WO2021184974A1 - Identity authentication method for privacy protection, and apparatus - Google Patents

Identity authentication method for privacy protection, and apparatus Download PDF

Info

Publication number
WO2021184974A1
WO2021184974A1 PCT/CN2021/074244 CN2021074244W WO2021184974A1 WO 2021184974 A1 WO2021184974 A1 WO 2021184974A1 CN 2021074244 W CN2021074244 W CN 2021074244W WO 2021184974 A1 WO2021184974 A1 WO 2021184974A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
encrypted
library file
user
unit
Prior art date
Application number
PCT/CN2021/074244
Other languages
French (fr)
Chinese (zh)
Inventor
王立彬
李亮
郑丹丹
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司 filed Critical 支付宝(杭州)信息技术有限公司
Publication of WO2021184974A1 publication Critical patent/WO2021184974A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • One or more embodiments of this specification relate to the field of computer technology, and in particular to an identity authentication method and device for protecting privacy.
  • the identity authentication method can be executed on the server side or directly on the client side.
  • the authentication process can be as follows: the client collects the user's biometrics (such as facial features, fingerprint features, or iris features), and compares the collected biometrics with pre-stored biometrics , Determine whether the user's identity authentication is passed based on the comparison result.
  • biometrics stored on the client are at risk of being stolen, so that the existing identity authentication methods executed by the client cannot realize the privacy protection of the user's biometrics.
  • One or more embodiments of this specification describe a privacy-protecting identity authentication method and device, which can improve the security of the user's biological characteristics.
  • a privacy-protecting identity authentication method including: obtaining the biological characteristics of the user to be authenticated; using the private encryption key to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics;
  • the encrypted library file is decrypted to obtain the original library file; for the original library file, the second decryption key corresponding to the second encryption key is used to decrypt each encrypted record once to obtain the Each encrypted record decrypted at one time; comparing the encryption feature with each encrypted record after decrypting once, and if it matches any encrypted record after decrypting once, the identity authentication of the user to be authenticated passes.
  • a privacy-protecting identity authentication method including: obtaining the biological characteristics of the current user; using a private encryption key to encrypt the biological characteristics to obtain the encryption characteristics of the current user; and using a second encryption key Key, the encryption feature of the current user is re-encrypted to obtain the encrypted record of the current user; the encrypted record of the current user is output to the corresponding original library file; when the number of encrypted records in the original library file reaches the threshold , Encrypt the original library file to obtain an encrypted library file; send the encrypted library file to the client, so that the client decrypts the encrypted library file by decrypting each of the encrypted library files once.
  • An encrypted record is compared with the encryption feature of the user to be authenticated to realize the identity authentication of the user to be authenticated.
  • a privacy-protecting identity authentication device which includes: an obtaining unit for obtaining the biometric characteristics of a user to be authenticated; and an encryption unit for using the private encryption key to obtain information from the obtaining unit
  • the biological characteristics of the user to be authenticated are encrypted to obtain the encrypted characteristics; the decryption unit is used to decrypt the encrypted library file to obtain the original library file; the decryption unit is also used to obtain the original library file , Using the second decryption key corresponding to the second encryption key to decrypt each of the encrypted records once to obtain each encrypted record that has been decrypted once;
  • the encryption feature is compared with each encrypted record that has been decrypted once and obtained by the decryption unit, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
  • a privacy-protecting identity authentication device including: an acquisition unit for acquiring the biological characteristics of the current user; an encryption unit for using a private encryption key to verify the biological characteristics The feature is encrypted to obtain the encryption feature of the current user; the encryption unit is also used to use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user; the output unit is used to The encrypted record of the current user obtained by the encryption unit is output to the corresponding original library file; the encryption unit is also used to compare the original library file when the number of encrypted records in the original library file reaches a threshold.
  • Encrypting to obtain an encrypted library file a sending unit for sending the encrypted library file obtained by the encrypting unit to the client, so that the client decrypts the encrypted library file through the process
  • Each encrypted record decrypted at one time is compared with the encryption feature of the user to be authenticated to realize the identity authentication of the user to be authenticated.
  • a computer storage medium is provided with a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method of the first aspect or the method of the second aspect.
  • a computing device including a memory and a processor, the memory stores executable code, and when the processor executes the executable code, the method of the first aspect or the method of the second aspect is implemented method.
  • the private encryption key is first used to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics. After that, decrypt the encrypted library file stored in advance on the client, and decrypt each encrypted record in the original library file once to obtain the biological characteristics of each user encrypted only with the private encryption key.
  • the encryption feature is compared with the biological feature of each user encrypted only with the private encryption key, and based on the comparison result, it is determined whether the identity authentication of the user to be authenticated passes. Since this solution uses the encryption domain data comparison method when authenticating the user's identity, it can effectively improve the security of the user's biometrics. In addition, even if the user's biological characteristics are stolen, the user's biological characteristics stored in advance can be forced to become invalid by changing the private encryption key, thereby effectively avoiding fraudulent behaviors and improving user experience.
  • Figure 1 is a schematic diagram of the application scenario of the privacy-protecting identity authentication method provided in this specification
  • FIG. 3 is a flowchart of an identity authentication method for protecting privacy provided by another embodiment of this specification.
  • FIG. 4 is a schematic diagram of an identity authentication device for protecting privacy provided by an embodiment of this specification.
  • Fig. 5 is a schematic diagram of an identity authentication device for protecting privacy provided by another embodiment of this specification.
  • the existing identity authentication method executed by the client has the risk of the user's biometrics being stolen.
  • the applicant of this application considers to replace the direct comparison of the original data with the comparison of the encrypted domain data when authenticating the user's identity.
  • the specific implementation is as follows:
  • the server generates an encrypted library file and sends the encrypted library file to the client.
  • the encrypted library file here is obtained by encrypting the original library file.
  • the client first obtains the biological characteristics of the user to be authenticated. Using the above-mentioned private encryption key, the biological characteristics of the user to be authenticated are encrypted to obtain the encrypted characteristics. Then decrypt the encrypted library file to obtain the original library file. For the original library file, use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once to obtain each encrypted record that has been decrypted once. The encryption feature is compared with each encrypted record that has been decrypted once, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
  • Figure 1 is a schematic diagram of the application scenario of the privacy-protecting identity authentication method provided in this specification.
