WO2020191547A1 - Biometric recognition method and apparatus - Google Patents

Biometric recognition method and apparatus Download PDF

Info

Publication number
WO2020191547A1
WO2020191547A1 PCT/CN2019/079339 CN2019079339W WO2020191547A1 WO 2020191547 A1 WO2020191547 A1 WO 2020191547A1 CN 2019079339 W CN2019079339 W CN 2019079339W WO 2020191547 A1 WO2020191547 A1 WO 2020191547A1
Authority
WO
WIPO (PCT)
Prior art keywords
biometric
template
matching
biometric template
data
Prior art date
Application number
PCT/CN2019/079339
Other languages
French (fr)
Chinese (zh)
Inventor
潘时林
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2019/079339 priority Critical patent/WO2020191547A1/en
Priority to CN201980006480.3A priority patent/CN111989693A/en
Publication of WO2020191547A1 publication Critical patent/WO2020191547A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition

Definitions

  • This application relates to the field of computer technology, in particular to a biometric identification method and device.
  • Biometric identification refers to the close integration of computers with high-tech methods such as optics, acoustics, biosensors, and biostatistics, and the use of inherent physical features (such as fingerprints, faces, or irises) or behavioral features (such as Biometrics such as handwriting, voice, or gait, etc.) are used for personal identification.
  • biometrics has been widely used as a convenient and relatively safe way of man-machine verification.
  • the terminal can use the biometrics to perform operations such as system unlocking or value transfer, in order to ensure data security, the biometric identification process must be implemented in the secure area of the terminal.
  • a Trusted Execution Environment TEE
  • the terminal can perform a biometric identification process under the TEE. Specifically, the terminal may first obtain the biological image under the TEE, and then extract the biological characteristic data in the biological image, and then match the biological characteristic data with the stored biological characteristic template to obtain the biological recognition result.
  • TEE Trusted Execution Environment
  • TEE has a limited degree of security and is relatively easy to be attacked by attackers. After the attacker breaks through the TEE, he can directly control the output of the biometric recognition result to pass the recognition without matching the biometric data; alternatively, he can replace the stored biometric template with another biometric template to If the biometric data is matched successfully, the biometric identification result output will be recognized as passed. As a result, the security of biometrics is low.
  • This application provides a biometric identification method and device, which can improve the security of biometric identification.
  • the technical solution is as follows:
  • a biometric identification method includes: acquiring a biometric image under a TEE; extracting biometric data in the biometric image under the TEE; and performing a secure element (Secure Element) , SE), matching all or part of the biometric data with a biometric template to obtain a biometric recognition result.
  • a secure element Secure Element
  • the biological image is an image containing biological characteristics.
  • the biological image may be at least one of a fingerprint image, a palmprint image, a human face image, or an iris image.
  • the biometric template may be at least one of a fingerprint template, a palm print template, a face template, or an iris template.
  • the biological image is acquired under the TEE and the biological characteristic data in the biological image is extracted. Since the security level of the TEE is higher than the ordinary execution environment (Rich Execution Environment, REE), the biological image and biological characteristics can be guaranteed Data security. Moreover, since the TEE uses the system processor when it is running, the computing power and storage capacity under the TTE are high, so it can ensure a high extraction speed of biometric data, thereby ensuring a high biometric identification speed. In addition, at least a part of the template matching is performed on the biometric data in the SE and the biometric recognition result is output. Since the security level of the SE is higher than the TEE, the biometric recognition function reaches a high security level.
  • matching all or part of the biometric data with the biometric template, and before obtaining the biometric result further includes: comparing the biometric data under the TEE All of the data is sent to the SE.
  • matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes: in the SE, matching all or part of the biometric data with a preset The biometric template is matched to obtain the biometric result.
  • the SE can completely complete the template matching of the biometric data to obtain the biometric recognition result, thereby greatly improving the security of biometric recognition.
  • matching all or part of the biometric data with the biometric template, and before obtaining the biometric result further includes: under the TEE, matching the At least a part of the biometric data is first matched with the first biometric template to obtain a first matching result; under the TEE, the first matching result and at least another part of the biometric data are combined Sent to the SE.
  • matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes: in the SE, matching at least another part of the biometric data A second matching is performed between the data and the second biometric template to obtain a second matching result, and the biometric recognition result is determined according to the first matching result and the second matching result.
  • both the first biometric template and the second biometric template belong to the preset biometric template
  • the second biometric template includes the part of the preset biometric template that is different from the first biometric template, namely
  • the second biometric template and the first biometric template may not be completely the same, for example, the first biometric template and the second biometric template may overlap.
  • the first biometric template and the second biometric template may be completely different, that is, the first biometric template and the second biometric template may be different parts of the preset biometric template, respectively.
  • the template matching of the biometric data can be completed by the combination of TEE and SE to obtain the biometric results, that is, the two-stage template matching is performed by TEE and SE, which can effectively ensure the template matching speed
  • TEE and SE which can effectively ensure the template matching speed
  • SE does not have a major impact, so that while improving the security of biometrics, it can ensure a high template matching speed, and then a high biometrics recognition speed.
  • the method further includes: acquiring the preset biological feature template; extracting the first biological feature template and the first biological feature template from the preset biological feature template 2. Biometric template.
  • the preset biometric template may be a complete biometric template generated after successful biometric registration.
  • the first biometric template can be stored in the TEE
  • the second biometric template is stored in the SE.
  • the method further includes: when the matching degree indicated by the first matching result is greater than or equal to the first matching degree, Trigger the second matching operation of the at least another part of the data with the second biometric template in the SE.
  • the degree of matching indicated by the first matching result is less than the first degree of matching, it is directly determined under the TEE that the biometric recognition result is not passed, and the biometric recognition operation is ended.
  • the matching degree indicated by the first matching result when the matching degree indicated by the first matching result is less than the first matching degree, it indicates that at least a part of the biometric data does not match the first biometric template, that is, the first biometric template is performed under TEE.
  • the matching degree of one-stage template matching is very low, so there is no need to perform the second-stage template matching in the SE at this time, and the biometric recognition can be determined directly under the TEE to end the biometric recognition operation. In this way, when recognizing a biological image without biological registration, it can be quickly determined that the biological recognition is not passed, so that the biological recognition time delay can be reduced when the input biological image is wrong.
  • the matching degree indicated by the first matching result is greater than or equal to the first matching degree, it indicates that at least a part of the biometric data matches the first biometric template, that is, the matching of the first paragraph of template matching performed under TEE
  • the degree is not very low, so at this time, the second-stage template matching can be continued in the SE, and the SE will output the final biometric results. In this way, the accuracy of biometric identification can be guaranteed.
  • first biological feature templates and multiple second biological feature templates there may be multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates are in one-to-one correspondence with the multiple second biological feature templates.
  • a biological characteristic template and a second biological characteristic template belong to the same preset biological characteristic template.
  • first matching at least part of the biometric data with the first biometric template to obtain a first matching result includes: under the TEE, Perform a first match between the at least part of the data and each first biometric template of the plurality of first biometric templates to obtain a first matching result corresponding to each first biometric template.
  • the SE at least another part of the biometric data is subjected to a second matching with a second biometric template to obtain a second matching result, and according to the first matching result and the second matching result
  • the second matching result, determining the biometric recognition result includes: in the SE, according to the order of the plurality of matching degrees indicated by the plurality of first matching results corresponding to the plurality of first biometric templates, from high to low, Sort the plurality of second biometric templates; in the SE, according to the sort, sequentially perform a second match on the at least another part of the data with the plurality of second biometric templates; in the In SE, each time the second matching between the at least another part of data and a second biometric template is completed, a second matching result is obtained, and according to the second matching result and the first matching result, it is determined to correspond to The biometric recognition result of the second biometric template.
  • biometric recognition operation is ended in the SE. If the biometric recognition result of the second biometric template is recognized as not passed, then in the SE At least another part of the biometric data is continuously matched with the next second biometric template.
  • the pairs correspond to the multiple first biological feature templates in a one-to-one order.
  • the order of the plurality of second biometric templates represents the order of the plurality of second biometric templates and the biometric data from the most likely to successfully match to the least possible .
  • the biometric recognition result is determined once, and the biometric recognition operation is ended when the biometric recognition result is passed. In this way, when recognizing a biological image that has undergone biological registration, it can be quickly determined that the biological recognition has passed, so that the biological recognition time delay can be reduced when the input biological image is correct.
  • a biological recognition device in a second aspect, includes: a processor and an SE; the processor is configured to obtain a biological image and extract biological characteristic data in the biological image under a TEE; SE is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
  • the processor is further configured to send all of the biometric data to the SE under the TEE; correspondingly, the SE is configured to send all of the biometric data to the preset The set biometric template is matched to obtain the biometric recognition result.
  • the processor is further configured to perform a first matching of at least a part of the biometric data with a first biometric template under the TEE to obtain a first matching result; in the TEE Send the first matching result and at least another part of the biometric data to the SE; correspondingly, the SE is used to combine at least another part of the biometric data with the first Perform a second matching between two biometric templates to obtain a second matching result, and determine a biometric recognition result according to the first matching result and the second matching result; wherein, the second biometric template includes a preset biometric The part of the feature template that is different from the first biometric template.
  • the first biometric template and the second biometric template are respectively different parts of a preset biometric template.
  • the processor is further configured to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
  • the processor is further configured to, when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching, trigger the SE to perform the comparison between the at least another part of the data and the second biometric template. The second match.
  • the multiple first biological feature templates have a one-to-one correspondence with the multiple second biological feature templates, and correspond to one first biological feature.
  • the characteristic template and a second biological characteristic template belong to the same preset biological characteristic template;
  • the processor is further configured to combine the at least part of the data with the plurality of first biological characteristic templates under the TEE Perform first matching on each of the first biometric templates to obtain the first matching result corresponding to each of the first biometric templates; accordingly, the SE is used to correspond to the multiple first biometric templates
  • the plurality of second biometric templates are sorted in the descending order of the matching degrees indicated by the plurality of first matching results; according to the sorting, the at least another part of the data is sequenced with the plurality of A second biometric template for a second matching; each time the second matching between the at least another part of the data and a second biometric template is completed, a second matching result is obtained, based on the second matching result and the The first matching result determines the biometric recognition result
  • the biometric template is at least one of a fingerprint template, a face template, or an iris template.
  • a biometric identification device in a third aspect, includes: a TEE module and an SE module; the TEE module is used to obtain a biological image and extract biometric data in the biological image; the SE module, It is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
  • the TEE module is also used to send all of the biometric data to the SE module; correspondingly, the SE module is used to combine all of the biometric data with a preset biometric data.
  • the feature template is matched to obtain the biometric recognition result.
  • the TEE module is further configured to perform a first matching of at least a part of the biometric data with a first biometric template to obtain a first matching result; compare the first matching result with Sending at least another part of the biometric data to the SE module; correspondingly, the SE module is configured to perform a second matching of at least another part of the biometric data with a second biometric template, Obtain a second matching result, and determine a biometric recognition result according to the first matching result and the second matching result; wherein, the second biometric template includes a preset biometric template that is different from the first Part of the biometric template.
  • the first biometric template and the second biometric template are respectively different parts of a preset biometric template.
  • the device is further configured to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
  • the TEE module is further configured to trigger the SE module to compare the at least another part of the data with the second biometric template when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching. Perform a second match.
  • the multiple first biological feature templates have a one-to-one correspondence with the multiple second biological feature templates, and correspond to one first biological feature.
  • the characteristic template and a second biological characteristic template belong to the same preset biological characteristic template; the TEE module is also used to combine the at least part of the data with each first biological characteristic of the plurality of first biological characteristic templates.
  • the feature template performs first matching to obtain the first matching result corresponding to each of the first biological feature templates; accordingly, the SE module is configured to perform the first matching according to the multiple first biological feature templates corresponding to the multiple first biological feature templates.
  • the plurality of matching degrees indicated by the matching result are ordered from high to low, and the plurality of second biometric templates are sorted; according to the sorting, the at least another part of data is sequentially matched with the plurality of second biometrics.
  • the template performs a second matching; each time the second matching between the at least another part of data and a second biometric template is completed, a second matching result is obtained, and according to the second matching result and the first matching result, The biometric recognition result corresponding to the second biometric template is determined.
  • the biometric template is at least one of a fingerprint template, a face template, or an iris template.
  • a computer-readable storage medium stores instructions that, when run on a computer, cause the computer to execute the biometric identification method described in the first aspect.
  • a computer program product containing instructions, which when running on a computer, causes the computer to execute the biometric identification method described in the first aspect.
  • the technical solution provided by this application can at least bring about the following beneficial effects: after acquiring a biological image under the TEE, the biological characteristic data in the biological image is extracted under the TEE. Then, in the SE, all or part of the biometric data is matched with the biometric template to obtain the biometric recognition result. Since the security level of SE is higher than TEE, the biometric recognition function has reached a high security level. In addition, since the calculation of template matching of biometric data is not complicated, the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured. In this way, the embodiment of the present application only slightly increases the time delay and does not affect the performance of the biometrics, so that the biometrics is protected with a high security level, thereby improving the security of the biometrics.
  • FIG. 1 is a schematic structural diagram of a system architecture provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of another biometric identification device provided by an embodiment of the present application.
  • FIG. 4 is a flowchart of a biometric identification method provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of another biometric identification method provided by an embodiment of the present application.
  • FIG. 6 is a flowchart of another biometric identification method provided by an embodiment of the present application.
  • Figure 7 is a schematic diagram of a biometric template provided by an embodiment of the present application.
  • Fig. 8 is a schematic diagram of a biometric identification process provided by an embodiment of the present application.
  • the embodiments of this application can be applied to scenarios that require the use of biometrics, such as booting and unlocking scenarios, application identity authentication scenarios, etc.
  • the embodiments of this application introduce SE in the biometric identification process to perform template matching, so that the biometrics function can also be used. Reach a high security level, which can greatly improve the security of biometrics.
  • the acquisition of biological images and the extraction of biological characteristic data can be performed under TEE, and then at least a part of template matching is performed on the biological characteristic data in SE.
  • biometric recognition result it is possible to directly match all of the biometric data with a preset biometric template in the SE to obtain a biometric recognition result; or, first, under the TEE, at least part of the biometric data can be matched with The first biometric template performs first matching to obtain a first matching result, and then in SE, at least another part of the biometric data is subjected to a second matching with the second biometric template to obtain a second matching result, and According to the first matching result and the second matching result, the biometric recognition result is determined.
  • biometric speed and biometric performance ie, recognition rate and misrecognition rate
  • FIG. 1 is a schematic structural diagram of a system architecture provided by an embodiment of the present application.
  • the system architecture may include: REE, TEE, and SE.
  • REE and TEE are two parallel execution environments, which are isolated by hardware, and both are generated by the processor running necessary software, such as operating system software and security software.
  • the SE can be an independent dedicated security chip (such as a smart card, or an Embedded Secure Element (eSE), etc.), or it can be integrated into a System on Chip (SoC) in the form of a security unit (such as inSE, etc.) .
  • SoC System on Chip
  • the security level of SE is higher than TEE, and the security level of TEE is higher than REE.
  • the SE may be a secure processing unit (Secure Processing Unit, SPU).
  • SPU Secure Processing Unit
  • SE is a piece of hardware different from a processor, used to perform operations or processing with a higher security level, so its security is higher than TEE and REE.
  • REE is the operating environment of terminal operating systems such as Android or iOS, and includes modules such as client application (Client Application, CA), TEE function application programming interface (Application Programming Interface, API), TEE client API, and multimedia operating system components.
  • CA is a client application provided to users.
  • the TEE function API is a friendly interface provided to CA to access TEE core services (such as trusted storage and encryption algorithm services).
  • the TEE client API is a low-level communication interface provided to the CA to access the trusted application (Trusted Application, TA) in the TEE and to exchange data with the TA.
  • the multimedia operating system components include modules such as public device drivers and REE communication agent.
  • the REE communication agent provides message transmission between CA and TA.
  • TEE provides a safer and closed execution environment.
  • TEE is mainly composed of TA, TEE internal API, trusted operating system components, and trusted kernel.
  • TA runs on TEE to provide users with security services.
  • TA and TA communicate with each other through TEE internal API.
  • the trusted operating system components include TEE communication agents, trusted core frameworks, and trusted functions.
  • TEE communication agent and REE communication agent together realize the secure transmission of messages between CA and TA.
  • the trusted core framework provides TA with a secure operating system (Operating System, OS) function.
  • the trusted function module provides auxiliary facility support to application developers.
  • the trusted kernel mainly provides scheduling and other OS management functions to the trusted core framework and trusted function modules.
  • SE implements functions such as data secure storage, encryption and decryption operations through the Chip Operating System (COS).
  • COS Chip Operating System
  • SE can be packaged into various forms, such as smart cards, eSE, inSE, etc. are common.
  • SE can provide chip-level hardware protection and can resist various physical attacks.
