WO2017197974A1 - Biometric characteristic-based security authentication method, device and electronic equipment - Google Patents
- Publication number
- WO2017197974A1 (PCT/CN2017/077512)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- public key
- authentication
- biometric
- certificate
- Prior art date
Classifications
- G06Q20/40145—Biometric identity checks
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
- G06Q20/3825—Use of electronic signatures
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- the present invention relates to the field of electronic communications, and in particular, to a biometric-based security authentication method, apparatus, and electronic device.
- the specific process of identity authentication, taking the existing fingerprint authentication technology as an example, is as follows: when the user needs to perform authentication, the client first collects the user's fingerprint through the fingerprint sensor, then extracts the fingerprint feature code and matches it against the fingerprint feature samples saved in the fingerprint database.
- the comparison process has two modes: one is to match locally on the device and then upload the comparison result to the server; the other is to upload the fingerprint feature to the server and perform the match on the server. Finally, if the match is successful, the authentication passes.
- because the existing fingerprint authentication technology does not define the security of the device's underlying implementation or of the transmission process, the matching result may be stolen or tampered with by an attacker such as third-party malware on the device, or stolen or tampered with by an attacker during transmission. Once the result is falsified, a transaction that should have been cancelled because authentication failed instead succeeds because authentication appears to have passed, so the user's account is exposed to a serious security risk.
- the embodiments of the present invention provide a biometric-based security authentication method, device, and electronic device, which are used to solve the problem of existing security risks in identity authentication.
- an embodiment of the present invention provides a biometric-based security authentication method, the method comprising: acquiring, by a terminal, a first biometric according to a received biometric authentication request; matching, by the terminal, the first biometric with a preset second biometric to generate a matching result; encrypting, by the terminal, the matching result by using a private key of the security certificate of the terminal to obtain first ciphertext data, where the security certificate uniquely corresponds to the terminal;
- the terminal sends the first ciphertext data and the public key certificate of the security certificate to the authentication end, where the authentication end is a server or the terminal.
- an embodiment of the present invention further provides a biometric-based security authentication apparatus, the apparatus comprising: a transceiver unit, configured to receive a biometric authentication request; a sensor, configured to acquire a first biometric; and a matching unit, configured to match the first biometric with a preset second biometric to generate a matching result;
- a signature unit, configured to encrypt the matching result by using a private key of the security certificate of the terminal to obtain first ciphertext data, where the security certificate uniquely corresponds to the terminal;
- the transceiver unit is further configured to send the first ciphertext data and the public key certificate of the security certificate to the authentication end, where the authentication end is a server or the terminal.
- an embodiment of the present invention provides an electronic device, including:
- at least one processor; and a memory, wherein
- the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the biometric-based security authentication method provided by any of the embodiments of the present application described above.
- an embodiment of the present invention provides a non-transitory computer readable storage medium, where the non-transitory computer readable storage medium stores computer instructions, where the computer instructions are used to cause the computer to execute any of the biometric-based security authentication methods described above.
- an embodiment of the present invention provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the biometric-based security authentication method of any of the above.
- the embodiment of the present invention obtains an authentication request for a biometric sent by a server, acquires a first authentication information set according to the authentication request, and matches the first authentication information set with a second authentication information set in the secure storage area.
- the first authentication information set includes at least the collected first biometric feature
- the second authentication information set includes at least a preset second biometric feature;
- the matching public key is used to encrypt the matching result
- the signed matching result is sent to the server, so that the server generates the authentication result according to the matching result after the verification. It can be seen that signing the matching result ensures that it is not stolen or tampered with by an attacker during transmission, so that the correct authentication result is obtained and the security of the user account is ensured.
- FIG. 1 is a schematic flowchart of a biometric-based security authentication method according to an embodiment of the present invention
- FIG. 2 is a schematic diagram of a security certificate distribution architecture according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of a biometric-based security authentication system according to an embodiment of the present invention.
- FIG. 4 is a schematic flowchart of a method for online security authentication based on biometrics according to an embodiment of the present invention
- FIG. 5 is a schematic flowchart of a method for offline security authentication based on biometrics according to an embodiment of the present invention
- FIG. 6 is a schematic diagram of a decryption process of an authentication end according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram of a method for opening and binding a biometric-based pattern authentication according to an embodiment of the present invention.
- FIG. 8 is a schematic diagram of a security authentication process for a fingerprint authentication alternative password based on biometrics according to an embodiment of the present invention.
- FIG. 9 is a schematic diagram of a biometric-based security authentication apparatus according to an embodiment of the present invention.
- FIG. 10 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present invention.
- the terminal involved in the present invention may include a handheld device having a biometric authentication function, an in-vehicle device, a wearable device, a computing device, or another processing device connected to a wireless modem, as well as various forms of user equipment (User Equipment, UE for short), mobile station (MS), terminal, terminal equipment, and the like.
- in the present invention these devices are referred to simply as a terminal.
- biometrics refer to features such as fingerprints, irises, faces, and voice prints.
- an embodiment of the present invention provides a schematic diagram of a biometric-based security authentication method.
- Step S101 The terminal acquires the first biometric according to the received biometric authentication request.
- Step S102 The terminal matches the first biometric with a preset second biometric to generate a matching result.
- Step S103 The terminal encrypts the matching result by using a private key of the security certificate of the terminal to obtain first ciphertext data, where the security certificate uniquely corresponds to the terminal.
- Step S104 The terminal sends the first ciphertext data and the public key certificate of the security certificate to the authentication end, where the authentication end is a server or the terminal.
- the biometric to be authenticated that is included in the biometric authentication request is a feature such as a fingerprint, an iris, a voiceprint, or a face. Therefore, when the terminal receives the authentication request, it sends the user a prompt for biometric collection, and after the user presents the biometric, the sensor collects the corresponding biometric.
- the sensor can be integrated inside the terminal, or can be connected as a separate module to the terminal. The following content is further discussed in the context of the sensor inside the terminal.
- the matching result is encrypted.
- the specific method is to digitally sign the matching result by using the security certificate of each terminal, where the security certificate of the terminal is distributed by the certificate system according to set rules.
- the certificate authority authorizes the fingerprint service certificate registration system (RA), and the RA issues a certificate to the terminal manufacturer.
- the terminal manufacturer is responsible for issuing and managing the terminal's public key certificate, and the RA is no longer involved in the issuance.
- the RA may replace the security certificate of the terminal for each terminal by means of a virtual manufacturer.
- the public key certificates that the terminal manufacturer issues to the terminal may be of the three types shown in the figure: a matching unit certificate, a signature unit certificate, and a sensor certificate.
- the signature unit certificate is required; its role is to sign the matching result sent to the authentication end so that the authenticity of the matching result can subsequently be verified. The matching unit certificate and the sensor certificate are optional; their main purpose is to establish the first secure channel and the second secure channel to ensure secure communication.
- other authentication methods that are not lower than the TLS2.0 security level can be adopted instead.
- when the terminal has the security certificate issued by the certificate system, the first secure channel and the second secure channel are pre-established by using the matching unit certificate and the sensor certificate; the terminal then sends the first biometric collected by the sensor to the matching unit of the terminal through the first secure channel;
- the matching unit matches the first biometric with the preset second biometric, generates a matching result, and sends the matching result to the signature unit of the terminal through the second secure channel, where the second biometric is stored in the matching unit;
- the signature unit uses a hash function to generate a digest of the matching result and then encrypts the digest using the security certificate of the terminal to obtain signature data, where the security certificate of the terminal is stored in the signature unit.
- the sensor is used for collecting biometrics; the matching unit is configured to match the collected biometrics with the pre-stored biometrics to generate a matching result; the signature unit is used for digitally signing the matching result, and the matching unit and the signature unit are integrated.
- the purpose of adding the secure channels is to ensure that biometrics such as fingerprints, and the matching result (success or failure), are transmitted within a secure channel, so that such sensitive data cannot be stolen or tampered with during transmission and communication security is ensured.
- the first secure channel and the second secure channel are established when the terminal is started, and the sensor and the matching unit complete one-way or two-way identity authentication and session key exchange by using a handshake protocol, thereby establishing the first secure channel;
- the matching unit and the signature unit complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
- the establishment protocol of the secure channel is composed of a handshake protocol and a record protocol.
- the handshake protocol is used to complete the two-way identity authentication and session key exchange between the matching unit and the signature unit, and also between the matching unit and the sensor.
- the record protocol is used to complete the encrypted transmission of application data.
- the establishment protocol of the secure channel complies with the requirements of the TLS 1.2 and above specifications, or adopts another authentication method whose security level is not lower than that of TLS 1.2.
- the purpose of this is to restrict the terminal to using the signature unit for fingerprint signature verification, to ensure the secure input and encrypted processing of sensitive information such as the user identification code (PIN), to support the sensor in encrypting and transmitting the collected fingerprint data, and to support binding the fingerprint template data to the terminal and storing it encrypted.
- a terminal with biometric authentication can securely store keys, prohibit direct external access to keys, prevent keys from being illegally injected, replaced, or used through effective security mechanisms, and ensure that the signature unit and matching unit used for security authentication are not illegally attacked.
- FIG. 3 exemplarily shows an authentication system corresponding to online authentication and offline authentication, wherein the system includes: a fingerprint sensor, a fingerprint matching unit, a fingerprint signature unit, a terminal transceiver unit, an application APP, an application server, and a certificate authority. Specifically:
- the fingerprint sensor is responsible for fingerprint collection, and encrypts and transmits the collected fingerprint template information to the fingerprint service;
- the fingerprint matching unit is responsible for basic application functions such as fingerprint template information encryption storage, fingerprint operation, fingerprint comparison, etc.;
- the fingerprint signature unit, as the device's basic security authentication service, is responsible for digitally signing key data such as the fingerprint comparison result;
- the terminal transceiver unit encapsulates the interface call related to the fingerprint authentication, and provides a unified interface for the upper layer application to call the underlying function;
- the application APP, such as a payment gateway page on a PC or an APP on a mobile terminal, mainly provides a user interaction interface, and invokes the fingerprint function of the device by calling the application interface of the fingerprint service.
- the application APP can perform offline verification on the signed first ciphertext data, and authenticate the legality of the transaction and the user identity;
- the application server, for example the payment application's background business system, is responsible for initiating and responding to payment requests, pre-stores sensitive data such as the user bank account, terminal identification and binding relationship, performs online verification on the signed first ciphertext data, and authenticates the legality of the transaction and the user identity.
- an embodiment of the present invention provides a security authentication method for the online authentication scenario.
- in the online authentication scenario, the terminal is networked and biometric authentication is performed through the background service system server; fingerprint authentication is taken as an example.
- the method is applicable to an online payment scenario, in which the Internet is accessed through the communication function of the terminal.
- the processing and interaction process of each unit in the system is as follows:
- Step S201 the terminal starts the initialization work, that is, establishes the first secure channel and the second secure channel: the second secure channel between the signature unit and the matching unit, and the first secure channel between the matching unit and the sensor;
- Step S202 when the user needs fingerprint authentication for the order transaction, the application corresponding to the transaction issues an authentication request;
- Step S203 the sensor collects fingerprint information, and returns the fingerprint information to the matching unit through the first secure channel;
- Step S204 the matching unit performs operations such as fingerprint comparison and fingerprint storage to obtain a result of fingerprint matching
- Step S205 The matching unit sends the result to the signature unit through the second secure channel, requests the signature unit to perform signature, and the signature unit signs the fingerprint matching result.
- Step S206 the signature unit sends the first ciphertext data to the application;
- Step S207 the application APP sends the first ciphertext data of the terminal to the background server of the application APP for verification;
- Step S208 The background server of the application APP verifies the first ciphertext data to confirm whether the matching result is trusted.
- Step S209 the background server of the application APP returns the authentication result to the application, and the application continues the subsequent transaction step according to the authentication result.
- identity authentication needs to be performed first: the user pre-stores the fingerprint template in the terminal and then operates the application APP. The "biometric type" is checked, and if it is "fingerprint authentication" the process continues; the "security level" is checked to verify whether the financial application requirement (level 2 or 3) is met, and if so the process continues; the "background business random factor" is checked to verify whether it is consistent with the stored one, and if so the process continues. If all the steps succeed, the authentication is passed, the card number, device, and fingerprint are bound and stored in the background, and the activation is successful.
- the embodiment of the present invention provides a security authentication method in an offline authentication scenario, where offline authentication means that, when the terminal is not in a network state, fingerprint authentication is performed through the terminal's own application program.
- the terminal interacts with the POS terminal through contactless near field communication, and the processing and interaction process of each unit is as follows:
- Steps S301 to S306 are the same as steps S201 to S206 of the online authentication, and are not described again.
- Step S307 the application directly verifies the first ciphertext data to confirm whether the matching result is trusted, and performs subsequent operations according to the matching result.
- the matching unit and the signature unit operate in a secure operating environment, which comprises a trusted execution environment (TEE) or a security chip, and the secure operating environment has security levels set to correspond to different transaction permissions.
- a higher security level means that the corresponding service range is large transactions;
- a lower security level means that the corresponding service range is small transactions.
- the terminal matches the first biometric with the preset second biometric to generate a matching result, and further includes:
- for example, a mobile phone terminal internally stores a plurality of fingerprints, of which only one has payment authority. In the software implementation, a set identifier is added to the fingerprint with payment authority, so that once fingerprint matching is complete it is further determined whether the fingerprint has payment authority, that is, whether the fingerprint carries the set identifier. If so, the following steps continue; otherwise, the user is prompted that there is no permission and the transaction is terminated. Alternatively, a mobile phone terminal internally stores multiple fingerprints of one user, each used for a different purpose: in the software implementation, corresponding permissions are set for the user's fingerprints, that is, an array is added in which each enumeration value represents the permissions of a different fingerprint.
- the private key of the security certificate of the terminal includes a private key of the terminal;
- the public key certificate of the security certificate of the terminal includes a public key certificate of the terminal and a public key certificate of the terminal manufacturer, where
- the public key certificate of the terminal is obtained by signing the public key of the terminal by using a private key of the terminal manufacturer, and the public key certificate of the terminal manufacturer is obtained by signing the public key of the terminal manufacturer by using a private key of the authentication platform.
- the server or application of the application APP verifies the public key certificate of the terminal using the public key verification technology, and verifies the first ciphertext data.
- the specific steps for the verification are as follows:
- Step 1: Retrieve the CA root public key: the background determines which CA root public key to use according to the authority key identifier in the vendor public key certificate;
- Step 2: Obtain the terminal manufacturer public key: the background uses the CA root public key to verify the terminal manufacturer public key certificate, and if the verification is correct, takes out the terminal manufacturer public key from the certificate;
- Step 3: Obtain the signature unit public key: the background uses the terminal manufacturer public key to verify the signature unit public key certificate, and if the verification is correct, takes out the signature unit public key from the certificate;
- Step 4: Verify the signed key data: the background uses the signature unit public key to verify the signed first ciphertext data;
- Step 5: If all the steps are successful, the signature verification is passed.
- the signature unit needs to digitally sign the fingerprint matching result provided by the matching unit, that is, it first uses a hash function to generate a digest of the key data, and then uses the private key of the signature unit to encrypt the digest to generate a digital signature; the matching unit sends the signed data to the background together with the public key certificate; the backend service platform (online authentication mode) or the application (offline authentication mode) uses public key technology to verify the legality of the signature data, thereby ensuring that the signed first ciphertext data was created by the signature unit on the terminal, that is, the signature unit cannot deny having created the message, and that the data has not been tampered with by a third party during transmission.
- the terminal sends the public key certificate of the security certificate to the authentication end; after receiving the device authentication sent by the authentication end, the terminal sends the first ciphertext data to the authentication end.
- after the sending of the first ciphertext data to the authentication end, the method includes:
- the authentication end parses the ciphertext data in the following manner:
- the authentication end obtains the public key of the terminal manufacturer according to the public key certificate of the terminal manufacturer and the public key of the pre-stored authentication platform;
- the authentication end obtains the public key of the terminal according to the public key of the terminal manufacturer and the public key certificate of the terminal;
- if the authentication end obtains the public key of the terminal, it determines that the device authentication of the terminal passes, and verifies the first ciphertext data by using the public key of the terminal to obtain the matching result.
- the authentication end obtains the public key P_MF of the terminal manufacturer according to the public key certificate of the terminal manufacturer and the public key of the pre-stored authentication platform by using a public key verification technology, and then obtains the public key P_D of the terminal according to the public key of the terminal manufacturer and the public key certificate of the terminal. When the public key of the terminal is obtained, the terminal can be regarded as a legal terminal, and the first ciphertext data is further decrypted with the public key of the terminal to obtain the matching result. If the matching is successful, the authentication end can continue with the transaction steps; otherwise the authentication end can prompt that the transaction has failed and terminate the transaction.
- the terminal encrypts the key information by using the private key of the security certificate of the terminal to obtain second ciphertext data; the terminal sends the second ciphertext data to the authentication end.
- the key information includes at least one of a terminal identifier and a bank card account.
- there is no strict execution order between the terminal encrypting the key information with the private key of the security certificate of the terminal and step S103, which encrypts the matching result to obtain the first ciphertext data. The two can be executed at the same time, that is, the matching result and the key information are encrypted together as a whole and the resulting ciphertext data is sent to the authentication end together; step S103 may also be performed first and the key information encrypted afterwards, or the key information may be encrypted first and step S103 performed afterwards. The specific execution sequence is determined according to actual needs.
- after the terminal sends the second ciphertext data to the authentication end, the method includes:
- the authentication end parses the ciphertext data in the following manner:
- the authentication end obtains the public key of the terminal manufacturer according to the public key certificate of the terminal manufacturer and the public key of the pre-stored authentication platform, and obtains the public key of the terminal according to the public key of the terminal manufacturer and the public key certificate of the terminal; if the authentication end obtains the public key of the terminal, it determines that the device authentication of the terminal passes;
- where the key information is the terminal identifier and the bank card account, the private key of the terminal security certificate encrypts the terminal identifier and the bank card account to obtain the second ciphertext data, which is then sent together with the first ciphertext data to the server of the application APP. After decrypting the first ciphertext data and the second ciphertext data, the application APP server further determines whether the decrypted second ciphertext data is consistent with the pre-stored terminal identifier and bank card account number; if they are found to be inconsistent, the transaction is determined to be illegal and is considered unsuccessful.
- the terminal's transactions are limited by the binding relationship between the terminal identifier and the bank account, because the binding relationship reflects the user's usual transactions. A transaction that comes from another terminal may mean that the user's sensitive information has leaked and that a criminal is illegally using the sensitive data to transact at other terminals, so transactions are further restricted by the binding relationship.
- the embodiment of the present invention still takes the fingerprint as an example, and elaborates the process through the interaction processes shown in FIG. 7 and FIG. 8.
- FIG. 7 illustrates the opening and binding process of the fingerprint authentication; the specific steps are as follows:
- Step S401: the application invokes the interface to obtain key information of the terminal, including: the terminal identifier, the user name, whether the terminal supports the fingerprint authentication function, whether the terminal has fingerprint enabled, whether a fingerprint has been entered on the terminal, and the security level of the terminal.
- Step S402: the application passes the acquired terminal key information to the server of the application.
- Step S403: the server of the application determines whether the opening conditions are met, including: the terminal supports the fingerprint service, the device meets the security level, the current card/user supports opening fingerprint payment, and the current card/user has not opened the fingerprint function on the terminal (that is, there is no corresponding binding relationship). If yes, proceed to the next step;
- Step S404: the server of the application initiates a boot request;
- Step S405: the application guides the user to open the fingerprint authentication. For example, after the user completes a transaction and the device is determined to meet the conditions for opening fingerprint authentication, the application may prompt the user to open fingerprint authentication on the transaction success page;
- Step S406: after the user chooses to open fingerprint payment and agrees to the agreement, if no fingerprint has been entered on the terminal, the user is prompted to go to the system settings to enter a fingerprint, or is taken directly to the system settings for entry; if a fingerprint has been entered, the application provides the user information/card number to the background (the card number can be obtained automatically from the currently completed transaction; otherwise the cardholder is required to input it);
- Step S407: the background generates a service random factor, such as a random number or a timestamp, and saves it in the database;
- Step S408: the background initiates a fingerprint authentication request, where the request includes the service random factor;
- Step S409: the application displays a fingerprint verification interface;
- Step S410: the application calls the fingerprint service interface to perform fingerprint input and verification, and the interface parameters include the service random factor;
- Step S411: the fingerprint service verifies the fingerprint input by the user, that is, whether it matches a fingerprint that has been entered on the terminal. If no fingerprint has been entered in the system, the flow can also jump to the system fingerprint entry interface, then return and verify after the entry succeeds (depending on whether the system provides this function and on user experience evaluation);
- Step S412: the fingerprint service returns key data such as the fingerprint verification result, together with the signature and certificate: if the verification fails, the application prompts the user to retry fingerprint verification or to cancel; if the verification is successful, the next step is continued;
- Step S413: the application sends the returned data and the user information/card number to the background;
- Step S414: the background verifies whether the signature data of the fingerprint verification result is correct. If the verification is successful, the data items are extracted and the identity legality is verified, including: whether the fingerprint verification result is successful, whether the biometric identification type is correct, whether the security level meets the requirements, whether the service random factor is consistent with the one stored in the background, and the like. If the verification and authentication are successful, proceed to the next step;
- Step S415: the background binds the user information/card number with the fingerprint ID, the user ID, and the terminal identifier, and stores them;
- Step S416: the user is prompted that fingerprint authentication has been opened and bound successfully.
- FIG. 8 shows a security authentication process in which fingerprint authentication replaces the password, and the specific steps are as follows:
- Step S501: the user operates the application, and initiates an order payment request in the application;
- Step S502: the application invokes the interface of the fingerprint service to obtain the key information of the terminal, including: the terminal identifier, the user ID, whether the terminal supports the fingerprint (that is, whether the device has a fingerprint sensor), whether the terminal has the fingerprint enabled, whether a fingerprint has been entered on the device, and the security level of the device.
- Step S503: the application passes the returned terminal key information to the application server.
- Step S504: the server of the application determines, according to the key information of the device, whether the conditions for using fingerprint authentication to perform the payment/login are satisfied, including: the device supports the fingerprint, has it enabled and has a fingerprint entered, the device meets the security level, the corresponding user/card number has fingerprint authentication opened on the device (that is, there is a corresponding binding relationship), the order amount meets the limit condition, and the like. If yes, go to the next step;
- Step S505: the server of the application generates a service random factor, such as a random number or a timestamp, and saves it in a database;
- Step S506: the server of the application initiates a fingerprint authentication request, where the request includes the service random factor;
- Step S507: the application displays a fingerprint verification interface;
- Step S508: the application calls the fingerprint service interface to perform fingerprint input and verification, and the interface parameters include the service random factor;
- Step S509: the fingerprint service verifies the fingerprint input by the user, that is, whether it matches a fingerprint that has been entered on the device;
- Step S510: the fingerprint service returns key data such as the fingerprint verification result, a signature, and a certificate: if the verification fails, the application asks the user whether to retry fingerprint verification, or abandons fingerprint verification and switches to the traditional payment/login method; if the verification is successful, continue to the next step;
- Step S511: the application sends the returned data and user information (such as a card number) to the background;
- Step S512: the server of the application verifies whether the signature data of the fingerprint verification result is correct. If the verification is successful, the data items are extracted and the identity and transaction legality are verified, including: whether the fingerprint verification result is successful, whether the biometric type is correct, whether the security level satisfies the current transaction amount, whether the service random factor is consistent with the one stored in the background, and whether the fingerprint ID, the user ID, the device ID, and the card number/user information are consistent with the binding relationship stored in the background. If the verification and authentication are successful, proceed to the next step;
- Step S513: after the authentication by the server of the application succeeds, the transaction is authorized to the application.
- Step S514: the application completes operations such as fingerprint payment or fingerprint login.
- the second embodiment of the present invention further provides a biometric-based security authentication device, which can execute the foregoing method embodiments.
- the apparatus provided by the embodiment of the present invention includes: a transceiver unit 401, a sensor 402, a matching unit 403, and a signature unit 404, where:
- the transceiver unit 401 is configured to receive a biometric authentication request.
- a sensor 402 configured to acquire a first biometric feature
- the matching unit 403 is configured to match the first biometric with the preset second biometric to generate a matching result
- the signing unit 404 is configured to encrypt the matching result by using a private key of the security certificate of the terminal to obtain first ciphertext data, where the security certificate uniquely corresponds to the terminal;
- the transceiver unit 401 is further configured to send the first ciphertext data and the public key certificate of the security certificate to the authentication end, where the authentication end is a server or the terminal.
- the sensor 402 is specifically configured to: send the collected first biometric feature to the matching unit 403 through the first secure channel;
- the matching unit 403 is specifically configured to: match the first biometric with the preset second biometric, generate a matching result, and send the matching result to the signature unit 404 through the second secure channel, where the second biometric is stored in the matching unit;
- the signature unit 404 is specifically configured to: first generate a digest of the matching result by using a hash function, and then encrypt the digest by using the security certificate of the terminal to obtain signature data, where the security certificate of the terminal is stored in the signature unit.
- the sensor 402 and the matching unit 403 perform one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the first secure channel;
- the matching unit 403 and the signature unit 404 complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
- the method further includes: the matching unit and the signature unit are operated in a secure operating environment, where the secure operating environment includes a trusted execution environment TEE or a security chip, and the secure operating environment is set to meet the security levels of different transaction permissions.
- the matching unit 403 is further configured to:
- the method further includes: the private key of the security certificate of the terminal includes a private key of the terminal, and a public key certificate of the security certificate of the terminal includes a public key certificate of the terminal, and a public key certificate of the terminal manufacturer.
- the public key certificate of the terminal is obtained by signing the public key of the terminal with the private key of the terminal manufacturer, and the public key certificate of the terminal manufacturer is obtained by signing the public key of the terminal manufacturer with the private key of the authentication platform.
- the transceiver unit 401 is specifically configured to: send, by the terminal, a public key certificate of the security certificate to the authentication end;
- after receiving the device authentication sent by the authentication end, the terminal sends the first ciphertext data to the authentication end;
- the terminal sends the public key certificate and the first ciphertext data of the security certificate to the authentication end, so that the authentication end authenticates whether the terminal is a legal terminal according to the public key certificate of the security certificate.
- the method further includes: an authentication end 405, configured to parse the ciphertext data in the following manner:
- if the authentication end obtains the public key of the terminal, it determines that the device authentication of the terminal passes, and verifies the first ciphertext data by using the public key of the terminal to obtain the matching result.
- the signature unit 404 is further configured to:
- the key information is digitally signed by using the private key of the security certificate of the terminal to obtain second ciphertext data; and the second ciphertext data is sent to the authentication end.
- the authentication end 405 is further configured to:
- the key information includes at least one of a terminal identifier and a bank card account.
- the embodiment of the present invention obtains an authentication request for a biometric sent by a server, acquires a first authentication information set according to the authentication request, and matches the first authentication information set with a second authentication information set in the secure storage area, where the first authentication information set includes at least the collected first biometric feature and the second authentication information set includes at least a preset second biometric feature; the second public key certificate is compared with the preset public key certificate.
- the key information is digitally signed, and the signature data is sent to the server or the terminal, so that the server or the terminal, after verification, generates the authentication result according to key information such as the decrypted matching result.
- protecting the matching comparison result with a digital signature under the public key certificate makes it possible to authenticate the legitimacy of the sender (terminal), ensure that the signed key information was created by the legal terminal, prevent the transaction from being repudiated, and ensure the integrity of the matching comparison result, so that it is not stolen or falsified by an attacker during transmission and the correct and legitimate authentication result is obtained, thereby ensuring the security of the user account.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- FIG. 10 is a hardware structure diagram of an electronic device 500 according to an embodiment of the present invention.
- the electronic device includes processors 510 and memory 520; one processor 510 is taken as an example in the figure.
- the electronic device that performs the biometric-based secure authentication method may further include: an input device 530 and an output device 540.
- the processor 510, the memory 520, the input device 530, and the output device 540 may be connected by a bus or other means; a bus connection is taken as an example in the figure.
- the memory 520 is a non-transitory computer readable storage medium, and can be used for storing a non-transitory software program, a non-transitory computer executable program, and a module, such as a program instruction/module having a biometric authentication method in the embodiment of the present invention.
- the processor 510 executes various functional applications and data processing of the server by running non-transitory software programs, instructions, and modules stored in the memory 520, that is, implementing the biometric-based secure authentication method in the foregoing method embodiments.
- the memory 520 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application required for at least one function; the storage data area may store data created by use of the processing device operated according to the list item, and the like.
- memory 520 can include high speed random access memory, and can also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device.
- memory 520 can optionally include memory remotely located relative to processor 510 that can be connected to the processing device of the list item operation over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
- Input device 530 can receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device.
- the output device 540 can include a display device such as a display screen.
- the one or more modules are stored in the memory 520, and when executed by the one or more processors 510, perform a biometric-based secure authentication method in any of the above method embodiments.
- the above product can perform the method provided by the embodiment of the present invention, and has the corresponding functional modules and beneficial effects of the execution method.
- the electronic device of the embodiment of the invention exists in various forms, including but not limited to:
- Mobile communication devices: these devices are characterized by mobile communication functions and are mainly aimed at providing voice and data communication.
- Such terminals include: smart phones (such as iPhone), multimedia phones, functional phones, and low-end phones.
- Ultra-mobile personal computer equipment: this type of equipment belongs to the category of personal computers, has computing and processing functions, and generally has mobile Internet access.
- Such terminals include: PDAs, MIDs, and UMPC devices, such as the iPad.
- Portable entertainment devices: these devices can display and play multimedia content. Such devices include: audio and video players (such as iPod), handheld game consoles, e-books, smart toys and portable car navigation devices.
- the server consists of a processor, a hard disk, a memory, a system bus, etc.
- the server is similar to a general-purpose computer in architecture, but because it needs to provide highly reliable services, it has higher requirements in terms of processing power, stability, reliability, security, scalability, and manageability.
- An embodiment of the present invention provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the biometric-based security authentication method.
- Embodiments of the present invention provide a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the biometric-based security authentication method.
- the device embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
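The authentication end's checks described above (verification Steps 1 to 5, then the service random factor and binding checks of Steps S414 and S512) can be sketched in Go as follows. This is an added example, not code from the patent: it assumes a simplified certificate format rather than X.509, uses Ed25519 signatures from the Go standard library in place of the hash-then-encrypt signature the description mentions, and all field names, identifiers and sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Cert is a simplified certificate (not X.509): issuer signs subject||0x00||key.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// Result is the key data the signature unit signs; field names are assumptions.
type Result struct {
	Matched    bool   `json:"matched"`
	TerminalID string `json:"terminal_id"`
	Nonce      string `json:"nonce"` // service random factor from the background
}

func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}
func issue(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, PubKey: pub, Sig: ed25519.Sign(issuer, tbs(subject, pub))}
}

// checkCert returns the certified key only if the issuer's signature verifies.
func checkCert(issuerPub ed25519.PublicKey, c Cert) (ed25519.PublicKey, error) {
	if len(c.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, tbs(c.Subject, c.PubKey), c.Sig) {
		return nil, errors.New("certificate for " + c.Subject + " not signed by expected issuer")
	}
	return c.PubKey, nil
}

// Authenticate runs the authentication end's checks in the order the text gives.
func Authenticate(root ed25519.PublicKey, mf, term Cert, payload, sig []byte, nonce, bound string) error {
	mfPub, err := checkCert(root, mf) // platform key -> manufacturer key
	if err != nil {
		return err
	}
	termPub, err := checkCert(mfPub, term) // manufacturer key -> terminal key
	if err != nil {
		return err
	}
	if !ed25519.Verify(termPub, payload, sig) { // terminal key -> signed result
		return errors.New("signature over match result invalid")
	}
	var r Result
	if err := json.Unmarshal(payload, &r); err != nil {
		return err
	}
	switch {
	case term.Subject != r.TerminalID:
		return errors.New("certificate does not belong to this terminal")
	case r.Nonce != nonce:
		return errors.New("service random factor mismatch")
	case r.TerminalID != bound:
		return errors.New("terminal not bound to this account")
	case !r.Matched:
		return errors.New("biometric match failed")
	}
	return nil
}

// Scenario builds constructed keys and data, applies one tamper case, returns the verdict.
func Scenario(tamper string) error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	mfPub, mfPriv, _ := ed25519.GenerateKey(rand.Reader)
	termPub, termPriv, _ := ed25519.GenerateKey(rand.Reader)
	mfCert := issue(rootPriv, "manufacturer", mfPub)
	termCert := issue(mfPriv, "terminal-001", termPub)
	res := Result{Matched: true, TerminalID: "terminal-001", Nonce: "n-1234"}
	switch tamper {
	case "rogue-manufacturer": // terminal cert issued by an uncertified key
		_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
		termCert = issue(roguePriv, "terminal-001", termPub)
	case "replay": // signed result carries an old random factor
		res.Nonce = "n-0001"
	case "no-match", "flip-result":
		res.Matched = false
	}
	payload, _ := json.Marshal(res)
	sig := ed25519.Sign(termPriv, payload)
	if tamper == "flip-result" { // result rewritten after signing
		payload = bytes.Replace(payload, []byte("false"), []byte("true"), 1)
	}
	return Authenticate(rootPub, mfCert, termCert, payload, sig, "n-1234", "terminal-001")
}

func main() {
	for _, c := range []string{"", "rogue-manufacturer", "replay", "no-match", "flip-result"} {
		fmt.Printf("%-20q -> %v\n", c, Scenario(c))
	}
}
```

The "flip-result" case is the failure the background section describes: a failed match rewritten to success after signing is rejected because the terminal's signature no longer covers the payload.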
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Strategic Management (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Finance (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- General Business, Economics & Management (AREA)
- General Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Collating Specific Patterns (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Disclosed in the present invention are a biometric characteristic-based security authentication method, device and electronic equipment, said method comprising: a terminal obtaining a first biometric characteristic according to a received biometric authentication request; the terminal matching said first biometric characteristic to a pre-set second biometric characteristic, generating a match result; the terminal using a private key of the security credentials of the terminal to encrypt the match result and obtain first ciphertext data, said security credentials uniquely corresponding to said terminal; the terminal sending to an authenticator the first ciphertext data and public key credentials of the security credentials, said authenticator being a server or the terminal. The present invention is used to solve the problem of security risks in current identity authentication.
Description
本申请要求在2016年5月20日提交中华人民共和国知识产权局、申请号为201610343447.8,发明名称为“一种基于生物特征的安全认证方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed on May 20, 2016, the Intellectual Property Office of the People's Republic of China, the application number is 201610343447.8, and the invention name is "a biometric-based security authentication method and device". This is incorporated herein by reference.
本发明涉及电子通讯领域,尤其涉及一种基于生物特征的安全认证方法、装置及电子设备。The present invention relates to the field of electronic communications, and in particular, to a biometric-based security authentication method, apparatus, and electronic device.
随着诸如智能手机、平板电脑、智能电视等智能终端的不断发展和利用,人们利用智能终端设备越来越多地进行交易、获取服务,然而其中不可避免地会涉及到身份认证的问题。比如,用户在进行网上交易的过程中,需要将用户的支付信息提交给服务器端以实现支付功能,再比如,用户在网上获取某种服务时,需要将用户账户信息提交给服务器端以实现登录和服务获取。With the continuous development and utilization of smart terminals such as smart phones, tablets, smart TVs, etc., people use smart terminal devices to conduct transactions and obtain services more and more, but inevitably involve the issue of identity authentication. For example, in the process of conducting an online transaction, the user needs to submit the payment information of the user to the server to implement the payment function. For example, when the user obtains a certain service on the Internet, the user account information needs to be submitted to the server to implement the login. And service acquisition.
关于身份认证的具体过程以现有的指纹认证技术举例来说:当用户需要进行认证时,首先客户端通过指纹传感器采集到用户指纹,然后提取指纹特征码,与指纹库中已保存的指纹特征识别样本进行特征匹配,该比对过程有两种模式:一种是在设备本地进行匹配,再将比对结果上传至服务器端;另一种是将指纹特征上传到服务器端,在服务器端进行匹配。最后如果匹配成功则认证通过。由于现有的指纹认证技术对于设备底层实现及传输过程的安全未做定义,所以就有可能导致匹配结果在设备上被第三方恶意软件等攻击者窃取或者篡改,或者在传输过程中被攻击者窃取或者篡改,一旦被篡改,假设一个本来认证失败应该被取消的交易,却因为认证通过导致交易成功,因此用户的账户安全就存在极大的安全隐患。
The specific process of identity authentication uses the existing fingerprint authentication technology as an example: when the user needs to perform authentication, the client first collects the user fingerprint through the fingerprint sensor, and then extracts the fingerprint feature code and the fingerprint feature saved in the fingerprint database. Identifying samples for feature matching. The comparison process has two modes: one is to match locally on the device, and then the comparison result is uploaded to the server; the other is to upload the fingerprint feature to the server and perform on the server. match. Finally, if the match is successful, the certificate passes. Because the existing fingerprint authentication technology does not define the security of the underlying implementation of the device and the transmission process, it may cause the matching result to be stolen or tampered by the attacker such as third-party malware on the device, or attacked by the attacker during the transmission process. Stealing or tampering, once falsified, a transaction that should have been cancelled due to the failure of the authentication, but the transaction succeeded because of the authentication, so the user's account security has great security risks.
考虑金融领域对于支付交易的高安全性要求,目前的身份认证技术仍存在较大的安全隐患,因此亟需一种改进之后的身份认证方法可以避免现有的安全漏洞。Considering the high security requirements of the financial field for payment transactions, the current identity authentication technology still has a large security risk. Therefore, an improved identity authentication method is needed to avoid existing security vulnerabilities.
发明内容Summary of the invention
本发明实施例提供一种基于生物特征的安全认证方法、装置及电子设备,用以解决现有身份认证存在安全隐患的问题。The embodiments of the present invention provide a biometric-based security authentication method, device, and electronic device, which are used to solve the problem of existing security risks in identity authentication.
In a first aspect, an embodiment of the present invention provides a biometric-based security authentication method, the method comprising: a terminal acquiring a first biometric feature according to a received biometric authentication request; the terminal matching the first biometric feature against a preset second biometric feature to generate a matching result; the terminal encrypting the matching result with the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal;
the terminal sending the first ciphertext data and the public key certificate of the security certificate to an authentication end, the authentication end being a server or the terminal.
In a second aspect, an embodiment of the present invention further provides a biometric-based security authentication apparatus, the apparatus comprising: a transceiver unit, configured to receive a biometric authentication request; a sensor, configured to acquire a first biometric feature; a matching unit, configured to match the first biometric feature against a preset second biometric feature to generate a matching result;
a signature unit, configured to encrypt the matching result with the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal;
the transceiver unit being further configured to send the first ciphertext data and the public key certificate of the security certificate to an authentication end, the authentication end being a server or the terminal.
In a third aspect, an embodiment of the present invention provides an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the biometric-based security authentication method provided by any of the above embodiments of the present application.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions, the computer instructions being used to cause the computer to perform the biometric-based security authentication method according to any one of the above.
In a fifth aspect, an embodiment of the present invention provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the biometric-based security authentication method according to any one of the above.
In the embodiments of the present invention, on the one hand, an authentication request concerning a biometric feature sent by the server is obtained; a first authentication information set is acquired according to the authentication request and matched against a second authentication information set in the secure storage area, where the first authentication information set includes at least the collected first biometric feature and the second authentication information set includes at least the preset second biometric feature. On the other hand, the matching result is encrypted using the preset public and private keys, and the signed matching result is sent to the server, so that the server generates an authentication result from the matching result after signature verification. Thus, by protecting the matching result with a signature, it can be ensured that the matching result is not stolen or tampered with by an attacker during transmission, so that a correct authentication result is obtained and the security of the user's account is ensured.
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a biometric-based security authentication method according to an embodiment of the present invention;
FIG. 2 shows a security certificate distribution architecture according to an embodiment of the present invention;
FIG. 3 shows a biometric-based security authentication system according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a biometric-based online security authentication method according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a biometric-based offline security authentication method according to an embodiment of the present invention;
FIG. 6 shows a decryption process at the authentication end according to an embodiment of the present invention;
FIG. 7 shows an activation and binding process for biometric-based fingerprint authentication according to an embodiment of the present invention;
FIG. 8 shows a security authentication process in which biometric-based fingerprint authentication replaces a password, according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a biometric-based security authentication apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terminal referred to in the present invention may include handheld devices, in-vehicle devices, wearable devices and computing devices with a biometric authentication function, or other processing devices connected to a wireless modem, as well as various forms of user equipment (User Equipment, UE), mobile stations (Mobile Station, MS), terminals, terminal equipment and so on. For convenience of description, these are referred to simply as the terminal in the present invention. Biometric features here means features such as fingerprints, irises, faces and voiceprints.
Embodiment 1
Referring to FIG. 1, an embodiment of the present invention provides a schematic flowchart of a biometric-based security authentication method. The method is implemented as follows:
Step S101: the terminal acquires a first biometric feature according to the received biometric authentication request.
Step S102: the terminal matches the first biometric feature against a preset second biometric feature to generate a matching result.
Step S103: the terminal encrypts the matching result with the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal.
Step S104: the terminal sends the first ciphertext data and the public key certificate of the security certificate to the authentication end, the authentication end being a server or the terminal.
The biometric feature to be authenticated that is named in the biometric authentication request is a feature such as a fingerprint, iris, voiceprint or face. After receiving the authentication request, the terminal therefore prompts the user to provide that biometric feature, and once the user presents it, the sensor collects the corresponding biometric feature. The sensor may be integrated inside the terminal or connected to the terminal through an interface as a separate module; the following discussion assumes the sensor is inside the terminal.
Because the matching result generated inside the terminal is at risk of being tampered with, the embodiment of the present invention encrypts the matching result; specifically, the matching result is digitally signed with each terminal's security certificate. The terminal's security certificate is distributed by a certificate system according to set rules. For example, as shown in FIG. 2, the certificate authority (CA) authorizes the fingerprint service certificate registration system (RA), and the RA issues certificates to terminal manufacturers. The terminal manufacturer is responsible for issuing and managing the terminals' public key certificates itself, and the RA no longer takes part in issuance. If the terminal manufacturer lacks certificate management capability, the RA may instead issue the terminal security certificate to each terminal, acting as a virtual manufacturer. In addition, the terminal public key certificates that the terminal manufacturer issues to a terminal may be of the three types shown in the figure: matching unit certificate, signature unit certificate and sensor certificate. The signature unit certificate is mandatory; its purpose is to allow the authenticity of the matching result to be verified subsequently and to sign the matching result before it is sent to the authentication end. The matching unit certificate and the sensor certificate are optional; they serve mainly to establish the first secure channel and the second secure channel and so guarantee secure communication, and may be replaced by other authentication methods of no less than the TLS2.0 security level.
When the terminal holds the security certificates issued by the certificate system, the first secure channel and the second secure channel are established in advance using the matching unit certificate and the sensor certificate. Further, the terminal sends the first biometric feature collected by the sensor to the matching unit of the terminal through the first secure channel;
the matching unit matches the first biometric feature against the preset second biometric feature to generate a matching result, and sends the matching result to the signature unit of the terminal through the second secure channel, the second biometric feature being stored in the matching unit;
the signature unit first uses a hash function to generate a digest of the matching result and then encrypts the digest using the terminal's security certificate to obtain signature data, the terminal's security certificate being stored in the signature unit.
Thus the sensor collects biometric features; the matching unit matches the collected biometric feature against the pre-stored biometric feature to generate a matching result; and the signature unit digitally signs the matching result. The matching unit and the signature unit are units integrated inside the terminal. The secure channels are added so that both biometric features such as fingerprints and the matching result, whether success or failure, travel only over secure channels, ensuring that such sensitive data is not stolen or tampered with in transit and that communication is secure.
The first secure channel and the second secure channel are established when the terminal starts up. The sensor and the matching unit complete one-way or mutual identity authentication and session key exchange through a handshake protocol, thereby establishing the first secure channel;
the matching unit and the signature unit complete one-way or mutual identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
Specifically, the secure channel establishment protocol consists of two parts, a handshake protocol and a record protocol. The handshake protocol performs mutual identity authentication and session key exchange between the matching unit and the signature unit, and likewise between the matching unit and the sensor. The record protocol performs encrypted transmission of application data. In addition, the secure channel establishment protocol follows the requirements of the TLS 1.2 specification or later, or uses another authentication method of no less than the TLS1.2 security level.
The purpose of this is to require that the terminal use the signature unit for signature authentication of fingerprints, to guarantee secure input and encrypted processing of sensitive information such as the user identification code (PIN), to support encrypted transmission by the sensor of collected fingerprint data, and to support encrypted storage of fingerprint template data after it is bound to the terminal. A terminal with biometric authentication can store keys securely, prohibits direct external access to keys, uses effective security mechanisms to prevent keys from being illegally injected, replaced or used, and ensures that the signature unit and matching unit used for security authentication are not subject to illegal attack.
Because the authentication end can be either a server or the terminal itself, there are two scenarios: online authentication and offline authentication. In online authentication, the authentication end can be the server corresponding to the application APP; in offline authentication, the authentication end can be the application APP inside the terminal. Taking fingerprint authentication as the biometric authentication, FIG. 3 shows by way of example the authentication system for online and offline authentication. The system includes a fingerprint sensor, a fingerprint matching unit, a fingerprint signature unit, a terminal transceiver unit, the application's APP, the application's server and a certificate authority. Specifically:
The fingerprint sensor is responsible for fingerprint collection and transmits the collected fingerprint template information in encrypted form to the fingerprint service. The fingerprint matching unit is responsible for basic application functions such as encrypted storage of fingerprint template information, fingerprint computation and fingerprint comparison. The fingerprint signature unit, as the basis of device security, provides the security authentication service and is responsible for digitally signing key data such as the fingerprint comparison result. The terminal transceiver unit wraps the interface calls related to fingerprint authentication and gives upper-layer applications a unified interface for calling the underlying functions. The application APP, such as a payment gateway page on a PC or an APP on a mobile device, mainly provides the user interface and invokes the device's fingerprint function by calling the application program interface of the fingerprint service. The application APP can also verify the signature on the signed first ciphertext data offline and authenticate the legitimacy of the transaction and the user's identity. The application's server, for example the back-end business system of a payment application, is responsible for initiating and responding to payment requests, pre-stores sensitive data such as the user's bank account, the terminal identifier and the binding relationship, verifies the signature on the signed first data online, and authenticates the legitimacy of the transaction and the user's identity.
Based on the system architecture shown in FIG. 3, and as shown in FIG. 4, an embodiment of the present invention provides a security authentication method for the online authentication scenario. In the online authentication scenario the terminal is networked, and biometric authentication is performed through the back-end business system server; fingerprint authentication is taken as the example. The method is suited to online payment scenarios, with the terminal's communication providing access to the Internet. The processing and interaction of the units in the system are as follows:
Step S201: the terminal performs initialization at start-up, that is, it establishes the first secure channel and the second secure channel: the second secure channel between the signature unit and the matching unit, and the first secure channel between the matching unit and the sensor;
Step S202: when the user's order transaction requires fingerprint authentication, the application corresponding to the transaction issues an authentication request;
Step S203: the sensor collects the fingerprint information and returns it to the matching unit through the first secure channel;
Step S204: the matching unit performs operations such as fingerprint comparison and fingerprint storage and obtains the fingerprint matching result;
Step S205: the matching unit sends the result to the signature unit through the second secure channel and requests a signature, and the signature unit signs the fingerprint matching result;
Step S206: the signature unit sends the first ciphertext data to the application;
Step S207: the application APP sends the terminal's first ciphertext data and related data to the application APP's back-end server for verification;
Step S208: the application APP's back-end server verifies the first ciphertext data to confirm whether the matching result can be trusted;
Step S209: the application APP's back-end server returns the authentication result to the application, and the application continues with the subsequent transaction steps according to the authentication result.
Of course, before security authentication can be performed, identity authentication must first be activated. The user saves a fingerprint template on the terminal in advance and then operates the application APP, which checks the "biometric type" and continues if it is "fingerprint authentication"; checks the "security level" to verify whether it meets the requirements of financial applications (level 2 or 3) and continues if it does; and checks the "background service random factor" to verify whether it is consistent with the stored value, continuing if it is. If all the steps succeed, authentication passes, the back end binds and stores the card number, device and fingerprint, and activation succeeds.
In addition, as shown in FIG. 5, an embodiment of the present invention provides a security authentication method for the offline authentication scenario. In offline authentication the terminal is not networked, and fingerprint authentication is performed by the terminal's own application. This is suited to offline payment scenarios, in which the terminal exchanges information with a POS terminal over contactless near-field communication. The processing and interaction of the units are as follows:
Steps S301 to S306 are the same as steps S201 to S206 of online authentication and are not repeated here.
Step S307: the application verifies the first ciphertext data directly to confirm whether the matching result can be trusted, and performs subsequent operations according to the matching result.
To further guarantee the reliability of security authentication, the matching unit and the signature unit run in a secure operating environment, which includes a trusted execution environment (TEE) or a security chip, and in which security levels corresponding to different transaction permissions are defined. When the matching unit is in the TEE and the signature unit is in the security chip, the security level is the higher one, meaning the corresponding business scope is large-value transactions; when the matching unit and the signature unit are both in the TEE, the security level is the lower one, meaning the corresponding business scope is small-value transactions.
Further, the terminal matching the first biometric feature against the preset second biometric feature to generate a matching result also includes:
if the first biometric feature matches a preset second biometric feature, obtaining the permission of the matched second biometric feature, and generating a result indicating whether the service to be authenticated that corresponds to the authentication request matches the permission of the second biometric feature.
For example, a mobile phone stores several fingerprints, only one of which has payment permission. In the software implementation, a set flag is added to the fingerprint with payment permission, so that once fingerprint matching completes, a further check determines whether the fingerprint has payment permission, that is, whether it carries the set flag. If it does, the subsequent steps continue; otherwise the user is told that permission is lacking and the transaction is terminated. Alternatively, the phone stores several fingerprints of one user, each with a different purpose, so in the software implementation a corresponding permission is set for each of that user's fingerprints: an array is added in which each distinct enumeration value represents the permission of a different fingerprint. When the service to be authenticated that corresponds to the authentication request is received, the enumeration value for that service is determined; then, once fingerprint matching completes, the enumeration value of the fingerprint is compared with the enumeration value of the service to determine whether the fingerprint has permission to handle that transaction. This effectively avoids accidental operations. For instance, children in a family often use their parents' phones, which carries a risk of mistaken transactions, so a transaction permission can be set for each fingerprint; other permissions, such as login permission, can of course be set as well.
Further, the private key of the terminal's security certificate includes the terminal's private key, and the public key certificate of the terminal's security certificate includes the terminal's public key certificate and the terminal manufacturer's public key certificate, where the terminal's public key certificate is obtained by signing the terminal's public key with the terminal manufacturer's private key, and the terminal manufacturer's public key certificate is obtained by signing the terminal manufacturer's public key with the authentication platform's private key.
As shown in FIG. 6, in signature authentication processing, the application APP's server or the application uses public key verification to verify the terminal's public key certificate and to verify the first ciphertext data. The signature verification steps are as follows:
Step 1, retrieve the CA root public key: the back end determines which CA root public key to use from the authority key identifier in the manufacturer public key certificate;
Step 2, obtain the terminal manufacturer public key: the back end verifies the terminal manufacturer public key certificate with the CA root public key and, if verification succeeds, extracts the terminal manufacturer public key from the certificate;
Step 3, obtain the signature unit public key: the back end verifies the signature unit public key certificate with the terminal manufacturer public key and, if verification succeeds, extracts the signature unit public key from the certificate;
Step 4, verify the signed key data: the back end verifies the signed first ciphertext data with the signature unit public key.
Step 5: if all the steps succeed, signature verification passes.
Here, the signature unit must digitally sign the fingerprint comparison result supplied by the matching unit: it first uses a hash function to generate a digest of the key data and then encrypts the digest with the signature unit's private key to produce the digital signature. The matching unit sends the signature data together with the public key certificate to the back end. The back-end business platform (in online authentication mode) or the application (in offline authentication mode) uses public key technology to verify the legitimacy of the signature data, which ensures that the signed first ciphertext data was created by the signature unit on the terminal, so that the signature unit cannot deny having created the message, and that the data was not tampered with by a third party in transit.
Further, the terminal sends the public key certificate of the security certificate to the authentication end; after receiving notice from the authentication end that device authentication has passed, the terminal sends the first ciphertext data to the authentication end.
After the first ciphertext data is sent to the authentication end, the method includes:
the authentication end parses the ciphertext data as follows:
the authentication end obtains the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform;
the authentication end obtains the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate;
if the authentication end obtains the terminal's public key, it determines that device authentication of the terminal has passed, and verifies the first ciphertext data with the terminal's public key to obtain the matching result.
As shown in FIG. 6, the authentication end uses public key verification to obtain the terminal manufacturer's public key P_MF from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform, and then obtains the terminal's public key P_D from the terminal manufacturer's public key and the terminal's public key certificate. Once the terminal's public key has been obtained, the terminal can be regarded as a legitimate terminal. The authentication end then decrypts the first ciphertext data with the terminal's public key to obtain the matching result. If the result is a successful match, the authentication end can proceed with the subsequent transaction steps; otherwise it reports that the transaction has failed and terminates the transaction.
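The verification chain described above (platform root key, then the manufacturer key P_MF, then the terminal key P_D, then the signed data), as an added Go example that is not part of the patent text. The certificate layout, the function names and the use of ECDSA P-256 over SHA-256 are assumptions, since the text names no algorithm; all keys and data are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Cert: hypothetical simplified certificate (not X.509), a PKIX DER key plus issuer signature.
type Cert struct{ PublicKey, Signature []byte }

// Message is what the terminal sends to the authentication end (assumed layout).
type Message struct {
	Data             []byte // key data, e.g. the matching result
	Signature        []byte // signature unit's signature over SHA-256(Data)
	TerminalCert     Cert   // terminal public key, signed by the manufacturer
	ManufacturerCert Cert   // manufacturer public key, signed by the platform root
}

func digest(b []byte) []byte {
	sum := sha256.Sum256(b)
	return sum[:]
}

// issue certifies pub with the issuer's private key.
func issue(issuer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) (Cert, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Cert{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digest(der))
	return Cert{PublicKey: der, Signature: sig}, err
}

// extractKey returns the certified key only if the issuer's signature verifies.
func extractKey(issuer *ecdsa.PublicKey, c Cert) (*ecdsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(issuer, digest(c.PublicKey), c.Signature) {
		return nil, errors.New("certificate not signed by expected issuer")
	}
	k, err := x509.ParsePKIXPublicKey(c.PublicKey)
	pub, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("certificate does not carry an ECDSA public key")
	}
	return pub, nil
}

// VerifyMessage walks root -> manufacturer key P_MF -> terminal key P_D -> data.
func VerifyMessage(root *ecdsa.PublicKey, m Message) ([]byte, error) {
	pmf, err := extractKey(root, m.ManufacturerCert)
	if err != nil {
		return nil, fmt.Errorf("manufacturer certificate: %w", err)
	}
	pd, err := extractKey(pmf, m.TerminalCert)
	if err != nil {
		return nil, fmt.Errorf("device authentication failed: %w", err)
	}
	if !ecdsa.VerifyASN1(pd, digest(m.Data), m.Signature) {
		return nil, errors.New("data signature invalid")
	}
	return m.Data, nil
}

// buildSample makes constructed keys (root, manufacturer, terminal) and a valid message.
func buildSample(data []byte) (*ecdsa.PublicKey, Message, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, Message{}, err
		}
		keys[i] = k
	}
	mfCert, err := issue(keys[0], &keys[1].PublicKey)
	if err != nil {
		return nil, Message{}, err
	}
	termCert, err := issue(keys[1], &keys[2].PublicKey)
	if err != nil {
		return nil, Message{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, keys[2], digest(data))
	return &keys[0].PublicKey, Message{data, sig, termCert, mfCert}, err
}

func main() {
	root, msg, err := buildSample([]byte("match=success"))
	if err != nil {
		panic(err)
	}
	_, okErr := VerifyMessage(root, msg)
	msg.Data = []byte("match=FORGED") // altered after signing
	_, badErr := VerifyMessage(root, msg)
	fmt.Println("genuine accepted:", okErr == nil, "| tampered rejected:", badErr != nil)
}
```

The authentication end needs only the platform root public key in advance; both intermediate keys are taken from the message and trusted only after the signature above them verifies.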
Further, the terminal encrypts key information with the private key of the terminal's security certificate to obtain second ciphertext data, and sends the second ciphertext data to the authentication end. The key information includes at least one of a terminal identifier and a bank card account number.
It should be noted that there is no strict order of execution between the terminal encrypting the key information with the private key of its security certificate in the above step and encrypting the matching result to obtain the first ciphertext data in step S103. The two can be performed together, that is, the matching result and the key information are encrypted as a whole and the resulting ciphertext data is sent to the authentication end together; alternatively, step S103 can be performed first and the key information encrypted afterwards, or the key information can be encrypted first and step S103 performed afterwards. The specific order is determined by actual needs.
Further, after the terminal sends the second ciphertext data to the authentication end, the method includes:
The authentication end parses the ciphertext data as follows:
The authentication end obtains the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform, and obtains the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate; if the authentication end obtains the terminal's public key, it determines that device authentication of the terminal has passed;
It uses the terminal's public key to verify the first ciphertext data and obtain the matching result;
If the matching result is a successful match, it uses the terminal's public key to verify the second ciphertext data and obtain the key information;
It determines whether the key information complies with a preset authentication rule, generates a biometric authentication result and sends it to the terminal.
For example, if the key information is the terminal identifier and the bank card account number, the private key of the terminal's security certificate is used to encrypt the terminal identifier and the bank card account number to obtain the second ciphertext data, which is then sent together with the first ciphertext data to the server of the application (APP). After decrypting the first and second ciphertext data, the application's server further determines whether the decrypted second ciphertext data is consistent with the pre-stored terminal identifier and bank card account number. If they are inconsistent, the transaction is likewise deemed illegitimate and is treated as failed. The binding between terminal identifier and bank account is used to restrict which terminal may transact because the bound terminal is the one the user normally transacts from; a transaction coming from another terminal may mean that the user's sensitive information has leaked and is being used illegitimately on that terminal, so the binding relation adds a further restriction.
To describe the above security authentication process more systematically, the embodiment of the present invention again takes fingerprints as an example and sets out the process in detail through the interactions shown in FIG. 7 and FIG. 8. FIG. 7 shows the process of enabling fingerprint authentication and binding, with the following steps:
Step S401: the application calls an interface to obtain the terminal's key information, including the terminal identifier, the user name, whether the terminal supports fingerprint authentication, whether fingerprint is enabled on the terminal, whether a fingerprint has been enrolled on the terminal, and the terminal's security level.
Step S402: the application passes the obtained terminal key information to the application's server.
Step S403: the application's server determines whether the conditions for enabling are met, including: the terminal supports the fingerprint service, the device meets the security level, the current card/user is eligible to enable fingerprint payment, and the current card/user has not yet enabled the fingerprint function on this terminal (that is, no corresponding binding relation exists). If they are met, proceed to the next step;
Step S404: the application's server initiates a request to guide the user through enabling;
Step S405: the application guides the user to enable fingerprint authentication; for example, after the user has completed a transaction and the device has been found to meet the conditions for enabling fingerprint authentication, the transaction success page can prompt the user to enable it;
Step S406: after the user chooses to enable fingerprint payment and accepts the agreement, if no fingerprint has been enrolled on the terminal, the user is prompted to go to the system settings to enrol one, or is taken directly to the system settings to do so; if a fingerprint has been enrolled, the application provides the user information/card number to the backend (the card number can be taken automatically from the transaction just completed; otherwise the cardholder must enter it);
Step S407: the backend generates a service random factor, such as a random number or a timestamp, and saves it in the database;
Step S408: the backend initiates a fingerprint authentication request that contains the service random factor;
Step S409: the application displays the fingerprint verification interface;
Step S410: the application calls the fingerprint service interface for fingerprint input and verification; the interface parameters include the service random factor;
Step S411: the fingerprint service verifies the fingerprint entered by the user, that is, checks whether it matches a fingerprint enrolled on the terminal. If no fingerprint has been enrolled in the system, it can also jump to the system's fingerprint enrolment interface and return for verification once enrolment succeeds (depending on whether the system provides this function and on user experience evaluation);
Step S412: the fingerprint service returns key data such as the fingerprint verification result, together with the signature and certificate: if verification failed, the application asks the user whether to retry fingerprint verification or cancel; if verification succeeded, continue to the next step;
Step S413: the application sends the returned data and the user information/card number to the backend;
Step S414: the backend verifies whether the signature on the fingerprint verification result is correct. If signature verification succeeds, it extracts the data items and authenticates the legitimacy of the identity, including: whether the fingerprint verification result is success, whether the biometric type is correct, whether the security level meets the requirement, and whether the service random factor is consistent with the one stored in the backend. If both signature verification and authentication succeed, proceed to the next step;
Step S415: the user information/card number is bound to the fingerprint ID, user ID and terminal identifier, and the binding is stored in the backend;
Step S416: the user is notified that fingerprint authentication has been enabled and bound successfully.
Further, once the server has completed the fingerprint enabling process, FIG. 8 shows the security authentication process in which fingerprint authentication replaces the password, with the following steps:
Step S501: the user operates the application and initiates an order payment request in it;
Step S502: the application calls the fingerprint service interface to obtain the terminal's key information, including the terminal identifier, the user ID, whether the terminal supports fingerprints (that is, whether the device has a fingerprint sensor), whether fingerprint is enabled on the terminal, whether a fingerprint has been enrolled on the device, and the device's security level.
Step S503: the application passes the returned terminal key information to the application's server.
Step S504: based on the device key information, the application's server determines whether the conditions for paying/logging in with fingerprint authentication are met, including: the device supports fingerprints, has them enabled and has one enrolled; the device meets the security level; fingerprint authentication has been enabled for the user/card number on this device (that is, a corresponding binding relation exists); and the order amount is within the limit. If they are met, proceed to the next step;
Step S505: the application's server generates a service random factor, such as a random number or a timestamp, and saves it in the database;
Step S506: the application's server initiates a fingerprint authentication request that contains the service random factor;
Step S507: the application displays the fingerprint verification interface;
Step S508: the application calls the fingerprint service interface for fingerprint input and verification; the interface parameters include the service random factor;
Step S509: the fingerprint service verifies the fingerprint entered by the user, that is, checks whether it matches a fingerprint enrolled on the device;
Step S510: the fingerprint service returns key data such as the fingerprint verification result, together with the signature and certificate: if verification failed, the application asks the user whether to retry fingerprint verification or to abandon it and switch to the traditional payment/login method; if verification succeeded, continue to the next step;
Step S511: the application sends the returned data and the user information (such as the card number) to the backend;
Step S512: the application's server verifies whether the signature on the fingerprint verification result is correct. If signature verification succeeds, it extracts the data items and authenticates the legitimacy of the identity and the transaction, including: whether the fingerprint verification result is success, whether the biometric type is correct, whether the security level is sufficient for the current transaction amount, whether the service random factor is consistent with the one stored in the backend, and whether the fingerprint ID, user ID, device ID and card number/user information are consistent with the binding relation stored in the backend. If both signature verification and authentication succeed, proceed to the next step;
Step S513: after authentication succeeds, the application's server authorizes the transaction to the application as legitimate.
Step S514: the application completes the operation, such as fingerprint payment or fingerprint login.
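The server-side checks of steps S505 and S512, as an added Go example that is not the patent's own code. It assumes the signature on the response has already been verified, and it consumes each service random factor on first use and gives it a time limit, which the text does not spell out; the type names, per-level limits and sample values are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Binding is the relation stored at enrolment (step S415).
type Binding struct{ FingerprintID, UserID, TerminalID, CardNo string }

// Result holds data items extracted from a response whose signature already verified.
type Result struct {
	Matched       bool
	BiometricType string
	SecurityLevel int
	Nonce         string // service random factor echoed by the fingerprint service
	Binding       Binding
	AmountCents   int64
}

// Server keeps the backend state consulted in step S512.
type Server struct {
	mu       sync.Mutex
	ttl      time.Duration
	pending  map[string]time.Time // issued service random factors -> expiry
	bindings map[Binding]bool
	limits   map[int]int64 // hypothetical policy: security level -> max amount
}

// NewServer builds a server with constructed per-level limits (assumption).
func NewServer(ttlSeconds int) *Server {
	return &Server{
		ttl:      time.Duration(ttlSeconds) * time.Second,
		pending:  map[string]time.Time{},
		bindings: map[Binding]bool{},
		limits:   map[int]int64{1: 20000, 2: 500000},
	}
}

// Enroll stores a binding (step S415).
func (s *Server) Enroll(b Binding) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.bindings[b] = true
}

// IssueNonce creates and stores a service random factor (step S505).
func (s *Server) IssueNonce() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[nonce] = time.Now().Add(s.ttl)
	return nonce, nil
}

// Authorize applies the step S512 checks in order and reports the first failure.
// Single use and expiry of the random factor are assumptions added here.
func (s *Server) Authorize(r Result) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	expiry, issued := s.pending[r.Nonce]
	delete(s.pending, r.Nonce) // consumed: a replayed response finds nothing
	switch {
	case !issued:
		return errors.New("service random factor unknown or already used")
	case time.Now().After(expiry):
		return errors.New("service random factor expired")
	case !r.Matched:
		return errors.New("fingerprint did not match")
	case r.BiometricType != "fingerprint":
		return errors.New("unexpected biometric type")
	case !s.bindings[r.Binding]:
		return errors.New("binding differs from the stored relation")
	case r.AmountCents > s.limits[r.SecurityLevel]:
		return fmt.Errorf("security level %d too low for amount %d", r.SecurityLevel, r.AmountCents)
	}
	return nil
}

func main() {
	s := NewServer(60)
	b := Binding{"fp-1", "user-7", "term-0001", "6222-EXAMPLE"} // constructed values
	s.Enroll(b)
	nonce, err := s.IssueNonce()
	if err != nil {
		panic(err)
	}
	r := Result{true, "fingerprint", 1, nonce, b, 15000}
	fmt.Println("first use:", s.Authorize(r))
	fmt.Println("replay:   ", s.Authorize(r))
}
```

Because the random factor is covered by the terminal's signature, a captured response cannot be re-signed with a fresh value, so consuming the factor on first use is what makes a replayed response fail.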
Embodiment 2: an embodiment of the present invention further provides a biometric-based security authentication apparatus that can carry out the above method embodiment. As shown in FIG. 9, the apparatus provided by the embodiment of the present invention includes a transceiver unit 401, a sensor 402, a matching unit 403 and a signature unit 404, where:
the transceiver unit 401 is configured to receive a biometric authentication request;
the sensor 402 is configured to acquire a first biometric feature;
the matching unit 403 is configured to match the first biometric feature against a preset second biometric feature and generate a matching result;
the signature unit 404 is configured to encrypt the matching result with the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal;
the transceiver unit 401 is further configured to send the first ciphertext data and the public key certificate of the security certificate to an authentication end, the authentication end being a server or the terminal.
Further, the sensor 402 is specifically configured to send the collected first biometric feature to the matching unit 403 over a first secure channel;
the matching unit 403 is specifically configured to match the first biometric feature against the preset second biometric feature, generate a matching result, and send the matching result to the signature unit 404 over a second secure channel, the second biometric feature being stored in the matching unit;
the signature unit 404 is specifically configured to first use a hash function to generate a digest of the matching result and then encrypt the digest with the terminal's security certificate to obtain signature data, the terminal's security certificate being stored in the signature unit.
Further, the sensor 402 and the matching unit 403 complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the first secure channel;
the matching unit 403 and the signature unit 404 complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
Further, the matching unit and the signature unit run in a secure execution environment, where the secure execution environment includes a trusted execution environment (TEE) or a security chip, and security levels satisfying different transaction permissions are configured in the secure execution environment.
Further, the matching unit 403 is also configured to:
if the first biometric feature matches a preset second biometric feature, obtain the permission of the matched second biometric feature, and generate a result indicating whether the service to be authenticated that corresponds to the authentication request matches the permission of the second biometric feature.
The private key of the terminal's security certificate includes the terminal's private key, and the public key certificate of the terminal's security certificate includes the terminal's public key certificate and the terminal manufacturer's public key certificate, where the terminal's public key certificate is obtained by signing the terminal's public key with the terminal manufacturer's private key, and the terminal manufacturer's public key certificate is obtained by signing the terminal manufacturer's public key with the authentication platform's private key.
Further, the transceiver unit 401 is specifically configured so that the terminal sends the public key certificate of the security certificate to the authentication end;
after receiving notice from the authentication end that device authentication has passed, the terminal sends the first ciphertext data to the authentication end;
or the terminal sends the public key certificate of the security certificate and the first ciphertext data to the authentication end, so that the authentication end authenticates, based on the public key certificate of the security certificate, whether the terminal is a legitimate terminal.
Further, the apparatus also includes an authentication end 405, configured to parse the ciphertext data as follows:
obtain the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform;
obtain the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate;
if the authentication end obtains the terminal's public key, determine that device authentication of the terminal has passed, and use the terminal's public key to verify the first ciphertext data and obtain the matching result.
Further, the signature unit 404 is also configured to:
digitally sign key information with the private key of the terminal's security certificate to obtain second ciphertext data, and send the second ciphertext data to the authentication end.
After the terminal has sent the second ciphertext data to the authentication end, the authentication end 405 is further configured to:
parse the ciphertext data as follows:
obtain the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform, and obtain the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate; if the authentication end obtains the terminal's public key, determine that device authentication of the terminal has passed;
use the terminal's public key to verify the first ciphertext data and obtain the matching result;
if the matching result is a successful match, use the terminal's public key to verify the second ciphertext data and obtain the key information;
determine whether the key information complies with a preset authentication rule, generate a biometric authentication result and send it to the terminal.
The key information includes at least one of a terminal identifier and a bank card account number.
In summary, in the embodiments of the present invention, on the one hand, an authentication request concerning a biometric feature sent by the server is obtained; a first authentication information set is acquired according to the authentication request and matched against a second authentication information set in a secure storage area, the first authentication information set including at least the collected first biometric feature and the second authentication information set including at least the preset second biometric feature. On the other hand, key information such as the comparison result is digitally signed using the preset public key certificate, and the signed data is sent to the server or to the terminal, so that the server or the terminal, after verifying the signature, generates an authentication result from key information such as the decrypted comparison result. Thus, by protecting the comparison result with a digital signature under the public key certificate, the legitimacy of the sender (the terminal) can be authenticated, the signed key information is guaranteed to have been created by a legitimate terminal, repudiation of transactions is prevented, and the integrity of the comparison result is guaranteed against theft or tampering by an attacker in transit, so that a correct and legitimate authentication result is obtained and the security of the user's account is ensured.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Embodiment 3
Based on the same concept, FIG. 10 is a schematic diagram of the hardware structure of an electronic device 500 provided by an embodiment of the present invention. As shown in FIG. 10, it includes:
one or more processors 510 and a memory 520; one processor 510 is taken as an example in FIG. 8.
The electronic device that performs the biometric-based security authentication method may further include an input device 530 and an output device 540.
The processor 510, the memory 520, the input device 530 and the output device 540 may be connected by a bus or in other ways; connection by a bus is taken as an example in FIG. 5.
The memory 520, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules of the biometric authentication method in the embodiments of the present invention (for example, the matching unit 403 and the signature unit 404 shown in FIG. 9). By running the non-transitory software programs, instructions and modules stored in the memory 520, the processor 510 executes the various functional applications and data processing of the server, that is, implements the biometric-based security authentication method of the above method embodiments.
The memory 520 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application required by at least one function, and the data storage area may store data created through use of the processing apparatus for list item operations, and the like. In addition, the memory 520 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory 520 optionally includes memory located remotely from the processor 510, and such remote memory may be connected over a network to the processing apparatus for list item operations. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 530 can receive entered numeric or character information and generate key signal inputs related to user settings and function control of the electronic device. The output device 540 may include a display device such as a display screen.
The one or more modules are stored in the memory 520 and, when executed by the one or more processors 510, perform the biometric-based security authentication method of any of the above method embodiments.
The above product can perform the method provided by the embodiments of the present invention and has the functional modules and beneficial effects corresponding to performing the method. For technical details not described exhaustively in this embodiment, see the method provided by the embodiments of the present invention.
The electronic device of the embodiments of the present invention exists in various forms, including but not limited to:
(1) Mobile communication devices: these devices are characterized by mobile communication capability, with voice and data communication as their main purpose. Such terminals include smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing capability, and generally also support mobile Internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. They include audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher.
(5) Other electronic devices with data interaction capability.
Embodiment 4
An embodiment of the present invention provides a non-transitory computer-readable storage medium that stores computer instructions for causing the computer to perform the biometric-based security authentication method described in any of the above.
Embodiment 5
An embodiment of the present invention provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the biometric-based security authentication method described in any of the above.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (25)
- A biometric-based security authentication method, characterized in that the method comprises: a terminal acquiring a first biometric feature according to a received biometric authentication request; the terminal matching the first biometric feature against a preset second biometric feature to generate a matching result; the terminal encrypting the matching result using the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal; and the terminal sending the first ciphertext data and the public key certificate of the security certificate to an authentication end, the authentication end being a server or the terminal.
- The method of claim 1, characterized in that acquiring the first biometric feature comprises: the terminal sending the first biometric feature collected by a sensor to a matching unit of the terminal through a first secure channel; the terminal matching the first biometric feature against the preset second biometric feature to generate the matching result comprises: the matching unit matching the first biometric feature against the preset second biometric feature, generating the matching result, and sending the matching result to a signature unit of the terminal through a second secure channel, the second biometric feature being stored in encrypted form in the matching unit; and the terminal encrypting the matching result using the terminal's security certificate to obtain the first ciphertext data comprises: the signature unit first generating a digest of the matching result using a hash function and then encrypting the digest using the terminal's security certificate to obtain signature data, the terminal's security certificate being stored in the signature unit.
- The method of claim 2, characterized in that, before acquiring the first biometric feature, the method further comprises: the sensor and the matching unit completing one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the first secure channel; and the matching unit and the signature unit completing one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
- The method of claim 2, characterized by further comprising: the matching unit and the signature unit running in a secure operating environment, wherein the secure operating environment comprises a trusted execution environment (TEE) or a security chip, and security levels satisfying different transaction permissions are set in the secure operating environment.
- The method of claim 1, characterized in that the terminal matching the first biometric feature against the preset second biometric feature to generate the matching result further comprises: if the first biometric feature matches the preset second biometric feature, obtaining the permission of the matched second biometric feature; and generating a result as to whether the service to be authenticated corresponding to the authentication request matches the permission of the second biometric feature.
- The method of any one of claims 1 to 5, characterized by further comprising: the private key of the terminal's security certificate comprises the terminal's private key, and the public key certificate of the terminal's security certificate comprises the terminal's public key certificate and the terminal manufacturer's public key certificate, wherein the terminal's public key certificate is obtained by signing the terminal's public key with the terminal manufacturer's private key, and the terminal manufacturer's public key certificate is obtained by signing the terminal manufacturer's public key with the private key of an authentication platform.
- The method of claim 6, characterized in that the terminal sending the first ciphertext data and the public key certificate of the security certificate comprises: the terminal sending the public key certificate of the security certificate to the authentication end, and the terminal, after receiving notification from the authentication end that device authentication has passed, sending the first ciphertext data to the authentication end; or the terminal sending the public key certificate of the security certificate and the first ciphertext data to the authentication end, so that the authentication end authenticates, according to the public key certificate of the security certificate, whether the terminal is a legitimate terminal.
- The method of claim 6, characterized in that, after the first ciphertext data is sent to the authentication end, the method further comprises: the authentication end parsing the ciphertext data as follows: the authentication end obtains the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform; the authentication end obtains the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate; and if the authentication end obtains the terminal's public key, it determines that device authentication of the terminal has passed and verifies the first ciphertext data using the terminal's public key to obtain the matching result.
- The method of claim 6, characterized by further comprising: the terminal encrypting key information using the private key of the terminal's security certificate to obtain second ciphertext data; and the terminal sending the second ciphertext data to the authentication end.
- The method of claim 9, characterized in that, after the terminal sends the second ciphertext data to the authentication end, the method further comprises: the authentication end parsing the ciphertext data as follows: the authentication end obtains the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform, obtains the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate, and, if it obtains the terminal's public key, determines that device authentication of the terminal has passed; verifies the first ciphertext data using the terminal's public key to obtain the matching result; if the matching result is a successful match, verifies the second ciphertext data using the terminal's public key to obtain the key information; and determines whether the key information complies with a preset authentication rule, generates a biometric authentication result, and sends it to the terminal.
- The method of any one of claims 9 to 10, characterized in that the key information comprises at least one of a terminal identifier and a bank card account number.
- A biometric-based security authentication device, characterized in that the device comprises: a transceiver unit configured to receive a biometric authentication request; a sensor configured to acquire a first biometric feature; a matching unit configured to match the first biometric feature against a preset second biometric feature to generate a matching result; and a signature unit configured to encrypt the matching result using the private key of the terminal's security certificate to obtain first ciphertext data, the security certificate uniquely corresponding to the terminal; the transceiver unit being further configured to send the first ciphertext data and the public key certificate of the security certificate to an authentication end, the authentication end being a server or the terminal.
- The device of claim 12, characterized in that the sensor is specifically configured to send the collected first biometric feature to the matching unit through a first secure channel; the matching unit is specifically configured to match the first biometric feature against the preset second biometric feature, generate the matching result, and send the matching result to the signature unit through a second secure channel, the second biometric feature being stored in the matching unit; and the signature unit is specifically configured to first generate a digest of the matching result using a hash function and then encrypt the digest using the terminal's security certificate to obtain signature data, the terminal's security certificate being stored in the signature unit.
- The device of claim 13, characterized in that the sensor and the matching unit complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the first secure channel; and the matching unit and the signature unit complete one-way or two-way identity authentication and session key exchange through a handshake protocol, thereby establishing the second secure channel.
- The device of claim 13, characterized by further comprising: the matching unit and the signature unit running in a secure operating environment, wherein the secure operating environment comprises a trusted execution environment (TEE) or a security chip, and security levels satisfying different transaction permissions are set in the secure operating environment.
- The device of claim 12, characterized in that the matching unit is further configured to: if the first biometric feature matches the preset second biometric feature, obtain the permission of the matched second biometric feature; and generate a result as to whether the service to be authenticated corresponding to the authentication request matches the permission of the second biometric feature.
- The device of any one of claims 12 to 16, characterized by further comprising: the private key of the terminal's security certificate comprises the terminal's private key, and the public key certificate of the terminal's security certificate comprises the terminal's public key certificate and the terminal manufacturer's public key certificate, wherein the terminal's public key certificate is obtained by signing the terminal's public key with the terminal manufacturer's private key, and the terminal manufacturer's public key certificate is obtained by signing the terminal manufacturer's public key with the private key of an authentication platform.
- The device of claim 17, characterized in that the transceiver unit is specifically configured such that: the terminal sends the public key certificate of the security certificate to the authentication end, and the terminal, after receiving notification from the authentication end that device authentication has passed, sends the first ciphertext data to the authentication end; or the terminal sends the public key certificate of the security certificate and the first ciphertext data to the authentication end, so that the authentication end authenticates, according to the public key certificate of the security certificate, whether the terminal is a legitimate terminal.
- The device of claim 18, characterized by further comprising: an authentication end configured to parse the ciphertext data as follows: obtaining the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform; obtaining the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate; and, if the authentication end obtains the terminal's public key, determining that device authentication of the terminal has passed and verifying the first ciphertext data using the terminal's public key to obtain the matching result.
- The device of claim 18, characterized in that the signature unit is further configured to: encrypt key information using the private key of the terminal's security certificate to obtain second ciphertext data; and send the second ciphertext data to the authentication end.
- The device of claim 20, characterized in that, after the terminal sends the second ciphertext data to the authentication end, the authentication end is further configured to parse the ciphertext data as follows: obtaining the terminal manufacturer's public key from the terminal manufacturer's public key certificate and the pre-stored public key of the authentication platform, obtaining the terminal's public key from the terminal manufacturer's public key and the terminal's public key certificate, and, if the authentication end obtains the terminal's public key, determining that device authentication of the terminal has passed; verifying the first ciphertext data using the terminal's public key to obtain the matching result; if the matching result is a successful match, verifying the second ciphertext data using the terminal's public key to obtain the key information; and determining whether the key information complies with a preset authentication rule, generating a biometric authentication result, and sending it to the terminal.
- The device of any one of claims 20 to 21, characterized in that the key information comprises at least one of a terminal identifier and a bank card account number.
- An electronic device, characterized by comprising: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 11.
- A non-transitory computer storage medium, characterized in that the non-transitory computer-readable storage medium stores computer-executable instructions for causing the computer to perform the method of any one of claims 1 to 11.
- A computer program product, characterized in that the computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising the computer-executable instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1 to 11.
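The verification order that the method claims give for the authentication end (authentication platform key, then manufacturer certificate, then terminal certificate, then the signed matching result and key information) can be followed in this Go sketch, which is an added example and not code from the patent or its applicant. Assumptions: Ed25519 signatures stand in for the claims' "encrypt with the private key" step, so the signed data travels next to its signature; `Cert`, `Message`, `Authenticate`, `demoMessage` and the `"match"` result encoding are hypothetical, and all keys and values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a simplified public key certificate (hypothetical, not X.509):
// the subject's public key plus the issuer's signature over it.
type Cert struct {
	SubjectKey ed25519.PublicKey
	IssuerSig  []byte
}

// Message is what the terminal sends to the authentication end.
type Message struct {
	MatchResult, ResultSig []byte // matching result and its signature ("first ciphertext data")
	KeyInfo, KeyInfoSig    []byte // key information and its signature ("second ciphertext data")
	Terminal, Manufacturer Cert   // the two public key certificates
}

var (
	ErrDevice  = errors.New("device authentication failed")
	ErrResult  = errors.New("matching result signature invalid")
	ErrNoMatch = errors.New("biometric did not match")
	ErrKeyInfo = errors.New("key information rejected")
)

// issue signs the subject's public key with the issuer's private key.
func issue(issuer ed25519.PrivateKey, subject ed25519.PublicKey) Cert {
	return Cert{SubjectKey: subject, IssuerSig: ed25519.Sign(issuer, subject)}
}

// openCert releases the subject key only if the issuer's signature verifies.
// The length check matters: ed25519.Verify panics on a wrong-sized public key.
func openCert(issuer ed25519.PublicKey, c Cert) (ed25519.PublicKey, error) {
	if len(c.SubjectKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(issuer, c.SubjectKey, c.IssuerSig) {
		return nil, ErrDevice
	}
	return c.SubjectKey, nil
}

// Authenticate walks platform -> manufacturer -> terminal, then checks the two
// signatures in the order the claims give. rule is the preset authentication rule.
func Authenticate(platform ed25519.PublicKey, m Message, rule func([]byte) bool) error {
	mfr, err := openCert(platform, m.Manufacturer)
	if err != nil {
		return err
	}
	term, err := openCert(mfr, m.Terminal)
	if err != nil {
		return err
	}
	// Device authentication passed: the terminal key is trusted from here on.
	if !ed25519.Verify(term, m.MatchResult, m.ResultSig) {
		return ErrResult
	}
	if string(m.MatchResult) != "match" { // assumed encoding of a successful match
		return ErrNoMatch
	}
	if !ed25519.Verify(term, m.KeyInfo, m.KeyInfoSig) || !rule(m.KeyInfo) {
		return ErrKeyInfo
	}
	return nil
}

// demoMessage builds constructed keys and certificates and a signed message,
// and returns the platform public key the authentication end would pre-store.
func demoMessage(result, info string) (ed25519.PublicKey, Message, error) {
	var pub [3]ed25519.PublicKey // platform, manufacturer, terminal
	var priv [3]ed25519.PrivateKey
	for i := range pub {
		var err error
		if pub[i], priv[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, Message{}, err
		}
	}
	m := Message{
		MatchResult:  []byte(result),
		KeyInfo:      []byte(info),
		Manufacturer: issue(priv[0], pub[1]),
		Terminal:     issue(priv[1], pub[2]),
	}
	m.ResultSig = ed25519.Sign(priv[2], m.MatchResult)
	m.KeyInfoSig = ed25519.Sign(priv[2], m.KeyInfo)
	return pub[0], m, nil
}

func main() {
	const info = "terminal-id:CONSTRUCTED-0001" // constructed key information
	rule := func(b []byte) bool { return string(b) == info }
	platform, m, err := demoMessage("match", info)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message:", Authenticate(platform, m, rule))
	m.MatchResult = []byte("no-match") // altered after signing
	fmt.Println("altered result: ", Authenticate(platform, m, rule))
}
```

The only key the authentication end holds in advance is the platform public key; a certificate that does not chain to it fails device authentication before any signed payload is examined.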
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610343447.8A CN105959287A (en) | 2016-05-20 | 2016-05-20 | Biological feature based safety certification method and device |
CN201610343447.8 | 2016-05-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017197974A1 (en) | 2017-11-23 |
Family
ID=56909347
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/077512 WO2017197974A1 (en) | 2016-05-20 | 2017-03-21 | Biometric characteristic-based security authentication method, device and electronic equipment |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN105959287A (en) |
TW (1) | TWI667585B (en) |
WO (1) | WO2017197974A1 (en) |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110796446A (en) * | 2019-10-18 | 2020-02-14 | 飞天诚信科技股份有限公司 | Key injection method, key injection device, electronic equipment and computer-readable storage medium |
CN111954211A (en) * | 2020-09-07 | 2020-11-17 | 北京计算机技术及应用研究所 | Novel authentication key negotiation system of mobile terminal |
EP3707627A4 (en) * | 2017-11-06 | 2020-11-18 | Visa International Service Association | Biometric sensor on portable device |
CN112019479A (en) * | 2019-05-29 | 2020-12-01 | 福州云豆网络科技有限公司 | Internet of things-based online bank user login encryption system |
CN112036861A (en) * | 2020-08-31 | 2020-12-04 | 深圳市兆珑科技有限公司 | Safety device |
CN112468969A (en) * | 2020-12-11 | 2021-03-09 | 北京中交国通智能交通系统技术有限公司 | ETC security authentication equipment authorization method, device and system based on position information |
EP3674936A4 (en) * | 2017-08-23 | 2021-04-21 | Tae Sik Yoon | Authentication terminal, authentication device and authentication method and system using authentication terminal and authentication device |
CN112953970A (en) * | 2021-04-01 | 2021-06-11 | 国民认证科技(北京)有限公司 | Identity authentication method and identity authentication system |
CN113127930A (en) * | 2021-05-17 | 2021-07-16 | 阳光电源股份有限公司 | Charging data processing method, device and computer readable storage medium |
CN113742705A (en) * | 2021-08-30 | 2021-12-03 | 北京一砂信息技术有限公司 | Method and system for realizing IFAA (Interface authentication and Access Association) number based authentication service |
CN113918906A (en) * | 2020-07-07 | 2022-01-11 | 瑞昱半导体股份有限公司 | Authentication data transmission method and system |
CN114710289A (en) * | 2022-06-02 | 2022-07-05 | 确信信息股份有限公司 | Internet of things terminal secure registration and access method and system |
CN114786177A (en) * | 2022-04-07 | 2022-07-22 | 武汉联影医疗科技有限公司 | Edge node access processing method, mobile terminal and edge node |
CN114782022A (en) * | 2022-05-11 | 2022-07-22 | 保利长大工程有限公司 | Construction digital monitoring method and equipment based on identity authentication and storage medium |
US20220245631A1 (en) * | 2020-03-23 | 2022-08-04 | Tencent Technology (Shenzhen) Company Limited | Authentication method and apparatus of biometric payment device, computer device, and storage medium |
US20220318813A1 (en) * | 2021-04-01 | 2022-10-06 | Fulian Precision Electronics (Tianjin) Co., Ltd. | Method for processing bank transactions and electronic device using method |
CN115242396A (en) * | 2022-06-06 | 2022-10-25 | 东信和平科技股份有限公司 | Unmanned aerial vehicle authentication method and system, electronic equipment and storage medium |
CN115941183A (en) * | 2023-02-27 | 2023-04-07 | 紫光同芯微电子有限公司 | Biological information processing method and related device |
CN117240625A (en) * | 2023-11-14 | 2023-12-15 | 武汉海昌信息技术有限公司 | Tamper-resistant data processing method and device and electronic equipment |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105959287A (en) * | 2016-05-20 | 2016-09-21 | 中国银联股份有限公司 | Biological feature based safety certification method and device |
CN107092819B (en) * | 2017-03-08 | 2020-04-14 | Oppo广东移动通信有限公司 | Fingerprint input inspection method and device |
CN106897164B (en) * | 2017-03-08 | 2020-08-14 | Oppo广东移动通信有限公司 | Fingerprint input control method and device |
CN107025389B (en) * | 2017-03-14 | 2020-08-07 | Oppo广东移动通信有限公司 | Fingerprint input method and terminal |
CN107038584A (en) * | 2017-04-12 | 2017-08-11 | 杭州纳戒科技有限公司 | Stored value card management method and system |
CN107016537A (en) * | 2017-04-12 | 2017-08-04 | 杭州纳戒科技有限公司 | Stored value card management method and device |
CN109716854B (en) * | 2017-05-31 | 2021-12-31 | 华为技术有限公司 | Connection establishing method, device, system and medium |
CN107358698A (en) * | 2017-07-17 | 2017-11-17 | 惠州Tcl移动通信有限公司 | A kind of unlocking method and system based on mobile terminal fingerprint recognition |
CN107392055A (en) * | 2017-07-20 | 2017-11-24 | 深圳市金立通信设备有限公司 | A kind of dual system safety chip control method, terminal, computer-readable recording medium and the dual system framework based on safety chip |
JP7013193B2 (en) | 2017-10-10 | 2022-01-31 | キヤノン株式会社 | System, system control method, voice control device, voice control device control method, and program |
JP7066380B2 (en) * | 2017-11-17 | 2022-05-13 | キヤノン株式会社 | Systems, methods in systems, information processing equipment, methods in information processing equipment, and programs |
CN108038694B (en) * | 2017-12-11 | 2019-03-29 | 飞天诚信科技股份有限公司 | A kind of fiscard and its working method with fingerprint authentication function |
CN108563934B (en) * | 2018-03-09 | 2020-07-10 | 青岛海信移动通信技术股份有限公司 | Fingerprint unlocking method and device |
CN108833379A (en) * | 2018-05-31 | 2018-11-16 | 中国工商银行股份有限公司 | A kind of data encryption and transmission method and device |
CN109194624B (en) * | 2018-08-09 | 2021-03-26 | 顾宏超 | Method for authenticating use of engineering machinery equipment, equipment and storage medium thereof |
TWI747052B (en) * | 2018-10-24 | 2021-11-21 | 大陸商廣州印芯半導體技術有限公司 | Optical sensor with encryption function and image data encryption method |
CN109547451B (en) * | 2018-11-30 | 2021-05-25 | 四川长虹电器股份有限公司 | TEE-based trusted authentication service authentication method |
CN109508562B (en) * | 2018-11-30 | 2022-03-25 | 四川长虹电器股份有限公司 | TEE-based trusted remote verification method |
CN109688149B (en) * | 2018-12-29 | 2022-02-15 | 中国银联股份有限公司 | Identity authentication method and device |
CN109766681A (en) * | 2019-01-11 | 2019-05-17 | 苏州国芯科技有限公司 | User ID authentication method, device, fingerprint logger and readable storage medium storing program for executing |
CN110011985A (en) * | 2019-03-19 | 2019-07-12 | 阿里巴巴集团控股有限公司 | For operating the method and system of internet of things equipment |
WO2019120321A2 (en) | 2019-03-29 | 2019-06-27 | Alibaba Group Holding Limited | Cryptographic key management based on identity information |
JP2020521341A (en) | 2019-03-29 | 2020-07-16 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | Cryptographic key management based on identification information |
EP3622665B1 (en) | 2019-03-29 | 2021-07-28 | Advanced New Technologies Co., Ltd. | Cryptography chip with identity verification |
KR102234825B1 (en) * | 2019-03-29 | 2021-04-02 | 어드밴스드 뉴 테크놀로지스 씨오., 엘티디. | Secure execution of cryptographic operations |
CN111934853B (en) * | 2019-05-13 | 2023-08-01 | 科大国盾量子技术股份有限公司 | Personal identity authentication method and system based on biological recognition technology and wearable device |
CN110677260B (en) | 2019-09-29 | 2023-04-21 | 京东方科技集团股份有限公司 | Authentication method, device, electronic equipment and storage medium |
CN111027979B (en) * | 2019-12-11 | 2021-06-29 | 支付宝(杭州)信息技术有限公司 | Method and device for opening, collecting and settling double off-line payment |
CN111526166B (en) * | 2020-07-03 | 2020-12-15 | 支付宝(杭州)信息技术有限公司 | Information verification method, device and equipment |
CN111784355B (en) * | 2020-07-17 | 2023-03-10 | 支付宝(杭州)信息技术有限公司 | Transaction security verification method and device based on edge calculation |
CN111784549B (en) * | 2020-07-23 | 2024-02-02 | 嘉兴长润线业有限公司 | Real estate information interaction system and method thereof |
CN111899029A (en) * | 2020-08-13 | 2020-11-06 | 北京字节跳动网络技术有限公司 | Identity verification method and device for electronic payment |
CN112184243A (en) * | 2020-09-28 | 2021-01-05 | 中国建设银行股份有限公司 | Transaction method, device, equipment and storage medium based on biological recognition |
CN113409043A (en) * | 2020-11-17 | 2021-09-17 | 葛云霞 | Information security method combining internet finance and biological recognition and cloud platform |
CN113297552B (en) | 2021-02-05 | 2023-11-17 | 中国银联股份有限公司 | Verification method based on biological characteristic ID chain, verification system and user terminal thereof |
CN115834074B (en) * | 2022-10-18 | 2023-07-21 | 支付宝(杭州)信息技术有限公司 | Identity authentication method, device and equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101741843A (en) * | 2009-12-10 | 2010-06-16 | 北京握奇数据系统有限公司 | Method, device and system for realizing user authentication by utilizing public key infrastructure |
US20130308838A1 (en) * | 2012-05-18 | 2013-11-21 | Apple Inc. | Efficient Texture Comparison |
CN104135368A (en) * | 2014-05-30 | 2014-11-05 | 哈尔滨工程大学 | A method for protecting data of an electronic chart |
CN105959287A (en) * | 2016-05-20 | 2016-09-21 | 中国银联股份有限公司 | Biological feature based safety certification method and device |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1514635A (en) * | 2003-04-29 | 2004-07-21 | 叶丰平 | Method of realizing mobile electronic business using finger print intelligence terminal and intelligent hand set |
TW200816068A (en) * | 2006-09-27 | 2008-04-01 | Ming-Chih Tsai | A transaction payment method by using handheld communication devices |
CN102081821B (en) * | 2009-11-27 | 2013-08-14 | 中国银联股份有限公司 | IC (integrated circuit) card paying system and method as well as multi-application IC card and payment terminal |
US20130054473A1 (en) * | 2011-08-23 | 2013-02-28 | Htc Corporation | Secure Payment Method, Mobile Device and Secure Payment System |
US20150095238A1 (en) * | 2013-09-30 | 2015-04-02 | Apple Inc. | Online payments using a secure element of an electronic device |
CN105227537A (en) * | 2014-06-16 | 2016-01-06 | 华为技术有限公司 | Method for authenticating user identity, terminal and service end |
CN104102876A (en) * | 2014-07-17 | 2014-10-15 | 北京握奇智能科技有限公司 | Device for safeguarding operational security of client side |
CN104660614A (en) * | 2015-03-16 | 2015-05-27 | 联想(北京)有限公司 | Authentication method, electronic equipment and server |
2016
- 2016-05-20 CN CN201610343447.8A patent/CN105959287A/en active Pending

2017
- 2017-03-21 WO PCT/CN2017/077512 patent/WO2017197974A1/en active Application Filing
- 2017-05-19 TW TW106116582A patent/TWI667585B/en active
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3674936A4 (en) * | 2017-08-23 | 2021-04-21 | Tae Sik Yoon | Authentication terminal, authentication device and authentication method and system using authentication terminal and authentication device |
US11290279B2 (en) | 2017-08-23 | 2022-03-29 | Tae Sik Yoon | Authentication terminal, authentication device and authentication method and system using authentication terminal and authentication device |
US11463257B2 (en) | 2017-11-06 | 2022-10-04 | Visa International Service Association | Biometric sensor on portable device |
EP3707627A4 (en) * | 2017-11-06 | 2020-11-18 | Visa International Service Association | Biometric sensor on portable device |
CN112019479A (en) * | 2019-05-29 | 2020-12-01 | 福州云豆网络科技有限公司 | Internet of things-based online bank user login encryption system |
CN110796446A (en) * | 2019-10-18 | 2020-02-14 | 飞天诚信科技股份有限公司 | Key injection method, key injection device, electronic equipment and computer-readable storage medium |
CN110796446B (en) * | 2019-10-18 | 2022-05-03 | 飞天诚信科技股份有限公司 | Key injection method, key injection device, electronic equipment and computer-readable storage medium |
US20220245631A1 (en) * | 2020-03-23 | 2022-08-04 | Tencent Technology (Shenzhen) Company Limited | Authentication method and apparatus of biometric payment device, computer device, and storage medium |
CN113918906A (en) * | 2020-07-07 | 2022-01-11 | 瑞昱半导体股份有限公司 | Authentication data transmission method and system |
CN112036861A (en) * | 2020-08-31 | 2020-12-04 | 深圳市兆珑科技有限公司 | Safety device |
CN112036861B (en) * | 2020-08-31 | 2024-05-10 | 百富计算机技术(深圳)有限公司 | Safety equipment |
CN111954211B (en) * | 2020-09-07 | 2023-05-02 | 北京计算机技术及应用研究所 | Novel authentication key negotiation system of mobile terminal |
CN111954211A (en) * | 2020-09-07 | 2020-11-17 | 北京计算机技术及应用研究所 | Novel authentication key negotiation system of mobile terminal |
CN112468969A (en) * | 2020-12-11 | 2021-03-09 | 北京中交国通智能交通系统技术有限公司 | ETC security authentication equipment authorization method, device and system based on position information |
CN112953970A (en) * | 2021-04-01 | 2021-06-11 | 国民认证科技(北京)有限公司 | Identity authentication method and identity authentication system |
US20220318813A1 (en) * | 2021-04-01 | 2022-10-06 | Fulian Precision Electronics (Tianjin) Co., Ltd. | Method for processing bank transactions and electronic device using method |
CN113127930A (en) * | 2021-05-17 | 2021-07-16 | 阳光电源股份有限公司 | Charging data processing method, device and computer readable storage medium |
CN113742705A (en) * | 2021-08-30 | 2021-12-03 | 北京一砂信息技术有限公司 | Method and system for realizing IFAA (Interface authentication and Access Association) number based authentication service |
CN113742705B (en) * | 2021-08-30 | 2024-05-24 | 北京一砂信息技术有限公司 | Method and system for realizing authentication service based on IFAA numbers |
CN114786177A (en) * | 2022-04-07 | 2022-07-22 | 武汉联影医疗科技有限公司 | Edge node access processing method, mobile terminal and edge node |
CN114786177B (en) * | 2022-04-07 | 2023-05-30 | 武汉联影医疗科技有限公司 | Edge node access processing method, mobile terminal and edge node |
CN114782022B (en) * | 2022-05-11 | 2022-12-06 | 保利长大工程有限公司 | Construction digital monitoring method and equipment based on identity authentication and storage medium |
CN114782022A (en) * | 2022-05-11 | 2022-07-22 | 保利长大工程有限公司 | Construction digital monitoring method and equipment based on identity authentication and storage medium |
CN114710289B (en) * | 2022-06-02 | 2022-09-02 | 确信信息股份有限公司 | Internet of things terminal security registration and access method and system |
CN114710289A (en) * | 2022-06-02 | 2022-07-05 | 确信信息股份有限公司 | Internet of things terminal secure registration and access method and system |
CN115242396A (en) * | 2022-06-06 | 2022-10-25 | 东信和平科技股份有限公司 | Unmanned aerial vehicle authentication method and system, electronic equipment and storage medium |
CN115941183A (en) * | 2023-02-27 | 2023-04-07 | 紫光同芯微电子有限公司 | Biological information processing method and related device |
CN115941183B (en) * | 2023-02-27 | 2023-10-13 | 紫光同芯微电子有限公司 | Biological information processing method and related device |
CN117240625A (en) * | 2023-11-14 | 2023-12-15 | 武汉海昌信息技术有限公司 | Tamper-resistant data processing method and device and electronic equipment |
CN117240625B (en) * | 2023-11-14 | 2024-01-12 | 武汉海昌信息技术有限公司 | Tamper-resistant data processing method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN105959287A (en) | 2016-09-21 |
TWI667585B (en) | 2019-08-01 |
TW201741922A (en) | 2017-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017197974A1 (en) | Biometric characteristic-based security authentication method, device and electronic equipment | |
CN110677418B (en) | Trusted voiceprint authentication method and device, electronic equipment and storage medium | |
CN107070667B (en) | Identity authentication method | |
EP3312750B1 (en) | Information processing device, information processing system, and information processing method | |
CN109150548B (en) | Digital certificate signing and signature checking method and system and digital certificate system | |
CN108809659B (en) | Dynamic password generation method, dynamic password verification method, dynamic password system and dynamic password verification system | |
US20180082050A1 (en) | Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device | |
JP2018532301A (en) | User authentication method and apparatus | |
JP6401784B2 (en) | Payment authentication system, method and apparatus | |
CN103477666B (en) | Mobile device is connected, is connected to vehicle and the cloud service of internet | |
CN112425114B (en) | Password manager protected by public key-private key pair | |
WO2017071496A1 (en) | Method and device for realizing session identifier synchronization | |
US20140298412A1 (en) | System and Method for Securing a Credential via User and Server Verification | |
CN110990827A (en) | Identity information verification method, server and storage medium | |
US11044604B2 (en) | Method and system for protecting and utilizing internet identity, using smartphone | |
CN109150535A (en) | A kind of identity identifying method, equipment, computer readable storage medium and device | |
JP2016096547A (en) | Method for non-repudiation, and payment managing server and user terminal therefor | |
JP2012530311A5 (en) | ||
RU2011153984A (en) | TRUSTED AUTHORITY ADMINISTRATOR (TIM) | |
US9124571B1 (en) | Network authentication method for secure user identity verification | |
KR102012262B1 (en) | Key management method and fido authenticator software authenticator | |
US20210320790A1 (en) | Terminal registration system and terminal registration method | |
TW201108696A (en) | Account identification system, method and peripheral device of performing function thereof | |
US10333707B1 (en) | Systems and methods for user authentication | |
KR101659847B1 (en) | Method for two channel authentication using smart phone |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17798539 Country of ref document: EP Kind code of ref document: A1 |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 17798539 Country of ref document: EP Kind code of ref document: A1 |