  • the server can obtain the user's biological characteristics, and sequentially perform encryption, encoding, and secondary encryption on the acquired biological characteristics to obtain an encrypted record. After that, the server can output the encrypted record to the original library file. When the number of encrypted records in the original library file reaches the threshold, the server can encrypt the original library file and can deliver the encrypted library file to the client. After receiving the encrypted library file, the client can decrypt the encrypted library file and decrypt each encrypted record in the original library file after decryption. After that, the identity authentication of the user to be authenticated is achieved by comparing each encrypted record that has been decrypted once with the encryption feature of the user to be authenticated.
  • Fig. 2 is a flowchart of an identity authentication method for protecting privacy provided by an embodiment of this specification.
  • the execution subject of the method may be the server in FIG. 1.
  • the method may include step 202 to step 212.
  • Step 202 Acquire the biometric characteristics of the current user.
  • the biometric characteristics of the current user can be obtained.
  • the biological characteristics here can include physiological characteristics and behavioral characteristics.
  • the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on.
  • Behavioral characteristics can include voice characteristics and gait characteristics.
  • the acquisition process may be as follows: the server receives the face image collected by the client through the collection module (for example, a camera). After that, the face image can be input into the feature extraction model to obtain face features.
  • the feature extraction model here is set on the server, and it can include but is not limited to feature point detection algorithms such as SURF, SIFT, ORB, FAST, and Harris.
  • the aforementioned acquisition module may be a fingerprint sensor.
  • the corresponding fingerprint feature acquisition process can be as follows: the server receives the initial fingerprint information collected by the client through the fingerprint sensor. After that, a predetermined operation (for example, averaging) can be performed on the collected initial fingerprint information to obtain fingerprint characteristics.
  • Step 204 Use the private encryption key to encrypt the acquired biological characteristics to obtain the encryption characteristics of the current user.
  • the encryption algorithm used by the server here when encrypting can be a predefined encryption algorithm, such as expanding the encrypted data to a specified number of bits. It can also be any public encryption algorithm, such as the elgamal algorithm.
  • the premise is that the encryption algorithm needs to be negotiated in advance by the server and the client.
  • the server when the server performs encryption, it can generate corresponding parameters (ie, private encryption keys) for the encryption algorithm, so that the server performs encryption by using the negotiated encryption algorithm and the corresponding private encryption key.
  • the above parameter is referred to as a private encryption key because there is no corresponding decryption key for the private encryption key.
  • the server can use an encoding algorithm to encode the encryption feature to obtain an encoding result.
  • the encoding algorithm may be a base64 algorithm or the like. It is understandable that by performing this encoding step, the storage space occupied by the encryption feature can be saved.
  • Step 206 Use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user.
  • the server can perform secondary encryption on it to obtain the encrypted record of the user.
  • the encryption algorithm used by the server for secondary encryption can be any public encryption algorithm, such as the elgamal algorithm.
  • the encryption algorithm used in the secondary encryption can also be negotiated in advance by the server and the client.
  • the server when the server performs secondary encryption, it can also generate the corresponding parameters (ie, the second encryption key) for the encryption algorithm, so that the server performs the secondary encryption by using the negotiated encryption algorithm and the corresponding second encryption key.
  • the second encryption key here corresponds to the second decryption key.
  • Step 208 Output the encrypted record of the current user to the corresponding original library file.
  • Step 210 When the number of encrypted records in the original library file reaches the threshold, encrypt the original library file to obtain an encrypted library file.
  • the server can output the user's encrypted record to the corresponding original library file.
  • the original library file can be generated in advance by the server. After that, it can be judged whether the number of encrypted records in the original library file reaches the threshold, and if so, the original library file can be encrypted to obtain the encrypted library file.
  • the encryption algorithm used for encrypting the original library file can also be any public encryption algorithm negotiated in advance by the server and the client.
  • the server when it encrypts the original library file, it can also generate corresponding parameters for the encryption algorithm (hereinafter referred to as the database encryption key), so that the server uses the negotiated encryption algorithm and the database encryption key to compare the original library file Encrypted.
  • the database encryption key corresponds to the database decryption key.
  • the number of generated encrypted library files can be multiple.
  • Step 212 Send the encrypted library file to the client, so that after decrypting the encrypted library file, the client compares each encrypted record that has been decrypted once with the encryption characteristics of the user to be authenticated to realize the user's information to be authenticated. Authentication.
  • the user's biometrics sent by the server to the client are encrypted with multiple layers, so this solution can effectively improve the security of the user's biometrics.
  • the following describes the user's identity authentication process based on the encrypted library file issued by the server on the client.
  • Fig. 3 is a flowchart of an identity authentication method for protecting privacy provided by another embodiment of this specification.
  • the execution subject of the method may be the client in FIG. 1.
  • the method may include step 302 to step 310.
  • Step 302 Obtain the biological characteristics of the user to be authenticated.
  • the biometric characteristics of the user to be authenticated can be obtained.
  • the biological characteristics here can include physiological characteristics and behavioral characteristics.
  • the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on.
  • Behavioral characteristics can include voice characteristics and gait characteristics.
  • the acquisition process may be: the client terminal collects the face image of the user to be authenticated through a collection module (for example, a camera). After that, the face image can be input into the feature extraction model to obtain face features.
  • the feature extraction model here is set on the client, and it can include but is not limited to feature point detection algorithms such as SURF, SIFT, ORB, FAST, and Harris.
  • the aforementioned acquisition module may be a fingerprint sensor.
  • the corresponding fingerprint feature acquisition process may be: the client uses the fingerprint sensor to collect the initial fingerprint information of the user to be authenticated. After that, a predetermined operation (for example, averaging) can be performed on the collected initial fingerprint information to obtain fingerprint characteristics.
  • Step 304 Use the private encryption key to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics.
  • the private encryption key here is the private encryption key used by the server to encrypt the user's biometrics once.
  • the encryption algorithm used here is also the predefined one used by the server for one-time encryption. Encryption algorithm or any public encryption algorithm. In other words, the encryption algorithm and private encryption key used in this step are the same as those in step 204.
  • Step 306 Decrypt the encrypted library file to obtain the original library file.
  • each encrypted library file may be sequentially read into the memory and decrypted here. After that, step 308 to step 310 are performed for each original library file obtained after decryption.
  • the key used to decrypt the encrypted library file is the aforementioned database decryption key, which may be generated by the server when generating the corresponding database encryption key for the encryption algorithm of the original library file.
  • the encryption algorithm as the elgamal algorithm as an example, since the corresponding decryption algorithm is the elgamal algorithm, when the database encryption key is generated, the database decryption key corresponding to the database encryption key can be generated at the same time.
  • Step 308 For the original library file, use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once to obtain each encrypted record that has undergone one decryption.
  • the second decryption key here may be generated when the server generates the corresponding second encryption key for the encryption algorithm used in the secondary encryption.