  • the main functions of SE include: secure storage of keys, data encryption operations, and secure storage of information.
  • the secure storage of keys can establish a relatively complete key management system to ensure that keys cannot be read.
  • Data encryption operations include support for reliable security algorithms, ciphertext transmission of sensitive data, and anti-tampering of data transmission.
  • Information security storage refers to a strict file access authority mechanism and reliable authentication algorithms and processes.
  • FIG. 2 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application.
  • the biometric identification device may be a computer device 200.
  • the computer device includes at least one processor 201, a communication bus 202, a memory 203, at least one communication interface 204, and an SE208.
  • the at least one processor 201 is used to form the REE and TEE in the system architecture shown in FIG. 1.
  • the processors 201 and SE208 execute their respective software programs, including but not limited to system software, application software, or driver software.
  • the processor 201 may be at least one of a general-purpose central processing unit (CPU), a microprocessor, or a microcontroller, and may also include an application-specific integrated circuit (ASIC), or may be One or more integrated circuits used to control the execution of the program of this application.
  • the communication bus 202 may include a path for transferring information between the aforementioned components.
  • the memory 203 can be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, or it can be a random access memory (RAM) or can store information and instructions.
  • the memory 203 may exist independently and is connected to the processor 201 through the communication bus 202.
  • the memory 203 may also be integrated with the processor 201.
  • the communication interface 204 is any device such as a transceiver for communicating with other devices or communication networks, such as Ethernet, Radio Access Network (RAN), and Wireless Local Area Networks (WLAN).
  • the processor 201 may include one or more CPUs, such as CPU0 and CPU1 as shown in FIG. 2.
  • the computer device may include multiple processors, such as the processor 201 and the processor 205 as shown in FIG. 2.
  • the processor 201 and the processor 205 form a large and small core architecture, that is, the processor 201 is a large core and the processor 20 is a small core.
  • Each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).
  • the computer device may further include an output device 206 and an input device 207.
  • the output device 206 communicates with the processor 201 and can display information in a variety of ways.
  • the output device 206 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector, etc.
  • the input device 207 communicates with the processor 201, and can receive user input in a variety of ways.
  • the input device 207 may be a mouse, a keyboard, a touch screen device, or a sensor device.
  • the above-mentioned computer equipment may be a general-purpose computer equipment or a special-purpose computer equipment.
  • the computer device may be a desktop computer, a portable computer, a web server, a PDA (Personal Digital Assistant, PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, or an embedded device.
  • PDA Personal Digital Assistant
  • the embodiments of this application do not Limit the type of computer equipment.
  • the memory 203 is used to store the program code 210 for executing the solution of the present application, and the processor 201 is used to execute the program code 210 stored in the memory 203.
  • the computer device can implement all operations performed under the TEE in the embodiment of FIG. 4 below through the processor 201 and the program code 210 in the memory 203.
  • the computer device can also implement all operations performed in the SE in the embodiment of FIG. 4 through the SE 208 and the program code 210 in the memory 203.
  • the program software run by the SE208 may not be stored in the memory 203, but stored inside the SE208, which is not limited in the embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application.
  • the biometric identification device may include a TEE module 301 and an SE module 302.
  • the TEE module 301 is used to perform all operations to be performed under the TEE in the embodiment of FIG. 4 below
  • the SE module 302 is used to perform all the operations to be performed in the SE in the embodiment of FIG. 4 below.
  • the TEE module 301 and the SE module 302 can be implemented by software, hardware or a combination of both.
  • the TEE module 301 and the SE module 302 are implemented by software, these two modules can run on the processor 201 and the SE 208 in FIG. 2 respectively.
  • the biometric identification device provided in the above embodiment and the biometric identification method embodiment belong to the same concept, and the specific implementation process is detailed in the following method embodiment, which will not be elaborated here.
  • Fig. 4 is a flowchart of a biometric identification method provided by an embodiment of the present application.
  • the method includes: Step 401: Acquire a biological image under TEE.
  • the biological image is an image containing biological characteristics.
  • the biological image may be at least one of a fingerprint image, a palmprint image, a human face image, or an iris image.
  • the biological image can be acquired through the image acquisition device under the TEE.
  • the biological image can also be acquired through other methods under the TEE, which is not limited in the embodiment of the present application.
  • the image capture device is used to capture biological images.
  • the image capture device may be at least one of a fingerprint sensor, a collector, or a camera.
  • the fingerprint sensor may be, for example, an ultrasonic fingerprint sensor, a push fingerprint sensor, or an optical fingerprint sensor.
  • the fingerprint image can be sent to the memory space of the TA for biometric identification in the TEE through the serial peripheral interface (Serial Peripheral Interface, SPI)
  • SPI Serial Peripheral Interface
  • the face image can be sent to the memory space of the TA used for biometric identification in the TEE through the camera serial interface (CSI).
  • CSI camera serial interface
  • step 401 may be performed when the biometric identification service under the REE is started, that is, step 401 may be performed when the user uses the biometric identification service.
  • the biometric service may be booting and unlocking, application identity authentication, etc., which is not limited in the embodiment of the present application.
  • Step 402 Extract the biological characteristic data in the biological image under the TEE.
  • the biological feature data in the biological image is used to indicate the biological features contained in the biological image.
  • the biometric data can be the parameters (such as direction, curvature, and bifurcation points) of the minutiae feature points (such as the starting point, end point, joining point, and bifurcation point of lines) in the biological image. Location etc.).
  • the biological feature data may be attributes (such as size, position, distance, etc.) of facial contour points (such as iris, nose and corner of mouth, etc.) in the face image.
  • a feature extraction algorithm can be used under TEE to extract biological feature data in the biological image.
  • the biometric data in the biometric image can be extracted through TA for biometric recognition under TEE.
  • the feature extraction algorithm can be set in advance.
  • the feature extraction algorithm can be a fingerprint feature extraction algorithm
  • the feature extraction algorithm can be a face feature extraction algorithm.
  • the embodiments of this application can acquire biological images under TEE and extract the biological characteristic data in the biological images. Since TEE operates in isolation from REE and has a high security level, the security of biological images and biological data can be guaranteed. Moreover, since the TEE uses a processor when it is running, the computing power and storage capacity under the TTE are both high, so it can ensure that the extraction speed of biometric data is high, thereby ensuring that the biometric recognition speed is high.
  • Step 403 In the SE, all or part of the biometric data is matched with the biometric template to obtain a biometric recognition result.
  • the biometric template can be set in advance.
  • the biometric template can be at least one of a fingerprint template, a face template, or an iris template.
  • the biometric template may be a complete biometric template generated after the biometric registration is successful, that is, the biometric template may be a preset biometric Template; when matching the part of the biometric data with the biometric template, the biometric template can be part of the complete biometric template generated after the biometric registration is successful, that is, the biometric template can be a preset Part of the biometric template.
  • the template matching can be performed on the biometric data in the SE and the biometric results can be output.
  • the SE can provide chip-level hardware protection, it can resist various physical attacks and has a security level. It is higher than TEE, so the biometric recognition function reaches a high security level.
  • the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured.
  • the embodiment of the present application provides a solution for supporting biometrics by using SE, which provides high security for biometrics without affecting the biometric performance (recognition rate and false recognition rate) while only slightly increasing the time delay.
  • Level of protection which can improve the security of biometrics.
  • step 403 when in SE, all of the biometric data is matched with the biometric template to obtain the biometric recognition result, step 403 can be implemented in the first possible implementation manner as follows; when in SE, When the part of the biometric data is matched with the biometric template, and the biometric recognition result is obtained, step 403 can be implemented in the following second possible implementation manner.
  • step 4031 may be performed before step 403: sending all the biometric data to the SE under the TEE.
  • the operation of step 403 may be step 4032: in SE, all of the biometric data is matched with a preset biometric template to obtain a biometric recognition result.
  • the SE completely completes the template matching of the biometric data to obtain the biometric recognition result, which can greatly improve the security of biometric recognition.
  • matching all of the biometric data with the preset biometric template is to match the biometrics indicated by the biometric data with the biometrics indicated by the preset biometric template. If the matching is successful, you can It is determined that the biometric recognition result is recognition passed, and if the matching fails, it can be determined that the biometric recognition result is recognition failed.
  • step 4033 may be performed before step 403: under TEE, perform a first matching of at least a part of the biometric data with the first biometric template to obtain The first matching result, and sending the first matching result and at least another part of the biometric data to the SE under the TEE.
  • the operation of step 403 may be step 4034: in SE, perform a second matching of at least another part of the biometric data with the second biometric template to obtain a second matching result, and according to the first matching result With the second matching result, the biometric recognition result is determined.
  • the template matching of the biometric data is completed by the combination of TEE and SE to obtain the biometric result, that is, the two-stage template matching is performed by TEE and SE.
  • This can effectively ensure that the template matching speed is not greatly affected by the use of SE, so that while improving the security of biometrics, it can ensure that the template matching speed is high, and then the biometrics recognition speed can be high.
  • the first biometric template and the second biometric template both belong to a preset biometric template, and the second biometric template includes a part of the preset biometric template that is different from the first biometric template.
  • the first biometric template may be stored in a memory under the TEE, for example, in the memory 203 of FIG.
  • the second biometric template may be stored in the SE.
  • the second biometric template and the first biometric template may not be completely the same, for example, there is overlap.
  • the first biometric template and the second biometric template can be completely different, that is, the first biometric template and the second biometric template can be different parts of the preset biometric template, for example, as shown in FIG. 7 As shown, the preset biometric template is A, and the preset biometric module A can be divided into two parts, one part is A1, the other part is A2, and then A1 is used as the first biometric module and A2 is used as the second biometric module. Feature template.
  • the proportion of the first biometric template in the preset biometric template can be greater than that of the second biometric template in the preset biometric template. In the proportion. Moreover, in order to ensure the safety of the second biometric template in the SE, the non-overlapping part of the second biometric template and the first biometric template needs to have sufficient data strength, that is, the first biometric template cannot be easily derived from the first biometric template. 2. Biometric template.
  • the first matching of at least part of the biometric data with the first biometric template means that the biometrics indicated by the at least part of the biometric data are indicated by the first biometric template.
  • the biological characteristics are matched, and the first matching result is obtained.
  • the first matching result is used to indicate the degree of matching between at least a part of the biometric data and the first biometric template.
  • all of the biometric data can be directly sent to the SE under the TEE; or, under the TEE, according to the first biological feature
  • the distribution rules of the template and the second biometric template in the preset biometric template From the biometric data, determine a part of the data corresponding to the first biometric template and a part of the data corresponding to the second biometric template. Part of the biometric data corresponding to the second biometric template is sent to the SE.
  • the second matching of at least another part of the biometric data with the second biometric template is to match the biometrics indicated by the at least another part of the biometric data with the second biometric template.
  • the indicated biological characteristics are matched, and the second matching result is obtained.
  • the second matching result is used to indicate the degree of matching between at least another part of the biometric data and the second biometric template.
  • the first weight corresponding to the TEE and the second weight corresponding to the SE can be used to compare the matching degree indicated by the first matching result with the first The matching degree indicated by the two matching results is weighted and averaged to obtain the target matching degree; if the target matching degree is greater than or equal to the second matching degree, the biometric recognition result is determined to pass; if the target matching degree is less than the second matching degree, the biological The recognition result is that the recognition fails.
  • the biometric recognition result can also be determined in other ways according to the first matching result and the second matching result, which is not limited in the embodiment of the present application.
  • the first weight corresponding to TEE and the second weight corresponding to SE can be set in advance. For example, it can be set according to the security level of TEE and SE, or can be set according to the security level of TEE and SE and the first biological The distribution rules of the feature template and the second biometric template in the preset biometric template are set.
  • the second matching degree can be set in advance, and the second matching degree can be set to be larger.
  • the target matching degree is greater than or equal to the second matching degree, it indicates that the biometric data closely matches the preset biometric template, and thus the biometric identification can be determined to pass.
  • the target matching degree is less than the second matching degree, it indicates that the biometric data does not match the preset biometric template, so it can be determined that the biometric recognition is not passed.
  • the first biometric template and the second biometric template can also be generated first.
  • a preset biometric template can be acquired, and the first biometric template and the second biometric template can be extracted from the preset biometric template.
  • a biometric registration instruction when obtaining a preset biometric template, when a biometric registration instruction is received, a biometric image can be collected, and then biometric data in the collected biometric image can be extracted as the preset biometric template.
  • the biometric registration instruction is used to instruct the registration of the biometric template.
  • the biometric registration instruction can be triggered by the user, and the user can be triggered by operations such as tap operation, sliding operation, voice operation, or gesture operation. There is no restriction on this.
  • the first biometric template can be stored in the TEE In the memory below, store the second biometric template in the SE.
  • Method 1 After obtaining the first matching result under TEE, determine whether the matching degree indicated by the first matching result is less than the first matching degree; when the matching degree indicated by the first matching result is less than the first matching degree, directly determine under TEE The biometric recognition result is that the recognition is not passed, and the biometric recognition operation is ended; when the matching degree indicated by the first matching result is greater than or equal to the first matching degree, the SE is triggered to connect at least another part of the biometric data with the first The second biometric template performs the second matching operation.
  • the first matching degree can be set in advance, and the first matching degree can be set to be small.
  • the matching degree indicated by the first matching result is less than the first matching degree, it indicates that at least a part of the biometric data does not match the first biometric template, that is, the matching degree of the first paragraph of template matching performed under TEE It is very low, so there is no need to perform the second-stage template matching in the SE at this time, and the biometric identification can be determined directly under the TEE to end the biometric identification operation. In this way, when recognizing a biological image without biological registration, it can be quickly determined that the biological recognition is not passed, so that the biological recognition time delay can be reduced when the input biological image is wrong.
  • the matching degree indicated by the first matching result is greater than or equal to the first matching degree, it indicates that at least a part of the biometric data matches the first biometric template, that is, the matching of the first paragraph of template matching performed under TEE
  • the degree is not very low, so at this time, the second-stage template matching can be continued in the SE, and the SE will output the final biometric results. In this way, the accuracy of biometric identification can be guaranteed.
  • a preset biometric template corresponding to the fingerprint of each finger among multiple fingers can be generated.
  • the multiple first biological feature templates and the multiple second biological feature templates have a one-to-one correspondence, corresponding to a first biological feature.
  • the characteristic template and a second biological characteristic template belong to the same preset biological characteristic template.
  • At least part of the biometric data is first matched with the first biometric template, and when the first matching result is obtained, at least part of the biometric data can be Part of the data is first matched with each first biometric template of the plurality of first biometric templates to obtain a first matching result corresponding to each first biometric template.
  • the biometric recognition operation is ended;
  • the SE is triggered to trigger at least one of the biometric data The other part of the data is subjected to a second matching operation with the second biometric template.
  • the speed of biometric identification can be further improved through the following method two.
  • Manner 2 In SE, the plurality of second biometric templates are sorted according to the order from high to low indicated by the plurality of first matching results corresponding to the plurality of first biometric templates; In SE, according to the sort, at least another part of the biometric data is sequentially matched with the plurality of second biometric templates; in SE, whenever at least another part of the biometric data is completed When a second matching result is obtained with a second biometric template, a second matching result is obtained.
  • the biometric result corresponding to the second biometric template is determined; if this second If the biometric result of the biometric template is recognized as passed, the biometric recognition operation is ended in the SE. If the biometric result of the second biometric template is not passed, then at least another part of the biometric data in the SE The data continues to be matched with the next second biometric template.
  • the multiple matching degrees corresponding to the multiple first biological feature templates are one-to-one.
  • the order of the plurality of second biometric templates represents the order of the plurality of second biometric templates and the biometric data from the most likely to successfully match to the least possible.
  • the biometric recognition result is determined once, and the biometric recognition operation is ended when the biometric recognition result is passed. In this way, when recognizing a biological image that has undergone biological registration, it can be quickly determined that the biological recognition has passed, so that the biological recognition time delay can be reduced when the input biological image is correct.
  • the SE can send the biometric result to the biometric service under the REE, so that the biometric service can perform the follow-up process based on the biometric result.
  • the SE can enable the system key service. For example, when the biometric identification result is passed, if the SE receives the system key acquisition sent by the biometric service Upon request, the stored system key can be returned to the biometric service so that the biometric service can use the system key to unlock and access system files; or, when the biometric result is passed, the SE can use the stored The system key unlocks the system file so that the biometric service can directly access the system file.
  • the biometric identification process may include the following steps (1) to (7).
  • the biological characteristic data in the biological image is extracted under the TEE.
  • the SE all or part of the biometric data is matched with the biometric template to obtain the biometric recognition result. Since the security level of SE is higher than TEE, the biometric recognition function has reached a high security level.
  • the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured.
  • two-stage template matching can be performed by combining TEE and SE, that is, the first stage template matching can be performed on biometric data under TEE, and then the second stage of biometric data can be performed in SE.
  • Template matching can effectively ensure that the template matching speed will not be greatly affected by the use of SE. In this way, the embodiment of the present application only slightly increases the time delay and does not affect the performance of the biometrics, so that the biometrics is protected with a high security level, thereby improving the security of the biometrics.
  • the corresponding method flow can be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • software When implemented by software, it can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example: floppy disk, hard disk, tape), optical medium (for example: Digital Versatile Disc (DVD)), or semiconductor medium (for example: Solid State Disk (SSD) )Wait.

