypt the second random code by using a pre-stored user private key corresponding to the user identifier if the comparison is consistent;
  • the second sending module 305 is configured to send the second random code encrypted by the user private key to the server.
  • FIG. 4 is a schematic structural diagram 2 of the terminal in the third embodiment of the present invention. As shown in the figure, the terminal may further include:
  • the second receiving module 306 is configured to receive the first random code sent by the server before sending the identity authentication request to the server.
  • the third sending module 307 is configured to send the terminal identifier, the user identifier input by the user, and the first random code to the server;
  • the third receiving module 308 is configured to receive the biometric information recorded by the user after receiving the verification pass message sent by the server;
  • the key processing module 309 is configured to generate a public-private key pair for the user, establish a correspondence between the biometric information, the terminal identifier, the user private key, and the user identifier, and send the user public key and the user identifier to the server.
  • the terminal in the embodiment of the present invention may specifically be a mobile terminal such as a mobile phone, a pad, or a tablet computer.
  • the mobile terminal may be in the form of a touch screen or a button. The present invention does not limit this.
  • The first sending module sends an identity authentication request, and the first receiving module receives the second random code sent by the server. After the second receiving module receives the biometric information input by the user, the comparison module compares the biometric information input by the user with the pre-stored biometric information corresponding to the user identifier. The verification of the biometric information is thus completed on the terminal side, without sending the biometric information to the server for authentication, which avoids leakage of biometric information during the uploading process, ensures the security of the biometric information, and reduces the amount of data in the transmission process.
  • the second sending module may be configured to send the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
  • the biometric information may specifically be: a fingerprint, a palm print, an iris, a face, and/or a sound.
  • the biometric information may be: biometric information such as a fingerprint, a palm print, an iris, a face, and a sound.
  • The biometric information can be collected by devices such as a palmprint collecting device, an iris collecting device, a face collecting device, a sound input device, etc. These devices may be existing devices from the prior art, or may be developed and designed by those skilled in the art according to actual needs, and the present invention does not limit this.
  • FIG. 5 is a schematic structural diagram 3 of the terminal in the third embodiment of the present invention. As shown in the figure, the terminal may further include:
  • the connection establishing module 310 is configured to establish a secure transport layer protocol (TLS) two-way authentication connection with the server by using a pre-stored certificate generated by the server before sending the identity authentication request to the server, where the communication with the server is specifically performed by using the TLS two-way authentication connection.
  • the encryption module is specifically configured to perform verification by using a pre-stored private key cryptogram and a password of the security device, obtain the user private key stored in the security area after the verification succeeds, and encrypt the second random code according to the user private key.
  • FIG. 6 is a schematic structural diagram of a terminal in a third embodiment of the present invention. As shown in the figure, the terminal may further include:
  • the fourth receiving module 311 is configured to: after the second random code is encrypted according to the user private key, receive a random private key password sent by the server, and modify the password of the security device according to the random private key password.
  • A server is also provided in the embodiment of the present invention. Since the principle by which these devices solve the problem is similar to the identity authentication method (network side), the implementation of these devices can refer to the implementation of the method, and repeated description is omitted.
  • FIG. 7 is a schematic structural diagram 1 of a server in Embodiment 4 of the present invention.
  • the server may include:
  • the first receiving unit 701 is configured to receive an identity authentication request sent by the terminal, where the identity authentication request includes a user identifier.
  • the first sending unit 702 is configured to send a second random code to the terminal.
  • the second receiving unit 703 is configured to receive a second random code that is sent by the terminal and encrypted by a user private key.
  • the decrypting unit 704 is configured to decrypt the second random code encrypted by the user private key by using a pre-stored user public key corresponding to the user identifier;
  • the first authentication unit 705 is configured to verify whether the decrypted second random code is consistent with the sent second random code, and if they are consistent, the identity authentication is passed.
  • the server receives an identity authentication request sent by the terminal, where the identity authentication request may include a user identifier, a terminal identifier, other information, and the like.
  • The server provided by the embodiment of the present invention may pre-store the correspondence between the user identifier, the user public key, and the terminal identifier. After receiving the second random code that is sent by the terminal and encrypted by the user private key, it uses the pre-stored user public key corresponding to the user identifier to decrypt that second random code and verifies whether the decrypted second random code is consistent with the transmitted second random code, which completes the identity authentication.
  • The server provided by the embodiment of the present invention verifies the user identifier and decrypts the second random code by using the user public key corresponding to the user identifier, and can thereby verify the correspondence between the user public key and the user identifier. Biometric information does not need to be uploaded for verification, which ensures that the biometric information is not leaked and improves security while reducing the amount of data transmitted.
  • FIG. 8 is a schematic structural diagram 2 of a server in Embodiment 4 of the present invention. As shown in the figure, the server may further include:
  • the determining unit 706 is configured to determine, according to the identity authentication request sent by the receiving terminal, a correspondence between the terminal identifier and the user identifier.
  • a second sending unit 707 configured to send a first random code to the terminal
  • the second authentication unit 708 is configured to perform verification after receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, and send a verification pass message to the terminal after the verification is passed;
  • the relationship establishing unit 709 is configured to receive the user identifier and the user public key sent by the terminal, and establish a correspondence between the user identifier, the user public key, and the terminal identifier.
  • the second receiving unit may be configured to receive a second random code, the user identifier, and a terminal identifier that are sent by the terminal and encrypted by a user private key;
  • the decrypting unit may be configured to decrypt the second random code and the user identifier encrypted by the user private key by using a public key corresponding to the terminal identifier;
  • the first authentication unit may be configured to verify whether the decrypted second random code is consistent with the sent second random code, and verify the correspondence between the user identifier and the terminal identifier; if the decrypted The second random code is consistent with the transmitted second random code, and the terminal identifier corresponds to the user identifier, and the identity authentication is passed.
  • FIG. 9 is a schematic structural diagram 3 of the server in the fourth embodiment of the present invention. As shown in the figure, the server may further include:
  • the connection establishing unit 710 is configured to establish a secure transport layer protocol (TLS) two-way authentication connection with the terminal by using a pre-stored certificate before receiving the identity authentication request sent by the terminal, where the communication with the terminal is specifically performed by using the TLS two-way authentication connection.
  • FIG. 10 is a schematic structural diagram 4 of a server in Embodiment 4 of the present invention. As shown in the figure, the server may further include:
  • the third sending unit 711 is configured to send a random private key password to the terminal after receiving the second random code that is sent by the terminal and encrypted by the user private key.
  • the terminal side and the network side can be implemented as follows.
  • The implementations of the terminal and of the network side server are explained separately, but this does not mean that the two must be implemented together. In fact, when the terminal and the server are implemented separately, each solves the problems on the terminal side and the network side respectively; when the two are combined, a better technical effect is obtained.
  • the embodiment of the present invention takes the interaction process of the mobile terminal and the identity authentication server as an example for description.
  • the identity authentication process may include two steps: the first step is to register the mobile terminal user identity information; the second step is to perform fingerprint, iris or face biometric identification by the mobile terminal and secondary authentication at the identity authentication server.
  • FIG. 11 is a schematic diagram of a user biometric information registration process in Embodiment 5 of the present invention. As shown in the figure, the user biometric information registration process may include the following steps:
  • Step 1101 The user applies for registering an account.
  • the user uses the mobile terminal to perform terminal device registration, input user account information, and the terminal sends a registration request to the server.
  • Step 1102 Create a user account for the mobile terminal user in the identity authentication server.
  • Step 1103 Establish a one-to-one binding relationship between the user account and the mobile terminal identifier in the identity authentication server;
  • Step 1104 The identity authentication server sends a random code to the mobile terminal.
  • Step 1105 The user inputs the random code sent by the identity authentication server by using the mobile terminal, and sends the identifier to the identity authentication server for verification.
  • Step 1106 the identity authentication server verifies the user account, the mobile terminal identifier, and the random code, if the verification is successful, step 1107 is performed;
  • Step 1107 The identity authentication server sends prompt information to the mobile terminal, prompting the user to input biometric information.
  • Step 1108 The user inputs biometric information such as a fingerprint, an iris, or a face on the mobile terminal.
  • Step 1109 The mobile terminal generates a public-private key pair:
  • the generated private key is stored in the security area of the mobile terminal to ensure that other devices cannot access it;
  • Step 1110 The identity authentication server stores the user public key and the user identity information.
  • FIG. 12 is a schematic diagram of a user identity authentication process in Embodiment 5 of the present invention. As shown in the figure, the user identity authentication process may include the following steps:
  • Step 1201 The user starts an identity authentication service, and the mobile terminal sends an identity authentication request to the identity authentication server.
  • Step 1202 The identity authentication server generates a random code according to current user information, and sends the random code to the user.
  • Step 1203 The user enters a biometric such as a fingerprint, an iris, or a face to be verified according to the prompt of the mobile terminal, and a random code sent by the identity authentication server;
  • Step 1204 the mobile terminal verifies the biometrics such as fingerprints, irises, or faces, and after the verification is successful, step 1205 is performed;
  • Step 1205 Perform cryptographic signature on the user information and the random code by using a private key stored in the mobile terminal, and send the encrypted and signed information to the identity authentication server.
  • Step 1206 The identity authentication server performs the decryption check by using the user public key stored in the identity authentication server, verifies whether the random code is correct, and completes the secondary verification of the user identity. If the verification succeeds, step 1207 is performed;
  • Step 1207 Notify other control systems to allow the user to access and operate.
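The server-side check of steps 201 to 205 and the terminal/server exchange of steps 1201 to 1207, as an added Go example that is not code from the patent. The page speaks of encrypting the random code with the user private key and decrypting it with the public key; this example realises that as an Ed25519 signature that the server verifies over the random code it issued. The identifiers, the string stand-in for the biometric template, signing the terminal identifier alongside the user identifier, and discarding each random code after one use are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrNoChallenge = errors.New("no outstanding random code for this user")
	ErrBinding     = errors.New("terminal identifier is not bound to this user")
	ErrSignature   = errors.New("response does not verify under the stored public key")
	ErrBiometric   = errors.New("local biometric comparison failed")
)

type Server struct {
	terminals map[string]string            // user identifier -> bound terminal identifier
	keys      map[string]ed25519.PublicKey // user identifier -> user public key (no biometrics)
	pending   map[string][]byte            // user identifier -> random code awaiting a response
}

func NewServer() *Server {
	return &Server{map[string]string{}, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Challenge covers steps 201-202: accept the request and issue a fresh random code.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.keys[userID]; !ok {
		return nil, ErrNoChallenge
	}
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.pending[userID] = code
	return code, nil
}

// message length-prefixes each field so ("ab","c") and ("a","bc") cannot collide.
func message(userID, terminalID string, code []byte) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(userID), []byte(terminalID), code} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// Verify covers steps 203-205 plus the user/terminal correspondence check.
func (s *Server) Verify(userID, terminalID string, sig []byte) error {
	code, ok := s.pending[userID]
	if !ok {
		return ErrNoChallenge
	}
	delete(s.pending, userID) // single use: a captured response cannot be replayed
	if s.terminals[userID] != terminalID {
		return ErrBinding
	}
	if !ed25519.Verify(s.keys[userID], message(userID, terminalID, code), sig) {
		return ErrSignature
	}
	return nil
}

// Terminal holds the private key and enrolled template; neither leaves the device.
type Terminal struct {
	ID, UserID string
	template   string // stand-in for an enrolled biometric template
	private    ed25519.PrivateKey
}

// Enroll generates the key pair on the terminal and registers only the public half.
func Enroll(s *Server, userID, terminalID, template string) (*Terminal, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.terminals[userID], s.keys[userID] = terminalID, pub
	return &Terminal{terminalID, userID, template, priv}, nil
}

// Respond covers steps 1203-1205: match locally, then sign the server's random code.
func (t *Terminal) Respond(sample string, code []byte) ([]byte, error) {
	if sample != t.template { // real matchers score similarity against a threshold
		return nil, ErrBiometric
	}
	return ed25519.Sign(t.private, message(t.UserID, t.ID, code)), nil
}

func main() {
	srv := NewServer()
	term, _ := Enroll(srv, "account-A", "terminal-0001", "constructed-template")
	code, _ := srv.Challenge("account-A")
	sig, _ := term.Respond("constructed-template", code)
	fmt.Println("first:", srv.Verify("account-A", "terminal-0001", sig), "| replay:", srv.Verify("account-A", "terminal-0001", sig))
}
```

The server never sees the template or the sample: a failed local match produces no response at all, and a response is only accepted for the one random code that is still outstanding.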
  • the identity authentication scheme provided by the embodiment of the present invention can be applied to a mobile payment scenario.
  • After user A downloads the mobile payment software on the mobile phone A-mobile, user A can click Register in the interface of the mobile payment software and input a user name, password, and other information; the mobile phone A-mobile can send this information and the phone's own IMEI number to the server.
  • the server creates an account A for the user A, establishes a binding relationship between the account A and the 123456, and then sends a random code to the mobile phone A-mobile.
  • the user inputs the random code on the mobile payment software interface of the mobile phone A-mobile, and the mobile phone A-mobile sends the account A and the random code to the server.
  • the user A is prompted to enter a fingerprint on the mobile phone; the user records on the mobile phone.
  • the mobile phone can generate a public-private key pair for the user A through the internal device, store the generated private key in the secure area of the mobile phone, and send the generated public key and account A to the server.
  • After receiving account A and the public key of user A, the server stores them in one-to-one correspondence in a designated area of the server.
  • the mobile phone side stores the correspondence between the account A, the mobile phone IMEI, the private key of the user A, and the fingerprint of the user A.
  • The server side stores the correspondence between the account A, the mobile phone IMEI, and the public key of the user A.
  • FIG. 13 is a schematic diagram of an identity authentication process of a mobile payment scenario in Embodiment 6 of the present invention. As shown in the figure, the identity verification process may include:
  • the authentication request may include information such as a mobile phone IMEI, a user account A, and the like.
  • the server may generate a random code and send it to the mobile phone A-mobile.
  • The mobile phone A-mobile may prompt the user A to enter the fingerprint and the random code. After the user A enters the fingerprint and the random code, the phone verifies the fingerprint of the user A by determining whether the entered fingerprint matches the fingerprint stored in the mobile phone A-mobile. If they match (a threshold can be set in a specific implementation, and a difference below a certain error can be considered a match), the biometric verification is considered successful.
  • the mobile phone A-mobile encrypts and signs the account A and the random code by using the pre-stored user A's private key, and sends it to the server.
  • The server may perform secondary verification of the user's identity: the information is decrypted and checked with the pre-stored public key of the user A, and the server verifies whether the decrypted random code is consistent with the random code it sent before, whether the terminal identifier corresponds to the account A, and so on.
  • the server can notify the payment system to perform the payment operation.
  • the fingerprint verification of the mobile terminal and the terminal-user authentication of the server end are performed, and the fingerprint of the user A is not required to be uploaded by the mobile phone, thereby ensuring the security of the privacy information of the user A.
  • the identity authentication scheme provided by the embodiment of the present invention can be applied to a cloud robot scenario.
  • the cloud robot is taken as an example for description.
  • the cloud robot may include a robot body and a cloud robot, and the cloud robot may specifically be a cloud server.
  • User B purchases the robot Joan. Suppose the robot Joan is numbered JQR1. User B can make a registration request; the cloud robot establishes the account b for the user B, establishes a one-to-one binding relationship between the account b and JQR1, and sends a random code to the robot Joan. After the user B inputs the random code on the robot Joan, the robot Joan sends the account b together with the number JQR1 and the random code to the cloud robot.
  • the cloud robot verifies the correspondence between the account b and the code JQR1, and verifies whether the random code is consistent with the previously sent random code. If the verification passes, the robot Joan is notified to pass the verification.
  • User B can record sound on the robot Joan, for example: "I am user B, I am your master."
  • Robot Joan can store this sound, and can also recognize this sound and extract sound features such as tone, voice, etc.
  • the robot Joan generates a public-private key pair for the user B, stores the private key in the robot body, and transmits the account b, the number JQR1, and the public key to the cloud robot.
  • the cloud robot stores the received account b, the number JQR1, and the public key one-to-one.
  • The robot body stores the correspondence between the account b, the number JQR1, the private key of B, and the voice feature of B;
  • the cloud robot stores the correspondence between the account b, the number JQR1, and the public key of B.
  • the identity authentication process of the cloud robot scenario may include:
  • the robot Joan can send the account b to the cloud robot.
  • the user B can input the random code according to the prompt, and the specific implementation can be manual keyboard input, touch screen input or voice input.
  • The robot Joan performs voice recognition on the voice information of the user B ("sweeping the ground"), extracts the voice features, and compares the voice features with the pre-stored voice features; if features such as pitch and timbre are consistent or within a certain error range, the user is considered to be user B.
  • the robot Joan can encrypt and sign the random code with the private key, and send the encrypted code and the user information to the cloud robot.
  • the cloud robot performs the decryption check by using the public key of the user B stored in advance, and verifies the correspondence between the account b, the number JQR1, and the public key, and verifies whether the random code is consistent with the previously issued random code.
  • the robot's sweep control module can be notified that the sweep operation can be performed, and the robot Joan can clean the room floor.
  • the above solution is adopted to avoid the leakage of the voice information of the user B, and the security of the personal information of the user B is ensured.
  • The robot Joan recognizes the voice information of the user C and compares it with the pre-stored voice features of the user B. It finds that information such as the tone and the timbre of the two differs greatly (by more than the error range), so it can determine that the user is not the user B and refuse to provide services for the user.
  • The biometrics can be verified locally in the robot. If the verification fails, the verification result can be given directly and quickly, and the biometric information of the user does not need to be sent to the cloud robot. On the one hand this ensures that the personal information of the user is not transmitted and leaked, and on the other hand it improves the efficiency of verification.
  • the identity authentication scheme provided by the embodiment of the present invention can be applied to an access control scenario.
  • company D purchases an access control system (which can include access control devices and network side servers) and installs access control devices at the company's door.
  • Each employee can enroll his or her face information through a registered account, and a public-private key pair is generated for each employee.
  • the employee number, the corresponding face information, the corresponding private key, and the access control device number are stored.
  • the network side of the access control system stores the employee number, the corresponding public key, and the access control device number.
  • FIG. 15 is a schematic diagram of the identity authentication process of the access control system in the eighth embodiment of the present invention. As shown in the figure, the identity authentication process of the access control system may include:
  • an identity authentication service is initiated.
  • the network side sends a random code to the access control device.
  • the employee inputs a random code according to the prompt and faces his/her face to the collection device of the access control device.
  • after the access control device obtains the face information of the employee, it compares it with the pre-stored face information, and if the comparison is consistent, the number of the employee is determined according to the face information.
  • the random code is cryptographically signed by using the employee's private key, and the random code and the employee number and the access control device number are sent to the network side.
  • the network side determines the public key of the employee by using the employee number, and performs decryption check on the random code.
  • the identity verification is considered successful, and the switch control module is notified, and the switch control module performs unlocking on the company door after receiving the verification notification.
  • the identity authentication scheme provided by the embodiment of the present invention can also be applied to other scenarios such as a smart home, and the present invention will not be described herein.
  • the mobile terminal may pre-store the binding relationship between the user identifier, the biometric information, the user private key, and the terminal identifier, and the server side may pre-store the binding of the user identifier, the user public key, and the terminal identifier.
  • the authentication process may include a first authentication of the biometric information performed locally on the mobile terminal and a second authentication of the device information performed on the server side, thereby implementing identity authentication while ensuring that the user's personal privacy information is not leaked.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Provided are an identity authentication method, a terminal and a server. The method comprises: a terminal sending an identity authentication request to a server; the server sending a random code to the terminal; the terminal comparing biological feature information input by a user with pre-stored biological feature information corresponding to a user identifier, and if a comparison result is that the two are consistent, using a pre-stored user private key corresponding to the user identifier to encrypt a second random code and sending same to the server; and the server using a pre-stored user public key corresponding to the user identifier to decrypt the second random code after being encrypted by means of the user private key, verifying whether the decrypted second random code is consistent with the sent second random code, and if so, passing identity authentication. The present invention does not require a terminal to upload biological feature information about a user, and the verification of the biological feature information about the user is completed by the terminal itself, thereby ensuring that the biological feature information about the user is not revealed.

Description

Identity authentication method, terminal and server
Technical field
The present invention relates to the field of identity recognition technologies, and in particular to an identity authentication method, a terminal, and a server.
Background
A cloud robot is an intelligent robot whose cognitive system is placed in the cloud while its body, drive, and sensors are placed on the robot body, with the two connected through mobile communication; cloud robots are the direction in which intelligent humanoid robots are developing.
Identity authentication, also called identity verification or identity identification, refers to the process of confirming an operator's identity in a computer or computer network system, thereby determining whether the user has permission to access and use a given resource and ensuring the security of the system and its data.
At present, the more common identity authentication methods are password-based authentication and biometric-based authentication. Biometric-based authentication relies on unique, reliable, and stable biological characteristics of the human body (for example, iris, fingerprint, face, palm print) and has good security.
However, in existing biometric-based authentication the terminal is usually connected to a server: after collecting the user's biometric information, the terminal uploads it to the server, where it is compared and matched against the biometric information pre-stored by the server. If the match succeeds, authentication passes.
The disadvantages of the prior art are:
Existing biometric-based authentication requires the user's biometric information to be uploaded to the server during implementation, so the user's biometric information is easily leaked.
Summary of the invention
The embodiments of the present invention provide an identity authentication method, a terminal, and a server, to solve the technical problem in the prior art that biometric-based authentication requires the user's biometric information to be uploaded to the server during implementation, so that the user's biometric information is easily leaked and the user's information is insecure.
In a first aspect, an embodiment of the present invention provides an identity authentication method, including the following steps:
sending an identity authentication request to a server, the identity authentication request including a user identifier;
receiving a second random code sent by the server;
comparing the received biometric information input by the user with pre-stored biometric information corresponding to the user identifier;
if they are consistent, encrypting the second random code by using a pre-stored user private key corresponding to the user identifier;
sending the second random code encrypted by the user private key to the server.
Optionally, before the sending of the identity authentication request to the server, the method further includes:
receiving a first random code sent by the server;
sending the terminal identifier, the user identifier, and the first random code to the server;
after receiving a verification pass message sent by the server, receiving biometric information entered by the user;
generating a public-private key pair for the user, establishing a correspondence between the biometric information, the terminal identifier, the user private key, and the user identifier, and sending the user public key and the user identifier to the server.
Optionally, sending the second random code encrypted by the user private key to the server is specifically: sending the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
Optionally, before the sending of the identity authentication request to the server, the method further includes: establishing a Transport Layer Security (TLS) two-way authentication connection with the server by using a pre-stored certificate generated by the server; communication with the server is specifically carried out over the TLS two-way authentication connection.
Optionally, encrypting the second random code by using the pre-stored user private key corresponding to the user identifier is specifically: verifying a pre-stored private key password against the password of the security device, obtaining the user private key stored in the secure area after the verification succeeds, and encrypting the second random code according to the user private key.
Optionally, after the encrypting of the second random code according to the user private key, the method further includes: receiving a random private key password sent by the server, and modifying the password of the security device according to the random private key password.
In a second aspect, an embodiment of the present invention provides an identity authentication method, including the following steps:
receiving an identity authentication request sent by a terminal, the identity authentication request including a user identifier;
sending a second random code to the terminal;
receiving the second random code encrypted by the user private key and sent by the terminal;
decrypting the second random code encrypted by the user private key by using a pre-stored user public key corresponding to the user identifier;
verifying whether the decrypted second random code is consistent with the sent second random code, and if they are consistent, identity authentication passes.
Optionally, before the receiving of the identity authentication request sent by the terminal, the method further includes:
determining a correspondence between the terminal identifier and the user identifier;
sending a first random code to the terminal;
performing verification after receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, and sending a verification pass message to the terminal after the verification passes;
receiving the user identifier and the user public key sent by the terminal, and establishing a correspondence between the user identifier, the user public key, and the terminal identifier.
Optionally, receiving the second random code encrypted by the user private key and sent by the terminal is specifically: receiving the second random code encrypted by the user private key, the user identifier, and the terminal identifier sent by the terminal; decrypting the second random code encrypted by the user private key by using the pre-stored user public key corresponding to the user identifier is specifically: decrypting the second random code and the user identifier encrypted by the user private key by using the user public key corresponding to the terminal identifier; and verifying whether the decrypted second random code is consistent with the sent second random code, with identity authentication passing if they are consistent, is specifically: verifying whether the decrypted second random code is consistent with the sent second random code, and verifying the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
Optionally, before the receiving of the identity authentication request sent by the terminal, the method further includes: establishing a Transport Layer Security (TLS) two-way authentication connection with the terminal by using a pre-stored certificate; communication with the terminal is specifically carried out over the TLS two-way authentication connection.
Optionally, after the receiving of the second random code encrypted by the user private key and sent by the terminal, the method further includes: sending a random private key password to the terminal.
In a third aspect, an embodiment of the present invention provides a terminal, including:
a first sending module, configured to send an identity authentication request to a server, the identity authentication request including a user identifier;
a first receiving module, configured to receive a second random code sent by the server;
a comparison module, configured to compare the received biometric information input by the user with pre-stored biometric information corresponding to the user identifier;
an encryption module, configured to, if they are consistent, encrypt the second random code by using a pre-stored user private key corresponding to the user identifier;
a second sending module, configured to send the second random code encrypted by the user private key to the server.
Optionally, the terminal further includes:
a second receiving module, configured to receive a first random code sent by the server before the identity authentication request is sent to the server;
a third sending module, configured to send the terminal identifier, the user identifier, and the first random code to the server;
a third receiving module, configured to receive biometric information entered by the user after a verification pass message sent by the server is received;
a key processing module, configured to generate a public-private key pair for the user, establish a correspondence between the biometric information, the terminal identifier, the user private key, and the user identifier, and send the user public key and the user identifier to the server.
Optionally, the second sending module is specifically configured to send the second random code encrypted by the user private key, the user identifier, and the terminal identifier to the server.
Optionally, the terminal further includes:
a connection establishing module, configured to establish a Transport Layer Security (TLS) two-way authentication connection with the server by using a pre-stored certificate generated by the server before the identity authentication request is sent to the server; communication with the server is specifically carried out over the TLS two-way authentication connection.
Optionally, the encryption module is specifically configured to, if they are consistent, verify a pre-stored private key password against the password of the security device, obtain the user private key stored in the secure area after the verification succeeds, and encrypt the second random code according to the user private key.
Optionally, the terminal further includes:
a fourth receiving module, configured to, after the second random code is encrypted according to the user private key, receive a random private key password sent by the server and modify the password of the security device according to the random private key password.
In a fourth aspect, an embodiment of the present invention provides a server, including:
a first receiving unit, configured to receive an identity authentication request sent by a terminal, the identity authentication request including a user identifier;
a first sending unit, configured to send a second random code to the terminal;
a second receiving unit, configured to receive the second random code encrypted by the user private key and sent by the terminal;
a decryption unit, configured to decrypt the second random code encrypted by the user private key by using a pre-stored user public key corresponding to the user identifier;
a first authentication unit, configured to verify whether the decrypted second random code is consistent with the sent second random code, and if they are consistent, identity authentication passes.
Optionally, the server further includes:
a determining unit, configured to determine a correspondence between the terminal identifier and the user identifier before the identity authentication request sent by the terminal is received;
a second sending unit, configured to send a first random code to the terminal;
a second authentication unit, configured to perform verification after receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, and to send a verification pass message to the terminal after the verification passes;
a relationship establishing unit, configured to receive the user identifier and the user public key sent by the terminal, and establish a correspondence between the user identifier, the user public key, and the terminal identifier.
Optionally, the second receiving unit is specifically configured to receive the second random code encrypted by the user private key, the user identifier, and the terminal identifier sent by the terminal; the decryption unit is specifically configured to decrypt the second random code and the user identifier encrypted by the user private key by using the user public key corresponding to the terminal identifier; the first authentication unit is specifically configured to verify whether the decrypted second random code is consistent with the sent second random code, and to verify the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
Optionally, the server further includes:
a connection establishing unit, configured to establish a Transport Layer Security (TLS) two-way authentication connection with the terminal by using a pre-stored certificate before the identity authentication request sent by the terminal is received; communication with the terminal is specifically carried out over the TLS two-way authentication connection.
Optionally, the server further includes:
a third sending unit, configured to send a random private key password to the terminal after the second random code encrypted by the user private key and sent by the terminal is received.
The beneficial effects are as follows:
Current identity authentication technology requires the user's biometric information to be uploaded to the server, which creates the problem that personal information is leaked and insecure. With the identity authentication scheme provided by the embodiments of the present invention, the user's biometric information is stored on the terminal side and does not need to be uploaded to the server. The terminal completes the verification of the user's biometric features; after the terminal verification passes, the random code encrypted with the pre-stored user private key and the user identifier are uploaded to the server. The server decrypts with the pre-stored user public key and then verifies information such as the user identifier and the random code, without storing the user's biometric information, thereby ensuring that the user's personal information is secure and is not leaked.
Brief description of the drawings
Specific embodiments of the present invention will be described below with reference to the accompanying drawings, in which:
FIG. 1 is a schematic flowchart of the implementation of the identity authentication method in Embodiment 1 of the present invention;
FIG. 2 is a schematic flowchart of the implementation of the identity authentication method in Embodiment 2 of the present invention;
FIG. 3 is a first schematic structural diagram of the terminal in Embodiment 3 of the present invention;
FIG. 4 is a second schematic structural diagram of the terminal in Embodiment 3 of the present invention;
FIG. 5 is a third schematic structural diagram of the terminal in Embodiment 3 of the present invention;
FIG. 6 is a fourth schematic structural diagram of the terminal in Embodiment 3 of the present invention;
FIG. 7 is a first schematic structural diagram of the server in Embodiment 4 of the present invention;
FIG. 8 is a second schematic structural diagram of the server in Embodiment 4 of the present invention;
FIG. 9 is a third schematic structural diagram of the server in Embodiment 4 of the present invention;
FIG. 10 is a fourth schematic structural diagram of the server in Embodiment 4 of the present invention;
FIG. 11 is a schematic diagram of the user biometric information registration process in Embodiment 5 of the present invention;
FIG. 12 is a schematic diagram of the user identity authentication process in Embodiment 5 of the present invention;
FIG. 13 is a schematic diagram of the identity authentication process in the mobile payment scenario in Embodiment 6 of the present invention;
FIG. 14 is a schematic diagram of the identity authentication process in the cloud robot scenario in Embodiment 7 of the present invention;
FIG. 15 is a schematic diagram of the identity authentication process of the access control system in Embodiment 8 of the present invention.
Detailed description
In order to make the technical solutions and advantages of the present invention clearer, exemplary embodiments of the present invention are described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not an exhaustive list of all embodiments. Where no conflict arises, the embodiments in this description and the features in the embodiments may be combined with each other.
The inventor noticed during the invention process:
The implementation of existing biometric-based authentication methods (for example, face recognition, fingerprint recognition) usually includes the following steps:
1. The terminal collects the user's biometric information;
2. The terminal uploads the biometric information to the server;
3. The server compares and matches the biometric information uploaded by the terminal with the pre-stored biometric information. If the match succeeds, authentication passes.
With the above authentication method, the user's biometric information has to be uploaded to the server during implementation, so the user's biometric information is easily leaked, which poses a certain security risk.
In view of the above deficiency, the embodiments of the present invention provide an identity authentication method, a terminal, and a server. In the embodiments of the present invention, the user's personal biometric information (for example, personal privacy information such as face, fingerprint, and iris) exists only on the terminal side, which ensures that the biometric information is not leaked and protects the security of the user's privacy.
To facilitate the implementation of the present invention, the identity authentication method, terminal, and server provided by the present invention are described below with reference to specific embodiments.
Embodiment 1
FIG. 1 is a schematic flowchart of the implementation of the identity authentication method in Embodiment 1 of the present invention. As shown in the figure, the identity authentication method may include the following steps:
Step 101: Send an identity authentication request to a server, the identity authentication request including a user identifier;
Step 102: Receive a second random code sent by the server;
Step 103: Compare the received biometric information input by the user with pre-stored biometric information corresponding to the user identifier;
Step 104: If they are consistent, encrypt the second random code by using a pre-stored user private key corresponding to the user identifier;
Step 105: Send the second random code encrypted by the user private key to the server.
The identity authentication method provided by this embodiment of the present invention may be implemented on the terminal side, specifically on a mobile terminal such as a mobile phone, a pad, a tablet computer, or an intelligent robot.
Sending the identity authentication request to the server may be triggered by the user (for example, the user clicks or starts an identity authentication service), or triggered automatically according to the user's operation (for example, when the user wants to access the terminal or an application on the terminal, the terminal initiates the authentication request itself). The identity authentication request may include information such as the user identifier and the terminal identifier. The user identifier may specifically be the user's account, user ID, user QR code, or the like; the terminal identifier may specifically be the International Mobile Equipment Identity (IMEI) or the like.
需要说明的是,本发明实施例对上述步骤之间的顺序不作限制。例如,可以有以下几种情况:It should be noted that the embodiment of the present invention does not limit the order between the above steps. For example, there are several situations:
In the first case, the identity authentication request is first sent to the server and the second random code sent by the server is received; the biometric information input by the user is then received and compared with the pre-stored biometric information corresponding to the user identifier; if they match, the second random code is encrypted with the pre-stored user private key corresponding to the user identifier, and the second random code encrypted with the user private key is sent to the server.
In the second case, the biometric information input by the user is received at the same time as the identity authentication request is sent to the server; the second random code sent by the server is received, and the biometric information input by the user is compared with the pre-stored biometric information corresponding to the user identifier; if they match, the second random code is encrypted with the pre-stored user private key corresponding to the user identifier, and the second random code encrypted with the user private key is sent to the server.
In the third case, the biometric information input by the user is received first and compared with the pre-stored biometric information corresponding to the user identifier; if they match, the identity authentication request is sent to the server, the second random code sent by the server is received, the second random code is encrypted with the pre-stored user private key corresponding to the user identifier, and the second random code encrypted with the user private key is sent to the server.
In the fourth case, the biometric information input by the user is received first and compared with the pre-stored biometric information corresponding to the user identifier, and the identity authentication request is sent to the server and the second random code sent by the server is received; if the biometric comparison matches, the second random code is encrypted with the pre-stored user private key corresponding to the user identifier, and the second random code encrypted with the user private key is sent to the server.
The second random code received from the server may specifically be a string of digits, letters, or a combination of the two.
In this embodiment of the present invention, the binding relationship among the user identifier, the user's biometric information, and the user private key may be stored in advance. After the biometric information input by the user is received, it may be compared with the pre-stored biometric information corresponding to the user identifier. If they match, the user identifier is considered to match the biometric information; the second random code is then encrypted with the pre-stored user private key corresponding to the user identifier, and the encrypted second random code is sent to the server.
The user private key may be the private key of a public-private key pair generated with an existing key generation algorithm; such existing key generation algorithms may include the RSA algorithm, the 3DES algorithm, and the like.
With the identity authentication method provided by this embodiment of the present invention, after the identity authentication request is sent to the server, the biometric information input by the user is compared with the pre-stored biometric information of the user to complete verification of the biometric information, and after the verification passes, the second random code is encrypted with the user's private key and sent to the server. Because this embodiment completes verification of the user's biometric information locally, the biometric information does not need to be sent to the server for verification, which ensures the security of the user's information and reduces the amount of data transmitted.
In an implementation, before the identity authentication request is sent to the server, the method may further include:
Receiving a first random code sent by the server;
Sending the terminal identifier, the user identifier input by the user, and the first random code to the server;
After receiving a verification pass message sent by the server, receiving the biometric information enrolled by the user;
Generating a public-private key pair for the user, storing the user private key, and sending the user public key and the user identifier to the server.
In this embodiment of the present invention, a user registration process may be performed before the identity authentication request is sent to the server. Specifically: the first random code sent by the server is received, and the terminal identifier, the user identifier, and the first random code are sent to the server so that the server can verify them; after the verification pass message sent by the server is received, the biometric information enrolled by the user is received, a public-private key pair is generated for the user, the user private key is stored, and the user public key and the user identifier are sent to the server.
In a specific implementation, the user may apply for registration: this embodiment first sends a user registration request to the server; after receiving the registration request, the server establishes the correspondence between the user identifier and the terminal identifier for the user, and this embodiment receives the first random code sent by the server. Alternatively, the server may actively create the user identifier and establish the correspondence between the user identifier and the terminal identifier, after which this embodiment receives the first random code sent by the server.
The terminal identifier and the user identifier may be in a one-to-one relationship or a one-to-many relationship, and the user identifier may be in a one-to-one relationship with the user private key and the biometric information.
After the above process, the terminal has stored locally the correspondence among the user identifier, the user private key, the terminal identifier, and the user's biometric information, and the server side has stored the correspondence among the user identifier, the user public key, and the terminal identifier, which provides the data needed for subsequent identity authentication.
In an implementation, sending the second random code encrypted with the user private key to the server may specifically be: sending the second random code encrypted with the user private key, the user identifier, and the terminal identifier to the server.
In a specific implementation, after the second random code is encrypted with the pre-stored user private key corresponding to the user identifier, the terminal identifier may be sent to the server together with the second random code encrypted with the user private key, so that the server can verify the terminal identifier.
In an implementation, receiving the biometric information input by the user may specifically be: receiving a fingerprint, a palm print, an iris, a face, and/or a voice input by the user.
In a specific implementation, the biometric information may include a fingerprint, a palm print, an iris, a face, a voice, and the like, and receiving the biometric information input by the user may specifically be: receiving a fingerprint, a palm print, an iris, a face, a voice, or the like input by the user. Any of these may be captured with existing sensors or collectors, which are not described further here.
Because fingerprints, palm prints, irises, faces, voices, and similar information are all private to the user, the embodiment of the present invention completes biometric verification locally in order to keep that private information secure, and the biometric information does not need to be uploaded to the server.
To further enhance data security in the embodiments of the present application, the present application may also be implemented as follows.
In an implementation, before the identity authentication request is sent to the server, the method may further include:
Establishing a Transport Layer Security (TLS) mutual authentication connection with the server by using a pre-stored certificate generated by the server; communication with the server is specifically performed over the TLS mutual authentication connection.
In a specific implementation, a certificate generated by the server may be preset on the terminal side. The terminal can use this certificate to establish a TLS mutual authentication connection with the server, and all subsequent communication can take place over that TLS connection.
Implemented in this manner, the embodiment of the present application prevents the user public key of the terminal-generated public-private key pair from being illegally intercepted when the terminal sends it to the server, further improving security.
In an implementation, encrypting the second random code with the pre-stored user private key corresponding to the user identifier may specifically be:
Verifying the pre-stored private key password against the password of the security device; after the verification succeeds, obtaining the user private key stored in the secure area, and encrypting the second random code with the user private key.
In a specific implementation, the public-private key pair generated by the terminal may use a security device and be stored in a secure area of the terminal. When the private key is to be used, the private key password may first be verified at the security device; if the password verification succeeds, the user private key stored in the secure area can be obtained, which further improves security when the user private key is used.
In an implementation, after the second random code is encrypted with the user private key, the method may further include:
Receiving a random private key password sent by the server, and changing the password of the security device according to the random private key password.
In a specific implementation, each time the private key password has been used, a random private key password may be obtained from the server and used to change the password of the security device. That is, the password of the security device is one-time and is updated after every use, which ensures the security of the user private key that the security device stores in the secure area.
Embodiment 2
FIG. 2 is a schematic flowchart of the identity authentication method in Embodiment 2 of the present invention. As shown in the figure, the identity authentication method may include the following steps:
Step 201: Receive an identity authentication request sent by the terminal, where the identity authentication request includes a user identifier;
Step 202: Send a second random code to the terminal;
Step 203: Receive the second random code sent by the terminal after encryption with the user private key;
Step 204: Decrypt the second random code encrypted with the user private key by using the pre-stored user public key corresponding to the user identifier;
Step 205: Verify whether the second random code obtained by decryption matches the second random code that was sent; if they match, identity authentication passes.
The identity authentication method provided by this embodiment of the present invention may be implemented on the network side, at the server.
The identity authentication request sent by the terminal may include information such as a user identifier and a terminal identifier. The user identifier may be information such as the user's account or ID, and the terminal identifier may be information such as the terminal's IMEI.
In this embodiment of the present invention, the correspondence among the user identifier, the user public key, and the terminal identifier may be stored in advance. After the second random code encrypted with the user private key is received from the terminal, it may be decrypted with the user's public key; if the second random code obtained by decryption matches the second random code sent earlier, identity authentication passes.
With the identity authentication method provided by this embodiment of the present invention, the server side only needs to decrypt and verify the second random code sent by the terminal with the public key corresponding to the user identifier in order to achieve identity authentication. The terminal does not need to upload the user's biometric information, which ensures the security of the user's personal information.
In an implementation, before the identity authentication request sent by the terminal is received, the method may further include:
Determining the correspondence between the terminal identifier and the user identifier;
Sending a first random code to the terminal;
After receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, performing verification, and sending a verification pass message to the terminal after the verification passes;
Receiving the user identifier and the user public key sent by the terminal, and establishing the correspondence among the user identifier, the user public key, and the terminal identifier.
In a specific implementation, determining the correspondence between the terminal identifier and the user identifier may specifically be: receiving a user registration request sent by the terminal, where the registration request may include the user identifier and the terminal identifier, and establishing the correspondence between the user identifier and the terminal identifier. Alternatively, it may be: generating a user identifier for the user and establishing a correspondence between that user identifier and the terminal identifier.
After the terminal identifier, the user identifier, and the first random code sent by the terminal are received, the correspondence between the terminal identifier and the user identifier is verified, and the first random code is checked against the first random code sent earlier. After the verification passes, a verification pass message may be sent to the terminal; the user identifier and the user public key sent by the terminal are then received, and the correspondence among the user identifier, the user public key, and the terminal identifier is established.
The correspondence between the terminal identifier and the user identifier may be a one-to-one relationship or a one-to-many relationship; the correspondence between the user identifier and the user public key may be a one-to-one relationship.
The user public key and the user private key form a public-private key pair. In a specific implementation, the pair may be generated with an existing encryption algorithm; the specific generation process is not described further here.
Through the above process, the server side stores the correspondence among the user identifier, the terminal identifier, and the user public key, which supports subsequent identity authentication.
In an implementation, receiving the second random code sent by the terminal after encryption with the user private key may specifically be: receiving the second random code encrypted with the user private key, the user identifier, and the terminal identifier sent by the terminal;
Decrypting the second random code encrypted with the user private key by using the pre-stored user public key corresponding to the user identifier may specifically be: decrypting the second random code and the user identifier encrypted with the user private key by using the user public key corresponding to the terminal identifier;
Verifying whether the second random code obtained by decryption matches the second random code that was sent, with identity authentication passing if they match, may specifically be: verifying whether the second random code obtained by decryption matches the second random code that was sent, and verifying the correspondence between the user identifier and the terminal identifier; if the second random code obtained by decryption matches the second random code that was sent and the terminal identifier corresponds to the user identifier, identity authentication passes.
In a specific implementation, the terminal identifier and the second random code encrypted with the user private key may be received from the terminal. During identity authentication, the server may verify whether the second random code obtained by decryption matches the second random code that was sent, and may verify the correspondence between the terminal identifier and the user identifier. If the second random code obtained by decryption matches the second random code that was sent and the terminal identifier corresponds to the user identifier, identity authentication passes. The correspondence between the terminal identifier and the user identifier may be a one-to-one relationship.
If the correspondence between the terminal identifier and the user identifier is a one-to-one relationship, the embodiment of the present invention may also be implemented as follows.
After verifying the biometric information, the terminal uses the user's private key to encrypt and sign the second random code and the user identifier, and sends the signed second random code and user identifier, together with the terminal identifier, to the server. The server determines the user public key according to the terminal identifier, uses the user public key to decrypt and verify the signature on the second random code and the user identifier, verifies whether the second random code obtained by decryption matches the random code sent earlier, and verifies the correspondence between the decrypted user identifier and the terminal identifier.
The embodiment of the present invention does not require the terminal to upload the user's biometric information; only the user identifier, the user public key, and the terminal identifier need to be verified. Verification of the user's biometric information is completed by the terminal itself, which ensures that the biometric information is not leaked, improves the security of personal information, and reduces the amount of data transmitted.
In an implementation, before the identity authentication request sent by the terminal is received, the method may further include:
Establishing a Transport Layer Security (TLS) mutual authentication connection with the terminal by using a pre-stored certificate; communication with the terminal is specifically performed over the TLS mutual authentication connection.
In a specific implementation, to secure communication between the terminal and the server, the embodiment of the present application may establish a secure connection before communicating with the terminal. The server pre-stores a certificate, and the terminal also pre-stores the certificate generated by the server; the two sides use the certificates to establish a TLS mutual authentication connection, which secures subsequent communication and prevents data from being illegally intercepted in transit.
In an implementation, after the second random code encrypted with the user private key is received from the terminal, the method may further include:
Sending a random private key password to the terminal.
In a specific implementation, each time the private key password has been used, the server may generate a random private key password for the terminal and send it to the terminal, so that the terminal updates the password of its own security device. The password of the security device is therefore one-time, which keeps the user private key secure.
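The registration and challenge-response exchange of Embodiments 1 and 2, terminal and server side together, as an added Python example that is not code from the patent. Assumptions: unpadded RSA through `pow()` is used only to mirror the page's "encrypt with the user private key, decrypt with the user public key" wording (a deployment would use a standard padded signature scheme such as RSA-PSS); a SHA-256 digest stands in for biometric matching; the class and method names and the IMEI placeholders are constructed.

```python
import hashlib
import hmac
import secrets

def _is_probable_prime(n, rounds=24):  # Miller-Rabin, for large odd n
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=1024, e=65537):  # returns (public (n, e), private (n, d))
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _pack(code, user_id):
    # 0x01 marker preserves the code's leading zero bytes; message must stay below n.
    return int.from_bytes(b"\x01" + code + user_id.encode(), "big")

def _unpack(m):
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    ok = len(raw) >= 17 and raw[0] == 1
    return (raw[1:17], raw[17:].decode(errors="replace")) if ok else (None, None)

class Terminal:
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self._store = {}  # user_id -> (template digest, private key); never uploaded

    def enroll(self, user_id, sample):
        public, private = generate_keypair()
        # A SHA-256 digest stands in for a real (fuzzy) biometric template.
        self._store[user_id] = (hashlib.sha256(sample).digest(), private)
        return public  # only the public key goes to the server

    def respond(self, user_id, code, sample):
        template, (n, d) = self._store[user_id]
        if not hmac.compare_digest(template, hashlib.sha256(sample).digest()):
            return None  # local mismatch: the private key is not used
        return pow(_pack(code, user_id), d, n)  # "encrypt with the user private key"

class Server:
    def __init__(self):
        self._binding, self._pubkey, self._pending = {}, {}, {}  # keyed by user_id

    def challenge(self, user_id):
        self._pending[user_id] = secrets.token_bytes(16)  # fresh random code
        return self._pending[user_id]

    def begin_registration(self, user_id, terminal_id):
        self._binding[user_id] = terminal_id
        return self.challenge(user_id)  # first random code

    def finish_registration(self, terminal_id, user_id, code, public_key):
        # Folds the page's two messages (IDs + first code, then public key) into one.
        expected = self._pending.pop(user_id, None)
        ok = (expected is not None and hmac.compare_digest(expected, code)
              and self._binding.get(user_id) == terminal_id)
        if ok:
            self._pubkey[user_id] = public_key
        return ok

    def authenticate(self, user_id, terminal_id, response):
        expected = self._pending.pop(user_id, None)  # each code is single use
        public_key = self._pubkey.get(user_id)
        if expected is None or public_key is None or response is None:
            return False
        n, e = public_key
        code, signed_user = _unpack(pow(response, e, n))  # "decrypt with the public key"
        return (code is not None and hmac.compare_digest(code, expected)
                and signed_user == user_id and self._binding.get(user_id) == terminal_id)

def run_demo():
    server, phone = Server(), Terminal("IMEI-PLACEHOLDER-A")  # constructed identifiers
    user, finger = "alice", b"constructed fingerprint sample"
    code1 = server.begin_registration(user, phone.terminal_id)
    out = {"registered": server.finish_registration(
        phone.terminal_id, user, code1, phone.enroll(user, finger))}
    resp = phone.respond(user, server.challenge(user), finger)
    out["genuine"] = server.authenticate(user, phone.terminal_id, resp)
    server.challenge(user)  # fresh code; the captured response is for the old one
    out["replayed_response"] = server.authenticate(user, phone.terminal_id, resp)
    out["wrong_finger_blocked"] = phone.respond(user, server.challenge(user), b"other") is None
    resp = phone.respond(user, server.challenge(user), finger)
    out["wrong_terminal"] = server.authenticate(user, "IMEI-PLACEHOLDER-B", resp)
    return out
```

`run_demo()` returns one boolean per scenario: the genuine login passes, while a response captured for an earlier random code, a non-matching biometric sample, and a terminal identifier not bound to the user are all rejected.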
Embodiment 3
Based on the same inventive concept, an embodiment of the present invention further provides a terminal. Because the principle by which these devices solve the problem is similar to that of the identity authentication method described above (terminal side), the implementation of these devices may refer to the implementation of the method, and repeated parts are not described again.
FIG. 3 is a first schematic structural diagram of the terminal in Embodiment 3 of the present invention. As shown in the figure, the terminal may include:
A first sending module 301, configured to send an identity authentication request to the server, where the identity authentication request includes a user identifier;
A first receiving module 302, configured to receive the second random code sent by the server;
A comparison module 303, configured to compare the received biometric information input by the user with the pre-stored biometric information corresponding to the user identifier;
An encryption module 304, configured to, if they match, encrypt the second random code with the pre-stored user private key corresponding to the user identifier;
A second sending module 305, configured to send the second random code encrypted with the user private key to the server.
FIG. 4 is a second schematic structural diagram of the terminal in Embodiment 3 of the present invention. As shown in the figure, the terminal may further include:
A second receiving module 306, configured to receive the first random code sent by the server before the identity authentication request is sent to the server;
A third sending module 307, configured to send the terminal identifier, the user identifier input by the user, and the first random code to the server;
A third receiving module 308, configured to receive the biometric information enrolled by the user after the verification pass message sent by the server is received;
A key processing module 309, configured to generate a public-private key pair for the user, establish the correspondence among the biometric information, the terminal identifier, the user private key, and the user identifier, and send the user public key and the user identifier to the server.
The terminal in this embodiment of the present invention may specifically be a mobile terminal such as a mobile phone, a pad, or a tablet computer. Such mobile terminals may have a touch screen or physical keys, and the present invention does not limit this.
In the terminal provided by this embodiment of the present invention, the first sending module sends the identity authentication request and the first receiving module receives the second random code sent by the server. After the second receiving module receives the biometric information input by the user, the comparison module only needs to compare that biometric information with the pre-stored biometric information corresponding to the user identifier, so verification of the biometric information is completed on the terminal side. The biometric information does not need to be sent to the server for verification, which avoids leakage of biometric information during upload, ensures the security of the biometric information, and reduces the amount of data transmitted.
In an implementation, the second sending module may specifically be configured to send the second random code encrypted with the user private key, the user identifier, and the terminal identifier to the server.
In an implementation, the biometric information may specifically be: a fingerprint, a palm print, an iris, a face, and/or a voice.
In a specific implementation, the biometric information may specifically be biometric information such as a fingerprint, a palm print, an iris, a face, or a voice. In this embodiment of the present invention, it may be collected with devices such as a palm print collector, an iris collection device, a face collection device, or a voice recording device. These devices may be built from existing components or may be developed and designed by a person skilled in the art according to actual needs; the present invention does not limit this.
FIG. 5 is a third schematic structural diagram of the terminal in Embodiment 3 of the present invention. As shown in the figure, the terminal may further include:
A connection establishing module 310, configured to establish, before the identity authentication request is sent to the server, a Transport Layer Security (TLS) mutual authentication connection with the server by using a pre-stored certificate generated by the server; communication with the server is specifically performed over the TLS mutual authentication connection.
In an implementation, the encryption module is specifically configured to, if the comparison matches, verify the pre-stored private key password against the password of the security device, obtain the user private key stored in the secure area after the verification succeeds, and encrypt the second random code with the user private key.
FIG. 6 is a fourth schematic structural diagram of the terminal in Embodiment 3 of the present invention. As shown in the figure, the terminal may further include:
A fourth receiving module 311, configured to receive, after the second random code is encrypted with the user private key, a random private key password sent by the server, and to change the password of the security device according to the random private key password.
Embodiment 4
Based on the same inventive concept, an embodiment of the present invention further provides a server. Because the principle by which these devices solve the problem is similar to that of the identity authentication method (network side), their implementation may refer to the implementation of the method, and repeated details are not described again.
FIG. 7 shows a first schematic structural diagram of the server in Embodiment 4 of the present invention. As shown in the figure, the server may include:
a first receiving unit 701, configured to receive an identity authentication request sent by a terminal, where the identity authentication request includes a user identifier;
a first sending unit 702, configured to send a second random code to the terminal;
a second receiving unit 703, configured to receive the second random code sent by the terminal after encryption with the user private key;
a decrypting unit 704, configured to decrypt the second random code encrypted with the user private key by using a pre-stored user public key corresponding to the user identifier;
a first authentication unit 705, configured to verify whether the decrypted second random code is consistent with the second random code that was sent; if they are consistent, identity authentication passes.
In a specific implementation, the server receives the identity authentication request sent by the terminal; the request may include a user identifier, a terminal identifier, and other information. The server provided by this embodiment may pre-store the correspondence among the user identifier, the user public key, and the terminal identifier. After receiving the second random code encrypted with the user private key from the terminal, the server decrypts it with the pre-stored user public key corresponding to the user identifier and verifies whether the decrypted second random code is consistent with the second random code it sent, which completes the identity authentication.
The server provided by this embodiment verifies the user identifier and decrypts the second random code with the user public key corresponding to that user identifier, which verifies the correspondence between the user public key and the user identifier. The terminal does not need to upload biometric information for verification, which ensures that the biometric information is not leaked, improves security, and reduces the amount of data transmitted.
FIG. 8 shows a second schematic structural diagram of the server in Embodiment 4 of the present invention. As shown in the figure, the server may further include:
a determining unit 706, configured to determine the correspondence between the terminal identifier and the user identifier before the identity authentication request sent by the terminal is received;
a second sending unit 707, configured to send a first random code to the terminal;
a second authentication unit 708, configured to perform verification after receiving the terminal identifier, the user identifier, and the first random code sent by the terminal, and to send a verification pass message to the terminal after the verification passes;
a relationship establishing unit 709, configured to receive the user identifier and the user public key sent by the terminal and to establish the correspondence among the user identifier, the user public key, and the terminal identifier.
In an implementation, the second receiving unit may specifically be configured to receive, from the terminal, the second random code and the user identifier encrypted with the user private key, as well as the terminal identifier;
the decrypting unit may specifically be configured to decrypt the second random code and the user identifier encrypted with the user private key by using the user public key corresponding to the terminal identifier;
the first authentication unit may specifically be configured to verify whether the decrypted second random code is consistent with the second random code that was sent, and to verify the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the second random code that was sent and the terminal identifier corresponds to the user identifier, identity authentication passes.
FIG. 9 shows a third schematic structural diagram of the server in Embodiment 4 of the present invention. As shown in the figure, the server may further include:
a connection establishing unit 710, configured to, before the identity authentication request sent by the terminal is received, establish a Transport Layer Security (TLS) mutual authentication connection with the terminal by using a pre-stored certificate; communication with the terminal is carried out over the TLS mutual authentication connection.
FIG. 10 shows a fourth schematic structural diagram of the server in Embodiment 4 of the present invention. As shown in the figure, the server may further include:
a third sending unit 711, configured to send a random private key password to the terminal after the second random code encrypted with the user private key is received from the terminal.
Now that the operating environment is clear, the terminal side and the network side may each be implemented as follows. The description covers the implementation of the terminal and of the network-side server separately, but this does not mean that the two must be implemented together. In fact, when the terminal and the server are implemented separately, each solves the problems of its own side; combining the two simply yields a better technical effect.
Embodiment 5
This embodiment of the present invention is described using the interaction between a mobile terminal and an identity authentication server as an example.
The identity authentication process may include two steps: first, registration of the mobile terminal user's identity information; second, fingerprint, iris, or face biometric recognition on the mobile terminal followed by secondary authentication at the identity authentication server.
FIG. 11 shows a schematic diagram of the user biometric information registration process in Embodiment 5 of the present invention. As shown in the figure, the user biometric information registration process may include the following steps:
Step 1101: The user applies to register an account;
The user registers the terminal device using the mobile terminal and enters the user account information, and the terminal sends a registration request to the server.
Step 1102: A user account is created for the mobile terminal user in the identity authentication server;
Step 1103: A one-to-one binding relationship between the user account and the mobile terminal identifier is established in the identity authentication server;
Step 1104: The identity authentication server sends a random code to the mobile terminal;
Step 1105: The user enters the random code issued by the identity authentication server on the mobile terminal, and it is sent to the identity authentication server for verification;
Step 1106: The identity authentication server verifies the user account, the mobile terminal identifier, and the random code; if the verification succeeds, step 1107 is performed;
Step 1107: The identity authentication server sends prompt information to the mobile terminal, prompting the user to enter biometric information;
Step 1108: The user enrolls biometric information such as a fingerprint, iris, or face on the mobile terminal;
Step 1109: The mobile terminal generates a public-private key pair:
the generated private key is stored in the secure area of the mobile terminal so that other devices cannot access or obtain it;
the generated public key and the user identification information (for example, the user account) are sent to the identity authentication server over a secure network;
Step 1110: The identity authentication server stores the user public key and the user identification information.
After user registration is complete, identity authentication is required the next time the user operates the mobile terminal.
FIG. 12 shows a schematic diagram of the user identity authentication process in Embodiment 5 of the present invention. As shown in the figure, the user identity authentication process may include the following steps:
Step 1201: The user starts the identity authentication service, and the mobile terminal sends an identity authentication request to the identity authentication server;
Step 1202: The identity authentication server generates a random code according to the current user information and sends the random code to the user;
Step 1203: Following the prompt on the mobile terminal, the user enters the biometric to be verified, such as a fingerprint, iris, or face, together with the random code issued by the identity authentication server;
Step 1204: The mobile terminal verifies the entered biometric, such as the fingerprint, iris, or face; after the verification succeeds, step 1205 is performed;
Step 1205: The user information and the random code are encrypted and signed with the private key stored in the mobile terminal, and the signed information is sent to the identity authentication server;
Step 1206: The identity authentication server decrypts and verifies the signature with the user public key stored on the identity authentication server side and verifies whether the random code is correct, completing the secondary verification of the user identity; if the verification succeeds, step 1207 is performed;
Step 1207: Other control systems are notified to allow the user to access and operate.
With the identity authentication method provided by this embodiment of the present invention, personal private information such as the user's face, fingerprint, or iris exists only inside the mobile terminal and is not sent to the identity authentication server. This ensures that the user's biometric information is not leaked and improves data security.
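The outcome of registration (steps 1108 to 1110) and the authentication exchange (steps 1201 to 1206), as an added Go example that is not code from the patent. An Ed25519 signature stands in for what the text calls encrypting with the private key and decrypting with the public key, string equality stands in for the biometric matcher, and the first-random-code check of steps 1104 to 1106 is left out. The type and function names, the length-prefixed message layout, and the rule that each random code is accepted only once are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// binding is what registration leaves on the server: no biometric data.
type binding struct {
	terminalID string
	pub        ed25519.PublicKey
}

// Server is a hypothetical stand-in for the identity authentication server.
type Server struct {
	bindings map[string]binding // user ID -> terminal ID and public key
	pending  map[string][]byte  // user ID -> random code awaiting a response
}

func NewServer() *Server {
	return &Server{bindings: map[string]binding{}, pending: map[string][]byte{}}
}

// Challenge issues the random code of step 1202 for a registered user.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.bindings[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.pending[userID] = code
	return code, nil
}

// signedMessage length-prefixes each field so that bytes cannot slide from
// one field into the next and still produce the same signed input.
func signedMessage(userID, terminalID string, code []byte) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(userID), []byte(terminalID), code} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b.Write(n[:])
		b.Write(f)
	}
	return b.Bytes()
}

// Verify is step 1206: check the user-terminal binding, then check the
// signature over the user ID, terminal ID and the code this server issued.
func (s *Server) Verify(userID, terminalID string, sig []byte) error {
	code, ok := s.pending[userID]
	if !ok {
		return errors.New("no outstanding random code")
	}
	delete(s.pending, userID) // one attempt per code (assumption of this example)
	bnd := s.bindings[userID]
	if bnd.terminalID != terminalID {
		return errors.New("terminal is not bound to this user")
	}
	if !ed25519.Verify(bnd.pub, signedMessage(userID, terminalID, code), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Terminal keeps the private key and the biometric template; neither leaves it.
type Terminal struct {
	userID, terminalID string
	template           string // placeholder for a stored biometric template
	priv               ed25519.PrivateKey
}

// Enroll covers steps 1108 to 1110: generate the key pair on the terminal and
// hand only the public key and identifiers to the server.
func Enroll(s *Server, userID, terminalID, template string) (*Terminal, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.bindings[userID] = binding{terminalID: terminalID, pub: pub}
	return &Terminal{userID, terminalID, template, priv}, nil
}

// Respond covers steps 1203 to 1205: the local biometric match gates any use
// of the private key.
func (t *Terminal) Respond(sample string, code []byte) ([]byte, error) {
	if sample != t.template { // a real matcher compares within an error threshold
		return nil, errors.New("biometric mismatch")
	}
	return ed25519.Sign(t.priv, signedMessage(t.userID, t.terminalID, code)), nil
}

func main() {
	s := NewServer()
	// Constructed values: account "A" and IMEI 123456 follow the page's payment example.
	phone, _ := Enroll(s, "A", "123456", "fingerprint-template")
	code, _ := s.Challenge("A")
	sig, _ := phone.Respond("fingerprint-template", code)
	fmt.Println("first response:", s.Verify("A", "123456", sig))
	fmt.Println("replayed response:", s.Verify("A", "123456", sig))
}
```

The second call to `Verify` fails because the code was consumed by the first, so a captured response cannot be replayed.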
Embodiment 6
The identity authentication scheme provided by embodiments of the present invention can be applied to a mobile payment scenario, which is used as the example below.
After user A downloads the mobile payment software on the mobile phone A-mobile, user A can tap Register in the software's interface and enter a user name, password, and other information. The phone A-mobile can send this information, together with the phone's own IMEI number, to the server.
Assume the IMEI number of the phone A-mobile is 123456. The server creates account A for user A, establishes the binding relationship between account A and 123456, and then issues a random code to the phone A-mobile.
The user enters the random code in the mobile payment software interface on the phone A-mobile, and the phone A-mobile sends account A and the random code to the server.
After the server verifies them successfully, it prompts user A to enroll a fingerprint on the phone. After the user enrolls the fingerprint, the phone can generate a public-private key pair for user A through an internal device, store the generated private key in the phone's secure area, and send the generated public key and account A to the server.
After receiving account A and A's public key, the server stores this one-to-one information in a designated area of the server.
This completes the user registration process. The phone side stores the correspondence among account A, the phone IMEI, user A's private key, and user A's fingerprint; the server side stores the correspondence among account A, the phone IMEI, and user A's public key.
FIG. 13 shows a schematic diagram of the identity authentication process in the mobile payment scenario of Embodiment 6 of the present invention. As shown in the figure, the identity authentication process may include:
When user A has made a purchase and needs to pay, user A can tap the identity authentication button to trigger the phone A-mobile to send an authentication request to the server, or the phone A-mobile can itself initiate the authentication request to the server when user A taps the payment button. The authentication request may include information such as the phone IMEI and user account A.
After receiving the authentication request sent by the phone A-mobile, the server can generate a random code and send it to the phone A-mobile.
After receiving the random code, the phone A-mobile can prompt user A to enter a fingerprint and the random code. After user A enters them, the phone verifies user A's fingerprint by determining whether the entered fingerprint matches the fingerprint stored in the phone A-mobile. If they match (in a specific implementation a threshold may be set, and an error below a certain value may be treated as a match), biometric verification is considered successful.
The phone A-mobile encrypts and signs account A and the random code with the pre-stored private key of user A and sends the result to the server.
When the server receives the encrypted and signed information, it can perform secondary verification of the user's identity: it decrypts the information and verifies the signature with the pre-stored public key of user A, verifies whether the decrypted random code is consistent with the random code the server sent earlier, verifies whether the terminal identifier corresponds to account A, and so on.
If the verification passes, the server can notify the payment system to carry out the payment operation.
This completes the mobile payment process.
Before the mobile payment, fingerprint verification is performed on the phone and terminal-user verification is performed on the server. The phone does not need to upload user A's fingerprint, which ensures the security of user A's private information.
Embodiment 7
The identity authentication scheme provided by embodiments of the present invention can be applied to a cloud robot scenario, which is used as the example below.
The cloud robot may include a robot body and a cloud-side robot; the cloud-side robot may specifically be a cloud server.
User B purchases the robot Joan. Assume the robot Joan is numbered JQR1. User B can submit a registration request; the cloud-side robot creates account b for user B, establishes a one-to-one binding relationship between account b and JQR1, and sends a random code to the robot Joan. After user B enters the random code on the robot Joan, the robot Joan sends account b, the number JQR1, and the random code together to the cloud-side robot.
The cloud-side robot verifies the correspondence between account b and the number JQR1 and verifies whether the random code is consistent with the random code sent earlier. If the verification passes, it notifies the robot Joan that verification has passed.
User B can record speech on the robot Joan, for example: "I am user B, I am your owner." The robot Joan can store this audio, or it can recognize the audio and extract voice features such as pitch and timbre.
The robot Joan generates a public-private key pair for user B, stores the private key inside the robot body, and sends account b, the number JQR1, and the public key to the cloud-side robot.
The cloud-side robot stores the received account b, number JQR1, and public key as a one-to-one record.
This completes the robot registration process. The robot body stores the correspondence among account b, the number JQR1, B's private key, and B's voice features; the cloud-side robot stores the correspondence among account b, the number JQR1, and B's public key.
FIG. 14 shows a schematic diagram of the identity authentication process in the cloud robot scenario of Embodiment 7 of the present invention. As shown in the figure, the identity authentication process in the cloud robot scenario may include:
When user B needs the robot Joan to provide a service, for example, user B says "Please sweep the floor."
The robot Joan can send account b to the cloud-side robot. After the random code issued by the cloud-side robot is received, user B can enter the random code as prompted; in a specific implementation this may be by manual keyboard input, touch screen input, voice input, or the like.
The robot Joan performs speech recognition on user B's voice information ("Please sweep the floor"), extracts voice features, and compares them with the pre-stored voice features. If features such as pitch and timbre are consistent or within a certain error range, the user is considered to be user B.
At this point, the robot Joan can encrypt and sign the random code with the private key and send the signed random code and the user information to the cloud-side robot.
The cloud-side robot decrypts and verifies the signature with the pre-stored public key of user B, verifies the correspondence among account b, the number JQR1, and the public key, and verifies whether the random code is consistent with the random code issued earlier.
If the verification succeeds, the robot's sweeping control module can be notified that it may perform the sweeping operation, and the robot Joan can then clean the floor of the room.
This scheme avoids leakage of user B's voice information and ensures the security of user B's personal information.
Suppose user C comes to user B's home and gives the robot Joan a voice command, for example: "What is your owner's name?"
The robot Joan recognizes user C's voice information and compares it with the pre-stored voice features of user B. On finding that information such as pitch and timbre differs substantially (by more than the error range), it can determine that the user is not user B and refuse to provide the service.
With this scheme, biometric verification is completed locally on the robot. If verification fails, the result can be given directly and quickly, without sending the user's biometric information to the cloud-side robot. This ensures that the user's personal information is not transmitted or leaked, and it also improves verification efficiency.
Embodiment 8
The identity authentication scheme provided by embodiments of the present invention can be applied to an access control scenario, which is used as the example below.
Assume company D purchases an access control system (which may include an access control device and a network-side server) and installs the access control device at the company entrance. Each employee enrolls his or her face information through a registered account, and the access control device generates a public-private key pair for each employee. The access control device stores the employee number, the corresponding face information, the corresponding private key, and the access control device number; the network side of the access control system stores the employee number, the corresponding public key, and the access control device number.
FIG. 15 shows a schematic diagram of the identity authentication process of the access control system in Embodiment 8 of the present invention. As shown in the figure, the identity authentication process of the access control system may include:
When an employee enters or leaves the company, the identity authentication service is initiated.
The network side sends a random code to the access control device.
The employee enters the random code as prompted and faces the collection unit of the access control device. After obtaining the employee's face information, the access control device compares it with the pre-stored face information; if the comparison is consistent, the employee's number can be determined from the face information.
The random code is encrypted and signed with the employee's private key, and the random code, the employee number, and the access control device number are sent to the network side.
The network side determines the employee's public key from the employee number and decrypts the random code and verifies its signature.
If the decrypted random code is consistent with the random code issued earlier, identity verification is considered successful and the switch control module is notified. After receiving the verification pass notification, the switch control module unlocks the company's door.
The identity authentication scheme provided by embodiments of the present invention can also be applied to other scenarios such as smart homes, which are not described one by one here.
In the identity authentication scheme provided by embodiments of the present invention, the mobile terminal may pre-store the binding relationship among the user identifier, the biometric information, the user private key, and the terminal identifier, and the server side may pre-store the binding relationship among the user identifier, the user public key, and the terminal identifier. The authentication flow may include a first authentication of biometric information locally on the mobile terminal and a secondary authentication of device information on the server side, so that identity authentication is achieved while ensuring that the user's personal private information is not leaked.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when the present invention is implemented, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, and optical storage) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

Claims (22)

  1. An identity authentication method, characterized by comprising the following steps:
    sending an identity authentication request to a server, the identity authentication request including a user identifier;
    receiving a second random code sent by the server;
    comparing received biometric information entered by the user with pre-stored biometric information corresponding to the user identifier;
    if they are consistent, encrypting the second random code with a pre-stored user private key corresponding to the user identifier;
    sending the second random code encrypted with the user private key to the server.
  2. 如权利要求1所述的方法,其特征在于,在所述向服务器发送身份认证请求之前,进一步包括:The method of claim 1, wherein before the sending the identity authentication request to the server, the method further comprises:
    接收服务器发送的第一随机码;Receiving a first random code sent by the server;
    将终端标识、用户标识和第一随机码发送至所述服务器;Sending the terminal identifier, the user identifier, and the first random code to the server;
    在接收到服务器发送的验证通过消息后,接收用户录入的生物特征信息;Receiving biometric information entered by the user after receiving the verification pass message sent by the server;
    为所述用户生成公私钥对,建立所述生物特征信息、终端标识、用户私钥与用户标识之间的对应关系,并将用户公钥与所述用户标识发送至所述服务器。Generating a public-private key pair for the user, establishing a correspondence between the biometric information, the terminal identifier, the user private key, and the user identifier, and sending the user public key and the user identifier to the server.
  3. 如权利要求1所述的方法,其特征在于,所述将经过用户私钥加密后的第二随机码发送给所述服务器,具体为:将经过用户私钥加密后的第二随机码和所述用户标识、以及终端标识发送给所述服务器。The method according to claim 1, wherein the second random code encrypted by the user private key is sent to the server, specifically: a second random code and a content encrypted by the user private key. The user identifier and the terminal identifier are sent to the server.
  4. 如权利要求1所述的方法,其特征在于,在所述向服务器发送身份认证请求之前,进一步包括:利用预先存储的服务器生成的证书与所述服务器建立安全传输层协议TLS双向认证连接;与所述服务器的通信具体为利用所述TLS双向认证连接进行的。 The method according to claim 1, wherein before the sending the identity authentication request to the server, the method further comprises: establishing a secure transport layer protocol TLS two-way authentication connection with the server by using a pre-stored certificate generated by the server; The communication of the server is specifically performed by using the TLS two-way authentication connection.
  5. 如权利要求1所述的方法,其特征在于,所述利用预先存储的与所述用户标识对应的用户私钥对所述第二随机码进行加密,具体为:利用预先存储的私钥密码与安全装置的密码进行验证,验证成功后获取存储于安全区域的用户私钥,根据所述用户私钥对所述第二随机码进行加密。The method according to claim 1, wherein the encrypting the second random code by using a pre-stored user private key corresponding to the user identifier, specifically: using a pre-stored private key password and The password of the security device is verified. After the verification succeeds, the user private key stored in the security area is obtained, and the second random code is encrypted according to the user private key.
  6. 如权利要求6所述的方法,其特征在于,在所述根据用户私钥对所述第二随机码进行加密之后,进一步包括:接收服务器发送的随机私钥密码,根据所述随机私钥密码修改所述安全装置的密码。The method according to claim 6, wherein after the encrypting the second random code according to the user private key, the method further comprises: receiving a random private key password sent by the server, according to the random private key password Modify the password of the security device.
  7. An identity authentication method, characterized by comprising the following steps:
    receiving an identity authentication request sent by a terminal, the identity authentication request including a user identifier;
    sending a second random code to the terminal;
    receiving the second random code, encrypted with a user private key, sent by the terminal;
    decrypting the second random code encrypted with the user private key using a pre-stored user public key corresponding to the user identifier;
    verifying whether the decrypted second random code is consistent with the sent second random code, and if so, identity authentication passes.
  8. The method of claim 7, characterized in that, before receiving the identity authentication request sent by the terminal, the method further comprises:
    determining a correspondence between a terminal identifier and the user identifier;
    sending a first random code to the terminal;
    performing verification after receiving the terminal identifier, the user identifier and the first random code sent by the terminal, and sending a verification-passed message to the terminal after the verification passes;
    receiving the user identifier and the user public key sent by the terminal, and establishing a correspondence among the user identifier, the user public key and the terminal identifier.
  9. The method of claim 7, characterized in that receiving the second random code encrypted with the user private key sent by the terminal is specifically: receiving the second random code encrypted with the user private key and the user identifier, as well as the terminal identifier, sent by the terminal; decrypting the second random code encrypted with the user private key using the pre-stored user public key corresponding to the user identifier is specifically: decrypting the second random code encrypted with the user private key and the user identifier using the user public key corresponding to the terminal identifier; verifying whether the decrypted second random code is consistent with the sent second random code, and passing identity authentication if so, is specifically: verifying whether the decrypted second random code is consistent with the sent second random code, and verifying the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
  10. The method of claim 7, characterized in that, before receiving the identity authentication request sent by the terminal, the method further comprises: establishing a Transport Layer Security (TLS) mutual-authentication connection with the terminal using a pre-stored certificate; communication with the terminal is specifically carried out over the TLS mutual-authentication connection.
  11. The method of claim 7, characterized in that, after receiving the second random code encrypted with the user private key sent by the terminal, the method further comprises: sending a random private key password to the terminal.
  12. A terminal, characterized by comprising:
    a first sending module, configured to send an identity authentication request to a server, the identity authentication request including a user identifier;
    a first receiving module, configured to receive a second random code sent by the server;
    a comparison module, configured to compare biometric information received as user input with pre-stored biometric information corresponding to the user identifier;
    an encryption module, configured to, if they match, encrypt the second random code using a pre-stored user private key corresponding to the user identifier;
    a second sending module, configured to send the second random code encrypted with the user private key to the server.
  13. The terminal of claim 12, characterized by further comprising:
    a second receiving module, configured to receive a first random code sent by the server before the identity authentication request is sent to the server;
    a third sending module, configured to send a terminal identifier, the user identifier and the first random code to the server;
    a third receiving module, configured to receive biometric information entered by the user after a verification-passed message sent by the server is received;
    a key processing module, configured to generate a public-private key pair for the user, establish a correspondence among the biometric information, the terminal identifier, the user private key and the user identifier, and send the user public key and the user identifier to the server.
  14. The terminal of claim 12, characterized in that the second sending module is specifically configured to send the second random code encrypted with the user private key and the user identifier, as well as the terminal identifier, to the server.
  15. The terminal of claim 12, characterized by further comprising:
    a connection establishing module, configured to establish, before the identity authentication request is sent to the server, a Transport Layer Security (TLS) mutual-authentication connection with the server using a pre-stored certificate generated by the server; communication with the server is specifically carried out over the TLS mutual-authentication connection.
  16. The terminal of claim 12, characterized in that the encryption module is specifically configured to, if they match, verify a pre-stored private key password against the password of a security device, obtain the user private key stored in a secure area after the verification succeeds, and encrypt the second random code according to the user private key.
  17. The terminal of claim 16, characterized by further comprising:
    a fourth receiving module, configured to receive, after the second random code is encrypted according to the user private key, a random private key password sent by the server, and to modify the password of the security device according to the random private key password.
  18. A server, characterized by comprising:
    a first receiving unit, configured to receive an identity authentication request sent by a terminal, the identity authentication request including a user identifier;
    a first sending unit, configured to send a second random code to the terminal;
    a second receiving unit, configured to receive the second random code, encrypted with a user private key, sent by the terminal;
    a decryption unit, configured to decrypt the second random code encrypted with the user private key using a pre-stored user public key corresponding to the user identifier;
    a first authentication unit, configured to verify whether the decrypted second random code is consistent with the sent second random code, and if so, identity authentication passes.
  19. The server of claim 18, characterized by further comprising:
    a determining unit, configured to determine a correspondence between a terminal identifier and the user identifier before the identity authentication request sent by the terminal is received;
    a second sending unit, configured to send a first random code to the terminal;
    a second authentication unit, configured to perform verification after the terminal identifier, the user identifier and the first random code sent by the terminal are received, and to send a verification-passed message to the terminal after the verification passes;
    a relationship establishing unit, configured to receive the user identifier and the user public key sent by the terminal, and to establish a correspondence among the user identifier, the user public key and the terminal identifier.
  20. The server of claim 18, characterized in that the second receiving unit is specifically configured to receive the second random code encrypted with the user private key and the user identifier, as well as the terminal identifier, sent by the terminal; the decryption unit is specifically configured to decrypt the second random code encrypted with the user private key and the user identifier using the user public key corresponding to the terminal identifier; the first authentication unit is specifically configured to verify whether the decrypted second random code is consistent with the sent second random code, and to verify the correspondence between the user identifier and the terminal identifier; if the decrypted second random code is consistent with the sent second random code and the terminal identifier corresponds to the user identifier, identity authentication passes.
  21. The server of claim 18, characterized by further comprising:
    a connection establishing unit, configured to establish, before the identity authentication request sent by the terminal is received, a Transport Layer Security (TLS) mutual-authentication connection with the terminal using a pre-stored certificate; communication with the terminal is specifically carried out over the TLS mutual-authentication connection.
  22. The server of claim 18, characterized by further comprising:
    a third sending unit, configured to send a random private key password to the terminal after the second random code encrypted with the user private key sent by the terminal is received.
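
The challenge-response exchange of claims 1, 3, 7 and 9, as an added Go example that is not code from the patent: the claims' "encrypt with the user private key, decrypt with the user public key" step is implemented here as an Ed25519 signature over the second random code and both identifiers. All type and function names, the length-prefixed transcript, the single-use handling of the code and the plain string standing in for a biometric template are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps the registered pairs and the code outstanding for each user.
type Server struct {
	pubKeys   map[string]ed25519.PublicKey // user ID -> user public key
	terminals map[string]string            // user ID -> bound terminal ID
	pending   map[string][]byte            // user ID -> second random code
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]string{}, map[string][]byte{}}
}

// Register records the user ID / public key / terminal ID correspondence.
func (s *Server) Register(userID, terminalID string, pub ed25519.PublicKey) {
	s.pubKeys[userID], s.terminals[userID] = pub, terminalID
}

// Challenge answers an authentication request with a fresh second random code.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user identifier")
	}
	code := make([]byte, 32)
	if _, err := rand.Read(code); err != nil {
		return nil, err
	}
	s.pending[userID] = code
	return code, nil
}

// transcript length-prefixes each field so the signed bytes parse one way only.
func transcript(code []byte, userID, terminalID string) []byte {
	var out []byte
	for _, f := range [][]byte{code, []byte(userID), []byte(terminalID)} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Verify checks the response against the code that was sent and the registered
// user/terminal pair. The code is discarded on first use, which blocks replay.
func (s *Server) Verify(userID, terminalID string, sig []byte) bool {
	code, ok := s.pending[userID]
	if !ok {
		return false
	}
	delete(s.pending, userID)
	if s.terminals[userID] != terminalID {
		return false
	}
	return ed25519.Verify(s.pubKeys[userID], transcript(code, userID, terminalID), sig)
}

// Terminal holds the enrolled template and the user private key. A plain
// string stands in for the biometric template; real matching is fuzzy.
type Terminal struct {
	ID, UserID, template string
	priv                 ed25519.PrivateKey
}

// Enroll generates the key pair on the terminal; only the public key leaves it.
func Enroll(terminalID, userID, template string) (*Terminal, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{terminalID, userID, template, priv}, pub, nil
}

// Respond signs the challenge only when the presented sample matches.
func (t *Terminal) Respond(code []byte, sample string) ([]byte, error) {
	if sample != t.template {
		return nil, errors.New("biometric mismatch: private key not used")
	}
	return ed25519.Sign(t.priv, transcript(code, t.UserID, t.ID)), nil
}

func main() {
	srv := NewServer()
	term, pub, err := Enroll("terminal-01", "alice", "template-A") // constructed values
	if err != nil {
		panic(err)
	}
	srv.Register("alice", "terminal-01", pub)
	code, _ := srv.Challenge("alice")
	sig, _ := term.Respond(code, "template-A")
	fmt.Println("fresh response accepted:", srv.Verify("alice", "terminal-01", sig))
	fmt.Println("replayed response accepted:", srv.Verify("alice", "terminal-01", sig))
}
```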
PCT/CN2016/079397 2016-04-15 2016-04-15 Identity authentication method, terminal and server WO2017177435A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201680002936.5A CN107113315B (en) 2016-04-15 2016-04-15 Identity authentication method, terminal and server
PCT/CN2016/079397 WO2017177435A1 (en) 2016-04-15 2016-04-15 Identity authentication method, terminal and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/079397 WO2017177435A1 (en) 2016-04-15 2016-04-15 Identity authentication method, terminal and server

Publications (1)

Publication Number Publication Date
WO2017177435A1 true WO2017177435A1 (en) 2017-10-19

Family

ID=59676329

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/079397 WO2017177435A1 (en) 2016-04-15 2016-04-15 Identity authentication method, terminal and server

Country Status (2)

Country Link
CN (1) CN107113315B (en)
WO (1) WO2017177435A1 (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107743131A (en) * 2017-11-20 2018-02-27 张博 A kind of identity identifying method and device based on a variety of different types input composite sequence
CN107945350A (en) * 2017-12-21 2018-04-20 美的集团股份有限公司 Door lock communication system and method based on safety chip
CN109617675A (en) * 2018-11-15 2019-04-12 国网电动汽车服务有限公司 Both sides' identification authentication method and system between a kind of charge-discharge facility and user terminal
CN110062383A (en) * 2019-04-24 2019-07-26 中国联合网络通信集团有限公司 A kind of authentication method, terminal, certificate server, application server
CN110239483A (en) * 2019-05-07 2019-09-17 山东工商学院 Control method for vehicle, system and computer readable storage medium
CN111291358A (en) * 2020-03-07 2020-06-16 深圳市中天网景科技有限公司 Authority authentication method, system, equipment and medium
CN111556022A (en) * 2020-03-30 2020-08-18 中国平安财产保险股份有限公司 Method and device for registering account, computer equipment and storage medium
CN111698225A (en) * 2020-05-28 2020-09-22 国家电网有限公司 Application service authentication encryption method suitable for power dispatching control system
CN111741469A (en) * 2020-06-11 2020-10-02 上海闻泰电子科技有限公司 Information security verification method, device, equipment and storage medium
CN111881478A (en) * 2020-07-28 2020-11-03 唐向阳 Passage management system with mark eliminating function
CN111954211A (en) * 2020-09-07 2020-11-17 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN112383556A (en) * 2020-11-17 2021-02-19 珠海大横琴科技发展有限公司 Data processing method and device
CN112600886A (en) * 2020-12-04 2021-04-02 支付宝(杭州)信息技术有限公司 Privacy protection method, device and equipment with combination of end cloud and device
CN113205628A (en) * 2019-06-28 2021-08-03 飞天诚信科技股份有限公司 Intelligent door lock control method and system based on biological feature recognition
CN113297552A (en) * 2021-02-05 2021-08-24 中国银联股份有限公司 Verification method based on biological characteristic ID chain, verification system and user terminal
CN114374550A (en) * 2021-12-29 2022-04-19 南方电网海南数字电网研究院有限公司 Electric power measurement platform that possesses high security
CN114531409A (en) * 2022-01-21 2022-05-24 中标软件有限公司 Mail attachment transmission method, system, user side and server side
CN114745184A (en) * 2022-04-15 2022-07-12 商客通尚景科技江苏有限公司 Method and system for graphical encryption of numbers
CN114866251A (en) * 2022-04-25 2022-08-05 中国银联股份有限公司 Equipment interconnection security authentication system, method, device, server and medium
CN115102795A (en) * 2022-08-26 2022-09-23 北京盈泽世纪科技发展有限公司 Communication security verification method and system
CN115374419A (en) * 2022-10-26 2022-11-22 中航信移动科技有限公司 Data processing system for paperless identity verification
CN115620358A (en) * 2022-09-21 2023-01-17 联通数字科技有限公司 Express delivery detection method and device and computer readable storage medium
CN111881478B (en) * 2020-07-28 2024-04-26 唐向阳 Traffic management system with trace elimination function

Families Citing this family (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11770373B2 (en) * 2017-09-25 2023-09-26 Telefonaktiebolaget Lm Ericsson (Publ) Provisioning of vendor credentials
CN107528688B (en) * 2017-09-30 2020-04-21 矩阵元技术(深圳)有限公司 Block chain key keeping and recovering method and device based on encryption delegation technology
CN108156155B (en) * 2017-12-25 2021-01-15 资密科技有限公司 Wireless network-based biometric authentication system, mobile device and method
CN108269334A (en) * 2018-01-10 2018-07-10 北京小米移动软件有限公司 Method for unlocking, terminal device and smart lock
CN108667800B (en) * 2018-03-30 2020-08-28 北京明朝万达科技股份有限公司 Access authority authentication method and device
CN108924091A (en) * 2018-06-06 2018-11-30 深圳市血之缘医疗科技有限公司 Method for authenticating user identity and Related product
TW202006604A (en) * 2018-07-04 2020-02-01 永豐金融控股股份有限公司 System and method of financial services certification
CN109194624B (en) * 2018-08-09 2021-03-26 顾宏超 Method for authenticating use of engineering machinery equipment, equipment and storage medium thereof
CN109120616B (en) * 2018-08-16 2021-12-21 上海达梦数据库有限公司 Identity authentication method, identity authentication device, proxy server and storage medium
CN109448164A (en) * 2018-09-07 2019-03-08 甘肃农业大学 A kind of terminal, lock body, door-locking system and management method
CN109345665A (en) * 2018-09-18 2019-02-15 金邦达有限公司 A kind of separate type novel intelligent door-locking system and its working method
CN111147225A (en) * 2018-11-02 2020-05-12 中国科学院沈阳自动化研究所 Credible measurement and control network authentication method based on double secret values and chaotic encryption
CN109992680A (en) * 2018-12-13 2019-07-09 阿里巴巴集团控股有限公司 Information processing method, device, electronic equipment and computer readable storage medium
CN109614779A (en) * 2018-12-28 2019-04-12 北京航天数据股份有限公司 A kind of secure data operation method, device, equipment and medium
CN109795446A (en) * 2019-02-26 2019-05-24 叶春林 Prevent vehicle by infringement system
CN110084017A (en) * 2019-04-24 2019-08-02 上海互啊佑智能科技有限公司 A kind of ID authentication device, system, method, apparatus and storage medium
CN111917536A (en) * 2019-05-09 2020-11-10 北京车和家信息技术有限公司 Identity authentication key generation method, identity authentication method, device and system
CN110365661B (en) * 2019-06-28 2021-11-26 苏州浪潮智能科技有限公司 Network security authentication method and device
CN110211275A (en) * 2019-07-09 2019-09-06 四川米众网络科技股份有限公司 A kind of interconnection type access control mainboard and control method based on safety chip
CN110942566B (en) * 2019-11-27 2022-10-21 中国银行股份有限公司 Identity authentication method and related equipment
CN110971616B (en) * 2019-12-24 2022-04-01 广州市百果园信息技术有限公司 Connection establishing method based on secure transport layer protocol, client and server
CN113055157B (en) * 2019-12-27 2023-03-10 京东科技控股股份有限公司 Biological characteristic verification method and device, storage medium and electronic equipment
CN111176710B (en) * 2019-12-30 2023-10-03 宁波视睿迪光电有限公司 Operation method of terminal software management system and terminal software management system
CN110955677A (en) * 2019-12-31 2020-04-03 中国银行股份有限公司 Identity verification method, device and system
CN113536278B (en) * 2020-04-20 2023-10-13 深圳市江波龙电子股份有限公司 Authentication method of storage device, storage device and authentication terminal
CN111698204B (en) * 2020-04-28 2024-02-23 视联动力信息技术股份有限公司 Bidirectional identity authentication method and device
CN111526511B (en) * 2020-05-15 2023-09-19 南京康尼机电股份有限公司 Charging pile and charging vehicle identity verification method based on random code decoding
CN112037393A (en) * 2020-08-28 2020-12-04 日立楼宇技术(广州)有限公司 Access control authentication method and device, electronic equipment and storage medium
CN112333253A (en) * 2020-10-27 2021-02-05 国网重庆市电力公司电力科学研究院 Electric power thing networking security monitoring system at intelligent thing networking terminal
CN112784237A (en) * 2020-12-31 2021-05-11 罗克佳华(重庆)科技有限公司 Authentication processing method, authentication authorization method and related equipment of electronic document
CN113204785A (en) * 2021-04-29 2021-08-03 广州朗国电子科技有限公司 Shared electronic whiteboard encryption method, electronic equipment, storage medium and program product
CN113885502A (en) * 2021-10-09 2022-01-04 北京云迹科技有限公司 Robot control method, control device and computer medium
CN113992411A (en) * 2021-11-01 2022-01-28 令牌云(上海)科技有限公司 User identity authentication method and device based on trusted equipment
CN114157451B (en) * 2021-11-11 2022-06-07 广东石油化工学院 Internet of things equipment identity authentication method, device and system and storage medium
CN115332955A (en) * 2022-07-13 2022-11-11 华能(广东)能源开发有限公司汕头电厂 Anti-misoperation high-voltage switch cabinet and anti-misoperation method
CN115296890B (en) * 2022-08-02 2024-03-12 浙江浙科信息技术有限公司 Method and system for safely interacting data between terminal applications
CN116582281B (en) * 2023-07-10 2023-09-22 中国人民解放军国防科技大学 Safe face recognition method, system and equipment based on password technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050246763A1 (en) * 2004-03-25 2005-11-03 National University Of Ireland Secure digital content reproduction using biometrically derived hybrid encryption techniques
CN101848213A (en) * 2010-04-22 2010-09-29 西北工业大学 Configurable mutual authentication method based on biometrics and password
CN104363099A (en) * 2014-11-27 2015-02-18 南京泽本信息技术有限公司 Mobile phone security co-processing chip
CN104660412A (en) * 2014-10-22 2015-05-27 南京泽本信息技术有限公司 Password-less security authentication method and system for mobile equipment
CN105227537A (en) * 2014-06-16 2016-01-06 华为技术有限公司 Method for authenticating user identity, terminal and service end

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100561909C (en) * 2005-06-20 2009-11-18 中兴通讯股份有限公司 A kind of IP Multimedia System access security guard method based on TLS
SG139580A1 (en) * 2006-07-20 2008-02-29 Privylink Pte Ltd Method for generating cryptographic key from biometric data
CN100558035C (en) * 2006-08-03 2009-11-04 西安电子科技大学 A kind of mutual authentication method and system
CN201286105Y (en) * 2008-07-16 2009-08-05 上海方立数码科技有限公司 Identity authentication system combining fingerprint recognition with PKI system
CN102695170A (en) * 2011-03-25 2012-09-26 国民技术股份有限公司 Mobile platform possessing identity authentication function and identity authentication method
CN104660605B (en) * 2015-03-05 2018-03-23 北京安普诺信息技术有限公司 A kind of multiple-factor auth method and its system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050246763A1 (en) * 2004-03-25 2005-11-03 National University Of Ireland Secure digital content reproduction using biometrically derived hybrid encryption techniques
CN101848213A (en) * 2010-04-22 2010-09-29 西北工业大学 Configurable mutual authentication method based on biometrics and password
CN105227537A (en) * 2014-06-16 2016-01-06 华为技术有限公司 Method for authenticating user identity, terminal and service end
CN104660412A (en) * 2014-10-22 2015-05-27 南京泽本信息技术有限公司 Password-less security authentication method and system for mobile equipment
CN104363099A (en) * 2014-11-27 2015-02-18 南京泽本信息技术有限公司 Mobile phone security co-processing chip

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107743131A (en) * 2017-11-20 2018-02-27 张博 A kind of identity identifying method and device based on a variety of different types input composite sequence
CN107945350A (en) * 2017-12-21 2018-04-20 美的集团股份有限公司 Door lock communication system and method based on safety chip
CN109617675A (en) * 2018-11-15 2019-04-12 国网电动汽车服务有限公司 Both sides' identification authentication method and system between a kind of charge-discharge facility and user terminal
CN109617675B (en) * 2018-11-15 2024-02-06 国网电动汽车服务有限公司 Method and system for authenticating identifiers of both sides between charge and discharge facility and user terminal
CN110062383A (en) * 2019-04-24 2019-07-26 中国联合网络通信集团有限公司 A kind of authentication method, terminal, certificate server, application server
CN110239483A (en) * 2019-05-07 2019-09-17 山东工商学院 Control method for vehicle, system and computer readable storage medium
CN113205628A (en) * 2019-06-28 2021-08-03 飞天诚信科技股份有限公司 Intelligent door lock control method and system based on biological feature recognition
CN113205628B (en) * 2019-06-28 2023-06-13 飞天诚信科技股份有限公司 Intelligent door lock control method and system based on biological feature recognition
CN111291358A (en) * 2020-03-07 2020-06-16 深圳市中天网景科技有限公司 Authority authentication method, system, equipment and medium
CN111556022A (en) * 2020-03-30 2020-08-18 中国平安财产保险股份有限公司 Method and device for registering account, computer equipment and storage medium
CN111698225A (en) * 2020-05-28 2020-09-22 国家电网有限公司 Application service authentication encryption method suitable for power dispatching control system
CN111741469A (en) * 2020-06-11 2020-10-02 上海闻泰电子科技有限公司 Information security verification method, device, equipment and storage medium
CN111741469B (en) * 2020-06-11 2023-12-19 上海闻泰电子科技有限公司 Information security verification method, device, equipment and storage medium
CN111881478B (en) * 2020-07-28 2024-04-26 唐向阳 Traffic management system with trace elimination function
CN111881478A (en) * 2020-07-28 2020-11-03 唐向阳 Passage management system with mark eliminating function
CN111954211B (en) * 2020-09-07 2023-05-02 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN111954211A (en) * 2020-09-07 2020-11-17 北京计算机技术及应用研究所 Novel authentication key negotiation system of mobile terminal
CN112383556A (en) * 2020-11-17 2021-02-19 珠海大横琴科技发展有限公司 Data processing method and device
CN112600886A (en) * 2020-12-04 2021-04-02 支付宝(杭州)信息技术有限公司 Privacy protection method, device and equipment with combination of end cloud and device
CN113297552A (en) * 2021-02-05 2021-08-24 中国银联股份有限公司 Verification method based on biological characteristic ID chain, verification system and user terminal
CN113297552B (en) * 2021-02-05 2023-11-17 中国银联股份有限公司 Verification method based on biological characteristic ID chain, verification system and user terminal thereof
CN114374550A (en) * 2021-12-29 2022-04-19 南方电网海南数字电网研究院有限公司 Electric power measurement platform that possesses high security
CN114531409A (en) * 2022-01-21 2022-05-24 中标软件有限公司 Mail attachment transmission method, system, user side and server side
CN114745184A (en) * 2022-04-15 2022-07-12 商客通尚景科技江苏有限公司 Method and system for graphical encryption of numbers
CN114745184B (en) * 2022-04-15 2024-03-22 商客通尚景科技江苏有限公司 Number graphical encryption method and system
CN114866251B (en) * 2022-04-25 2023-07-07 中国银联股份有限公司 Equipment interconnection security authentication system, method, device, server and medium
CN114866251A (en) * 2022-04-25 2022-08-05 中国银联股份有限公司 Equipment interconnection security authentication system, method, device, server and medium
CN115102795B (en) * 2022-08-26 2022-11-18 北京盈泽世纪科技发展有限公司 Communication security verification method and system
CN115102795A (en) * 2022-08-26 2022-09-23 北京盈泽世纪科技发展有限公司 Communication security verification method and system
CN115620358A (en) * 2022-09-21 2023-01-17 联通数字科技有限公司 Express delivery detection method and device and computer readable storage medium
CN115620358B (en) * 2022-09-21 2024-02-09 联通数字科技有限公司 Express delivery detection method and device and computer readable storage medium
CN115374419A (en) * 2022-10-26 2022-11-22 中航信移动科技有限公司 Data processing system for paperless identity verification

Also Published As

Publication number Publication date
CN107113315B (en) 2020-11-13
CN107113315A (en) 2017-08-29

Similar Documents

Publication Publication Date Title
WO2017177435A1 (en) Identity authentication method, terminal and server
US11489673B2 (en) System and method for device registration and authentication
WO2018090183A1 (en) Identity authentication method, terminal device, authentication server and electronic device
KR101666374B1 (en) Method, apparatus and computer program for issuing user certificate and verifying user
US9654468B2 (en) System and method for secure remote biometric authentication
CN110334503B (en) Method for unlocking one device by using the other device
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
WO2017197974A1 (en) Biometric characteristic-based security authentication method, device and electronic equipment
CN112214745B (en) Authenticated external biometric reader and verification device
WO2017071496A1 (en) Method and device for realizing session identifier synchronization
US10621584B2 (en) Network of biometrically secure devices with enhanced privacy protection
CN109150535A (en) A kind of identity identifying method, equipment, computer readable storage medium and device
JP2018532301A (en) User authentication method and apparatus
WO2019109097A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
CN105847247A (en) Authentication system and working method thereof
US9619804B1 (en) Network of biometrically secure devices with enhanced privacy protection
EP2628133B1 (en) Authenticate a fingerprint image
JP2018205906A5 (en)
CN112543166B (en) Real name login method and device
US10742410B2 (en) Updating biometric template protection keys
WO2017028595A1 (en) Payment verification method, terminal, and server
CN109462572B (en) Multi-factor authentication method, system, storage medium and security gateway based on encryption card and UsbKey
US10574452B2 (en) Two-step central matching
TWI675579B (en) Network authentication system and method
TWM552152U (en) Transaction authorization system and push server

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16898253; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 16898253; Country of ref document: EP; Kind code of ref document: A1)