  • the encryption algorithm as the elgamal algorithm as an example, since the corresponding decryption algorithm is the elgamal algorithm, when the second encryption key is generated, the second decryption key corresponding to the second encryption key can be generated at the same time.
  • each encrypted record that has been decrypted once is the encrypted feature of each user after the server uses the private encryption key to encrypt the biological characteristics of multiple users once.
  • the server can also decode them based on the decoding algorithm corresponding to the encoding algorithm to obtain the decoded encrypted records .
  • each encrypted record after decoding is the encrypted feature of each user after the server uses the private encryption key to encrypt the biological characteristics of multiple users once.
  • steps 302 to 304 and steps 306 to 308 can also be interchanged, or can be executed in parallel, which is not limited in this specification.
  • Step 310 Compare the encryption feature of the user to be authenticated with each encrypted record that has been decrypted once, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
  • the step of comparing may specifically include: sequentially calculating the similarity between the encryption feature of the user to be authenticated and each encrypted record that has been decrypted once.
  • the similarity here can include but is not limited to cosine similarity, Euclidean distance, Manhattan distance, Pearson correlation coefficient, and so on. If the similarity with any encrypted record that has been decrypted once is greater than the threshold, it can be considered that the encryption feature of the user to be authenticated matches the encrypted record that has been decrypted once, and the identity of the user to be authenticated is authenticated.
  • the embodiment of this specification adopts the method of comparing encrypted domain data when authenticating the identity of the user to be authenticated, which can avoid storing the user’s original biological characteristics on the client side, thereby effectively improving the user’s biological characteristics. Characteristic security.
  • this solution adopts the method of comparing encrypted domain data, when the user's biological characteristics are stolen, the private encryption key can be changed to force the pre-stored user's biological characteristics to become invalid. In the case that the pre-stored user's biometrics are invalid, the comparison process will fail, which can effectively avoid fraudulent behaviors, thereby improving user experience.
  • an embodiment of this specification also provides a privacy-protecting identity authentication device, which is set on the client.
  • the client here maintains an encrypted library file, which is obtained by encrypting the original library file.
  • the device may include the following units.
  • the acquiring unit 402 is configured to acquire the biological characteristics of the user to be authenticated.
  • the biological characteristics here can include physiological characteristics and behavioral characteristics.
  • the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on.
  • Behavioral characteristics can include voice characteristics and gait characteristics.
  • the encryption unit 404 is configured to use the private encryption key to encrypt the biological characteristics of the user to be authenticated obtained by the obtaining unit 402 to obtain the encrypted characteristics.
  • the decryption unit 406 is used to decrypt the encrypted library file to obtain the original library file.
  • the decryption unit 406 is also configured to use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once for the original library file to obtain each encrypted record that has been decrypted once.
  • the comparison unit 408 is configured to compare the encryption feature obtained by the encryption unit 404 with each encrypted record obtained by the decryption unit 406 after one decryption, and if it matches any encrypted record after one decryption, the user to be authenticated The identity authentication passed.
  • the privacy-protecting identity authentication device provided by an embodiment of this specification can effectively improve the security of the user's biological characteristics.
  • an embodiment of this specification also provides a privacy-protecting identity authentication device, which is set on the server.
  • the device may include the following units.
  • the acquiring unit 502 is configured to acquire the biological characteristics of the current user.
  • the biological characteristics here can include physiological characteristics and behavioral characteristics.
  • the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on.
  • Behavioral characteristics can include voice characteristics and gait characteristics.
  • the encryption unit 504 is configured to use the private encryption key to encrypt the biological characteristics obtained by the obtaining unit 502 to obtain the encryption characteristics of the current user.
  • the encryption unit 504 is also configured to use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user.
  • the output unit 506 is configured to output the encrypted record of the current user obtained by the encryption unit 504 to the corresponding original library file.
  • the encryption unit 504 is further configured to encrypt the original library file to obtain the encrypted library file when the number of encrypted records in the original library file reaches the threshold.
  • the sending unit 508 is configured to send the encrypted library file obtained by the encrypting unit 504 to the client, so that after decrypting the encrypted library file, the client decrypts each encrypted record that has been decrypted once and the encryption characteristics of the user to be authenticated. The comparison is performed to realize the identity authentication of the user to be authenticated.
  • the device may further include: an encoding unit (not shown in the figure) for encoding the encryption feature of the current user according to an encoding algorithm to obtain an encoding result.
  • an encoding unit (not shown in the figure) for encoding the encryption feature of the current user according to an encoding algorithm to obtain an encoding result.
  • the encryption unit 504 may be specifically configured to: use the second encryption key to perform secondary encryption on the encoding result to obtain the encrypted record of the current user.
  • the privacy-protecting identity authentication device provided by an embodiment of this specification can effectively improve the security of the user's biological characteristics.
  • the embodiments of this specification provide a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, the computer is caused to execute the method shown in FIG. 2 or FIG. 3.
  • the embodiments of the present specification provide a computing device, including a memory and a processor, the memory stores executable code, and when the processor executes the executable code, the implementation shown in FIG. 2 or FIG. 3 is implemented. Indicates the method.
  • the steps of the method or algorithm described in conjunction with the disclosure of this specification can be implemented in a hardware manner, or can be implemented in a manner in which a processor executes software instructions.
  • Software instructions can be composed of corresponding software modules, which can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, mobile hard disk, CD-ROM or any other form of storage known in the art Medium.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC may be located in the server.
  • the processor and the storage medium may also exist as discrete components in the server.
  • the functions described in the present invention can be implemented by hardware, software, firmware, or any combination thereof.
  • these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium.
  • the computer-readable medium includes a computer storage medium and a communication medium, where the communication medium includes any medium that facilitates the transfer of a computer program from one place to another.
  • the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Collating Specific Patterns (AREA)

Abstract

Embodiments of the present description provide an identity authentication method for privacy protection and an apparatus. In the authentication method, a biological feature of a user to be authenticated is obtained; encryption is performed on the biological feature of the user to be authenticated using a private encryption key, and an encrypted feature is obtained; decryption is performed on an encrypted library file, and an original library file is obtained; with respect to the original library file, a second decryption key corresponding to a second encryption key is used and decryption is performed once on each encrypted record within said file, and encrypted records having undergone decryption once are obtained; the encrypted feature and the encrypted records having undergone decryption once are compared, and if the encrypted feature matches with any one among the encrypted records having undergone decryption once, then the user to be authenticated passes identity authentication. Thereby identity authentication can be implemented while performing privacy protection on a biological feature of a user.