Abstract

Disclosed are a biometric recognition method and apparatus, belonging to the technical field of computers. The method comprises: after acquiring, under a TEE, a biometric image, extracting, under the TEE, biometric feature data from the biometric image; and then matching, in an SE, all of or part of the biometric feature data with a biometric feature template to obtain a biometric recognition result. In the present application, since the security level of an SE is higher than a TEE, the biometric recognition function reaches a high security level. In addition, since the calculation of template matching of biometric feature data is not complicated, and the processing pressure of the SE is relatively small, it can be ensured that the template matching speed is relatively high, and thus, it can be ensured that the biometric recognition speed is relatively high. In this way, by means of the present application, where the delay is only increased slightly and biometric recognition performance is not affected, biometric recognition achieves protection with a high security level, so that the security of biometric recognition can be improved.

Description

生物识别方法及装置Biometric identification method and device 技术领域Technical field
本申请涉及计算机技术领域,特别涉及一种生物识别方法及装置。This application relates to the field of computer technology, in particular to a biometric identification method and device.
背景技术Background technique
生物识别是指通过将计算机与光学、声学、生物传感器和生物统计学原理等高科技手段密切结合,利用人体固有的诸如生理特征(如指纹、人脸、或虹膜等)、或行为特征(如笔迹、声音、或步态等)等生物特征来进行个人身份的鉴定。随着计算机技术的发展,生物识别已经作为一种便捷又相对安全的人机验证方式被广泛使用。Biometric identification refers to the close integration of computers with high-tech methods such as optics, acoustics, biosensors, and biostatistics, and the use of inherent physical features (such as fingerprints, faces, or irises) or behavioral features (such as Biometrics such as handwriting, voice, or gait, etc.) are used for personal identification. With the development of computer technology, biometrics has been widely used as a convenient and relatively safe way of man-machine verification.
由于用户的生物特征是用户不可更换的资产,且终端可以使用生物特征来进行系统解锁、或数值转移等操作,所以为了保证数据安全,生物识别过程要求在终端的安全区域中实现。目前,终端中可以设置有可信执行环境(Trusted Execution Environment,TEE),终端可以在TEE下进行生物识别过程。具体地,终端可以在TEE下,先获取生物图像,再提取该生物图像中的生物特征数据,然后将该生物特征数据与存储的生物特征模板进行匹配,得到生物识别结果。Since the user's biometrics are the user's non-replaceable assets, and the terminal can use the biometrics to perform operations such as system unlocking or value transfer, in order to ensure data security, the biometric identification process must be implemented in the secure area of the terminal. Currently, a Trusted Execution Environment (TEE) can be set in the terminal, and the terminal can perform a biometric identification process under the TEE. Specifically, the terminal may first obtain the biological image under the TEE, and then extract the biological characteristic data in the biological image, and then match the biological characteristic data with the stored biological characteristic template to obtain the biological recognition result.
然而,TEE的安全程度有限,还是比较容易被攻击者攻击。当攻击者攻破TEE后,就可以在不对该生物特征数据进行匹配的情况下,直接控制输出的生物识别结果为识别通过;或者,可以将存储的生物特征模板替换为其它的生物特征模板,以使该生物特征数据匹配成功,继而输出的生物识别结果就会为识别通过。如此,导致生物识别的安全性较低。However, TEE has a limited degree of security and is relatively easy to be attacked by attackers. After the attacker breaks through the TEE, he can directly control the output of the biometric recognition result to pass the recognition without matching the biometric data; alternatively, he can replace the stored biometric template with another biometric template to If the biometric data is matched successfully, the biometric identification result output will be recognized as passed. As a result, the security of biometrics is low.
发明内容Summary of the invention
本申请提供了一种生物识别方法及装置,可以提高生物识别的安全性。所述技术方案如下:This application provides a biometric identification method and device, which can improve the security of biometric identification. The technical solution is as follows:
第一方面,提供了一种生物识别方法,其特征在于,所述方法包括:在TEE下获取生物图像;在所述TEE下提取所述生物图像中的生物特征数据;在安全元件(Secure Element,SE)中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。In a first aspect, a biometric identification method is provided, characterized in that the method includes: acquiring a biometric image under a TEE; extracting biometric data in the biometric image under the TEE; and performing a secure element (Secure Element) , SE), matching all or part of the biometric data with a biometric template to obtain a biometric recognition result.
需要说明的是,生物图像为包含有生物特征的图像,例如,该生物图像可以为指纹图像、掌纹图像、人脸图像或虹膜图像等中的至少一个。此时该生物特征模板可以为指纹模板、掌纹模板、人脸模板或虹膜模板中的至少一个。It should be noted that the biological image is an image containing biological characteristics. For example, the biological image may be at least one of a fingerprint image, a palmprint image, a human face image, or an iris image. At this time, the biometric template may be at least one of a fingerprint template, a palm print template, a face template, or an iris template.
在本申请实施例中,在TEE下获取生物图像并提取该生物图像中的生物特征数据,由于TEE的安全级别高于普通执行环境(Rich Execution Environment,REE),所以可以保证生物图像和生物特征数据的安全。并且,由于TEE运行时是使用系统处理器,因而TTE下的计算能力和存储能力都较高,所以可以保证生物特征数据的提取速度较高,从而保证生物识别速度较高。另外,在SE中对生物特征数据进行至少一部分模板匹配并输出生物识别结果,由于SE的安全级别高于TEE,所以使得生物识别功能达到了高安全级别。并且,由于生物特征数据的模板匹配的计算复杂不高,SE的处理压力较小,所以可以保证模板匹配速度较高, 从而可以保证生物识别速度较高。如此,提供了一种用SE支持生物识别的方案,在仅略微增加时延,且不影响生物识别性能(识别率和误识率)的情况下,使得生物识别得到了高安全级别的保护,从而可以提高生物识别的安全性。In the embodiment of the application, the biological image is acquired under the TEE and the biological characteristic data in the biological image is extracted. Since the security level of the TEE is higher than the ordinary execution environment (Rich Execution Environment, REE), the biological image and biological characteristics can be guaranteed Data security. Moreover, since the TEE uses the system processor when it is running, the computing power and storage capacity under the TTE are high, so it can ensure a high extraction speed of biometric data, thereby ensuring a high biometric identification speed. In addition, at least a part of the template matching is performed on the biometric data in the SE and the biometric recognition result is output. Since the security level of the SE is higher than the TEE, the biometric recognition function reaches a high security level. In addition, since the calculation of template matching of biometric data is not complicated, the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric recognition speed can be ensured. In this way, a solution to support biometric identification with SE is provided, which only slightly increases the time delay and does not affect the biometric performance (recognition rate and false recognition rate), so that biometric identification is protected by a high security level. Thereby, the security of biometric identification can be improved.
一种可能的实现方式中,所述在SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果之前,还包括:在所述TEE下将所述生物特征数据的全部发送至所述SE。相应地,所述在SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果,包括:在所述SE中,将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。在本申请实施例中,可以由SE全部完成对该生物特征数据的模板匹配来得到生物识别结果,从而可以大大提高生物识别的安全性。In a possible implementation manner, in the SE, matching all or part of the biometric data with the biometric template, and before obtaining the biometric result, further includes: comparing the biometric data under the TEE All of the data is sent to the SE. Correspondingly, in the SE, matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes: in the SE, matching all or part of the biometric data with a preset The biometric template is matched to obtain the biometric result. In the embodiment of the present application, the SE can completely complete the template matching of the biometric data to obtain the biometric recognition result, thereby greatly improving the security of biometric recognition.
另一种可能的实现方式中,所述在SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果之前,还包括:在所述TEE下,将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;在所述TEE下将所述第一匹配结果和将所述生物特征数据中的至少另一部分数据发送至所述SE。相应地,所述在SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果,包括:在所述SE中,将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果。In another possible implementation manner, in the SE, matching all or part of the biometric data with the biometric template, and before obtaining the biometric result, further includes: under the TEE, matching the At least a part of the biometric data is first matched with the first biometric template to obtain a first matching result; under the TEE, the first matching result and at least another part of the biometric data are combined Sent to the SE. Correspondingly, in the SE, matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes: in the SE, matching at least another part of the biometric data A second matching is performed between the data and the second biometric template to obtain a second matching result, and the biometric recognition result is determined according to the first matching result and the second matching result.
需要说明的是,第一生物特征模板和第二生物特征模板均属于预设的生物特征模板,且第二生物特征模板包括预设的生物特征模板中不同于第一生物特征模板的部分,即第二生物特征模板和第一生物特征模板可以不完全相同,例如,第一生物特征模板和第二生物特征模板可以有所重叠。再例如,第一生物特征模板和第二生物特征模板可以完全不同,即第一生物特征模板和第二生物特征模板可以分别为预设的生物特征模板中的不同部分。It should be noted that both the first biometric template and the second biometric template belong to the preset biometric template, and the second biometric template includes the part of the preset biometric template that is different from the first biometric template, namely The second biometric template and the first biometric template may not be completely the same, for example, the first biometric template and the second biometric template may overlap. For another example, the first biometric template and the second biometric template may be completely different, that is, the first biometric template and the second biometric template may be different parts of the preset biometric template, respectively.
在本申请实施例中,可以由TEE和SE结合完成对该生物特征数据的模板匹配来得到生物识别结果,即是由TEE和SE来进行两段式的模板匹配,如此可以有效保证模板匹配速度不因使用SE而产生较大的影响,从而在提高生物识别的安全性的同时,可以保证模板匹配速度较高,继而可以保证生物识别速度较高。In the embodiment of this application, the template matching of the biometric data can be completed by the combination of TEE and SE to obtain the biometric results, that is, the two-stage template matching is performed by TEE and SE, which can effectively ensure the template matching speed The use of SE does not have a major impact, so that while improving the security of biometrics, it can ensure a high template matching speed, and then a high biometrics recognition speed.
值得注意的是,所述在TEE下获取生物图像之前,还包括:获取所述预设的生物特征模板;从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。It is worth noting that, before acquiring the biological image under TEE, the method further includes: acquiring the preset biological feature template; extracting the first biological feature template and the first biological feature template from the preset biological feature template 2. Biometric template.
需要说明的是,预设的生物特征模板可以为在生物注册成功后生成的完整的生物特征模板。从预设的生物特征模板中提取第一生物特征模板和第二生物特征模板后,为了保证第一生物特征模板和第二生物特征模板的安全,可以将第一生物特征模板存储于TEE下的存储器中,将第二生物特征模板存储于SE中。It should be noted that the preset biometric template may be a complete biometric template generated after successful biometric registration. After extracting the first biometric template and the second biometric template from the preset biometric templates, in order to ensure the safety of the first biometric template and the second biometric template, the first biometric template can be stored in the TEE In the memory, the second biometric template is stored in the SE.
进一步地,将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配之前,还包括:当所述第一匹配结果指示的匹配度大于或等于第一匹配度时,触发在所述SE中,将所述至少另一部分数据与第二生物特征模板进行第二匹配的操作。当所述第一匹配结果指示的匹配度小于第一匹配度时,在所述TEE下直接确定生物识别结果为识别不通过,结束生物识别操作。Further, before performing the second matching of at least another part of the biometric data with the second biometric template, the method further includes: when the matching degree indicated by the first matching result is greater than or equal to the first matching degree, Trigger the second matching operation of the at least another part of the data with the second biometric template in the SE. When the degree of matching indicated by the first matching result is less than the first degree of matching, it is directly determined under the TEE that the biometric recognition result is not passed, and the biometric recognition operation is ended.
在本申请实施例中,当第一匹配结果指示的匹配度小于第一匹配度时,表明该生物特征数据中的至少一部分数据与第一生物特征模板很不匹配,即在TEE下进行的第一段模板匹配的匹配程度非常低,因而此时无需在SE中进行第二段模板匹配,可以直接在TEE下确定生 物识别不通过,结束生物识别操作。如此,当对一个没有进行生物注册的生物图像进行识别时,就可以很快确定出生物识别不通过,从而可以减小在输入的生物图像错误的情况下的生物识别时延。In the embodiment of the present application, when the matching degree indicated by the first matching result is less than the first matching degree, it indicates that at least a part of the biometric data does not match the first biometric template, that is, the first biometric template is performed under TEE. The matching degree of one-stage template matching is very low, so there is no need to perform the second-stage template matching in the SE at this time, and the biometric recognition can be determined directly under the TEE to end the biometric recognition operation. In this way, when recognizing a biological image without biological registration, it can be quickly determined that the biological recognition is not passed, so that the biological recognition time delay can be reduced when the input biological image is wrong.
当第一匹配结果指示的匹配度大于或等于第一匹配度时,表明该生物特征数据中的至少一部分数据与第一生物特征模板较为匹配,即在TEE下进行的第一段模板匹配的匹配程度不是非常低,因而此时可以继续在SE中进行第二段模板匹配,并由SE进行最终的生物识别结果的输出。如此,可以保证生物识别的准确率。When the matching degree indicated by the first matching result is greater than or equal to the first matching degree, it indicates that at least a part of the biometric data matches the first biometric template, that is, the matching of the first paragraph of template matching performed under TEE The degree is not very low, so at this time, the second-stage template matching can be continued in the SE, and the SE will output the final biometric results. In this way, the accuracy of biometric identification can be guaranteed.
需要说明的是,可以存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板。It should be noted that there may be multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates are in one-to-one correspondence with the multiple second biological feature templates. A biological characteristic template and a second biological characteristic template belong to the same preset biological characteristic template.
这种情况下,进一步地,在所述TEE下,将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果,包括:在所述TEE下,将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果。相应地,所述在所述SE中,将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果,包括:在所述SE中,按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;在所述SE中,按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;在所述SE中,每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。如果所述第二生物特征模板的生物识别结果为识别通过,则在所述SE中结束生物识别操作,如果所述第二生物特征模板的生物识别结果为识别不通过,则在所述SE中将所述生物特征数据中的至少另一部分数据继续与下一个第二生物特征模板进行第二匹配。In this case, further, under the TEE, first matching at least part of the biometric data with the first biometric template to obtain a first matching result includes: under the TEE, Perform a first match between the at least part of the data and each first biometric template of the plurality of first biometric templates to obtain a first matching result corresponding to each first biometric template. Correspondingly, in the SE, at least another part of the biometric data is subjected to a second matching with a second biometric template to obtain a second matching result, and according to the first matching result and the second matching result The second matching result, determining the biometric recognition result, includes: in the SE, according to the order of the plurality of matching degrees indicated by the plurality of first matching results corresponding to the plurality of first biometric templates, from high to low, Sort the plurality of second biometric templates; in the SE, according to the sort, sequentially perform a second match on the at least another part of the data with the plurality of second biometric templates; in the In SE, each time the second matching between the at least another part of data and a second biometric template is completed, a second matching result is obtained, and according to the second matching result and the first matching result, it is determined to correspond to The biometric recognition result of the second biometric template. If the biometric recognition result of the second biometric template is recognized as passed, then the biometric recognition operation is ended in the SE. If the biometric recognition result of the second biometric template is recognized as not passed, then in the SE At least another part of the biometric data is continuously matched with the next second biometric template.
在本申请实施例中,按照该多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对与该多个第一生物特征模板一一对应的多个第二生物特征模板进行排序后,该多个第二生物特征模板的顺序即代表该多个第二生物特征模板与该生物特征数据从最可能匹配成功到最不可能匹配成功的顺序。之后,是按照该排序,每完成该生物特征数据与一个第二生物特征模板的第二匹配,就确定一次生物识别结果,且在本次生物识别结果为识别通过时,就结束生物识别操作。如此,在对一个已进行生物注册的生物图像进行识别时,就可以很快确定出生物识别通过,从而可以减小在输入的生物图像正确的情况下的生物识别时延。In the embodiment of the present application, in the order of the multiple matching degrees indicated by the multiple first matching results corresponding to the multiple first biometric templates, the pairs correspond to the multiple first biological feature templates in a one-to-one order. After sorting the plurality of second biometric templates, the order of the plurality of second biometric templates represents the order of the plurality of second biometric templates and the biometric data from the most likely to successfully match to the least possible . After that, according to the sorting, every time the second matching between the biometric data and a second biometric template is completed, the biometric recognition result is determined once, and the biometric recognition operation is ended when the biometric recognition result is passed. In this way, when recognizing a biological image that has undergone biological registration, it can be quickly determined that the biological recognition has passed, so that the biological recognition time delay can be reduced when the input biological image is correct.
第二方面,提供了一种生物识别装置,所述装置包括:处理器和SE;所述处理器,用于在TEE下,获取生物图像,提取所述生物图像中的生物特征数据;所述SE,用于将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。In a second aspect, a biological recognition device is provided, the device includes: a processor and an SE; the processor is configured to obtain a biological image and extract biological characteristic data in the biological image under a TEE; SE is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
可选地,所述处理器,还用于在所述TEE下将所述生物特征数据的全部发送至所述SE;相应地,所述SE,用于将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。Optionally, the processor is further configured to send all of the biometric data to the SE under the TEE; correspondingly, the SE is configured to send all of the biometric data to the preset The set biometric template is matched to obtain the biometric recognition result.
可选地,所述处理器,还用于在所述TEE下,将所述生物特征数据中的至少一部分数据 与第一生物特征模板进行第一匹配,得到第一匹配结果;在所述TEE下将所述第一匹配结果和将所述生物特征数据中的至少另一部分数据发送至所述SE;相应地,所述SE,用于将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果;其中,所述第二生物特征模板包括预设的生物特征模板中不同于所述第一生物特征模板的部分。Optionally, the processor is further configured to perform a first matching of at least a part of the biometric data with a first biometric template under the TEE to obtain a first matching result; in the TEE Send the first matching result and at least another part of the biometric data to the SE; correspondingly, the SE is used to combine at least another part of the biometric data with the first Perform a second matching between two biometric templates to obtain a second matching result, and determine a biometric recognition result according to the first matching result and the second matching result; wherein, the second biometric template includes a preset biometric The part of the feature template that is different from the first biometric template.
