WO2017181691A1 - Secure communication method and device, system, and secure server - Google Patents


Info

Publication number
WO2017181691A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
template data
biometric template
communication information
information
Application number
PCT/CN2016/108763
Inventor
徐大昭
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration

Definitions

  • the present invention relates to the field of secure communications, and in particular to a secure communication method and apparatus, system and security server.
  • In the related art, secure communication between two terminals is implemented with conventional encryption technology.
  • The sender composes a message and can send it directly. After receiving the message, the receiver enters a traditional password to view it.
  • When the two terminals communicate, it is impossible to determine whether the sender is the user himself or herself.
  • A sender can forge a message by voice, text, etc., and send it to another communication terminal.
  • On the receiving side, the message of the sender can be viewed as long as the password is entered correctly, so there is no guarantee that it is viewed by the recipient himself or herself.
  • The embodiments of the present invention provide a secure communication method, apparatus, system, and security server, so as to solve at least the problem in the related art that, when terminals communicate, it cannot be determined whether the sender is operating in person.
  • A secure communication method, including: receiving communication information and first biometric template data sent by a first terminal, wherein the first biometric template data is biometric identification data collected by the first terminal, the communication information is information for the first terminal to communicate with the second terminal, and the first terminal and the second terminal are terminals with biometric functions; verifying the first biometric template data according to the biometric template data corresponding to the first terminal pre-stored in the database; and, in the case of successful verification, sending the communication information to the second terminal.
  • The method further includes: in the case that the verification is successful, querying, according to the communication information, the second biometric template data corresponding to the second terminal in the database; and sending the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • Verifying whether the second terminal has the right to view the communication information includes: the second terminal verifying, according to the second biometric template data, the biometric template data collected by the second terminal; wherein, in the case that the verification is successful, it is determined that the second terminal has the right; and/or, in the case that the verification is unsuccessful, it is determined that the second terminal does not have the right.
  • Before receiving the communication information and the biometric template data sent by the first terminal, the method further includes: encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
  • the biometrics include at least one of the following: a fingerprint feature, an eye mark feature, an iris feature, and a face feature.
  • A secure communication apparatus, including: a receiving module, configured to receive communication information and first biometric template data sent by a first terminal, wherein the first biometric template data is biometric identification data collected by the first terminal, the communication information is information for the first terminal to communicate with the second terminal, and the first terminal and the second terminal are terminals with biometric functions; a verification module, configured to verify the first biometric template data according to the biometric template data corresponding to the first terminal pre-stored in the database; and a sending module, configured to send the communication information to the second terminal if the verification is successful.
  • The device further includes: a query module, configured to query, in the case that the verification is successful, the second biometric template data corresponding to the second terminal in the database according to the communication information; and the sending module is further configured to send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • The device further includes: a storage module, configured to encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and save them in the database, and to encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and save them in the database.
  • the biometrics include at least one of the following: a fingerprint feature, an eye mark feature, an iris feature, and a face feature.
  • a security server including the apparatus described above.
  • A secure communication system, including the above-mentioned security server and a second terminal; wherein the second terminal is configured, in the case where the security server successfully verifies the first biometric template data, to verify the biometric template data collected by the second terminal according to the second biometric template data corresponding to the second terminal; where the verification succeeds, it is determined that the second terminal has the right to view the communication information; and/or, where the verification is unsuccessful, it is determined that the second terminal does not have the right.
  • a storage medium is also provided.
  • The storage medium is configured to store program code for performing the following steps: receiving communication information and first biometric template data sent by the first terminal, wherein the first biometric template data is biometric identification data collected by the first terminal, the communication information is information for the first terminal to communicate with the second terminal, and the first terminal and the second terminal are terminals with a biometric function; verifying the first biometric template data according to the biometric template data corresponding to the first terminal pre-stored in the database; and, in the case where the verification is successful, transmitting the communication information to the second terminal.
  • The storage medium is further configured to store program code for performing the following steps: in the case that the verification is successful, querying, in the database, the second biometric template data corresponding to the second terminal according to the communication information; and sending the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • The storage medium is further configured to store program code for performing the following steps: encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
  • The first biometric template data collected by the first terminal is verified against the biometric template data corresponding to the first terminal stored in the database in advance, and, in the case that the verification is successful, the communication information is sent to the second terminal. Since the first biometric template data is biometric identification data, verifying it verifies whether the sender of the communication information is the user himself or herself. This solves the problem in the related art that, when terminals communicate, it cannot be determined whether the sender is operating in person, and communication security is improved.
  • FIG. 1 is a block diagram showing the hardware structure of a computer terminal of a secure communication method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a network architecture according to an embodiment of the present invention.
  • FIG. 3 is a flowchart 1 of a secure communication method according to an embodiment of the present invention.
  • FIG. 4 is a second flowchart of a secure communication method according to an embodiment of the present invention.
  • FIG. 5 is a third flowchart of a secure communication method according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of terminal information registration according to a preferred embodiment of the present invention.
  • FIG. 7 is a flow chart showing communication between terminals according to a preferred embodiment of the present invention.
  • FIG. 8 is a structural block diagram 1 of a secure communication device according to an embodiment of the present invention.
  • FIG. 9 is a structural block diagram 2 of a secure communication device according to an embodiment of the present invention.
  • Figure 10 is a block diagram 3 of the structure of a secure communication device in accordance with an embodiment of the present invention.
  • FIG. 1 is a block diagram showing the hardware structure of a computer terminal of a secure communication method according to an embodiment of the present invention.
  • The computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a Microcontroller Unit (MCU) or a programmable logic device such as a Field Programmable Gate Array (FPGA)), a memory 104 for storing data, and a transmission device 106 for a communication function.
  • FIG. 1 is merely illustrative and does not limit the structure of the above electronic device.
  • computer terminal 10 may also include more or fewer components than those shown in FIG. 1, or have a different configuration than that shown in FIG.
  • The memory 104 can be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the secure communication method in the embodiment of the present invention. The processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, it implements the above method.
  • Memory 104 may include high speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • The memory 104 may further include memory remotely located relative to the processor 102, which may be coupled to the computer terminal 10 via a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
  • Transmission device 106 is for receiving or transmitting data via a network.
  • Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10.
  • the transmission device 106 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 106 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
  • FIG. 2 is a schematic diagram of a network architecture according to an embodiment of the present invention.
  • The network architecture includes: a first terminal 22, a security server 24, and a second terminal 26, wherein the first terminal 22 is a sender of communication information, the second terminal 26 is a receiver of communication information, and the first terminal 22 and the second terminal 26 communicate via the security server 24.
  • the security server shown in FIG. 2 may also be the computer terminal 10 shown in FIG. 1, and is not limited thereto.
  • FIG. 3 is a flowchart 1 of a secure communication method according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following steps:
  • Step S302: Receive communication information and first biometric template data sent by the first terminal, where the first biometric template data is biometric identification data collected by the first terminal, and the communication information is information for the first terminal to communicate with the second terminal; the first terminal and the second terminal are terminals with biometric functions;
  • Step S304: Verify the first biometric template data according to the biometric template data corresponding to the first terminal stored in the database in advance;
  • Step S306: If the verification is successful, send the communication information to the second terminal.
  • When the first terminal sends communication information to the second terminal, the first biometric template data collected by the first terminal is verified against the biometric template data corresponding to the first terminal stored in the database, and, in the case that the verification is successful, the communication information is sent to the second terminal. Because the first biometric template data is biometric identification data, verifying the first biometric template data verifies whether the sender of the communication information is the user himself or herself, thereby solving the correlation
  • the above biometrics may be fingerprint features, eye pattern features, iris features, face features, etc., but are not limited thereto.
  • The first biometric template data may be fingerprint template data corresponding to the fingerprint. Since these biometrics reflect the characteristics of the user, verifying the first biometric template data makes it possible to determine whether the communication information was sent by the user himself or herself, thereby avoiding the security defect of criminals forging information.
  • The verification in the above step S304 may be performed by comparing the biometric template data corresponding to the first terminal stored in the database in advance with the first biometric template data; where the two are consistent, the verification is considered successful. It should be noted that the two may be considered consistent if the amount of identical data exceeds a predetermined threshold, but this is not limited thereto. The predetermined threshold may be set according to the actual situation.
  • If the verification in step S304 is unsuccessful, the communication information is returned to the first terminal, indicating that the communication information is not a message sent by the first terminal itself.
  • the first terminal and the second terminal may implement a biometric function through a certain sensor.
  • the fingerprint recognition sensor may be used to identify the fingerprint, but is not limited thereto.
  • The foregoing communication information may be content information communicated between the first terminal and the second terminal, and the communication information may carry the identifiers of the first terminal and the second terminal, but is not limited thereto.
  • Receiving the communication information and the first biometric template data sent by the first terminal may be performed by receiving the communication information and the first biometric template data separately, or by receiving them together with the first biometric template data carried in the communication information, but is not limited thereto.
  • FIG. 4 is a flowchart of a secure communication method according to an embodiment of the present invention. As shown in FIG. 4, after the step S304, the method may further include:
  • Step S402: In the case that the verification is successful, query the second biometric template data corresponding to the second terminal in the database according to the communication information;
  • Step S404: Send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • Verifying whether the second terminal has the right to view the communication information may be performed as follows: the second terminal verifies, according to the second biometric template data, the biometric template data collected by the second terminal; wherein, in the case that the verification is successful, it is determined that the second terminal has the right; and/or, in the case that the verification is unsuccessful, it is determined that the second terminal does not have the right.
  • The second terminal verifies the biometric template data that it collects according to the received second biometric template data, and thereby determines whether the second terminal has the right to view the communication information. The second biometric template data reflects the identity information of the receiving party and can therefore establish whether the recipient is the person himself or herself; although the second terminal can receive the communication information, only that person can view it, which further ensures the security of the communication.
  • Step S404 may be performed before step S306, at the same time as step S306, or after step S306. It should be noted that, when step S404 is performed at the same time as step S306, the second biometric template data and the communication information may be sent to the second terminal at the same time; specifically, the second biometric template data may be carried in the communication information and sent to the second terminal, but this is not limited thereto.
  • FIG. 4 shows a schematic diagram of step S404 performed before step S306.
  • The method may further include: receiving the biometric template data collected by the second terminal and sent by the second terminal; verifying the biometric template data collected by the second terminal according to the second biometric template data corresponding to the second terminal pre-stored in the database; in the case that the verification is successful, sending to the second terminal an indication signal allowing the second terminal to view the communication information; and/or, in the case that the verification is unsuccessful, sending to the second terminal a prohibition signal prohibiting the second terminal from viewing the communication information.
  • the above method can also be used to verify whether the second terminal has the right to view the communication information.
  • FIG. 5 is a flowchart of a secure communication method according to an embodiment of the present invention. The method may further include step S502: the biometric template data corresponding to the first terminal and the registration information of the first terminal are encrypted and stored in the database, and the second biometric template data corresponding to the second terminal and the registration information of the second terminal are encrypted and stored in the database.
  • The biometric template data of the first terminal and the second terminal is encrypted and stored in the database, and the first terminal and the second terminal do not store the fingerprint template information locally. The control of the terminal is saved, and encrypting the biometric template data protects the database from attack, thereby increasing the security of the information.
  • The biometric template data stored in the database has been encrypted. To maintain consistency in the verification process, any of the following may be used, but the process is not limited thereto: the first terminal encrypts the collected biometric template data and sends it to the server, which directly matches the two encrypted biometric template data; or the first terminal sends the collected biometric template data directly to the server, which first decrypts the stored encrypted biometric template data and then matches the two; or the first terminal sends the collected biometric template data directly to the server, which encrypts it and then matches it against the stored encrypted biometric template data; or the first terminal encrypts the biometric template data and sends it to the server, which decrypts it, also decrypts the stored encrypted biometric template data, and then matches the two decrypted biometric template data. It should be noted that the verification process performed on the receiving side (second terminal) is similar and will not be described again.
  • The first terminal and the second terminal may be registered first. Taking registration of the first terminal with a fingerprint feature as the biometric as an example: the user opens the terminal program and first fills in the necessary account information; after the account information is completed, the first terminal collects the fingerprint of the user; after the fingerprint is collected, the registration information (account information) is uploaded to the server together with the fingerprint template information to complete the user registration process.
  • the execution entity of the foregoing step may be a security server, where the database is located in the security server, but is not limited thereto.
  • The preferred embodiment of the present invention can be operated in a system composed of two parts: terminals with biometric identification (fingerprint recognition, eye pattern recognition, iris recognition, face recognition, etc., taking fingerprint as an example), corresponding to the first terminal and the second terminal described above, and the security server. Biometric identification can be used for one-to-one (single call) and one-to-many (group call) communication between the communication record and the communication group to achieve secure communication (one-to-one communication is taken as the example hereinafter).
  • The biometric terminal is, for example, a mobile phone with fingerprint recognition (not limited to a mobile phone).
  • the security server is used to store fingerprint template data, to be responsible for forwarding data between terminals, and for authenticating the sender of the information.
  • the secure communication method of the preferred embodiment of the present invention may include the following steps:
  • Step 1: Fill in the account information and collect fingerprints. The account information is sent along with the fingerprint template data to the security server for registration.
  • Step 2: The user can communicate with other registered users through the terminal (either one-to-one or group communication).
  • Step 3: To send a message, the user places a finger on the fingerprint recognition sensor (a message can only be sent by way of the fingerprint sensor, which ensures that the server authenticates the user's fingerprint).
  • Step 4: The receiver must pass authentication through the fingerprint recognition sensor before viewing the information.
  • FIG. 6 is a schematic flowchart of terminal information registration according to a preferred embodiment of the present invention. As shown in FIG. 6, the registration process includes:
  • Step S601: The user opens the terminal program and first fills in the necessary account information.
  • Step S602: As the last step of completing the account information, the user's fingerprint is collected.
  • Step S603: After the fingerprint is collected, the user uploads the registration information together with the fingerprint template information to the server to complete the user registration process, and the server encrypts the fingerprint template data and the user registration information and stores them in the database (corresponding to step S502 in the above embodiment).
  • the fingerprint template data is not stored locally by the terminal.
  • FIG. 7 is a schematic flowchart of inter-terminal communication according to a preferred embodiment of the present invention. As shown in FIG. 7, the process includes:
  • Step S701: The program on the terminal Si (corresponding to the first terminal in the above embodiment) is opened in preparation for communicating with the terminal Ri (corresponding to the second terminal in the above embodiment), and Si enters the message (text, multimedia, etc.) to be transmitted (corresponding to the communication information in the above embodiment). Si then touches the fingerprint sensor, and the fingerprint template data of Si is collected and sent to the server S along with the message entered by Si.
  • The fingerprint sensor has two functions in this process. On the one hand, it collects the fingerprint template data of Si; on the other hand, it triggers transmission of Si's message, since the message can only be sent by pressing the fingerprint sensor.
  • Step S702: The server S receives the message of Si (corresponding to step S302 in the above embodiment), queries the fingerprint template data of Si from the database, and verifies it against the fingerprint template data sent by Si (corresponding to the first biometric template data in the above embodiment) (corresponding to step S304 in the above embodiment). If the verification fails, the message is returned, indicating that the message was not sent by Si himself. If the verification passes, the fingerprint template data of Ri (corresponding to the second biometric template data in the above embodiment) is queried according to the Ri information carried in Si's message (corresponding to step S402 in the above embodiment).
  • Step S703: The server S sends the information of Si (which at this point does not include the fingerprint template data of Si) and the fingerprint template data of Ri to Ri (corresponding to steps S306 and S404 in the above embodiment being performed simultaneously).
  • Step S704: After the terminal Ri receives the information of step S203, Ri places a finger on the fingerprint sensor, and the collected fingerprint is authenticated against the fingerprint template data of Ri carried in the message of step S703. After the authentication is passed, Ri can view the message sent by Si. Otherwise, the authentication fails and the person cannot view the data, thereby achieving secure communication.
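The S701 to S704 exchange above, with the S603 registration it relies on, as an added Python example that is not code from the patent or its applicant. The bit-level `similarity` measure, the 0.90 threshold, the HMAC-SHA256 `seal`/`unseal` routine standing in for the unspecified encryption, the account names, and every class and function name are assumptions; the server here uses the variant in which it decrypts the stored template and then matches.

```python
import hashlib
import hmac
import os

THRESHOLD = 0.90  # assumed value for the "predetermined threshold"


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC from stdlib parts; stands in for the unspecified cipher."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored template failed its integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def similarity(a, b):
    """Fraction of identical bits (assumed reading of 'same data')."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


def matches(stored, probe):
    return similarity(stored, probe) >= THRESHOLD


class SecurityServer:
    def __init__(self):
        self._key = os.urandom(32)   # storage key never leaves the server
        self._db = {}                # account -> sealed template

    def register(self, account, template):
        # S603 / S502: the template is stored encrypted, not in the clear.
        self._db[account] = seal(self._key, template)

    def _template(self, account):
        # Each seal() uses a fresh nonce, so ciphertexts cannot be compared
        # directly; this sketch uses the "decrypt, then match" variant.
        return unseal(self._key, self._db[account])

    def relay(self, sender, recipient, message, probe):
        if sender not in self._db or recipient not in self._db:
            return {"status": "rejected"}
        # S702 / S304: verify the sender's fresh scan against the stored template.
        if not matches(self._template(sender), probe):
            return {"status": "returned", "to": sender, "message": message}
        # S703 / S306 + S404: forward message plus Ri's template, never Si's.
        return {"status": "forwarded", "to": recipient, "message": message,
                "recipient_template": self._template(recipient)}


def view(delivery, fresh_scan):
    """S704 on terminal Ri: release the message only to a matching finger."""
    if delivery["status"] == "forwarded" and matches(
            delivery["recipient_template"], fresh_scan):
        return delivery["message"]
    return None


# Constructed sample templates (hash output, not real biometric data).
SI = hashlib.sha256(b"constructed template: Si").digest()
RI = hashlib.sha256(b"constructed template: Ri").digest()


def rescan(template, flips=8):
    """Constructed noisy re-scan: flip one bit in each of the first bytes."""
    return bytes(b ^ 1 if i < flips else b for i, b in enumerate(template))


def demo():
    server = SecurityServer()
    server.register("si", SI)
    server.register("ri", RI)
    genuine = server.relay("si", "ri", "hello", rescan(SI))
    forged = server.relay("si", "ri", "hello", rescan(RI))  # wrong finger
    return {"genuine": genuine["status"], "forged": forged["status"],
            "ri_reads": view(genuine, rescan(RI)),
            "other_reads": view(genuine, rescan(SI))}
```

Calling `demo()` runs one genuine send, one send with the wrong finger on Si's account, and two viewing attempts on terminal Ri.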
  • The method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • The technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and including a number of instructions for causing a terminal device (which may be a cell phone, a computer, a server, or a network device, etc.) to perform the methods described in various embodiments of the present invention.
  • A secure communication device is also provided, which is used to implement the above-mentioned embodiments and preferred embodiments; what has already been described is not repeated.
  • The term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 8 is a structural block diagram 1 of a secure communication apparatus according to an embodiment of the present invention. As shown in FIG. 8, the apparatus includes:
  • The receiving module 82 is configured to receive the communication information and the first biometric template data sent by the first terminal, where the first biometric template data is the biometric identification data collected by the first terminal; the communication information is information for the first terminal to communicate with the second terminal; the first terminal and the second terminal are terminals with biometric functions;
  • the verification module 84 is connected to the receiving module 82, and configured to verify the first bio-template data according to the bio-template data corresponding to the first terminal stored in the database;
  • the sending module 86 is connected to the verification module 84, and is configured to send the communication information to the second terminal if the verification is successful.
  • the first biometric template data collected by the first terminal is verified by the verification module 84 according to the biometric template data corresponding to the first terminal stored in the database. If the verification is successful, the sending module 86 The communication information is sent to the second terminal. Since the first biometric template data is biometric identification data, whether the sender of the communication information is verified by verifying the first biometric template data. Furthermore, the problem of whether the sender is an operation of the sender cannot be determined when the communication between the terminals in the related art is improved, and the security of the communication is improved.
  • The above biometric features may be fingerprint features, eye-print features, iris features, face features, etc., but are not limited thereto.
  • The first biometric template data may be fingerprint template data corresponding to a fingerprint. Since these biometric features reflect the characteristics of the user, verifying the first biometric template data makes it possible to determine whether the communication information was sent by the user himself or herself, avoiding the insecurity of communication caused by criminals forging information.
  • FIG. 9 is a block diagram showing the structure of a secure communication device according to an embodiment of the present invention. As shown in FIG. 9, the device includes, in addition to all the modules shown in FIG.
  • a query module 92, connected to the verification module 84 and configured to query the database, according to the communication information, for the second biometric template data corresponding to the second terminal;
  • the sending module 86 is further configured to send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • Verifying whether the second terminal has the right to view the communication information may be performed as follows: the second terminal verifies the biometric template data collected by the second terminal against the second biometric template data; if the verification is successful, it is determined that the second terminal has the right; and/or, if the verification is unsuccessful, it is determined that the second terminal does not have the right.
  • The sending module 86 sends the second biometric template data to the second terminal, so that the second terminal can verify the biometric template data it collects against the received second biometric template data and thereby determine whether the second terminal has the right to view the communication information. Since the second biometric template data reflects the identity of the recipient, it can be determined whether the recipient is the person himself or herself. As a result, when the second terminal receives the communication information, only the person himself or herself can view it, which further ensures the security of the communication.
  • The receiving module 82 is further configured to receive, from the second terminal, the biometric template data collected by the second terminal; the verification module 84 is further configured to verify the biometric template data collected by the second terminal against the second biometric template data corresponding to the second terminal pre-stored in the database.
  • The sending module 86 is further configured to send to the second terminal, if the verification is successful, an indication signal indicating that the second terminal can view the communication information, and/or, if the verification is unsuccessful, a prohibition signal instructing the second terminal to prohibit viewing of the communication information.
  • The device can also verify whether the second terminal has the right to view the communication information.
  • The process of verifying whether the second terminal has the right to view the communication information may be implemented in the second terminal, or may be implemented in the secure communication device of this embodiment.
  • FIG. 10 is a structural block diagram 3 of a secure communication device according to an embodiment of the present invention. As shown in FIG. 10, the device includes:
  • a storage module 1002, connected to the receiving module 82 and configured to encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and save them in the database, and to encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and save them in the database.
  • The storage module 1002 encrypts the biometric template data of the first terminal and the second terminal and stores it in the database, and the first terminal and the second terminal do not store the fingerprint template information locally.
  • the bio-template data is saved in the terminal, which saves the control of the terminal, and the database is encrypted by encrypting the bio-template data, thereby increasing the security of the information.
  • The foregoing apparatus may further include a registration module, connected to the storage module 1002 and configured to register the first terminal and the second terminal.
  • For the specific registration process, refer to the corresponding method embodiment.
  • The above device may be located in the security server, but is not limited thereto.
  • Each of the above modules may be implemented by software or hardware.
  • This may be implemented in, but is not limited to, the following manners: the foregoing modules are all located in the same processor; or the above modules are located, in any combination, in different processors.
  • A security server is further provided, including the device shown in any one of the foregoing FIG. 8 to FIG. 10. The security server may be the computer terminal shown in FIG. 1 in the foregoing Embodiment 1, but is not limited thereto.
  • A secure communication system including the security server in this embodiment and the second terminal, wherein the second terminal is configured to, if the security server successfully verifies the first biometric template data, verify the biometric template data collected by the second terminal against the second biometric template data corresponding to the second terminal obtained from the database; if the verification is successful, it is determined that the second terminal has the right; and/or, if the verification is unsuccessful, it is determined that the second terminal does not have the right.
  • Embodiments of the present invention also provide a storage medium.
  • The foregoing storage medium may be configured to store program code for performing the following steps:
  • The first biometric template data is biometric identification data collected by the first terminal;
  • the communication information is information communicated between the first terminal and the second terminal; and the first terminal and the second terminal are terminals with a biometric recognition function;
  • The storage medium is further configured to store program code for performing the following steps:
  • sending the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
  • The storage medium is further configured to store program code for performing the following steps:
  • encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database;
  • encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
  • The foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.


Abstract

The present invention provides a secure communication method and device, a system, and a secure server. The method comprises: receiving communication information and first biological template data sent by a first terminal, wherein the first biological template data is identification data having biological features acquired by the first terminal, the communication information is information for communication between the first terminal and a second terminal, and the first terminal and the second terminal are terminals having a biometric identification function; verifying the first biological template data according to biological template data corresponding to the first terminal pre-stored in a database; and sending the communication information to the second terminal when the verification is successful. The present invention solves the problem in the related art of being unable to determine whether an operation is performed by a sender during communication between terminals, thereby improving communication security.

Description

Secure communication method and device, system and security server
Technical field
The present invention relates to the field of secure communications, and in particular to a secure communication method and apparatus, a system, and a security server.
Background
Secure communication in the related art implements secure communication between two terminals through conventional encryption technology. The sender enters the information and sends the message directly. After receiving the message, the receiver can view it by entering a conventional password.
The secure communication methods in the related art mainly have the following defects:
1. When two terminals communicate, it cannot be determined that the sender is the person himself or herself. A sender can forge voice, text and other messages and send them to another communication terminal.
2. In conventional terminal communication, the receiving party can view the sender's message as long as the correct password is entered, so viewing cannot truly be restricted to the person himself or herself.
No effective solution has yet been proposed for the above technical problems in the related art.
Summary of the invention
Embodiments of the present invention provide a secure communication method and apparatus, a system, and a security server, to at least solve the problem in the related art that, during communication between terminals, it cannot be determined whether the sender is operating in person.
According to an embodiment of the present invention, a secure communication method is provided, including: receiving communication information and first biometric template data sent by a first terminal, where the first biometric template data is biometric identification data collected by the first terminal, the communication information is information communicated between the first terminal and a second terminal, and the first terminal and the second terminal are terminals with a biometric recognition function; verifying the first biometric template data against biometric template data corresponding to the first terminal pre-stored in a database; and, if the verification succeeds, sending the communication information to the second terminal.
In an embodiment of the present invention, after the first biometric template data is verified against the biometric template data corresponding to the first terminal pre-stored in the database, the method further includes: if the verification succeeds, querying the database, according to the communication information, for second biometric template data corresponding to the second terminal; and sending the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
In an embodiment of the present invention, verifying, after the second terminal receives the communication information, whether the second terminal has the right to view the communication information includes: the second terminal verifying the biometric template data collected by the second terminal against the second biometric template data; where, if the verification succeeds, it is determined that the second terminal has the right; and/or, if the verification fails, it is determined that the second terminal does not have the right.
In an embodiment of the present invention, before the communication information and the biometric template data sent by the first terminal are received, the method further includes: encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
In an embodiment of the present invention, the biometric feature includes at least one of the following: a fingerprint feature, an eye-print feature, an iris feature, and a face feature.
According to another embodiment of the present invention, a secure communication apparatus is provided, including: a receiving module, configured to receive communication information and first biometric template data sent by a first terminal, where the first biometric template data is biometric identification data collected by the first terminal, the communication information is information communicated between the first terminal and a second terminal, and the first terminal and the second terminal are terminals with a biometric recognition function; a verification module, configured to verify the first biometric template data against biometric template data corresponding to the first terminal pre-stored in a database; and a sending module, configured to send the communication information to the second terminal if the verification succeeds.
In an embodiment of the present invention, the apparatus further includes: a query module, configured to query the database, according to the communication information, for second biometric template data corresponding to the second terminal if the verification succeeds; the sending module is further configured to send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
In an embodiment of the present invention, the apparatus further includes: a storage module, configured to encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and save them in the database, and to encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and save them in the database.
In an embodiment of the present invention, the biometric feature includes at least one of the following: a fingerprint feature, an eye-print feature, an iris feature, and a face feature.
According to another embodiment of the present invention, a security server is provided, including the apparatus described above.
According to another embodiment of the present invention, a secure communication system is provided, including the above security server and a second terminal, where the second terminal is configured to, if the security server successfully verifies the first biometric template data, verify the biometric template data collected by the second terminal against the second biometric template data corresponding to the second terminal obtained from the database; where, if the verification succeeds, it is determined that the second terminal has the right to view the communication information; and/or, if the verification fails, it is determined that the second terminal does not have the right.
According to still another embodiment of the present invention, a storage medium is also provided. The storage medium is configured to store program code for performing the following steps: receiving communication information and first biometric template data sent by a first terminal, where the first biometric template data is biometric identification data collected by the first terminal, the communication information is information communicated between the first terminal and a second terminal, and the first terminal and the second terminal are terminals with a biometric recognition function; verifying the first biometric template data against biometric template data corresponding to the first terminal pre-stored in a database; and, if the verification succeeds, sending the communication information to the second terminal.
In an embodiment of the present invention, the storage medium is further configured to store program code for performing the following steps: if the verification succeeds, querying the database, according to the communication information, for second biometric template data corresponding to the second terminal; and sending the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the right to view the communication information.
In an embodiment of the present invention, the storage medium is further configured to store program code for performing the following steps: encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
With the present invention, when the first terminal sends communication information to the second terminal, the first biometric template data collected by the first terminal is verified against the biometric template data corresponding to the first terminal pre-stored in the database, and the communication information is sent to the second terminal if the verification succeeds. Because the first biometric template data is biometric identification data, verifying it verifies whether the sender of the communication information is the person himself or herself. This solves the problem in the related art that, during communication between terminals, it cannot be determined whether the sender is operating in person, and improves the security of communication.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the present invention and form a part of the present application. The exemplary embodiments of the present invention and their description are used to explain the present invention and do not unduly limit it. In the drawings:
FIG. 1 is a block diagram of the hardware structure of a computer terminal for a secure communication method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network architecture according to an embodiment of the present invention;
FIG. 3 is flowchart 1 of a secure communication method according to an embodiment of the present invention;
FIG. 4 is flowchart 2 of a secure communication method according to an embodiment of the present invention;
FIG. 5 is flowchart 3 of a secure communication method according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of terminal information registration according to a preferred embodiment of the present invention;
FIG. 7 is a schematic flowchart of communication between terminals according to a preferred embodiment of the present invention;
FIG. 8 is structural block diagram 1 of a secure communication device according to an embodiment of the present invention;
FIG. 9 is structural block diagram 2 of a secure communication device according to an embodiment of the present invention;
FIG. 10 is structural block diagram 3 of a secure communication device according to an embodiment of the present invention.
Detailed description
The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other where they do not conflict.
It should be noted that the terms "first", "second" and the like in the specification and claims of the present invention and in the above drawings are used to distinguish similar objects, and are not necessarily used to describe a particular order or sequence.
Embodiment 1
The method embodiment provided by Embodiment 1 of the present application can be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, FIG. 1 is a block diagram of the hardware structure of a computer terminal for a secure communication method according to an embodiment of the present invention. As shown in FIG. 1, the computer terminal 10 may include one or more (only one is shown in the figure) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor (Microcontroller Unit, MCU) or a programmable logic device (Field Programmable Gate Array, FPGA)), a memory 104 for storing data, and a transmission device 106 for communication functions. Those of ordinary skill in the art will understand that the structure shown in FIG. 1 is merely illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.
The memory 104 can be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the secure communication method in the embodiment of the present invention. The processor 102 executes various functional applications and data processing, that is, implements the above method, by running the software programs and modules stored in the memory 104. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the computer terminal 10 through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the above network may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the Internet wirelessly.
The embodiment of the present application can also run on the network architecture shown in FIG. 2. FIG. 2 is a schematic diagram of a network architecture according to an embodiment of the present invention. As shown in FIG. 2, the network architecture includes a first terminal 22, a security server 24 and a second terminal 26, where the first terminal 22 is the sender of the communication information, the second terminal 26 is the receiver of the communication information, and the first terminal 22 and the second terminal 26 communicate through the security server 24.
It should be noted that the above two scenarios can also be combined; for example, the security server shown in FIG. 2 may also be the computer terminal 10 shown in FIG. 1, without being limited thereto.
在本实施例中提供了一种运行于上述移动终端或网络架构的安全通信方法,图3是根据本发明实施例的安全通信方法的流程图一,如图3所示,该流程包括如下步骤:In this embodiment, a secure communication method running on the mobile terminal or the network architecture is provided. FIG. 3 is a flowchart 1 of a secure communication method according to an embodiment of the present invention. As shown in FIG. 3, the process includes the following steps. :
步骤S302,接收第一终端发送的通信信息和第一生物模板数据;其中,第一生物模板数据为第一终端采集的具有生物特征的身份识别数据;通信信息为第一终端与第二终端进行通信的信息;第一终端和第二终端为带有生物识别功能的终端;Step S302: Receive communication information and first biometric template data sent by the first terminal, where the first biometric template data is biometric identification data collected by the first terminal, and the communication information is performed by the first terminal and the second terminal. Communication information; the first terminal and the second terminal are terminals with biometric functions;
步骤S304,根据预先存储在数据库中的与第一终端对应的生物模板数据,对第一生物模板数据进行验证;Step S304, verifying the first bio-template data according to the bio-template data corresponding to the first terminal stored in the database in advance;
步骤S306,在验证成功的情况下,将通信信息发送给第二终端。Step S306, if the verification is successful, the communication information is sent to the second terminal.
Through the above steps, when the first terminal sends communication information to the second terminal, the first biometric template data collected by the first terminal is verified against the biometric template data corresponding to the first terminal that is stored in advance in the database, and if the verification succeeds the communication information is sent to the second terminal. Because the first biometric template data is identification data with biometric features, verifying it checks whether the sender of the communication information is the user in person. This solves the problem in the related art that, when terminals communicate, it cannot be determined whether the sender is operating the terminal in person, and it improves the security of communication.
It should be noted that the biometric feature may be a fingerprint feature, an eye-print feature, an iris feature, a face feature, and so on, but is not limited to these. Taking fingerprints as an example, the first biometric template data may be fingerprint template data corresponding to a fingerprint. Because these biometric features reflect characteristics of the user, verifying the first biometric template data determines whether the communication information was sent by the user in person, which avoids the insecurity caused by wrongdoers forging information.
It should be noted that the verification in step S304 may consist of comparing, item by item, the biometric template data corresponding to the first terminal that is stored in advance in the database with the first biometric template data, and treating the verification as successful if the two are consistent. The two may be considered consistent if, when compared, the amount of identical data exceeds a predetermined threshold, but this is not limiting. The predetermined threshold can be set according to the actual situation. The higher the threshold, the more accurate the verification result may be and the more secure the communication may be. However, a user's biometric feature (for example a fingerprint) may sometimes be worn to some degree, which may interfere with verification; if the threshold is set very high, a sample that actually comes from the user may be misjudged as coming from someone else, which disrupts normal communication. In practice, therefore, a reasonable predetermined threshold can be set according to actual needs to obtain a reliable verification result.
In one embodiment of the present invention, if the verification in step S304 does not succeed, the communication information is returned to the first terminal, indicating that the communication information is not a message sent by the first terminal's user in person.
It should be noted that the first terminal and the second terminal may implement the biometric recognition function through a sensor; for example, fingerprint recognition may be implemented with a fingerprint recognition sensor, but this is not limiting. The communication information may be the content that the first terminal and the second terminal communicate, and it may carry the identifiers of the first terminal and the second terminal, but this is not limiting.
In one embodiment of the present invention, receiving the communication information and the first biometric template data sent by the first terminal may mean receiving the communication information and the first biometric template data separately, or receiving them together with the first biometric template data carried in the communication information, but this is not limiting.
In one embodiment of the present invention, FIG. 4 is flowchart 2 of a secure communication method according to an embodiment of the present invention. As shown in FIG. 4, after step S304 the method may further include:
Step S402: if the verification succeeds, query the database, according to the communication information, for second biometric template data corresponding to the second terminal;
Step S404: send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has permission to view the communication information.
It should be noted that, after the second terminal receives the communication information, verifying whether the second terminal has permission to view the communication information may consist of the second terminal verifying the biometric template data that it collects against the second biometric template data; if the verification succeeds, the second terminal is determined to have the permission, and/or if the verification does not succeed, the second terminal is determined not to have the permission.
Because the second terminal verifies the biometric template data it collects against the received second biometric template data, it can be determined whether the second terminal has permission to view the communication information. Since the second biometric template data reflects the identity of the recipient, it can be determined whether the recipient is the intended person, so that when the second terminal receives the communication information only that person can view it, which further ensures the security of communication.
It should be noted that step S404 may be performed before step S306, at the same time as step S306, or after step S306. Performing step S404 at the same time as step S306 may mean sending the second biometric template data and the communication information to the second terminal together, specifically by carrying the second biometric template data in the communication information sent to the second terminal, but this is not limiting.
It should be noted that FIG. 4 shows the case in which step S404 is performed before step S306.
It should be noted that, after step S306, the method may further include: receiving, from the second terminal, biometric template data collected by the second terminal; verifying that data against the second biometric template data corresponding to the second terminal in the pre-stored database; if the verification succeeds, sending the second terminal an indication signal that allows the second terminal to view the communication information; and/or, if the verification does not succeed, sending the second terminal a prohibition signal that forbids the second terminal from viewing the communication information. This method can also verify whether the second terminal has permission to view the communication information.
In one embodiment of the present invention, FIG. 5 is flowchart 3 of a secure communication method according to an embodiment of the present invention. As shown in FIG. 5, before step S302 the method may further include step S502: encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and store them in the database, and encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and store them in the database.
The biometric template data of the first terminal and the second terminal is encrypted and stored in the database, and the first terminal and the second terminal do not store fingerprint template information locally. Compared with the prior art, in which biometric template data is stored locally on the terminal, this saves space on the terminal, and encrypting the biometric template data protects the database against attack, which increases the security of the information.
It should be noted that the biometric template data stored in the database has been encrypted. To keep the two sides consistent during verification, any of the following may be used, but this is not limiting: the first terminal applies the same encryption to the biometric template data it collects before sending it to the server, and the two encrypted templates are matched directly; the first terminal sends the collected biometric template data to the server as is, and the server decrypts the stored encrypted biometric template data before matching the two; the first terminal sends the collected biometric template data to the server as is, and the server encrypts it and then matches it against the stored encrypted biometric template data; or the first terminal encrypts the biometric template data before sending it, the server decrypts it and also decrypts the stored encrypted biometric template data, and the two decrypted templates are then matched. The verification performed on the receiving side (the second terminal) is similar and is not described again.
It should be noted that, before step S502, the first terminal and the second terminal may first be registered. Taking registration of the first terminal with a fingerprint as the biometric feature as an example: the user opens the terminal program and first fills in the necessary account information; after the account information is filled in, the first terminal collects the user's fingerprint; after the fingerprint is collected, the registration information (account information) is uploaded to the server together with the fingerprint template information, which completes the user registration process.
Optionally, the above steps may be performed by a secure server, and the database may be located in the secure server, but this is not limiting.
For a better understanding of the present invention, it is further explained below with reference to preferred embodiments.
The preferred embodiment of the present invention can run in the following system, which consists of two main parts: terminals with biometric recognition (fingerprint recognition, eye-print recognition, iris recognition, face recognition, and so on; fingerprints are used as the example below), corresponding to the first terminal and the second terminal above, and a secure server. The system can be used for biometric recognition in one-to-one (single call) and one-to-many (group call) communication among contacts and communication groups to achieve secure communication (one-to-one communication is used as the example below).
A terminal with biometric recognition is, for example, a mobile phone with fingerprint recognition (not limited to mobile phones). The secure server stores fingerprint template data, forwards communication data between terminals, and authenticates the identity of the sender of a message. The secure communication method of the preferred embodiment of the present invention may include the following steps:
Step 1: fill in the account information and collect a fingerprint. The account information, together with the fingerprint template data, is encrypted and sent to the secure server for registration.
Step 2: through the terminal, the user can contact other registered users (one to one, or by setting up group communication).
Step 3: before sending a message, the user must place a finger on the fingerprint recognition sensor (a message can be sent only by touching the fingerprint sensor, which ensures that the server authenticates your fingerprint).
Step 4: the recipient can view the message only after being authenticated through the fingerprint recognition sensor.
Specifically, this may include the following processes: registration of terminal information and communication between terminals. FIG. 6 is a schematic flowchart of terminal information registration according to a preferred embodiment of the present invention. As shown in FIG. 6, the registration process includes:
Step S601: the user opens the terminal program and first fills in the necessary account information.
Step S602: as the last step of filling in the account information, the user's fingerprint must be collected.
Step S603: after the fingerprint is collected, the registration information is uploaded to the server together with the fingerprint template information, which completes the user registration process; the server encrypts the fingerprint template data and the user registration information and saves them to the database (corresponding to step S502 in the above embodiment). The terminal does not store the fingerprint template data locally.
FIG. 7 is a schematic flowchart of communication between terminals according to a preferred embodiment of the present invention. As shown in FIG. 7, the process includes:
Step S701: the program on terminal Si (corresponding to the first terminal in the above embodiment) is opened in order to communicate with terminal Ri (corresponding to the second terminal in the above embodiment), and Si enters the message to be sent (text, multimedia, and so on; corresponding to the communication information in the above embodiment). The user then touches the fingerprint sensor, at which point Si's fingerprint template data is collected and sent to server S together with the message entered by Si. In this process the fingerprint sensor serves two purposes: first, it collects Si's fingerprint template data; second, it triggers the sending of Si's message, that is, a message can be sent only while the fingerprint sensor is pressed.
Step S702: server S receives Si's message (corresponding to step S302 in the above embodiment), queries the database for Si's fingerprint template data, and verifies it against the fingerprint template data sent by Si (corresponding to the first biometric template data in the above embodiment; this verification corresponds to step S304). If the verification fails, the message is sent back, indicating that it was not sent by Si in person. If the verification passes, server S queries Ri's fingerprint template data (corresponding to the second biometric template data in the above embodiment) according to the Ri information carried by Si (corresponding to step S402 in the above embodiment).
Step S703: server S sends Si's message (which at this point does not include Si's fingerprint template data) together with Ri's fingerprint template data to Ri (corresponding to the case in the above embodiment in which step S306 and step S404 are performed at the same time).
Step S704: after terminal Ri receives the information of step S203, Ri places a finger on the fingerprint sensor, and the fingerprint is authenticated against Ri's fingerprint template data carried in the message of step S703. After the authentication passes, Ri can view the message carried by Si. Otherwise the authentication fails, which means that someone other than the intended person cannot view the data, thereby achieving secure communication.
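The relay flow of steps S701 to S704, combined with the threshold comparison described for step S304, as an added Python example that is not part of the patent text. Assumptions: a template is modeled as a fixed-length bit string and "consistent" means the fraction of identical bits reaches the threshold; the names SecureServer, Terminal and Delivery and the sample templates are hypothetical and constructed; encryption at rest (step S502) and transport protection are left out.

```python
"""Added example (not from the patent): relay flow S701-S704 with a match threshold."""
from dataclasses import dataclass
from typing import Dict, Optional


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of identical bits between two templates (assumed matching rule)."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


def flip_bits(template: bytes, count: int) -> bytes:
    """Build a constructed sample that differs from `template` in exactly `count` bits."""
    out = bytearray(template)
    for i in range(count):
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


@dataclass
class Delivery:
    status: str                                # "forwarded" or "returned"
    to: str                                    # terminal that receives this packet
    message: bytes
    recipient_template: Optional[bytes] = None


class SecureServer:
    def __init__(self, threshold: float) -> None:
        self.threshold = threshold
        self._db: Dict[str, bytes] = {}        # S502 store; encryption at rest omitted

    def register(self, terminal_id: str, template: bytes) -> None:
        self._db[terminal_id] = template

    def handle_message(self, sender: str, recipient: str,
                       message: bytes, sample: bytes) -> Delivery:
        # S302/S304: compare the sample sent with the message to the enrolled template.
        enrolled = self._db.get(sender)
        if enrolled is None or similarity(enrolled, sample) < self.threshold:
            return Delivery("returned", sender, message)   # sent back to the sender
        # S402: look up the recipient's template from the recipient id in the message.
        recipient_template = self._db.get(recipient)
        if recipient_template is None:
            # Assumption: the page does not say what happens for an unknown recipient.
            return Delivery("returned", sender, message)
        # S306 + S404 sent together (S703); the sender's sample is not forwarded.
        return Delivery("forwarded", recipient, message, recipient_template)


class Terminal:
    def __init__(self, terminal_id: str, threshold: float) -> None:
        self.terminal_id = terminal_id
        self.threshold = threshold

    def view(self, delivery: Delivery, fresh_sample: bytes) -> Optional[bytes]:
        """S704: release the message only if the fresh sample matches the template."""
        if delivery.status != "forwarded" or delivery.to != self.terminal_id:
            return None
        if delivery.recipient_template is None:
            return None
        if similarity(delivery.recipient_template, fresh_sample) < self.threshold:
            return None
        return delivery.message


# Constructed sample data (not real biometric templates).
SI_TEMPLATE = bytes(range(32))
RI_TEMPLATE = bytes(range(100, 132))
SI_WORN = flip_bits(SI_TEMPLATE, 20)     # same user, worn finger: similarity 0.921875
SI_OTHER = flip_bits(SI_TEMPLATE, 120)   # someone else at Si: similarity 0.53125
RI_FRESH = flip_bits(RI_TEMPLATE, 10)    # Ri in person: similarity 0.9609375
RI_OTHER = flip_bits(RI_TEMPLATE, 130)   # someone else at Ri: similarity 0.4921875


def build_server(threshold: float) -> SecureServer:
    server = SecureServer(threshold)
    server.register("Si", SI_TEMPLATE)
    server.register("Ri", RI_TEMPLATE)
    return server


if __name__ == "__main__":
    for threshold in (0.90, 0.97):
        server = build_server(threshold)
        ri = Terminal("Ri", threshold)
        for label, sample in (("worn genuine", SI_WORN), ("other person", SI_OTHER)):
            d = server.handle_message("Si", "Ri", b"hello", sample)
            print(threshold, label, d.status, ri.view(d, RI_FRESH), ri.view(d, RI_OTHER))
```

With the threshold at 0.97 the worn but genuine sample is returned to Si, which is the false rejection the description warns about; at 0.90 it is forwarded while the other person's sample is still rejected.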
From the description of the above implementations, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the part of the technical solution of the present invention that is essential, or that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention.
Embodiment 2
This embodiment also provides a secure communication device, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 8 is structural block diagram 1 of a secure communication device according to an embodiment of the present invention. As shown in FIG. 8, the device includes:
a receiving module 82, configured to receive communication information and first biometric template data sent by a first terminal, where the first biometric template data is identification data with biometric features collected by the first terminal; the communication information is information communicated between the first terminal and a second terminal; and the first terminal and the second terminal are terminals with a biometric recognition function;
a verification module 84, connected to the receiving module 82 and configured to verify the first biometric template data against the biometric template data corresponding to the first terminal that is stored in advance in a database;
a sending module 86, connected to the verification module 84 and configured to send the communication information to the second terminal if the verification succeeds.
With the above device, the verification module 84 verifies the first biometric template data collected by the first terminal against the biometric template data corresponding to the first terminal that is stored in advance in the database, and if the verification succeeds the sending module 86 sends the communication information to the second terminal. Because the first biometric template data is identification data with biometric features, verifying it checks whether the sender of the communication information is the user in person. This solves the problem in the related art that, when terminals communicate, it cannot be determined whether the sender is operating the terminal in person, and it improves the security of communication.
It should be noted that the biometric feature may be a fingerprint feature, an eye-print feature, an iris feature, a face feature, and so on, but is not limited to these. Taking fingerprints as an example, the first biometric template data may be fingerprint template data corresponding to a fingerprint. Because these biometric features reflect characteristics of the user, verifying the first biometric template data determines whether the communication information was sent by the user in person, which avoids the insecurity caused by wrongdoers forging information.
For the explanation of the verification performed by the verification module 84 and of the other terms (such as the communication information, the first terminal, and the second terminal), refer to the corresponding explanations in the method embodiment above; they are not repeated here.
FIG. 9 is structural block diagram 2 of a secure communication device according to an embodiment of the present invention. As shown in FIG. 9, in addition to all the modules shown in FIG. 8, the device further includes:
a query module 92, connected to the verification module 84 and configured, if the verification succeeds, to query the database, according to the communication information, for second biometric template data corresponding to the second terminal;
the sending module 86 is further configured to send the second biometric template data to the second terminal, where the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has permission to view the communication information.
It should be noted that, after the second terminal receives the communication information, verifying whether the second terminal has permission to view the communication information may consist of the second terminal verifying the biometric template data that it collects against the second biometric template data; if the verification succeeds, the second terminal is determined to have the permission, and/or if the verification does not succeed, the second terminal is determined not to have the permission.
Because the sending module 86 sends the second biometric template data to the second terminal, the second terminal can verify the biometric template data it collects against the received second biometric template data, and it can thus be determined whether the second terminal has permission to view the communication information. Since the second biometric template data reflects the identity of the recipient, it can be determined whether the recipient is the intended person, so that when the second terminal receives the communication information only that person can view it, which further ensures the security of communication.
It should be noted that the receiving module 82 is further configured to receive, from the second terminal, biometric template data collected by the second terminal; the verification module 84 is further configured to verify that data against the second biometric template data corresponding to the second terminal in the pre-stored database; and the sending module 86 is further configured, if the verification succeeds, to send the second terminal an indication signal that allows the second terminal to view the communication information, and/or, if the verification does not succeed, to send the second terminal a prohibition signal that forbids the second terminal from viewing the communication information. This device can also verify whether the second terminal has permission to view the communication information.
The process of verifying whether the second terminal has permission to view the communication information may be implemented in the second terminal, or in the secure communication device of this embodiment.
FIG. 10 is structural block diagram 3 of a secure communication device according to an embodiment of the present invention. As shown in FIG. 10, in addition to all the modules shown in FIG. 8, the device further includes:
a storage module 1002, connected to the receiving module 82 and configured to encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and store them in the database, and to encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and store them in the database.
The storage module 1002 encrypts the biometric template data of the first terminal and the second terminal and stores it in the database, and the first terminal and the second terminal do not store fingerprint template information locally. Compared with the prior art, in which biometric template data is stored locally on the terminal, this saves space on the terminal, and encrypting the biometric template data protects the database against attack, which increases the security of the information.
It should be noted that the device may further include a registration module, connected to the storage module 1002 and configured to register the first terminal and the second terminal. For the registration process, refer to the corresponding method embodiment; it is not repeated here.
It should be noted that the device may be located in a secure server, but is not limited to this.
It should be noted that each of the above modules may be implemented in software or hardware. For the latter, this may be done in the following ways, without limitation: the modules are all located in the same processor; or the modules are distributed across different processors in any combination.
Embodiment 3
This embodiment also provides a secure server that includes the device shown in any of FIG. 8 to FIG. 10. The secure server may be the computer terminal shown in FIG. 1 of Embodiment 1 above, but is not limited to this.
This embodiment also provides a secure communication system that includes the secure server of this embodiment and a second terminal. The second terminal is configured, when the secure server has successfully verified the first biometric template data, to verify the biometric template data collected by the second terminal against the second biometric template data corresponding to the second terminal obtained from the database; if the verification succeeds, the second terminal is determined to have the permission, and/or if the verification does not succeed, the second terminal is determined not to have the permission.
For the secure server and a detailed explanation of the terms, see Embodiment 2; they are not repeated here.
Embodiment 4
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1, receiving communication information and first biometric template data sent by a first terminal; wherein the first biometric template data is identity identification data with biometric features collected by the first terminal; the communication information is information communicated between the first terminal and a second terminal; and the first terminal and the second terminal are terminals with a biometric identification function;
S2, verifying the first biometric template data according to the biometric template data corresponding to the first terminal that is pre-stored in a database;
S3, in the case that the verification is successful, sending the communication information to the second terminal.
Optionally, the storage medium is further configured to store program code for performing the following steps:
S4, in the case that the verification is successful, querying the database, according to the communication information, for second biometric template data corresponding to the second terminal;
S5, sending the second biometric template data to the second terminal, wherein the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the permission to view the communication information.
Optionally, the storage medium is further configured to store program code for performing the following step:
S6, encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, and other media capable of storing program code.
Optionally, for specific examples in this embodiment, refer to the examples described in the foregoing embodiments and optional implementations; details are not repeated here.
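The following Python sketch is an added example, not code from the patent: it walks steps S1 to S5 with a security server that forwards a message only after the sender's sample matches the enrolled template, and a second terminal that releases the message only after a local match. The class and function names, the bit-agreement matcher and its 0.90 threshold are assumptions (the patent does not specify a matching algorithm), and the encryption at rest of S6 is left out.

```python
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.90  # assumed fraction of equal bits; the patent names no matcher

def matches(sample: bytes, enrolled: bytes) -> bool:
    """Toy matcher: accept when enough bits of two equal-length templates agree."""
    if len(sample) != len(enrolled) or not enrolled:
        return False
    differing = sum(bin(x ^ y).count("1") for x, y in zip(sample, enrolled))
    return 1.0 - differing / (8 * len(enrolled)) >= MATCH_THRESHOLD

@dataclass
class SecondTerminal:
    inbox: list = field(default_factory=list)

    def deliver(self, message: str, enrolled: bytes) -> None:
        self.inbox.append((message, enrolled))  # message plus template from S5

    def view(self, index: int, live_sample: bytes):
        """Release the message only if the locally captured sample matches."""
        message, enrolled = self.inbox[index]
        return message if matches(live_sample, enrolled) else None

class SecurityServer:
    def __init__(self):
        self.templates = {}  # terminal id -> enrolled template (S6 would encrypt these)
        self.terminals = {}  # terminal id -> reachable second terminal

    def register(self, terminal_id: str, template: bytes, terminal=None) -> None:
        self.templates[terminal_id] = template
        if terminal is not None:
            self.terminals[terminal_id] = terminal

    def relay(self, sender: str, sample: bytes, recipient: str, message: str) -> bool:
        enrolled = self.templates.get(sender)            # S1: request received
        target = self.terminals.get(recipient)
        if enrolled is None or target is None or recipient not in self.templates:
            return False                                 # unknown party: fail closed
        if not matches(sample, enrolled):                # S2: verify the sender
            return False                                 # nothing is forwarded
        target.deliver(message, self.templates[recipient])  # S3, S4, S5
        return True

def demo():
    # Constructed 32-byte templates; live samples differ by 3 bits of "sensor noise".
    alice, bob = bytes(range(32)), bytes(range(100, 132))
    noisy = lambda t: bytes([t[0] ^ 0x07]) + t[1:]
    server, phone_b = SecurityServer(), SecondTerminal()
    server.register("A", alice)
    server.register("B", bob, phone_b)
    sent = server.relay("A", noisy(alice), "B", "meet at 10")
    forged = server.relay("A", bob, "B", "forged")  # wrong template for terminal A
    return sent, forged, phone_b.view(0, noisy(bob)), phone_b.view(0, alice)
```

`demo()` returns the relay result for a genuine sender, the result for a mismatched sample, and what the second terminal shows for a matching and a non-matching local capture.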
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be performed in an order different from the one given here, or they can be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above is only the preferred embodiments of the present invention and is not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (11)

  1. A secure communication method, comprising:
    receiving communication information and first biometric template data sent by a first terminal; wherein the first biometric template data is identity identification data with biometric features collected by the first terminal; the communication information is information communicated between the first terminal and a second terminal; and the first terminal and the second terminal are terminals with a biometric identification function;
    verifying the first biometric template data according to the biometric template data corresponding to the first terminal that is pre-stored in a database;
    in the case that the verification is successful, sending the communication information to the second terminal.
  2. The method according to claim 1, wherein, after verifying the first biometric template data according to the biometric template data corresponding to the first terminal that is pre-stored in the database, the method further comprises:
    in the case that the verification is successful, querying the database, according to the communication information, for second biometric template data corresponding to the second terminal;
    sending the second biometric template data to the second terminal, wherein the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the permission to view the communication information.
  3. The method according to claim 2, wherein, after the second terminal receives the communication information, verifying whether the second terminal has the permission to view the communication information comprises:
    the second terminal verifying the biometric template data collected by the second terminal according to the second biometric template data; wherein, in the case that the verification is successful, it is determined that the second terminal has the permission; and/or, in the case that the verification is unsuccessful, it is determined that the second terminal does not have the permission.
  4. The method according to claim 1, wherein, before receiving the communication information and the biometric template data sent by the first terminal, the method further comprises:
    encrypting the biometric template data corresponding to the first terminal and the registration information of the first terminal and saving them in the database, and encrypting the second biometric template data corresponding to the second terminal and the registration information of the second terminal and saving them in the database.
  5. The method according to claim 1, wherein the biometric features comprise at least one of the following: fingerprint features, eye pattern features, iris features, and face features.
  6. A secure communication apparatus, comprising:
    a receiving module, configured to receive communication information and first biometric template data sent by a first terminal; wherein the first biometric template data is identity identification data with biometric features collected by the first terminal; the communication information is information communicated between the first terminal and a second terminal; and the first terminal and the second terminal are terminals with a biometric identification function;
    a verification module, configured to verify the first biometric template data according to the biometric template data corresponding to the first terminal that is pre-stored in a database;
    a sending module, configured to send the communication information to the second terminal in the case that the verification is successful.
  7. The apparatus according to claim 6, wherein the apparatus further comprises: a query module, configured to, in the case that the verification is successful, query the database, according to the communication information, for second biometric template data corresponding to the second terminal;
    the sending module is further configured to send the second biometric template data to the second terminal, wherein the second biometric template data is used, after the second terminal receives the communication information, to verify whether the second terminal has the permission to view the communication information.
  8. The apparatus according to claim 6, wherein the apparatus further comprises:
    a storage module, configured to encrypt the biometric template data corresponding to the first terminal and the registration information of the first terminal and save them in the database, and to encrypt the second biometric template data corresponding to the second terminal and the registration information of the second terminal and save them in the database.
  9. The apparatus according to claim 6, wherein the biometric features comprise at least one of the following: fingerprint features, eye pattern features, iris features, and face features.
  10. A security server, comprising: the apparatus according to any one of claims 6 to 9.
  11. A secure communication system, comprising the security server according to claim 10 and a second terminal; wherein the second terminal is configured to, in the case that the security server successfully verifies the first biometric template data, verify the biometric template data collected by the second terminal according to the second biometric template data corresponding to the second terminal obtained from the database; wherein, in the case that the verification is successful, it is determined that the second terminal has the permission to view the communication information; and/or, in the case that the verification is unsuccessful, it is determined that the second terminal does not have the permission.
PCT/CN2016/108763 2016-04-22 2016-12-07 Secure communication method and device, system, and secure server WO2017181691A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610255559.8 2016-04-22
CN201610255559.8A CN107306258A (en) 2016-04-22 2016-04-22 Safety communicating method and device, system and security server

Publications (1)

Publication Number Publication Date
WO2017181691A1 (en) 2017-10-26

Family

ID=60115717

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/108763 WO2017181691A1 (en) 2016-04-22 2016-12-07 Secure communication method and device, system, and secure server

Country Status (2)

Country Link
CN (1) CN107306258A (en)
WO (1) WO2017181691A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519284A (en) * 2019-08-30 2019-11-29 维沃移动通信有限公司 A kind of method for sending information, processing method, transmitting terminal and server

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664898A (en) * 2012-04-28 2012-09-12 鹤山世达光电科技有限公司 Fingerprint identification-based encrypted transmission method, fingerprint identification-based encrypted transmission device and fingerprint identification-based encrypted transmission system
CN102833244A (en) * 2012-08-21 2012-12-19 鹤山世达光电科技有限公司 Communication method for authentication by fingerprint information
CN102869009A (en) * 2012-09-28 2013-01-09 东莞宇龙通信科技有限公司 Communication encryption application method and communication system
CN103108293A (en) * 2013-01-24 2013-05-15 东莞宇龙通信科技有限公司 Information identifying method and system thereof
CN104579911A (en) * 2013-10-29 2015-04-29 上海斐讯数据通信技术有限公司 Information sending method and device

Also Published As

Publication number Publication date
CN107306258A (en) 2017-10-31

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16899271

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 16899271

Country of ref document: EP

Kind code of ref document: A1