Description

保护隐私的身份认证方法及装置Identity authentication method and device for protecting privacy 技术领域Technical field
本说明书一个或多个实施例涉及计算机技术领域,尤其涉及一种保护隐私的身份认证方法及装置。One or more embodiments of this specification relate to the field of computer technology, and in particular to an identity authentication method and device for protecting privacy.
背景技术Background technique
随着互联网技术的不断发展,越来越多的用户选择在网页上操作,并获取服务提供商提供的各种服务。为了避免合法用户的账号被非法用户截取,服务提供商在为用户提供各种服务之前,需要对当前用户的身份进行认证。With the continuous development of Internet technology, more and more users choose to operate on web pages and obtain various services provided by service providers. In order to prevent the account of a legitimate user from being intercepted by an illegal user, the service provider needs to authenticate the identity of the current user before providing various services to the user.
目前,身份认证方法可以在服务端执行,也可以直接在客户端执行。当直接在客户端执行时,其认证过程可以如下:客户端采集用户的生物特征(如,人脸特征、指纹特征或者虹膜特征等),将采集的生物特征与预先存储的生物特征进行比对,基于比对结果确定用户的身份认证是否通过。然而存储在客户端的生物特征存在被盗风险,从而现有的由客户端执行的身份认证方法不能实现用户的生物特征的隐私保护。At present, the identity authentication method can be executed on the server side or directly on the client side. When executed directly on the client, the authentication process can be as follows: the client collects the user's biometrics (such as facial features, fingerprint features, or iris features), and compares the collected biometrics with pre-stored biometrics , Determine whether the user's identity authentication is passed based on the comparison result. However, the biometrics stored on the client are at risk of being stolen, so that the existing identity authentication methods executed by the client cannot realize the privacy protection of the user's biometrics.
因此,需要提供一种身份认证方法,以提高用户的生物特征的安全性。Therefore, it is necessary to provide an identity authentication method to improve the security of the user's biological characteristics.
发明内容Summary of the invention
本说明书一个或多个实施例描述了一种保护隐私的身份认证方法及装置,可以提高用户的生物特征的安全性。One or more embodiments of this specification describe a privacy-protecting identity authentication method and device, which can improve the security of the user's biological characteristics.
第一方面,提供了一种保护隐私的身份认证方法,包括:获取待认证用户的生物特征;使用所述私有加密密钥,对所述待认证用户的生物特征进行加密,得到加密特征;对所述加密库文件进行解密,得到所述原始库文件;对于所述原始库文件,使用所述第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录;将所述加密特征与经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则所述待认证用户的身份认证通过。In a first aspect, a privacy-protecting identity authentication method is provided, including: obtaining the biological characteristics of the user to be authenticated; using the private encryption key to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics; The encrypted library file is decrypted to obtain the original library file; for the original library file, the second decryption key corresponding to the second encryption key is used to decrypt each encrypted record once to obtain the Each encrypted record decrypted at one time; comparing the encryption feature with each encrypted record after decrypting once, and if it matches any encrypted record after decrypting once, the identity authentication of the user to be authenticated passes.
第二方面,提供了一种保护隐私的身份认证方法,包括:获取当前用户的生物特征;使用私有加密密钥,对所述生物特征进行加密,得到当前用户的加密特征;使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录;将当前 用户的加密记录输出至对应的原始库文件中;在所述原始库文件中加密记录的个数达到阈值时,对所述原始库文件进行加密,得到加密库文件;向客户端发送所述加密库文件,以使得所述客户端在对所述加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现所述待认证用户的身份认证。In a second aspect, a privacy-protecting identity authentication method is provided, including: obtaining the biological characteristics of the current user; using a private encryption key to encrypt the biological characteristics to obtain the encryption characteristics of the current user; and using a second encryption key Key, the encryption feature of the current user is re-encrypted to obtain the encrypted record of the current user; the encrypted record of the current user is output to the corresponding original library file; when the number of encrypted records in the original library file reaches the threshold , Encrypt the original library file to obtain an encrypted library file; send the encrypted library file to the client, so that the client decrypts the encrypted library file by decrypting each of the encrypted library files once. An encrypted record is compared with the encryption feature of the user to be authenticated to realize the identity authentication of the user to be authenticated.
第三方面,提供了一种保护隐私的身份认证装置,包括:获取单元,用于获取待认证用户的生物特征;加密单元,用于使用所述私有加密密钥,对所述获取单元获取的所述待认证用户的生物特征进行加密,得到加密特征;解密单元,用于对所述加密库文件进行解密,得到所述原始库文件;所述解密单元,还用于对于所述原始库文件,使用所述第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录;比对单元,用于将所述加密单元得到的所述加密特征与所述解密单元得到的经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则所述待认证用户的身份认证通过。In a third aspect, a privacy-protecting identity authentication device is provided, which includes: an obtaining unit for obtaining the biometric characteristics of a user to be authenticated; and an encryption unit for using the private encryption key to obtain information from the obtaining unit The biological characteristics of the user to be authenticated are encrypted to obtain the encrypted characteristics; the decryption unit is used to decrypt the encrypted library file to obtain the original library file; the decryption unit is also used to obtain the original library file , Using the second decryption key corresponding to the second encryption key to decrypt each of the encrypted records once to obtain each encrypted record that has been decrypted once; The encryption feature is compared with each encrypted record that has been decrypted once and obtained by the decryption unit, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
第四方面,提供了一种保护隐私的身份认证装置,包括:获取单元,用于获取当前用户的生物特征;加密单元,用于使用私有加密密钥,对所述获取单元获取的所述生物特征进行加密,得到当前用户的加密特征;所述加密单元,还用于使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录;输出单元,用于将所述加密单元得到的当前用户的加密记录输出至对应的原始库文件中;所述加密单元,还用于在所述原始库文件中加密记录的个数达到阈值时,对所述原始库文件进行加密,得到加密库文件;发送单元,用于向客户端发送所述加密单元得到的所述加密库文件,以使得所述客户端在对所述加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现所述待认证用户的身份认证。In a fourth aspect, a privacy-protecting identity authentication device is provided, including: an acquisition unit for acquiring the biological characteristics of the current user; an encryption unit for using a private encryption key to verify the biological characteristics The feature is encrypted to obtain the encryption feature of the current user; the encryption unit is also used to use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user; the output unit is used to The encrypted record of the current user obtained by the encryption unit is output to the corresponding original library file; the encryption unit is also used to compare the original library file when the number of encrypted records in the original library file reaches a threshold. Encrypting to obtain an encrypted library file; a sending unit for sending the encrypted library file obtained by the encrypting unit to the client, so that the client decrypts the encrypted library file through the process Each encrypted record decrypted at one time is compared with the encryption feature of the user to be authenticated to realize the identity authentication of the user to be authenticated.