可选地,所述第一生物特征模板和所述第二生物特征模板分别为预设的生物特征模板中的不同部分。Optionally, the first biometric template and the second biometric template are respectively different parts of a preset biometric template.
可选地,所述处理器,还用于获取所述预设的生物特征模板;从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。Optionally, the processor is further configured to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
可选地,所述处理器,还用于当所述第一匹配结果指示的匹配度大于或等于第一匹配度时,触发所述SE将所述至少另一部分数据与第二生物特征模板进行第二匹配。Optionally, the processor is further configured to, when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching, trigger the SE to perform the comparison between the at least another part of the data and the second biometric template. The second match.
可选地,存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板;所述处理器,还用于在所述TEE下,将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果;相应地,所述SE,用于按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。Optionally, there are multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates have a one-to-one correspondence with the multiple second biological feature templates, and correspond to one first biological feature. The characteristic template and a second biological characteristic template belong to the same preset biological characteristic template; the processor is further configured to combine the at least part of the data with the plurality of first biological characteristic templates under the TEE Perform first matching on each of the first biometric templates to obtain the first matching result corresponding to each of the first biometric templates; accordingly, the SE is used to correspond to the multiple first biometric templates The plurality of second biometric templates are sorted in the descending order of the matching degrees indicated by the plurality of first matching results; according to the sorting, the at least another part of the data is sequenced with the plurality of A second biometric template for a second matching; each time the second matching between the at least another part of the data and a second biometric template is completed, a second matching result is obtained, based on the second matching result and the The first matching result determines the biometric recognition result corresponding to the second biometric template.
可选地,所述生物特征模板为指纹模板、人脸模板或虹膜模板中的至少一个。Optionally, the biometric template is at least one of a fingerprint template, a face template, or an iris template.
第三方面,提供了一种生物识别装置,所述装置包括:TEE模块和SE模块;所述TEE模块,用于获取生物图像,提取所述生物图像中的生物特征数据;所述SE模块,用于将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。In a third aspect, a biometric identification device is provided, the device includes: a TEE module and an SE module; the TEE module is used to obtain a biological image and extract biometric data in the biological image; the SE module, It is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
可选地,所述TEE模块,还用于将所述生物特征数据的全部发送至所述SE模块;相应地,所述SE模块,用于将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。Optionally, the TEE module is also used to send all of the biometric data to the SE module; correspondingly, the SE module is used to combine all of the biometric data with a preset biometric data. The feature template is matched to obtain the biometric recognition result.
可选地,所述TEE模块,还用于将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;将所述第一匹配结果和将所述生物特征数据中的至少另一部分数据发送至所述SE模块;相应地,所述SE模块,用于将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果;其中,所述第二生物特征模板包括预设的生物特征模板中不同于所述第一生物特征模板的部分。Optionally, the TEE module is further configured to perform a first matching of at least a part of the biometric data with a first biometric template to obtain a first matching result; compare the first matching result with Sending at least another part of the biometric data to the SE module; correspondingly, the SE module is configured to perform a second matching of at least another part of the biometric data with a second biometric template, Obtain a second matching result, and determine a biometric recognition result according to the first matching result and the second matching result; wherein, the second biometric template includes a preset biometric template that is different from the first Part of the biometric template.
可选地,所述第一生物特征模板和所述第二生物特征模板分别为预设的生物特征模板中的不同部分。Optionally, the first biometric template and the second biometric template are respectively different parts of a preset biometric template.
可选地,所述装置,还用于获取所述预设的生物特征模板;从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。Optionally, the device is further configured to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
可选地,所述TEE模块,还用于当所述第一匹配结果指示的匹配度大于或等于第一匹配 度时,触发所述SE模块将所述至少另一部分数据与第二生物特征模板进行第二匹配。Optionally, the TEE module is further configured to trigger the SE module to compare the at least another part of the data with the second biometric template when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching. Perform a second match.
可选地,存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板;所述TEE模块,还用于将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果;相应地,所述SE模块,用于按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。Optionally, there are multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates have a one-to-one correspondence with the multiple second biological feature templates, and correspond to one first biological feature. The characteristic template and a second biological characteristic template belong to the same preset biological characteristic template; the TEE module is also used to combine the at least part of the data with each first biological characteristic of the plurality of first biological characteristic templates. The feature template performs first matching to obtain the first matching result corresponding to each of the first biological feature templates; accordingly, the SE module is configured to perform the first matching according to the multiple first biological feature templates corresponding to the multiple first biological feature templates. The plurality of matching degrees indicated by the matching result are ordered from high to low, and the plurality of second biometric templates are sorted; according to the sorting, the at least another part of data is sequentially matched with the plurality of second biometrics. The template performs a second matching; each time the second matching between the at least another part of data and a second biometric template is completed, a second matching result is obtained, and according to the second matching result and the first matching result, The biometric recognition result corresponding to the second biometric template is determined.
可选地,所述生物特征模板为指纹模板、人脸模板或虹膜模板中的至少一个。Optionally, the biometric template is at least one of a fingerprint template, a face template, or an iris template.
第四方面,提供了一种计算机可读存储介质,所述计算机可读存储介质中存储有指令,当其在计算机上运行时,使得计算机执行上述第一方面所述的生物识别方法。In a fourth aspect, a computer-readable storage medium is provided, and the computer-readable storage medium stores instructions that, when run on a computer, cause the computer to execute the biometric identification method described in the first aspect.
第五方面,提供了一种包含指令的计算机程序产品,当其在计算机上运行时,使得计算机执行上述第一方面所述的生物识别方法。In a fifth aspect, a computer program product containing instructions is provided, which when running on a computer, causes the computer to execute the biometric identification method described in the first aspect.
上述第二方面、第三方面、第四方面和第五方面所获得的技术效果与上述第一方面中对应的技术手段获得的技术效果近似,在这里不再赘述。The technical effects obtained by the foregoing second, third, fourth, and fifth aspects are similar to those obtained by the corresponding technical means in the foregoing first aspect, and will not be repeated here.
本申请提供的技术方案至少可以带来以下有益效果:在TEE下获取生物图像后,在TEE下提取该生物图像中的生物特征数据。之后,在SE中,将该生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。由于SE的安全级别高于TEE,所以使得生物识别功能达到了高安全级别。并且,由于生物特征数据的模板匹配的计算复杂不高,SE的处理压力较小,所以可以保证模板匹配速度较高,从而可以保证生物识别速度较高。如此,本申请实施例在仅略微增加时延,且不影响生物识别性能的情况下,使得生物识别得到了高安全级别的保护,从而可以提高生物识别的安全性。The technical solution provided by this application can at least bring about the following beneficial effects: after acquiring a biological image under the TEE, the biological characteristic data in the biological image is extracted under the TEE. Then, in the SE, all or part of the biometric data is matched with the biometric template to obtain the biometric recognition result. Since the security level of SE is higher than TEE, the biometric recognition function has reached a high security level. In addition, since the calculation of template matching of biometric data is not complicated, the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured. In this way, the embodiment of the present application only slightly increases the time delay and does not affect the performance of the biometrics, so that the biometrics is protected with a high security level, thereby improving the security of the biometrics.
附图说明Description of the drawings
图1是本申请实施例提供的一种系统架构的结构示意图;FIG. 1 is a schematic structural diagram of a system architecture provided by an embodiment of the present application;
图2是本申请实施例提供的一种生物识别装置的结构示意图;2 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application;
图3是本申请实施例提供的另一种生物识别装置的结构示意图;FIG. 3 is a schematic structural diagram of another biometric identification device provided by an embodiment of the present application;
图4是本申请实施例提供的一种生物识别方法的流程图;Figure 4 is a flowchart of a biometric identification method provided by an embodiment of the present application;
图5是本申请实施例提供的另一种生物识别方法的流程图;Figure 5 is a flowchart of another biometric identification method provided by an embodiment of the present application;
图6是本申请实施例提供的又一种生物识别方法的流程图;FIG. 6 is a flowchart of another biometric identification method provided by an embodiment of the present application;
图7是本申请实施例提供的一种生物特征模板的示意图;Figure 7 is a schematic diagram of a biometric template provided by an embodiment of the present application;
图8是本申请实施例提供的一种生物识别过程的示意图。Fig. 8 is a schematic diagram of a biometric identification process provided by an embodiment of the present application.
具体实施方式detailed description
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请的实施方式作进一步地详细描述。在对本申请实施例进行详细地解释说明之前,对本申请实施例涉及的应 用场景和系统架构予以说明。In order to make the objectives, technical solutions, and advantages of the present application clearer, the implementation manners of the present application will be further described in detail below in conjunction with the accompanying drawings. Before explaining the embodiments of the present application in detail, the application scenarios and system architectures involved in the embodiments of the present application are described.
下面对本申请实施例涉及的应用场景进行说明。本申请实施例可以应用于开机解锁场景、应用的身份鉴权场景等需要使用生物识别功能的场景中,本申请实施例通过在生物识别过程中引入SE来进行模板匹配,使得生物识别功能也能达到高安全级别,从而可以大大提高生物识别的安全性。本申请实施例中,可以在TEE下进行生物图像的获取和生物特征数据的提取,然后在SE中对生物特征数据进行至少一部分模板匹配。具体地,可以直接在SE中,将该生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果;或者,可以先在TEE下,将该生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果,再在SE中,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据第一匹配结果和第二匹配结果,确定生物识别结果。如此,在满足高安全生物识别数据保护的同时,不影响生物识别速度和生物识别性能(即识别率和误识率),从而可以满足用户需求,不影响用户体验。The following describes the application scenarios involved in the embodiments of the present application. The embodiments of this application can be applied to scenarios that require the use of biometrics, such as booting and unlocking scenarios, application identity authentication scenarios, etc. The embodiments of this application introduce SE in the biometric identification process to perform template matching, so that the biometrics function can also be used. Reach a high security level, which can greatly improve the security of biometrics. In the embodiment of the present application, the acquisition of biological images and the extraction of biological characteristic data can be performed under TEE, and then at least a part of template matching is performed on the biological characteristic data in SE. Specifically, it is possible to directly match all of the biometric data with a preset biometric template in the SE to obtain a biometric recognition result; or, first, under the TEE, at least part of the biometric data can be matched with The first biometric template performs first matching to obtain a first matching result, and then in SE, at least another part of the biometric data is subjected to a second matching with the second biometric template to obtain a second matching result, and According to the first matching result and the second matching result, the biometric recognition result is determined. In this way, while satisfying high-security biometric data protection, it does not affect the biometric speed and biometric performance (ie, recognition rate and misrecognition rate), so that user needs can be met without affecting user experience.
下面对本申请实施例涉及的系统架构进行说明。图1是本申请实施例提供的一种系统架构的结构示意图。参见图1,该系统架构可以包括:REE、TEE和SE。REE和TEE是并行的两种执行环境,两者通过硬件进行隔离,二者均由处理器运行必要的软件,如操作系统软件和安全软件来生成。SE可以为独立专用安全芯片(如智能卡、或嵌入式安全模块(Embedded Secure Element,eSE)等),也可以以安全单元的形式集成到片上系统(System on Chip,SoC)中(如inSE等)。SE的安全级别高于TEE,TEE的安全级别高于REE。例如,SE可以是一个安全的处理单元(Secure Processing Unit,SPU)。再例如,SE是不同于处理器的一个硬件,用于执行安全级别更高的运算或处理,因此其安全性高于TEE和REE。The following describes the system architecture involved in the embodiments of the present application. FIG. 1 is a schematic structural diagram of a system architecture provided by an embodiment of the present application. Referring to Figure 1, the system architecture may include: REE, TEE, and SE. REE and TEE are two parallel execution environments, which are isolated by hardware, and both are generated by the processor running necessary software, such as operating system software and security software. The SE can be an independent dedicated security chip (such as a smart card, or an Embedded Secure Element (eSE), etc.), or it can be integrated into a System on Chip (SoC) in the form of a security unit (such as inSE, etc.) . The security level of SE is higher than TEE, and the security level of TEE is higher than REE. For example, the SE may be a secure processing unit (Secure Processing Unit, SPU). For another example, SE is a piece of hardware different from a processor, used to perform operations or processing with a higher security level, so its security is higher than TEE and REE.
REE是安卓或iOS等终端操作系统的运行环境,包含客户端应用(Client Application,CA)、TEE功能应用程序编程接口(Application Programming Interface,API)、TEE客户端API及多媒体操作系统部件等模块。CA是提供给用户使用的客户端应用。TEE功能API是提供给CA的用以访问TEE核心服务(如可信存储及加密算法等服务)的友好接口。TEE客户端API是提供给CA用以访问TEE中的可信应用(Trusted Application,TA)及与TA进行数据交换的底层通信接口。多媒体操作系统部件包含公共设备驱动及REE通信代理等模块,REE通信代理提供CA与TA之间的消息传送。REE is the operating environment of terminal operating systems such as Android or iOS, and includes modules such as client application (Client Application, CA), TEE function application programming interface (Application Programming Interface, API), TEE client API, and multimedia operating system components. CA is a client application provided to users. The TEE function API is a friendly interface provided to CA to access TEE core services (such as trusted storage and encryption algorithm services). The TEE client API is a low-level communication interface provided to the CA to access the trusted application (Trusted Application, TA) in the TEE and to exchange data with the TA. The multimedia operating system components include modules such as public device drivers and REE communication agent. The REE communication agent provides message transmission between CA and TA.
相对于开放环境的REE,TEE提供了一个较安全的封闭的执行环境,TEE主要由TA、TEE内部API、可信操作系统部件和可信内核等组成。TA运行于TEE,用于给用户提供安全服务,TA与TA之间通过TEE内部API进行通信。可信操作系统部件包含TEE通信代理、可信核心框架和可信功能等模块。TEE通信代理与REE通信代理一起实现CA与TA之间的消息的安全传送。可信核心框架向TA提供安全操作系统(Operating System,OS)功能。可信功能模块向应用开发者提供辅助设施支撑。可信内核主要向可信核心框架和可信功能模块提供调度和其他OS管理功能。Compared with the open environment REE, TEE provides a safer and closed execution environment. TEE is mainly composed of TA, TEE internal API, trusted operating system components, and trusted kernel. TA runs on TEE to provide users with security services. TA and TA communicate with each other through TEE internal API. The trusted operating system components include TEE communication agents, trusted core frameworks, and trusted functions. TEE communication agent and REE communication agent together realize the secure transmission of messages between CA and TA. The trusted core framework provides TA with a secure operating system (Operating System, OS) function. The trusted function module provides auxiliary facility support to application developers. The trusted kernel mainly provides scheduling and other OS management functions to the trusted core framework and trusted function modules.
SE通过芯片操作系统(Chip Operating System,COS)实现数据安全存储、加解密运算等功能。SE可封装成各种形式,常见的有智能卡、eSE、inSE等。SE可以提供芯片级的硬件保护,能够抵抗物理上的各种攻击,SE的主要功能包括:密钥的安全存储、数据加密运算和信息的安全存放。密钥的安全存储可建立相对完善的密钥管理体系,保证密钥不可被读取。数据加密运算包括对于可靠的安全算法的支持、敏感数据密文传输和数据传输防篡改等。信息安全存放指的是严格的文件访问权限机制和可靠的认证算法和流程。SE implements functions such as data secure storage, encryption and decryption operations through the Chip Operating System (COS). SE can be packaged into various forms, such as smart cards, eSE, inSE, etc. are common. SE can provide chip-level hardware protection and can resist various physical attacks. The main functions of SE include: secure storage of keys, data encryption operations, and secure storage of information. The secure storage of keys can establish a relatively complete key management system to ensure that keys cannot be read. Data encryption operations include support for reliable security algorithms, ciphertext transmission of sensitive data, and anti-tampering of data transmission. Information security storage refers to a strict file access authority mechanism and reliable authentication algorithms and processes.
接下来对本申请实施例提供的生物识别装置进行说明。一种可能的实施方式中,图1所示的系统架构可以通过图2所示的生物识别装置实现。具体地,图2是本申请实施例提供的一种生物识别装置的结构示意图,该生物识别装置可以为计算机设备200。参见图2,该计算机设备包括至少一个处理器201,通信总线202,存储器203、至少一个通信接口204以及SE208。该至少一个处理器201用以形成图1所示的系统架构中的REE和TEE。可选地,处理器201和SE208分别执行各自的软件程序,包括但不限于系统软件、应用软件或驱动软件。Next, the biometric identification device provided by the embodiment of the present application will be described. In a possible implementation manner, the system architecture shown in FIG. 1 may be implemented by the biometric identification device shown in FIG. 2. Specifically, FIG. 2 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application. The biometric identification device may be a computer device 200. Referring to FIG. 2, the computer device includes at least one processor 201, a communication bus 202, a memory 203, at least one communication interface 204, and an SE208. The at least one processor 201 is used to form the REE and TEE in the system architecture shown in FIG. 1. Optionally, the processors 201 and SE208 execute their respective software programs, including but not limited to system software, application software, or driver software.
处理器201可以是一个通用中央处理器(Central Processing Unit,CPU)、微处理器、或微控制器中至少一个,也可以包括特定应用集成电路(application-specific integrated circuit,ASIC),或者可以是一个或多个用于控制本申请方案程序执行的集成电路。通信总线202可包括一通路,用于在上述组件之间传送信息。存储器203可以是只读存储器(read-only memory,ROM)或可存储静态信息和指令的其它类型的静态存储设备,也可以是随机存取存储器(random access memory,RAM)或者可存储信息和指令的其它类型的动态存储设备,也可以是电可擦可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,EEPROM)、只读光盘(Compact Disc Read-Only Memory,CD-ROM)或其它光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其它磁存储设备,或者是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其它介质,但不限于此。存储器203可以是独立存在,并通过通信总线202与处理器201相连接。存储器203也可以和处理器201集成在一起。通信接口204是任何收发器一类的装置,用于与其它设备或通信网络通信,如以太网,无线接入网(Radio Access Network,RAN)、无线局域网(Wireless Local Area Networks,WLAN)等。The processor 201 may be at least one of a general-purpose central processing unit (CPU), a microprocessor, or a microcontroller, and may also include an application-specific integrated circuit (ASIC), or may be One or more integrated circuits used to control the execution of the program of this application. The communication bus 202 may include a path for transferring information between the aforementioned components. The memory 203 can be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, or it can be a random access memory (RAM) or can store information and instructions. Other types of dynamic storage devices can also be Electrically Erasable Programmable Read-Only Memory (EEPROM), CD-ROM (Compact Disc Read-Only Memory, CD-ROM) or other optical disk storage , CD storage (including compressed CDs, laser disks, CDs, digital universal CDs, Blu-ray CDs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program codes in the form of instructions or data structures And any other media that can be accessed by the computer, but not limited to this. The memory 203 may exist independently and is connected to the processor 201 through the communication bus 202. The memory 203 may also be integrated with the processor 201. The communication interface 204 is any device such as a transceiver for communicating with other devices or communication networks, such as Ethernet, Radio Access Network (RAN), and Wireless Local Area Networks (WLAN).
在具体实现中,作为一种实施例,处理器201可以包括一个或多个CPU,如图2中所示的CPU0和CPU1。在具体实现中,作为一种实施例,计算机设备可以包括多个处理器,如图2中所示的处理器201和处理器205。例如处理器201和处理器205形成大小核架构,即处理器201是大核,处理器20是小核。这些处理器中的每一个可以是一个单核处理器(single-CPU),也可以是一个多核处理器(multi-CPU)。这里的处理器可以指一个或多个设备、电路、和/或用于处理数据(如计算机程序指令)的处理核。In specific implementation, as an embodiment, the processor 201 may include one or more CPUs, such as CPU0 and CPU1 as shown in FIG. 2. In specific implementation, as an embodiment, the computer device may include multiple processors, such as the processor 201 and the processor 205 as shown in FIG. 2. For example, the processor 201 and the processor 205 form a large and small core architecture, that is, the processor 201 is a large core and the processor 20 is a small core. Each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). The processor here may refer to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).
在具体实现中,作为一种实施例,计算机设备还可以包括输出设备206和输入设备207。输出设备206和处理器201通信,可以以多种方式来显示信息。例如,输出设备206可以是液晶显示器(liquid crystal display,LCD)、发光二级管(light emitting diode,LED)显示设备、阴极射线管(cathode ray tube,CRT)显示设备或投影仪(projector)等。输入设备207和处理器201通信,可以以多种方式接收用户的输入。例如,输入设备207可以是鼠标、键盘、触摸屏设备或传感设备等。In a specific implementation, as an embodiment, the computer device may further include an output device 206 and an input device 207. The output device 206 communicates with the processor 201 and can display information in a variety of ways. For example, the output device 206 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector, etc. . The input device 207 communicates with the processor 201, and can receive user input in a variety of ways. For example, the input device 207 may be a mouse, a keyboard, a touch screen device, or a sensor device.
上述的计算机设备可以是一个通用计算机设备或一个专用计算机设备。在具体实现中,计算机设备可以是台式机、便携式电脑、网络服务器、掌上电脑(Personal Digital Assistant,PDA)、移动手机、平板电脑、无线终端设备、通信设备或嵌入式设备,本申请实施例不限定计算机设备的类型。其中,存储器203用于存储执行本申请方案的程序代码210,处理器201用于执行存储器203中存储的程序代码210。该计算机设备可以通过处理器201以及存储器203中的程序代码210,来实现下文图4实施例中在TEE下执行的所有操作。该计算机设备还可以通过SE208以及存储器203中的程序代码210,来实现图4实施例中在SE中执行的所 有操作。或者,可替换地,SE208运行的程序软件可以不存储在存储器203中,而是存储在SE208内部,本申请实施例不做限定。The above-mentioned computer equipment may be a general-purpose computer equipment or a special-purpose computer equipment. In a specific implementation, the computer device may be a desktop computer, a portable computer, a web server, a PDA (Personal Digital Assistant, PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, or an embedded device. The embodiments of this application do not Limit the type of computer equipment. The memory 203 is used to store the program code 210 for executing the solution of the present application, and the processor 201 is used to execute the program code 210 stored in the memory 203. The computer device can implement all operations performed under the TEE in the embodiment of FIG. 4 below through the processor 201 and the program code 210 in the memory 203. The computer device can also implement all operations performed in the SE in the embodiment of FIG. 4 through the SE 208 and the program code 210 in the memory 203. Or, alternatively, the program software run by the SE208 may not be stored in the memory 203, but stored inside the SE208, which is not limited in the embodiment of the present application.
一种可能的实施方式中,图1所示的系统架构中的TEE和SE可以分别作为一个功能模块来实现各自的功能。具体地,图3是本申请实施例提供的一种生物识别装置的结构示意图,参见图3,该生物识别装置可以包括TEE模块301和SE模块302。TEE模块301用于执行下文图4实施例中在TEE下所要执行的所有操作,SE模块302用于执行下文图4实施例中在SE中所要执行的所有操作。可选地,TEE模块301和SE模块302可以由软件、硬件或者两者的结合实现。当TEE模块301和SE模块302由软件实现时,这两个模块可以分别运行于图2中的处理器201和SE208上。上述实施例提供的生物识别装置与生物识别方法实施例属于同一构思,其具体实现过程详见下述方法实施例,这里不进行详细阐述。In a possible implementation manner, the TEE and SE in the system architecture shown in FIG. 1 can be used as a functional module to implement their respective functions. Specifically, FIG. 3 is a schematic structural diagram of a biometric identification device provided by an embodiment of the present application. Referring to FIG. 3, the biometric identification device may include a TEE module 301 and an SE module 302. The TEE module 301 is used to perform all operations to be performed under the TEE in the embodiment of FIG. 4 below, and the SE module 302 is used to perform all the operations to be performed in the SE in the embodiment of FIG. 4 below. Optionally, the TEE module 301 and the SE module 302 can be implemented by software, hardware or a combination of both. When the TEE module 301 and the SE module 302 are implemented by software, these two modules can run on the processor 201 and the SE 208 in FIG. 2 respectively. The biometric identification device provided in the above embodiment and the biometric identification method embodiment belong to the same concept, and the specific implementation process is detailed in the following method embodiment, which will not be elaborated here.
接下来对本申请实施例提供的生物识别方法进行说明。图4是本申请实施例提供的一种生物识别方法的流程图。参见图4,该方法包括:步骤401:在TEE下获取生物图像。需要说明的是,生物图像为包含有生物特征的图像,例如,该生物图像可以为指纹图像、掌纹图像、人脸图像或虹膜图像等中的至少一个。具体地,可以在TEE下通过图像采集装置采集生物图像,当然,也可以在TEE下通过其它方式获取生物图像,本申请实施例对此不作限定。Next, the biometric identification method provided by the embodiment of the present application will be described. Fig. 4 is a flowchart of a biometric identification method provided by an embodiment of the present application. Referring to Fig. 4, the method includes: Step 401: Acquire a biological image under TEE. It should be noted that the biological image is an image containing biological characteristics. For example, the biological image may be at least one of a fingerprint image, a palmprint image, a human face image, or an iris image. Specifically, the biological image can be acquired through the image acquisition device under the TEE. Of course, the biological image can also be acquired through other methods under the TEE, which is not limited in the embodiment of the present application.
需要说明的是,图像采集装置用于采集生物图像,如图像采集装置可以为指纹传感器、采集器或摄像头等中的至少一个,指纹传感器例如可以是超声指纹传感器、按压式指纹传感器或光学指纹传感器。在一种可能的实施方式中,指纹传感器在采集到指纹图像后,可以将该指纹图像通过串行外设接口(Serial Peripheral Interface,SPI)发送到TEE中用于进行生物识别的TA的内存空间中;摄像头在采集到人脸图像后,可以将该人脸图像通过相机串行接口(Camera Serial Interface,CSI)发送到TEE中用于进行生物识别的TA的内存空间中。值得注意的是,本申请实施例可以在REE下的生物识别服务启动的时候来进行步骤401,即可以在用户使用生物识别服务的时候来进行步骤401。该生物识别服务可以为开机解锁、应用的身份鉴权等,本申请实施例对此不作限定。It should be noted that the image capture device is used to capture biological images. For example, the image capture device may be at least one of a fingerprint sensor, a collector, or a camera. The fingerprint sensor may be, for example, an ultrasonic fingerprint sensor, a push fingerprint sensor, or an optical fingerprint sensor. . In a possible implementation, after the fingerprint sensor collects the fingerprint image, the fingerprint image can be sent to the memory space of the TA for biometric identification in the TEE through the serial peripheral interface (Serial Peripheral Interface, SPI) In: After the camera collects the face image, the face image can be sent to the memory space of the TA used for biometric identification in the TEE through the camera serial interface (CSI). It is worth noting that, in the embodiment of the present application, step 401 may be performed when the biometric identification service under the REE is started, that is, step 401 may be performed when the user uses the biometric identification service. The biometric service may be booting and unlocking, application identity authentication, etc., which is not limited in the embodiment of the present application.
步骤402:在TEE下提取该生物图像中的生物特征数据。需要说明的是,该生物图像中的生物特征数据用于指示该生物图像中包含的生物特征。例如,当该生物图像为指纹图像时,该生物特征数据可以为该生物图像中的细节特征点(如纹线的起点、终点、结合点和分叉点等)的参数(如方向、曲率和位置等)。又例如,当该生物图像为人脸图像时,该生物特征数据可以为人脸图像中的面部轮廓点(如眼虹膜、鼻翼和嘴角等)的属性(如大小、位置和距离等)。Step 402: Extract the biological characteristic data in the biological image under the TEE. It should be noted that the biological feature data in the biological image is used to indicate the biological features contained in the biological image. For example, when the biometric image is a fingerprint image, the biometric data can be the parameters (such as direction, curvature, and bifurcation points) of the minutiae feature points (such as the starting point, end point, joining point, and bifurcation point of lines) in the biological image. Location etc.). For another example, when the biological image is a face image, the biological feature data may be attributes (such as size, position, distance, etc.) of facial contour points (such as iris, nose and corner of mouth, etc.) in the face image.
具体地,可以在TEE下使用特征提取算法来提取该生物图像中的生物特征数据。并且,可以在TEE下通过用于进行生物识别的TA来提取该生物图像中的生物特征数据。需要说明的是,该特征提取算法可以预先进行设置。例如,当该生物图像为指纹图像时,该特征提取算法可以为指纹特征提取算法,当该生物图像为人脸图像时,该特征提取算法可以为人脸特征提取算法。Specifically, a feature extraction algorithm can be used under TEE to extract biological feature data in the biological image. Furthermore, the biometric data in the biometric image can be extracted through TA for biometric recognition under TEE. It should be noted that the feature extraction algorithm can be set in advance. For example, when the biological image is a fingerprint image, the feature extraction algorithm can be a fingerprint feature extraction algorithm, and when the biological image is a face image, the feature extraction algorithm can be a face feature extraction algorithm.
值得说明的是,本申请实施例可以在TEE下获取生物图像并提取该生物图像中的生物特征数据,由于TEE与REE隔离运行,安全级别较高,所以可以保证生物图像和生物特征数据的安全。并且,由于TEE运行时是使用处理器,因而TTE下的计算能力和存储能力都较高,所以可以保证生物特征数据的提取速度较高,从而保证生物识别速度较高。It is worth noting that the embodiments of this application can acquire biological images under TEE and extract the biological characteristic data in the biological images. Since TEE operates in isolation from REE and has a high security level, the security of biological images and biological data can be guaranteed. . Moreover, since the TEE uses a processor when it is running, the computing power and storage capacity under the TTE are both high, so it can ensure that the extraction speed of biometric data is high, thereby ensuring that the biometric recognition speed is high.
步骤403:在SE中,将该生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。需要说明的是,生物特征模板可以预先进行设置,如该生物特征模板可以为指纹模板、人脸模板或虹膜模板等中的至少一个。并且,当是将该生物特征数据的全部与生物特征模板进行匹配时,该生物特征模板可以是在生物注册成功后生成的完整的生物特征模板,即该生物特征模板可以是预设的生物特征模板;当是将该生物特征数据的部分与生物特征模板进行匹配时,该生物特征模板可以是在生物注册成功后生成的完整的生物特征模板中的一部分,即该生物特征模板可以是预设的生物特征模板中的一部分。Step 403: In the SE, all or part of the biometric data is matched with the biometric template to obtain a biometric recognition result. It should be noted that the biometric template can be set in advance. For example, the biometric template can be at least one of a fingerprint template, a face template, or an iris template. And, when matching all of the biometric data with the biometric template, the biometric template may be a complete biometric template generated after the biometric registration is successful, that is, the biometric template may be a preset biometric Template; when matching the part of the biometric data with the biometric template, the biometric template can be part of the complete biometric template generated after the biometric registration is successful, that is, the biometric template can be a preset Part of the biometric template.
值得说明的是,本申请实施例中可以在SE中对生物特征数据进行至少一部分模板匹配并输出生物识别结果,由于SE可以提供芯片级的硬件保护,能够抵抗物理上的各种攻击,安全级别高于TEE,所以使得生物识别功能达到了高安全级别。并且,由于生物特征数据的模板匹配的计算复杂不高,SE的处理压力较小,所以可以保证模板匹配速度较高,从而可以保证生物识别速度较高。如此,本申请实施例提供了一种用SE支持生物识别的方案,在仅略微增加时延,且不影响生物识别性能(识别率和误识率)的情况下,使得生物识别得到了高安全级别的保护,从而可以提高生物识别的安全性。It is worth noting that in the embodiment of this application, at least a part of the template matching can be performed on the biometric data in the SE and the biometric results can be output. Since the SE can provide chip-level hardware protection, it can resist various physical attacks and has a security level. It is higher than TEE, so the biometric recognition function reaches a high security level. In addition, since the calculation of template matching of biometric data is not complicated, the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured. In this way, the embodiment of the present application provides a solution for supporting biometrics by using SE, which provides high security for biometrics without affecting the biometric performance (recognition rate and false recognition rate) while only slightly increasing the time delay. Level of protection, which can improve the security of biometrics.
具体地,当在SE中,是将该生物特征数据的全部与生物特征模板进行匹配,得到生物识别结果时,步骤403可以通过如下第一种可能的实现方式实现;当在SE中,是将该生物特征数据的部分与生物特征模板进行匹配,得到生物识别结果时,步骤403可以通过如下第二种可能的实现方式实现。Specifically, when in SE, all of the biometric data is matched with the biometric template to obtain the biometric recognition result, step 403 can be implemented in the first possible implementation manner as follows; when in SE, When the part of the biometric data is matched with the biometric template, and the biometric recognition result is obtained, step 403 can be implemented in the following second possible implementation manner.
第一种可能的实现方式中,参见图5,可以在步骤403之前,先执行步骤4031:在TEE下将该生物特征数据的全部发送至SE。相应地,步骤403的操作可以为步骤4032:在SE中,将该生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。需要说明的是,第一种可能的实现方式中,是由SE全部完成对该生物特征数据的模板匹配来得到生物识别结果,从而可以大大提高生物识别的安全性。另外,将该生物特征数据的全部与预设的生物特征模板进行匹配,即是将该生物特征数据指示的生物特征与预设的生物特征模板指示的生物特征进行匹配,如果匹配成功,则可以确定生物识别结果为识别通过,如果匹配失败,则可以确定生物识别结果为识别不通过。In the first possible implementation manner, referring to FIG. 5, step 4031 may be performed before step 403: sending all the biometric data to the SE under the TEE. Correspondingly, the operation of step 403 may be step 4032: in SE, all of the biometric data is matched with a preset biometric template to obtain a biometric recognition result. It should be noted that, in the first possible implementation manner, the SE completely completes the template matching of the biometric data to obtain the biometric recognition result, which can greatly improve the security of biometric recognition. In addition, matching all of the biometric data with the preset biometric template is to match the biometrics indicated by the biometric data with the biometrics indicated by the preset biometric template. If the matching is successful, you can It is determined that the biometric recognition result is recognition passed, and if the matching fails, it can be determined that the biometric recognition result is recognition failed.
第二种可能的实现方式中,参见图6,可以在步骤403之前,先执行步骤4033:在TEE下,将该生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果,且在TEE下将第一匹配结果和该生物特征数据中的至少另一部分数据发送至SE。相应地,步骤403的操作可以为步骤4034:在SE中,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据第一匹配结果和第二匹配结果,确定生物识别结果。In the second possible implementation manner, referring to FIG. 6, step 4033 may be performed before step 403: under TEE, perform a first matching of at least a part of the biometric data with the first biometric template to obtain The first matching result, and sending the first matching result and at least another part of the biometric data to the SE under the TEE. Correspondingly, the operation of step 403 may be step 4034: in SE, perform a second matching of at least another part of the biometric data with the second biometric template to obtain a second matching result, and according to the first matching result With the second matching result, the biometric recognition result is determined.
需要说明的是,第二种可能的实现方式中,是由TEE和SE结合完成对该生物特征数据的模板匹配来得到生物识别结果,即是由TEE和SE来进行两段式的模板匹配,如此可以有效保证模板匹配速度不因使用SE而产生较大的影响,从而在提高生物识别的安全性的同时,可以保证模板匹配速度较高,继而可以保证生物识别速度较高。另外,第一生物特征模板和第二生物特征模板均属于预设的生物特征模板,且第二生物特征模板包括预设的生物特征模板中不同于第一生物特征模板的部分。第一生物特征模板可以存储于TEE下的存储器,例如图2的存储器203中,第二生物特征模板可以存储于SE中。第二生物特征模板和第一生物特征模板可以不完全相同,例如存在重叠。再者,第一生物特征模板和第二生物特征模板可 以完全不同,即第一生物特征模板和第二生物特征模板可以分别为预设的生物特征模板中的不同部分,例如,如图7所示,预设的生物特征模板为A,可以将预设的生物特征模块A划分为两部分,一部分为A1,另一部分为A2,然后将A1作为第一生物特征模块,将A2作为第二生物特征模板。由于TEE下的计算能力和存储能力都高于SE,所以为了提高模板匹配速度,第一生物特征模板在预设的生物特征模板中的比重可以大于第二生物特征模板在预设的生物特征模板中的比重。并且,为了保证SE中的第二生物特征模板的安全,第二生物特征模板与第一生物特征模板中不重叠的部分需要具有足够的数据强度,即根据第一生物特征模板不能轻易推导出第二生物特征模板。It should be noted that in the second possible implementation manner, the template matching of the biometric data is completed by the combination of TEE and SE to obtain the biometric result, that is, the two-stage template matching is performed by TEE and SE. This can effectively ensure that the template matching speed is not greatly affected by the use of SE, so that while improving the security of biometrics, it can ensure that the template matching speed is high, and then the biometrics recognition speed can be high. In addition, the first biometric template and the second biometric template both belong to a preset biometric template, and the second biometric template includes a part of the preset biometric template that is different from the first biometric template. The first biometric template may be stored in a memory under the TEE, for example, in the memory 203 of FIG. 2, and the second biometric template may be stored in the SE. The second biometric template and the first biometric template may not be completely the same, for example, there is overlap. Furthermore, the first biometric template and the second biometric template can be completely different, that is, the first biometric template and the second biometric template can be different parts of the preset biometric template, for example, as shown in FIG. 7 As shown, the preset biometric template is A, and the preset biometric module A can be divided into two parts, one part is A1, the other part is A2, and then A1 is used as the first biometric module and A2 is used as the second biometric module. Feature template. Since the computing power and storage capacity under TEE are higher than SE, in order to improve the template matching speed, the proportion of the first biometric template in the preset biometric template can be greater than that of the second biometric template in the preset biometric template. In the proportion. Moreover, in order to ensure the safety of the second biometric template in the SE, the non-overlapping part of the second biometric template and the first biometric template needs to have sufficient data strength, that is, the first biometric template cannot be easily derived from the first biometric template. 2. Biometric template.