第五方面,提供了一种计算机存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行第一方面的方法或第二方面的方法。In a fifth aspect, a computer storage medium is provided with a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method of the first aspect or the method of the second aspect.
第六方面,提供了一种计算设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现第一方面的方法或第二方面的方法。In a sixth aspect, a computing device is provided, including a memory and a processor, the memory stores executable code, and when the processor executes the executable code, the method of the first aspect or the method of the second aspect is implemented method.
本说明书一个或多个实施例提供的保护隐私的身份认证方法及装置,在对待认证用户的身份进行认证时,先使用私有加密密钥,对待认证用户的生物特征进行加密,得到加密特征。之后,对客户端预先存储的加密库文件进行解密,并对原始库文件中的各条加密记录进行一次解密,得到仅使用私有加密密钥加密后的各用户的生物特征。将加密特征与仅使用私有加密密钥加密后的各用户的生物特征进行比对,并基于比对结果, 确定待认证用户的身份认证是否通过。由于本方案在对用户的身份进行认证时采用加密域数据的比对方法,由此可以有效提高用户的生物特征的安全性。另外,即便用户的生物特征被盗取,可以通过变更私有加密密钥,而迫使预先存储的用户的生物特征失效,由此可以有效避免欺诈行为,进而可以提升用户体验。In the privacy-protecting identity authentication method and device provided by one or more embodiments of this specification, when the identity of the user to be authenticated is authenticated, the private encryption key is first used to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics. After that, decrypt the encrypted library file stored in advance on the client, and decrypt each encrypted record in the original library file once to obtain the biological characteristics of each user encrypted only with the private encryption key. The encryption feature is compared with the biological feature of each user encrypted only with the private encryption key, and based on the comparison result, it is determined whether the identity authentication of the user to be authenticated passes. Since this solution uses the encryption domain data comparison method when authenticating the user's identity, it can effectively improve the security of the user's biometrics. In addition, even if the user's biological characteristics are stolen, the user's biological characteristics stored in advance can be forced to become invalid by changing the private encryption key, thereby effectively avoiding fraudulent behaviors and improving user experience.
附图说明Description of the drawings
为了更清楚地说明本说明书实施例的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本说明书的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其它的附图。In order to explain the technical solutions of the embodiments of this specification more clearly, the following will briefly introduce the drawings needed in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the specification. A person of ordinary skill in the art can obtain other drawings based on these drawings without creative work.
图1为本说明书提供的保护隐私的身份认证方法的应用场景示意图;Figure 1 is a schematic diagram of the application scenario of the privacy-protecting identity authentication method provided in this specification;
图2为本说明书一个实施例提供的保护隐私的身份认证方法流程图;2 is a flowchart of an identity authentication method for protecting privacy provided by an embodiment of this specification;
图3为本说明书另一个实施例提供的保护隐私的身份认证方法流程图;FIG. 3 is a flowchart of an identity authentication method for protecting privacy provided by another embodiment of this specification;
图4为本说明书一个实施例提供的保护隐私的身份认证装置示意图;4 is a schematic diagram of an identity authentication device for protecting privacy provided by an embodiment of this specification;
图5为本说明书另一个实施例提供的保护隐私的身份认证装置示意图。Fig. 5 is a schematic diagram of an identity authentication device for protecting privacy provided by another embodiment of this specification.
具体实施方式Detailed ways
下面结合附图,对本说明书提供的方案进行描述。The following describes the solutions provided in this specification with reference to the accompanying drawings.
在描述本说明书提供的方案之前,先对本方案的发明构思作以下说明。Before describing the solution provided in this specification, the following description of the inventive concept of this solution is provided.
如前所述,现有的由客户端执行的身份认证方法存在用户的生物特征被盗的风险。为了提高用户的生物特征的安全性,本申请的申请人考虑在对用户的身份进行认证时,用加密域数据的比对替换原始数据的直接比对。具体实现方式如下:As mentioned above, the existing identity authentication method executed by the client has the risk of the user's biometrics being stolen. In order to improve the security of the user's biological characteristics, the applicant of this application considers to replace the direct comparison of the original data with the comparison of the encrypted domain data when authenticating the user's identity. The specific implementation is as follows:
首先,服务端生成加密库文件,并将加密库文件下发至客户端。这里的加密库文件通过对原始库文件进行加密得到。该原始库文件中记录有多条加密记录,其中的每条加密记录至少通过对一个用户的生物特征先使用私有加密密钥进行一次加密,再使用第二加密密钥进行二次加密得到。First, the server generates an encrypted library file and sends the encrypted library file to the client. The encrypted library file here is obtained by encrypting the original library file. There are multiple encrypted records recorded in the original library file, and each of the encrypted records is obtained by at least one encryption of a user's biological characteristics using a private encryption key, and then a second encryption using a second encryption key.
之后,在对待认证用户的身份进行认证的过程中,客户端先获取待认证用户的生物特征。使用上述私有加密密钥,对待认证用户的生物特征进行加密,得到加密特征。 再对加密库文件进行解密,得到原始库文件。对于原始库文件,使用第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录。将加密特征与经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则待认证用户的身份认证通过。After that, in the process of authenticating the identity of the user to be authenticated, the client first obtains the biological characteristics of the user to be authenticated. Using the above-mentioned private encryption key, the biological characteristics of the user to be authenticated are encrypted to obtain the encrypted characteristics. Then decrypt the encrypted library file to obtain the original library file. For the original library file, use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once to obtain each encrypted record that has been decrypted once. The encryption feature is compared with each encrypted record that has been decrypted once, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
以上就是本说明书提供的发明构思,基于该发明构思就可以得到本方案,以下对本方案进行详细阐述。The above is the inventive concept provided in this specification, and the solution can be obtained based on the inventive concept. The solution will be described in detail below.
图1为本说明书提供的保护隐私的身份认证方法的应用场景示意图。图1中,服务端可以获取用户的生物特征,并对获取的生物特征依次执行加密、编码以及二次加密等处理,得到加密记录。之后,服务端可以将加密记录输出至原始库文件中。在原始库文件中加密记录的个数达到阈值时,服务端可以对原始库文件进行加密,并且可以将加密库文件下发至客户端。客户端接收到加密库文件之后,可以对加密库文件进行解密,并对解密后的原始库文件中的各条加密记录进行一次解密。之后,通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现待认证用户的身份认证。Figure 1 is a schematic diagram of the application scenario of the privacy-protecting identity authentication method provided in this specification. In Figure 1, the server can obtain the user's biological characteristics, and sequentially perform encryption, encoding, and secondary encryption on the acquired biological characteristics to obtain an encrypted record. After that, the server can output the encrypted record to the original library file. When the number of encrypted records in the original library file reaches the threshold, the server can encrypt the original library file and can deliver the encrypted library file to the client. After receiving the encrypted library file, the client can decrypt the encrypted library file and decrypt each encrypted record in the original library file after decryption. After that, the identity authentication of the user to be authenticated is achieved by comparing each encrypted record that has been decrypted once with the encryption feature of the user to be authenticated.