需要说明的是,将该生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,即是将该生物特征数据中的至少一部分数据指示的生物特征与第一生物特征模板指示的生物特征进行匹配,得到第一匹配结果。第一匹配结果用于指示该生物特征数据中的至少一部分数据与第一生物特征模板之间的匹配度。其中,在TEE下将该生物特征数据中的至少另一部分数据发送至SE时,可以在TEE下直接将该生物特征数据的全部发送至SE;或者,也可以在TEE下,根据第一生物特征模板和第二生物特征模板在预设的生物特征模板中的分布规则,从该生物特征数据中确定与第一生物特征模板对应的一部分数据和与第二生物特征模板对应的一部分数据,将该生物特征数据中与第二生物特征模板对应的一部分数据发送至SE。It should be noted that the first matching of at least part of the biometric data with the first biometric template means that the biometrics indicated by the at least part of the biometric data are indicated by the first biometric template. The biological characteristics are matched, and the first matching result is obtained. The first matching result is used to indicate the degree of matching between at least a part of the biometric data and the first biometric template. Wherein, when sending at least another part of the biometric data to the SE under the TEE, all of the biometric data can be directly sent to the SE under the TEE; or, under the TEE, according to the first biological feature The distribution rules of the template and the second biometric template in the preset biometric template. From the biometric data, determine a part of the data corresponding to the first biometric template and a part of the data corresponding to the second biometric template. Part of the biometric data corresponding to the second biometric template is sent to the SE.
需要说明的是,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,即是将该生物特征数据中的至少另一部分数据指示的生物特征与第二生物特征模板指示的生物特征进行匹配,得到第二匹配结果。第二匹配结果用于指示该生物特征数据中的至少另一部分数据与第二生物特征模板之间的匹配度。其中,在SE中,根据第一匹配结果和第二匹配结果,确定生物识别结果时,可以按照TEE对应的第一权重和SE对应的第二权重,将第一匹配结果指示的匹配度与第二匹配结果指示的匹配度进行加权平均,得到目标匹配度;如果目标匹配度大于或等于第二匹配度,则确定生物识别结果为识别通过;如果目标匹配度小于第二匹配度,则确定生物识别结果为识别不通过。当然,也可以在SE中,根据第一匹配结果和第二匹配结果,通过其它方式确定生物识别结果,本申请实施例对此不作限定。需要说明的是,TEE对应的第一权重和SE对应的第二权重可以预先进行设置,如可以根据TEE和SE的安全级别来进行设置,或者,可以根据TEE和SE的安全级别以及第一生物特征模板和第二生物特征模板在预设的生物特征模板中的分布规则来进行设置。It should be noted that the second matching of at least another part of the biometric data with the second biometric template is to match the biometrics indicated by the at least another part of the biometric data with the second biometric template. The indicated biological characteristics are matched, and the second matching result is obtained. The second matching result is used to indicate the degree of matching between at least another part of the biometric data and the second biometric template. Among them, in SE, when determining the biometric result according to the first matching result and the second matching result, the first weight corresponding to the TEE and the second weight corresponding to the SE can be used to compare the matching degree indicated by the first matching result with the first The matching degree indicated by the two matching results is weighted and averaged to obtain the target matching degree; if the target matching degree is greater than or equal to the second matching degree, the biometric recognition result is determined to pass; if the target matching degree is less than the second matching degree, the biological The recognition result is that the recognition fails. Of course, in the SE, the biometric recognition result can also be determined in other ways according to the first matching result and the second matching result, which is not limited in the embodiment of the present application. It should be noted that the first weight corresponding to TEE and the second weight corresponding to SE can be set in advance. For example, it can be set according to the security level of TEE and SE, or can be set according to the security level of TEE and SE and the first biological The distribution rules of the feature template and the second biometric template in the preset biometric template are set.
另外,第二匹配度可以预先进行设置,且第二匹配度可以设置的较大。当目标匹配度大于或等于第二匹配度时,表明该生物特征数据与预设的生物特征模板很匹配,因而可以确定生物识别通过。当目标匹配度小于第二匹配度时,表明该生物特征数据与预设的生物特征模板不太匹配,因而可以确定生物识别不通过。In addition, the second matching degree can be set in advance, and the second matching degree can be set to be larger. When the target matching degree is greater than or equal to the second matching degree, it indicates that the biometric data closely matches the preset biometric template, and thus the biometric identification can be determined to pass. When the target matching degree is less than the second matching degree, it indicates that the biometric data does not match the preset biometric template, so it can be determined that the biometric recognition is not passed.
进一步地,在第二种可能的实现方式之前,还可以先生成第一生物特征模板和第二生物特征模板。具体地,可以获取预设的生物特征模板,从预设的生物特征模板中提取第一生物特征模板和第二生物特征模板。其中,获取预设的生物特征模板时,可以在接收到生物注册指令时,采集生物图像,然后提取采集到的生物图像中的生物特征数据作为预设的生物特征模板。需要说明的是,生物注册指令用于指示进行生物特征模板的注册,生物注册指令可以由用户触发,且用户可以通过点击操作、滑动操作、语音操作、或手势操作等操作触发,本申请实施例对此不作限定。Further, before the second possible implementation manner, the first biometric template and the second biometric template can also be generated first. Specifically, a preset biometric template can be acquired, and the first biometric template and the second biometric template can be extracted from the preset biometric template. Wherein, when obtaining a preset biometric template, when a biometric registration instruction is received, a biometric image can be collected, and then biometric data in the collected biometric image can be extracted as the preset biometric template. It should be noted that the biometric registration instruction is used to instruct the registration of the biometric template. The biometric registration instruction can be triggered by the user, and the user can be triggered by operations such as tap operation, sliding operation, voice operation, or gesture operation. There is no restriction on this.
另外,从预设的生物特征模板中提取第一生物特征模板和第二生物特征模板后,为了保证第一生物特征模板和第二生物特征模板的安全,可以将第一生物特征模板存储于TEE下的存储器中,将第二生物特征模板存储于SE中。In addition, after extracting the first biometric template and the second biometric template from the preset biometric templates, in order to ensure the safety of the first biometric template and the second biometric template, the first biometric template can be stored in the TEE In the memory below, store the second biometric template in the SE.
值得注意的是,为了减小生物识别时延,提高用户体验,在上述第二种可能的实现方式下,还可以通过如下方式一和/或方式二来进一步提高生物识别速度。方式一:在TEE下得到第一匹配结果后,判断第一匹配结果指示的匹配度是否小于第一匹配度;当第一匹配结果指示的匹配度小于第一匹配度时,在TEE下直接确定生物识别结果为识别不通过,结束生物识别操作;当第一匹配结果指示的匹配度是否大于或等于第一匹配度时,触发在SE中,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配的操作。It is worth noting that, in order to reduce the time delay of biometrics and improve user experience, in the second possible implementation manner described above, the following method 1 and/or method 2 can be used to further improve the speed of biometric identification. Method 1: After obtaining the first matching result under TEE, determine whether the matching degree indicated by the first matching result is less than the first matching degree; when the matching degree indicated by the first matching result is less than the first matching degree, directly determine under TEE The biometric recognition result is that the recognition is not passed, and the biometric recognition operation is ended; when the matching degree indicated by the first matching result is greater than or equal to the first matching degree, the SE is triggered to connect at least another part of the biometric data with the first The second biometric template performs the second matching operation.
需要说明的是,第一匹配度可以预先进行设置,且第一匹配度可以设置的很小。当第一匹配结果指示的匹配度小于第一匹配度时,表明该生物特征数据中的至少一部分数据与第一生物特征模板很不匹配,即在TEE下进行的第一段模板匹配的匹配程度非常低,因而此时无需在SE中进行第二段模板匹配,可以直接在TEE下确定生物识别不通过,结束生物识别操作。如此,当对一个没有进行生物注册的生物图像进行识别时,就可以很快确定出生物识别不通过,从而可以减小在输入的生物图像错误的情况下的生物识别时延。It should be noted that the first matching degree can be set in advance, and the first matching degree can be set to be small. When the matching degree indicated by the first matching result is less than the first matching degree, it indicates that at least a part of the biometric data does not match the first biometric template, that is, the matching degree of the first paragraph of template matching performed under TEE It is very low, so there is no need to perform the second-stage template matching in the SE at this time, and the biometric identification can be determined directly under the TEE to end the biometric identification operation. In this way, when recognizing a biological image without biological registration, it can be quickly determined that the biological recognition is not passed, so that the biological recognition time delay can be reduced when the input biological image is wrong.
当第一匹配结果指示的匹配度大于或等于第一匹配度时,表明该生物特征数据中的至少一部分数据与第一生物特征模板较为匹配,即在TEE下进行的第一段模板匹配的匹配程度不是非常低,因而此时可以继续在SE中进行第二段模板匹配,并由SE进行最终的生物识别结果的输出。如此,可以保证生物识别的准确率。When the matching degree indicated by the first matching result is greater than or equal to the first matching degree, it indicates that at least a part of the biometric data matches the first biometric template, that is, the matching of the first paragraph of template matching performed under TEE The degree is not very low, so at this time, the second-stage template matching can be continued in the SE, and the SE will output the final biometric results. In this way, the accuracy of biometric identification can be guaranteed.
值得注意的是,生物注册成功后生成的预设的生物特征模板往往有多个,如可以生成多个手指中每个手指的指纹对应的预设的生物特征模板。这种情况下,会存在多个第一生物特征模板和多个第二生物特征模板,该多个第一生物特征模板与该多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板。这种情况下,在TEE下,将该生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果时,可以在TEE下,将该生物特征数据中的至少一部分数据与该多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到每个第一生物特征模板对应的第一匹配结果。It is worth noting that there are often multiple preset biometric templates generated after successful biometric registration. For example, a preset biometric template corresponding to the fingerprint of each finger among multiple fingers can be generated. In this case, there will be multiple first biological feature templates and multiple second biological feature templates. The multiple first biological feature templates and the multiple second biological feature templates have a one-to-one correspondence, corresponding to a first biological feature. The characteristic template and a second biological characteristic template belong to the same preset biological characteristic template. In this case, under TEE, at least part of the biometric data is first matched with the first biometric template, and when the first matching result is obtained, at least part of the biometric data can be Part of the data is first matched with each first biometric template of the plurality of first biometric templates to obtain a first matching result corresponding to each first biometric template.
相应地,方式一中可以当该多个第一生物特征模板对应的多个第一匹配结果均小于第一匹配度时,在TEE下直接确定生物识别结果为识别不通过,结束生物识别操作;当该多个第一生物特征模板对应的多个第一匹配结果存在所指示的匹配度大于或等于第一匹配度的第一匹配结果时,触发在SE中,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配的操作。Correspondingly, in the first manner, when the plurality of first matching results corresponding to the plurality of first biometric templates are all less than the first matching degree, it is directly determined under the TEE that the biometric recognition result is the recognition failure, and the biometric recognition operation is ended; When the plurality of first matching results corresponding to the plurality of first biometric templates has a first matching result whose indicated matching degree is greater than or equal to the first matching degree, the SE is triggered to trigger at least one of the biometric data The other part of the data is subjected to a second matching operation with the second biometric template.
相应地,还可以通过如下方式二来进一步提高生物识别速度。方式二:在SE中,按照该多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对该多个第二生物特征模板进行排序;在SE中,按照该排序,将该生物特征数据中的至少另一部分数据依次与该多个第二生物特征模板进行第二匹配;在SE中,每当完成该生物特征数据中的至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据这个第二匹配结果和第一匹配结果,确定对应于这个第二生物特征模板的生物识别结果;如果这个第二生物特征模板的生物识别结果为识别通过,则在SE中结束生物识别操作,如果这个第二生物特征模板的生物识别结果为识别不通过,则在SE中将该生物特征数据中的 至少另一部分数据继续与下一个第二生物特征模板进行第二匹配。Correspondingly, the speed of biometric identification can be further improved through the following method two. Manner 2: In SE, the plurality of second biometric templates are sorted according to the order from high to low indicated by the plurality of first matching results corresponding to the plurality of first biometric templates; In SE, according to the sort, at least another part of the biometric data is sequentially matched with the plurality of second biometric templates; in SE, whenever at least another part of the biometric data is completed When a second matching result is obtained with a second biometric template, a second matching result is obtained. According to the second matching result and the first matching result, the biometric result corresponding to the second biometric template is determined; if this second If the biometric result of the biometric template is recognized as passed, the biometric recognition operation is ended in the SE. If the biometric result of the second biometric template is not passed, then at least another part of the biometric data in the SE The data continues to be matched with the next second biometric template.
需要说明的是,按照该多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对与该多个第一生物特征模板一一对应的多个第二生物特征模板进行排序后,该多个第二生物特征模板的顺序即代表该多个第二生物特征模板与该生物特征数据从最可能匹配成功到最不可能匹配成功的顺序。之后,是按照该排序,每完成该生物特征数据与一个第二生物特征模板的第二匹配,就确定一次生物识别结果,且在本次生物识别结果为识别通过时,就结束生物识别操作。如此,在对一个已进行生物注册的生物图像进行识别时,就可以很快确定出生物识别通过,从而可以减小在输入的生物图像正确的情况下的生物识别时延。It should be noted that, according to the order of the multiple matching degrees indicated by the multiple first matching results corresponding to the multiple first biometric templates, the multiple matching degrees corresponding to the multiple first biological feature templates are one-to-one. After the second biometric templates are sorted, the order of the plurality of second biometric templates represents the order of the plurality of second biometric templates and the biometric data from the most likely to successfully match to the least possible. After that, according to the sorting, every time the second matching between the biometric data and a second biometric template is completed, the biometric recognition result is determined once, and the biometric recognition operation is ended when the biometric recognition result is passed. In this way, when recognizing a biological image that has undergone biological registration, it can be quickly determined that the biological recognition has passed, so that the biological recognition time delay can be reduced when the input biological image is correct.
值得注意的是,在SE中得到了生物识别结果后,SE可以将该生物识别结果发送至REE下的生物识别服务,以便该生物识别服务可以根据该生物识别结果进行后续流程。一种可能的实施方式中,当生物识别结果为识别通过时,SE可以使能系统密钥服务,如当生物识别结果为识别通过时,如果SE接收到该生物识别服务发送的系统密钥获取请求,则可以将存储的系统密钥返回给该生物识别服务,以便该生物识别服务可以使用该系统密钥解锁并访问系统文件;或者,当生物识别结果为识别通过时,SE可以使用存储的系统密钥解锁系统文件,以便该生物识别服务可以直接访问系统文件。It is worth noting that after obtaining the biometric result in the SE, the SE can send the biometric result to the biometric service under the REE, so that the biometric service can perform the follow-up process based on the biometric result. In a possible implementation manner, when the biometric identification result is passed, the SE can enable the system key service. For example, when the biometric identification result is passed, if the SE receives the system key acquisition sent by the biometric service Upon request, the stored system key can be returned to the biometric service so that the biometric service can use the system key to unlock and access system files; or, when the biometric result is passed, the SE can use the stored The system key unlocks the system file so that the biometric service can directly access the system file.
为了便于理解,下面结合图8来对本申请实施例提供的生物识别过程进行举例说明。示例地,参见图8,该生物识别过程可以包括如下步骤(1)-步骤(7)。(1)在TEE下通过图像采集装置获取生物图像;(2)在TEE下提取该生物图像中的生物特征数据;(3)在TEE下,将该生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;(4)在TEE下将第一匹配结果和将该生物特征数据中的至少另一部分数据发送至SE;(5)在SE中,将该生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果;(6)在SE中,根据第一匹配结果和第二匹配结果,确定生物识别结果;(7)在SE中,将该生物识别结果发送至REE下的生物识别服务,且当生物识别结果为识别通过时,使能系统密钥服务。For ease of understanding, the biometric identification process provided by the embodiment of the present application will be described with reference to FIG. 8 as an example. For example, referring to FIG. 8, the biometric identification process may include the following steps (1) to (7). (1) Acquire biological images through an image acquisition device under TEE; (2) Extract biological characteristic data in the biological image under TEE; (3) Under TEE, at least part of the biological characteristic data is combined with the first The first matching result of the biometric template is performed to obtain the first matching result; (4) The first matching result and at least another part of the biometric data are sent to the SE under the TEE; (5) In the SE, the At least another part of the biometric data is second matched with the second biometric template to obtain the second matching result; (6) In SE, the biometric recognition result is determined according to the first matching result and the second matching result; ( 7) In SE, send the biometric identification result to the biometric identification service under REE, and enable the system key service when the biometric identification result is passed.
在本申请实施例中,在TEE下获取生物图像后,在TEE下提取该生物图像中的生物特征数据。之后,在SE中,将该生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。由于SE的安全级别高于TEE,所以使得生物识别功能达到了高安全级别。并且,由于生物特征数据的模板匹配的计算复杂不高,SE的处理压力较小,所以可以保证模板匹配速度较高,从而可以保证生物识别速度较高。此外,本申请实施例可以由TEE和SE结合来进行两段式的模板匹配,即可以先在TEE下对生物特征数据进行第一段模板匹配,再在SE中对生物特征数据进行第二段模板匹配,从而可以有效保证模板匹配速度不因使用SE而产生较大的影响。如此,本申请实施例在仅略微增加时延,且不影响生物识别性能的情况下,使得生物识别得到了高安全级别的保护,从而可以提高生物识别的安全性。In the embodiment of the present application, after the biological image is acquired under the TEE, the biological characteristic data in the biological image is extracted under the TEE. Then, in the SE, all or part of the biometric data is matched with the biometric template to obtain the biometric recognition result. Since the security level of SE is higher than TEE, the biometric recognition function has reached a high security level. In addition, since the calculation of template matching of biometric data is not complicated, the processing pressure of SE is small, so it can ensure that the template matching speed is high, and thus the biometric identification speed can be ensured. In addition, in this embodiment of the application, two-stage template matching can be performed by combining TEE and SE, that is, the first stage template matching can be performed on biometric data under TEE, and then the second stage of biometric data can be performed in SE. Template matching can effectively ensure that the template matching speed will not be greatly affected by the use of SE. In this way, the embodiment of the present application only slightly increases the time delay and does not affect the performance of the biometrics, so that the biometrics is protected with a high security level, thereby improving the security of the biometrics.
在上述实施例中,相应的方法流程可以全部或部分地通过软件、硬件、固件或者其任意结合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机 指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如:同轴电缆、光纤、数据用户线(Digital Subscriber Line,DSL))或无线(例如:红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如:软盘、硬盘、磁带)、光介质(例如:数字通用光盘(Digital Versatile Disc,DVD))、或者半导体介质(例如:固态硬盘(Solid State Disk,SSD))等。In the foregoing embodiments, the corresponding method flow can be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by software, it can be implemented in the form of a computer program product in whole or in part. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center. Transmission to another website, computer, server, or data center via wired (for example: coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (for example: infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media. The usable medium may be a magnetic medium (for example: floppy disk, hard disk, tape), optical medium (for example: Digital Versatile Disc (DVD)), or semiconductor medium (for example: Solid State Disk (SSD) )Wait.
以上所述为本申请提供的实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above-mentioned examples provided for this application are not intended to limit this application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this application shall be included in the protection scope of this application. Inside.