以下结合图2对图1中服务端生成加密库文件的过程进行详细说明。The process of generating the encrypted library file on the server side in FIG. 1 will be described in detail below with reference to FIG. 2.
图2为本说明书一个实施例提供的保护隐私的身份认证方法流程图。所述方法的执行主体可以为图1中的服务端。如图2所示,所述方法可以包括步骤202~步骤212。Fig. 2 is a flowchart of an identity authentication method for protecting privacy provided by an embodiment of this specification. The execution subject of the method may be the server in FIG. 1. As shown in FIG. 2, the method may include step 202 to step 212.
步骤202,获取当前用户的生物特征。Step 202: Acquire the biometric characteristics of the current user.
如,可以是在用户注册会员时,获取当前用户的生物特征。这里的生物特征可以包括生理特征和行为特征。其中,生理特征可以包括以下至少一种:人脸特征、指纹特征和虹膜特征等。行为特征可以包括声音特征和步态特征等。For example, when the user registers as a member, the biometric characteristics of the current user can be obtained. The biological characteristics here can include physiological characteristics and behavioral characteristics. Among them, the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on. Behavioral characteristics can include voice characteristics and gait characteristics.
以生物特征为人脸特征为例来说,该获取过程可以为:服务端接收客户端通过采集模块(如,摄像头)所采集的人脸图像。之后,可以将该人脸图像输入特征提取模型,得到人脸特征。这里的特征提取模型设置于服务端,其可以包括但不限于SURF、SIFT、ORB、FAST以及Harris等特征点检测算法。Taking the biological feature as a face feature as an example, the acquisition process may be as follows: the server receives the face image collected by the client through the collection module (for example, a camera). After that, the face image can be input into the feature extraction model to obtain face features. The feature extraction model here is set on the server, and it can include but is not limited to feature point detection algorithms such as SURF, SIFT, ORB, FAST, and Harris.
应理解,上述只是针对人脸特征的获取过程的说明,在生物特征为指纹特征时,上述采集模块可以为指纹感应器。其相应的指纹特征的获取过程可以为:服务端接收客户端通过指纹感应器所采集的初始指纹信息。之后,可以对采集到的初始指纹信息进行预定运算(如,求平均),得到指纹特征。It should be understood that the foregoing is only an illustration of the process of obtaining facial features, and when the biological feature is a fingerprint feature, the aforementioned acquisition module may be a fingerprint sensor. The corresponding fingerprint feature acquisition process can be as follows: the server receives the initial fingerprint information collected by the client through the fingerprint sensor. After that, a predetermined operation (for example, averaging) can be performed on the collected initial fingerprint information to obtain fingerprint characteristics.
步骤204,使用私有加密密钥,对获取的生物特征进行加密,得到当前用户的加密 特征。Step 204: Use the private encryption key to encrypt the acquired biological characteristics to obtain the encryption characteristics of the current user.
需要说明的是,这里服务端在进行加密时所使用的加密算法,可以为预定义的加密算法,如,将被加密数据扩展至指定位数等。也可以为任一公开加密算法,如elgamal算法等。前提是该加密算法需由服务端和客户端预先协商得到。此外,服务端在进行加密时,可以针对该加密算法生成对应的参数(即私有加密密钥),从而服务端通过使用协商的加密算法以及对应的私有加密密钥进行加密。本说明书中,之所以将上述参数称为私有加密密钥,是因为该私有加密密钥不存在对应的解密密钥。It should be noted that the encryption algorithm used by the server here when encrypting can be a predefined encryption algorithm, such as expanding the encrypted data to a specified number of bits. It can also be any public encryption algorithm, such as the elgamal algorithm. The premise is that the encryption algorithm needs to be negotiated in advance by the server and the client. In addition, when the server performs encryption, it can generate corresponding parameters (ie, private encryption keys) for the encryption algorithm, so that the server performs encryption by using the negotiated encryption algorithm and the corresponding private encryption key. In this specification, the above parameter is referred to as a private encryption key because there is no corresponding decryption key for the private encryption key.
可以理解的是,服务端针对上述加密算法所生成的私有加密密钥是保密的,不对外公开。It is understandable that the private encryption key generated by the server for the above encryption algorithm is kept secret and will not be disclosed to the outside world.
可选地,对于上述加密特征,服务端可以采用编码算法,对该加密特征进行编码,得到编码结果。在一个例子中,该编码算法可以为base64算法等。可以理解的是,通过执行该编码的步骤,可以节约加密特征所占用的存储空间。Optionally, for the aforementioned encryption feature, the server can use an encoding algorithm to encode the encryption feature to obtain an encoding result. In an example, the encoding algorithm may be a base64 algorithm or the like. It is understandable that by performing this encoding step, the storage space occupied by the encryption feature can be saved.
步骤206,使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录。Step 206: Use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user.
对于上述加密特征,或者加密特征的编码结果,服务端可以对其进行二次加密,得到用户的加密记录。这里服务端进行二次加密时所使用的加密算法可以为任一公开加密算法,如elgamal算法等。这里二次加密时所使用的加密算法也可以由服务端和客户端预先协商得到。同样地,服务端在进行二次加密时,也可以针对加密算法生成对应的参数(即第二加密密钥),从而服务端通过使用协商的加密算法以及对应的第二加密密钥进行二次加密。需要说明的是,这里的第二加密密钥与第二解密密钥相对应。For the aforementioned encryption feature, or the result of the encryption feature, the server can perform secondary encryption on it to obtain the encrypted record of the user. Here, the encryption algorithm used by the server for secondary encryption can be any public encryption algorithm, such as the elgamal algorithm. The encryption algorithm used in the secondary encryption can also be negotiated in advance by the server and the client. Similarly, when the server performs secondary encryption, it can also generate the corresponding parameters (ie, the second encryption key) for the encryption algorithm, so that the server performs the secondary encryption by using the negotiated encryption algorithm and the corresponding second encryption key. encryption. It should be noted that the second encryption key here corresponds to the second decryption key.
步骤208,将当前用户的加密记录输出至对应的原始库文件中。Step 208: Output the encrypted record of the current user to the corresponding original library file.
步骤210,在原始库文件中加密记录的个数达到阈值时,对原始库文件进行加密,得到加密库文件。Step 210: When the number of encrypted records in the original library file reaches the threshold, encrypt the original library file to obtain an encrypted library file.
在得到用户的加密记录之后,服务端可以将用户的加密记录输出至对应的原始库文件中。该原始库文件可以由服务端预先生成。之后,可以判断原始库文件中的加密记录的个数是否达到阈值,若是,则可以对原始库文件进行加密,得到加密库文件。After obtaining the user's encrypted record, the server can output the user's encrypted record to the corresponding original library file. The original library file can be generated in advance by the server. After that, it can be judged whether the number of encrypted records in the original library file reaches the threshold, and if so, the original library file can be encrypted to obtain the encrypted library file.
需要说明的是,这里对原始库文件加密所使用的加密算法也可以为由服务端和客户端预先协商得到的任一公开加密算法。此外,服务端在对原始库文件进行加密时,也可以针对加密算法生成对应的参数(以下称数据库加密密钥),从而服务端通过使用协 商的加密算法以及数据库加密密钥,对原始库文件进行加密。该数据库加密密钥与数据库解密密钥相对应。It should be noted that the encryption algorithm used for encrypting the original library file can also be any public encryption algorithm negotiated in advance by the server and the client. In addition, when the server encrypts the original library file, it can also generate corresponding parameters for the encryption algorithm (hereinafter referred to as the database encryption key), so that the server uses the negotiated encryption algorithm and the database encryption key to compare the original library file Encrypted. The database encryption key corresponds to the database decryption key.
还需要说明的是,在实际应用中,所生成的加密库文件的个数可以为多个。It should also be noted that in practical applications, the number of generated encrypted library files can be multiple.
步骤212,向客户端发送加密库文件,以使得客户端在对加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现待认证用户的身份认证。Step 212: Send the encrypted library file to the client, so that after decrypting the encrypted library file, the client compares each encrypted record that has been decrypted once with the encryption characteristics of the user to be authenticated to realize the user's information to be authenticated. Authentication.
由上可以看出,本说明书实施例中,服务端下发至客户端的用户的生物特征是经过多层加密的,从而本方案可以有效提高用户的生物特征的安全性。It can be seen from the above that, in the embodiment of this specification, the user's biometrics sent by the server to the client are encrypted with multiple layers, so this solution can effectively improve the security of the user's biometrics.
以下对客户端基于服务端下发的加密库文件,对用户的身份认证过程进行说明。The following describes the user's identity authentication process based on the encrypted library file issued by the server on the client.
图3为本说明书另一个实施例提供的保护隐私的身份认证方法流程图。所述方法的执行主体可以为图1中的客户端。如图3所示,所述方法可以包括步骤302~步骤310。Fig. 3 is a flowchart of an identity authentication method for protecting privacy provided by another embodiment of this specification. The execution subject of the method may be the client in FIG. 1. As shown in FIG. 3, the method may include step 302 to step 310.
步骤302,获取待认证用户的生物特征。Step 302: Obtain the biological characteristics of the user to be authenticated.
如,可以是在待认证用户向客户端请求某种服务(如,支付服务)时,获取待认证用户的生物特征。这里的生物特征可以包括生理特征和行为特征。其中,生理特征可以包括以下至少一种:人脸特征、指纹特征和虹膜特征等。行为特征可以包括声音特征和步态特征等。For example, when the user to be authenticated requests a certain service (such as a payment service) from the client, the biometric characteristics of the user to be authenticated can be obtained. The biological characteristics here can include physiological characteristics and behavioral characteristics. Among them, the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on. Behavioral characteristics can include voice characteristics and gait characteristics.
以生物特征为人脸特征为例来说,该获取过程可以为:客户端通过采集模块(如,摄像头)采集待认证用户的人脸图像。之后,可以将该人脸图像输入特征提取模型,得到人脸特征。这里的特征提取模型设置于客户端,其可以包括但不限于SURF、SIFT、ORB、FAST以及Harris等特征点检测算法。Taking the biometric feature as the face feature as an example, the acquisition process may be: the client terminal collects the face image of the user to be authenticated through a collection module (for example, a camera). After that, the face image can be input into the feature extraction model to obtain face features. The feature extraction model here is set on the client, and it can include but is not limited to feature point detection algorithms such as SURF, SIFT, ORB, FAST, and Harris.
应理解,上述只是针对人脸特征的获取过程的说明,在生物特征为指纹特征时,上述采集模块可以为指纹感应器。其相应的指纹特征的获取过程可以为:客户端通过指纹感应器采集待认证用户的初始指纹信息。之后,可以对采集到的初始指纹信息进行预定运算(如,求平均),得到指纹特征。It should be understood that the foregoing is only an illustration of the process of obtaining facial features, and when the biological feature is a fingerprint feature, the aforementioned acquisition module may be a fingerprint sensor. The corresponding fingerprint feature acquisition process may be: the client uses the fingerprint sensor to collect the initial fingerprint information of the user to be authenticated. After that, a predetermined operation (for example, averaging) can be performed on the collected initial fingerprint information to obtain fingerprint characteristics.
步骤304,使用私有加密密钥,对待认证用户的生物特征进行加密,得到加密特征。Step 304: Use the private encryption key to encrypt the biological characteristics of the user to be authenticated to obtain the encrypted characteristics.
这里的私有加密密钥即为服务端在对用户的生物特征进行一次加密时所使用的私有加密密钥,此外,这里所使用的加密算法也为服务端在一次加密时所使用的预定义的加密算法或者任一公开加密算法。也就是说,该步骤中所使用的加密算法和私有加密密 钥与步骤204相同。The private encryption key here is the private encryption key used by the server to encrypt the user's biometrics once. In addition, the encryption algorithm used here is also the predefined one used by the server for one-time encryption. Encryption algorithm or any public encryption algorithm. In other words, the encryption algorithm and private encryption key used in this step are the same as those in step 204.
步骤306,对加密库文件进行解密,得到原始库文件。Step 306: Decrypt the encrypted library file to obtain the original library file.
应理解,当加密库文件的个数为多个时,这里可以是依次将每个加密库文件读取到内存并解密。之后,针对解密后得到的每个原始库文件执行步骤308-步骤310。It should be understood that when the number of encrypted library files is more than one, each encrypted library file may be sequentially read into the memory and decrypted here. After that, step 308 to step 310 are performed for each original library file obtained after decryption.