Claims (24)

  1. 一种生物识别方法,其特征在于,所述方法包括:A biometric identification method, characterized in that the method includes:
    在可信执行环境TEE下获取生物图像;Acquire biological images under the trusted execution environment TEE;
    在所述TEE下提取所述生物图像中的生物特征数据;Extracting biometric data in the biological image under the TEE;
    在安全元件SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。In the secure element SE, all or part of the biometric data is matched with the biometric template to obtain the biometric identification result.
  2. 如权利要求1所述的方法,其特征在于,所述在安全元件SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果之前,还包括:The method according to claim 1, characterized in that, in the secure element SE, matching all or part of the biometric data with a biometric template, before obtaining a biometric result, further comprising:
    在所述TEE下将所述生物特征数据的全部发送至所述SE;Sending all of the biometric data to the SE under the TEE;
    相应地,所述在安全元件SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果,包括:Correspondingly, in the secure element SE, matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes:
    在所述SE中,将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。In the SE, all of the biometric data is matched with a preset biometric template to obtain a biometric recognition result.
  3. 如权利要求1所述的方法,其特征在于,所述在安全元件SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果之前,还包括:The method according to claim 1, characterized in that, in the secure element SE, matching all or part of the biometric data with a biometric template, before obtaining a biometric result, further comprising:
    在所述TEE下,将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;Under the TEE, perform a first match on at least a part of the biometric data with a first biometric template to obtain a first matching result;
    在所述TEE下将所述第一匹配结果和将所述生物特征数据中的至少另一部分数据发送至所述SE;Sending the first matching result and at least another part of the biometric data to the SE under the TEE;
    相应地,所述在安全元件SE中,将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果,包括:Correspondingly, in the secure element SE, matching all or part of the biometric data with a biometric template to obtain a biometric recognition result includes:
    在所述SE中,将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果;In the SE, a second matching is performed on at least another part of the biometric data with a second biometric template to obtain a second matching result, and according to the first matching result and the second matching result To determine the biometric results;
    其中,所述第二生物特征模板包括预设的生物特征模板中不同于所述第一生物特征模板的部分。Wherein, the second biometric template includes a part of the preset biometric template that is different from the first biometric template.
  4. 如权利要求3所述的方法,其特征在于,所述第一生物特征模板和所述第二生物特征模板分别为预设的生物特征模板中的不同部分。The method according to claim 3, wherein the first biometric template and the second biometric template are different parts of a preset biometric template.
  5. 如权利要求3或4所述的方法,其特征在于,所述在可信执行环境TEE下获取生物图像之前,还包括:The method according to claim 3 or 4, characterized in that, before acquiring the biological image under the trusted execution environment TEE, the method further comprises:
    获取所述预设的生物特征模板;Acquiring the preset biometric template;
    从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。Extract the first biometric template and the second biometric template from the preset biometric template.
  6. 如权利要求3-5中任一项所述的方法,其特征在于,所述在所述SE中,将所述生物 特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配之前,还包括:The method according to any one of claims 3-5, wherein, in the SE, before performing a second matching of at least another part of the biometric data with a second biometric template ,Also includes:
    当所述第一匹配结果指示的匹配度大于或等于第一匹配度时,触发在所述SE中,将所述至少另一部分数据与第二生物特征模板进行第二匹配的操作。When the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching, a second matching operation of the at least another part of data with the second biometric template is triggered in the SE.
  7. 如权利要求3-6中任一项所述的方法,其特征在于,存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板;The method according to any one of claims 3-6, wherein there are multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates and the multiple The second biometric template has a one-to-one correspondence, and a corresponding first biometric template and a second biometric template belong to the same preset biometric template;
    所述在所述TEE下,将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果,包括:The first matching of at least a part of the biometric data with a first biometric template under the TEE to obtain a first matching result includes:
    在所述TEE下,将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果;Under the TEE, perform a first match between the at least part of the data and each first biometric template of the plurality of first biometric templates to obtain the first biometric template corresponding to each first biometric template. Match result
    相应地,所述在所述SE中,将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果,包括:Correspondingly, in the SE, at least another part of the biometric data is subjected to a second matching with a second biometric template to obtain a second matching result, and according to the first matching result and the second matching result The second matching result to determine the biometric recognition result includes:
    在所述SE中,按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;In the SE, sort the plurality of second biometric templates according to the order of the plurality of matching degrees indicated by the plurality of first matching results corresponding to the plurality of first biometric templates;
    在所述SE中,按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;In the SE, according to the sorting, the at least another part of the data is sequentially matched with the plurality of second biometric templates;
    在所述SE中,每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。In the SE, each time the second matching between the at least another part of data and a second biometric template is completed, a second matching result is obtained. According to the second matching result and the first matching result, The biometric recognition result corresponding to the second biometric template is determined.
  8. 如权利要求1-7中任一项所述的方法,其特征在于,所述生物特征模板为指纹模板、人脸模板或虹膜模板中的至少一个。The method according to any one of claims 1-7, wherein the biometric template is at least one of a fingerprint template, a face template, or an iris template.
  9. 一种生物识别装置,其特征在于,所述装置包括:处理器和安全元件SE;A biometric identification device, characterized in that the device comprises: a processor and a secure element SE;
    所述处理器,用于在可信执行环境TEE下,获取生物图像,提取所述生物图像中的生物特征数据;The processor is configured to obtain a biological image under a trusted execution environment TEE, and extract the biological characteristic data in the biological image;
    所述SE,用于将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。The SE is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
  10. 如权利要求9所述的装置,其特征在于,The device of claim 9, wherein:
    所述处理器,还用于在所述TEE下将所述生物特征数据的全部发送至所述SE;The processor is further configured to send all of the biometric data to the SE under the TEE;
    相应地,所述SE,用于将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。Correspondingly, the SE is used to match all of the biometric data with a preset biometric template to obtain a biometric recognition result.
  11. 如权利要求9所述的装置,其特征在于,The device of claim 9, wherein:
    所述处理器,还用于在所述TEE下,将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;在所述TEE下将所述第一匹配结果和将所述 生物特征数据中的至少另一部分数据发送至所述SE;The processor is further configured to perform a first matching of at least a part of the biometric data with a first biometric template under the TEE to obtain a first matching result; under the TEE, the A first matching result and sending at least another part of the biometric data to the SE;
    相应地,所述SE,用于将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果;其中,所述第二生物特征模板包括预设的生物特征模板中不同于所述第一生物特征模板的部分。Correspondingly, the SE is used to perform a second matching of at least another part of the biometric data with a second biometric template to obtain a second matching result, and according to the first matching result and the first matching result 2. The matching result is to determine the biometric recognition result; wherein the second biometric template includes a part of the preset biometric template that is different from the first biometric template.
  12. 如权利要求11所述的装置,其特征在于,所述第一生物特征模板和所述第二生物特征模板分别为预设的生物特征模板中的不同部分。The device of claim 11, wherein the first biometric template and the second biometric template are different parts of a preset biometric template.
  13. 如权利要求11或12所述的装置,其特征在于,The device according to claim 11 or 12, wherein:
    所述处理器,还用于获取所述预设的生物特征模板;从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。The processor is further configured to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
  14. 如权利要求11-13中任一项所述的装置,其特征在于,The device according to any one of claims 11-13, wherein:
    所述处理器,还用于当所述第一匹配结果指示的匹配度大于或等于第一匹配度时,触发所述SE将所述至少另一部分数据与第二生物特征模板进行第二匹配。The processor is further configured to trigger the SE to perform a second match between the at least another part of data and a second biometric template when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching.
  15. 如权利要求11-14中任一项所述的装置,其特征在于,存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板;The device according to any one of claims 11-14, wherein there are multiple first biological feature templates and multiple second biological feature templates, and the multiple first biological feature templates and the multiple The second biometric template has a one-to-one correspondence, and a corresponding first biometric template and a second biometric template belong to the same preset biometric template;
    所述处理器,还用于在所述TEE下,将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果;The processor is further configured to perform a first match between the at least a part of the data and each first biometric template of the plurality of first biometric templates under the TEE to obtain each first biometric template. A first matching result corresponding to a biometric template;
    相应地,所述SE,用于按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。Correspondingly, the SE is configured to compare the plurality of second biometric templates according to the order of the plurality of matching degrees indicated by the plurality of first matching results corresponding to the plurality of first biometric templates. Sorting; according to the sorting, the at least another part of data is sequentially matched with the plurality of second biometric templates; each time the second matching of the at least another part of data with a second biometric template is completed During matching, a second matching result is obtained, and a biometric recognition result corresponding to the second biometric template is determined according to the second matching result and the first matching result.
  16. 如权利要求9-15中任一项所述的装置,其特征在于,所述生物特征模板为指纹模板、人脸模板或虹膜模板中的至少一个。The device according to any one of claims 9-15, wherein the biometric template is at least one of a fingerprint template, a face template, or an iris template.
  17. 一种生物识别装置,其特征在于,所述装置包括:可行执行环境TEE模块和安全元件SE模块;A biometric identification device, characterized in that the device includes: a feasible execution environment TEE module and a secure element SE module;
    所述TEE模块,用于获取生物图像,提取所述生物图像中的生物特征数据;The TEE module is used to obtain biological images and extract biological characteristic data in the biological images;
    所述SE模块,用于将所述生物特征数据的全部或部分与生物特征模板进行匹配,得到生物识别结果。The SE module is used to match all or part of the biometric data with a biometric template to obtain a biometric recognition result.
  18. 如权利要求17所述的装置,其特征在于,The device of claim 17, wherein:
    所述TEE模块,还用于将所述生物特征数据的全部发送至所述SE模块;The TEE module is also used to send all of the biometric data to the SE module;
    相应地,所述SE模块,用于将所述生物特征数据的全部与预设的生物特征模板进行匹配,得到生物识别结果。Correspondingly, the SE module is used to match all of the biometric data with a preset biometric template to obtain a biometric recognition result.
  19. 如权利要求17所述的装置,其特征在于,The device of claim 17, wherein:
    所述TEE模块,还用于将所述生物特征数据中的至少一部分数据与第一生物特征模板进行第一匹配,得到第一匹配结果;将所述第一匹配结果和将所述生物特征数据中的至少另一部分数据发送至所述SE模块;The TEE module is further configured to perform a first match between at least a part of the biometric data and a first biometric template to obtain a first matching result; and compare the first matching result with the biometric data At least another part of the data in is sent to the SE module;
    相应地,所述SE模块,用于将所述生物特征数据中的至少另一部分数据与第二生物特征模板进行第二匹配,得到第二匹配结果,并根据所述第一匹配结果和所述第二匹配结果,确定生物识别结果;其中,所述第二生物特征模板包括预设的生物特征模板中不同于所述第一生物特征模板的部分。Correspondingly, the SE module is configured to perform a second matching of at least another part of the biometric data with a second biometric template to obtain a second matching result, and according to the first matching result and the The second matching result determines the biometric recognition result; wherein the second biometric template includes a part of the preset biometric template that is different from the first biometric template.
  20. 如权利要求19所述的装置,其特征在于,所述第一生物特征模板和所述第二生物特征模板分别为预设的生物特征模板中的不同部分。The device of claim 19, wherein the first biometric template and the second biometric template are different parts of a preset biometric template.
  21. 如权利要求19或20所述的装置,其特征在于,The device according to claim 19 or 20, wherein:
    所述装置,还用于获取所述预设的生物特征模板;从所述预设的生物特征模板中提取所述第一生物特征模板和所述第二生物特征模板。The device is also used to obtain the preset biometric template; extract the first biometric template and the second biometric template from the preset biometric template.
  22. 如权利要求19-21中任一项所述的装置,其特征在于,The device according to any one of claims 19-21, wherein:
    所述TEE模块,还用于当所述第一匹配结果指示的匹配度大于或等于第一匹配度时,触发所述SE模块将所述至少另一部分数据与第二生物特征模板进行第二匹配。The TEE module is further configured to trigger the SE module to perform a second match between the at least another part of data and a second biometric template when the degree of matching indicated by the first matching result is greater than or equal to the first degree of matching .
  23. 如权利要求19-22中任一项所述的装置,其特征在于,存在多个第一生物特征模板和多个第二生物特征模板,所述多个第一生物特征模板与所述多个第二生物特征模板一一对应,对应的一个第一生物特征模板与一个第二生物特征模板属于同一个预设的生物特征模板;The device according to any one of claims 19-22, wherein there are a plurality of first biometric templates and a plurality of second biometric templates, and the plurality of first biometric templates and the plurality of The second biometric template has a one-to-one correspondence, and a corresponding first biometric template and a second biometric template belong to the same preset biometric template;
    所述TEE模块,还用于将所述至少一部分数据与所述多个第一生物特征模板中的每个第一生物特征模板进行第一匹配,得到所述每个第一生物特征模板对应的第一匹配结果;The TEE module is further configured to perform a first match between the at least a part of the data and each first biometric template of the plurality of first biometric templates to obtain the corresponding First match result;
    相应地,所述SE模块,用于按照所述多个第一生物特征模板对应的多个第一匹配结果指示的多个匹配度由高到低的顺序,对所述多个第二生物特征模板进行排序;按照所述排序,将所述至少另一部分数据依次与所述多个第二生物特征模板进行第二匹配;每当完成所述至少另一部分数据与一个第二生物特征模板的第二匹配时,得到一个第二匹配结果,根据所述第二匹配结果和所述第一匹配结果,确定对应于所述第二生物特征模板的生物识别结果。Correspondingly, the SE module is configured to compare the plurality of second biometrics in the descending order of the matching degrees indicated by the plurality of first matching results corresponding to the plurality of first biometric templates. The templates are sorted; according to the sorting, the at least another part of data is sequentially matched with the plurality of second biometric templates; each time the first part of the at least another part of data and a second biometric template is completed In the second matching, a second matching result is obtained, and a biometric recognition result corresponding to the second biometric template is determined according to the second matching result and the first matching result.
  24. 如权利要求17-23中任一项所述的装置,其特征在于,所述生物特征模板为指纹模板、人脸模板或虹膜模板中的至少一个。The device according to any one of claims 17-23, wherein the biometric template is at least one of a fingerprint template, a face template, or an iris template.
PCT/CN2019/079339 2019-03-22 2019-03-22 Biometric recognition method and apparatus WO2020191547A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/079339 WO2020191547A1 (en) 2019-03-22 2019-03-22 Biometric recognition method and apparatus
CN201980006480.3A CN111989693A (en) 2019-03-22 2019-03-22 Biometric identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/079339 WO2020191547A1 (en) 2019-03-22 2019-03-22 Biometric recognition method and apparatus

Publications (1)

Publication Number Publication Date
WO2020191547A1 true WO2020191547A1 (en) 2020-10-01

Family

ID=72610456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/079339 WO2020191547A1 (en) 2019-03-22 2019-03-22 Biometric recognition method and apparatus

Country Status (2)

Country Link
CN (1) CN111989693A (en)
WO (1) WO2020191547A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114629837A (en) * 2022-03-18 2022-06-14 澜途集思(深圳)数字科技有限公司 Ecological biological identification method based on NoC algorithm

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105989490A (en) * 2014-08-12 2016-10-05 神盾股份有限公司 Electronic device and fingerprint recognition control method
CN107113170A (en) * 2017-03-13 2017-08-29 深圳市汇顶科技股份有限公司 Biometric templates preservation, verification method and biometric devices, terminal
CN107211026A (en) * 2015-03-22 2017-09-26 苹果公司 It is intended to the method and apparatus of checking for the user authentication in mobile device and the mankind
WO2017185926A1 (en) * 2016-04-27 2017-11-02 中国银联股份有限公司 Mobile payment method and apparatus
CN107483213A (en) * 2017-08-23 2017-12-15 北京华大智宝电子系统有限公司 A kind of method of safety certification, relevant apparatus and system
CN108389049A (en) * 2018-01-08 2018-08-10 北京握奇智能科技有限公司 Identity identifying method, device and mobile terminal

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105989490A (en) * 2014-08-12 2016-10-05 神盾股份有限公司 Electronic device and fingerprint recognition control method
CN107211026A (en) * 2015-03-22 2017-09-26 苹果公司 It is intended to the method and apparatus of checking for the user authentication in mobile device and the mankind
WO2017185926A1 (en) * 2016-04-27 2017-11-02 中国银联股份有限公司 Mobile payment method and apparatus
CN107113170A (en) * 2017-03-13 2017-08-29 深圳市汇顶科技股份有限公司 Biometric templates preservation, verification method and biometric devices, terminal
CN107483213A (en) * 2017-08-23 2017-12-15 北京华大智宝电子系统有限公司 A kind of method of safety certification, relevant apparatus and system
CN108389049A (en) * 2018-01-08 2018-08-10 北京握奇智能科技有限公司 Identity identifying method, device and mobile terminal

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114629837A (en) * 2022-03-18 2022-06-14 澜途集思(深圳)数字科技有限公司 Ecological biological identification method based on NoC algorithm

Also Published As

Publication number Publication date
CN111989693A (en) 2020-11-24

Similar Documents

Publication Publication Date Title
JP6518694B2 (en) Method and system for performing identity verification
Li et al. Unobservable re-authentication for smartphones.
US9043941B2 (en) Biometric authentication device, biometric authentication system, biometric authentication method, and recording medium
US20210004451A1 (en) Step-up authentication
JP5701997B2 (en) User identification and authentication in mobile commerce
TW201712584A (en) Electronic device access control using biometric technologies
CN104077576A (en) Fingerprint recognition method and terminal device having fingerprint recognition function
WO2018205468A1 (en) Biometric transaction processing method, electronic device and storage medium
US9536131B1 (en) Fingerprint recognition methods and electronic device
US20170289153A1 (en) Secure archival and recovery of multifactor authentication templates
US11552944B2 (en) Server, method for controlling server, and terminal device
WO2020220212A1 (en) Biological feature recognition method and electronic device
EP4248341A1 (en) Method and apparatus for user recognition
US11875605B2 (en) User authentication for an information handling system using a secured stylus
WO2020191547A1 (en) Biometric recognition method and apparatus
KR101659226B1 (en) Method and system for remote biometric verification using fully homomorphic encryption
US10902106B2 (en) Authentication and authentication mode determination method, apparatus, and electronic device
US11869294B2 (en) Providing digital identifications generated for checkpoint validation based on biometric identification
US11776303B2 (en) Biometric gallery management using wireless identifiers
Chen et al. ISO/IEC standards for on-card biometric comparison
CN113409051B (en) Risk identification method and device for target service
US20220366028A1 (en) Method and sysem for fingerprint verification and enrollment with secure storage of templates
US20200143026A1 (en) Biometric recognition method and device
CN115379447A (en) Identity authentication method and mobile terminal
CN116738411A (en) Multi-mode registration method and identity recognition method based on biological feature recognition

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19921711

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19921711

Country of ref document: EP

Kind code of ref document: A1