步骤306中,对加密库文件进行解密所使用的密钥即为上述数据库解密密钥,其可以是由服务端在针对原始库文件的加密算法,生成对应的数据库加密密钥时生成。以加密算法为elgamal算法为例来说,由于其相应的解密算法为elgamal算法,因此,在生成数据库加密密钥时,可以同时生成数据库加密密钥对应的数据库解密密钥。In step 306, the key used to decrypt the encrypted library file is the aforementioned database decryption key, which may be generated by the server when generating the corresponding database encryption key for the encryption algorithm of the original library file. Taking the encryption algorithm as the elgamal algorithm as an example, since the corresponding decryption algorithm is the elgamal algorithm, when the database encryption key is generated, the database decryption key corresponding to the database encryption key can be generated at the same time.
步骤308,对于原始库文件,使用第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录。Step 308: For the original library file, use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once to obtain each encrypted record that has undergone one decryption.
这里的第二解密密钥可以是由服务端在针对二次加密时所使用的加密算法,生成对应的第二加密密钥时生成。以加密算法为elgamal算法为例来说,由于其相应的解密算法为elgamal算法,因此,在生成第二加密密钥时,可以同时生成第二加密密钥对应的第二解密密钥。The second decryption key here may be generated when the server generates the corresponding second encryption key for the encryption algorithm used in the secondary encryption. Taking the encryption algorithm as the elgamal algorithm as an example, since the corresponding decryption algorithm is the elgamal algorithm, when the second encryption key is generated, the second decryption key corresponding to the second encryption key can be generated at the same time.
需要说明的是,当服务端未执行编码的步骤时,经过一次解密的各条加密记录即为服务端使用私有加密密钥,对多个用户的生物特征进行一次加密后的各用户的加密特征。而当服务端还执行编码的步骤时,服务端在得到上述经过一次解密的各条加密记录之后,还可以基于编码算法对应的解码算法,对其进行解码,从而得到解码后的各条加密记录。进而解码后的各条加密记录即为服务端使用私有加密密钥,对多个用户的生物特征进行一次加密后的各用户的加密特征。It should be noted that when the server does not perform the encoding step, each encrypted record that has been decrypted once is the encrypted feature of each user after the server uses the private encryption key to encrypt the biological characteristics of multiple users once. . When the server also performs the encoding step, after obtaining the above-mentioned encrypted records that have been decrypted once, the server can also decode them based on the decoding algorithm corresponding to the encoding algorithm to obtain the decoded encrypted records . Furthermore, each encrypted record after decoding is the encrypted feature of each user after the server uses the private encryption key to encrypt the biological characteristics of multiple users once.
需要说明的是,在实际应用中,上述步骤302-步骤304与步骤306-步骤308的执行顺序也可以互换,或者也可以并行执行,本说明书对此不作限定。It should be noted that in practical applications, the execution order of the above steps 302 to 304 and steps 306 to 308 can also be interchanged, or can be executed in parallel, which is not limited in this specification.
步骤310,将待认证用户的加密特征与经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则待认证用户的身份认证通过。Step 310: Compare the encryption feature of the user to be authenticated with each encrypted record that has been decrypted once, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
在一个示例中,上述比对的步骤具体可以包括:依次计算待认证用户的加密特征与经过一次解密的各条加密记录之间的相似度。这里的相似度可以包括但不限于余弦相似度、欧氏距离、曼哈顿距离以及皮尔逊相关系数等等。若与经过一次解密的任一加密记录之间的相似度大于阈值,则可以认为待认证用户的加密特征与该经过一次解密的加密记录相匹配,从而待认证用户的身份认证通过。In an example, the step of comparing may specifically include: sequentially calculating the similarity between the encryption feature of the user to be authenticated and each encrypted record that has been decrypted once. The similarity here can include but is not limited to cosine similarity, Euclidean distance, Manhattan distance, Pearson correlation coefficient, and so on. If the similarity with any encrypted record that has been decrypted once is greater than the threshold, it can be considered that the encryption feature of the user to be authenticated matches the encrypted record that has been decrypted once, and the identity of the user to be authenticated is authenticated.
由上可以得出,本说明书实施例在对待认证用户的身份进行认证时,采用加密域数据的比对方法,由此可以避免在客户端存储用户的原始生物特征,从而可以有效提高用户的生物特征的安全性。此外,由于本方案采用加密域数据的比对方法,从而在用户的生物特征被盗取时,可以通过变更私有加密密钥,迫使预先存储的用户的生物特征失效。在预先存储的用户的生物特征失效的情况下,比对过程就会失败,这可以有效避免欺诈行为,进而可以提升用户体验。It can be concluded from the above that the embodiment of this specification adopts the method of comparing encrypted domain data when authenticating the identity of the user to be authenticated, which can avoid storing the user’s original biological characteristics on the client side, thereby effectively improving the user’s biological characteristics. Characteristic security. In addition, because this solution adopts the method of comparing encrypted domain data, when the user's biological characteristics are stolen, the private encryption key can be changed to force the pre-stored user's biological characteristics to become invalid. In the case that the pre-stored user's biometrics are invalid, the comparison process will fail, which can effectively avoid fraudulent behaviors, thereby improving user experience.
与上述保护隐私的身份认证方法对应地,本说明书一个实施例还提供的一种保护隐私的身份认证装置,该装置设置于客户端。这里的客户端维护有加密库文件,该加密库文件通过对原始库文件进行加密得到。原始库文件中记录有多条加密记录,其中的每条加密记录至少通过对一个用户的生物特征先使用私有加密密钥进行一次加密,再使用第二加密密钥进行二次加密得到。如图4所示,该装置可以包括以下单元。Corresponding to the above-mentioned privacy-protecting identity authentication method, an embodiment of this specification also provides a privacy-protecting identity authentication device, which is set on the client. The client here maintains an encrypted library file, which is obtained by encrypting the original library file. There are multiple encrypted records recorded in the original library file, and each of the encrypted records is obtained at least by first encrypting a user's biological characteristics with a private encryption key once, and then using a second encryption key for a second encryption. As shown in Figure 4, the device may include the following units.
获取单元402,用于获取待认证用户的生物特征。The acquiring unit 402 is configured to acquire the biological characteristics of the user to be authenticated.
这里的生物特征可以包括生理特征和行为特征。其中,生理特征可以包括以下至少一种:人脸特征、指纹特征和虹膜特征等。行为特征可以包括声音特征和步态特征等。The biological characteristics here can include physiological characteristics and behavioral characteristics. Among them, the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on. Behavioral characteristics can include voice characteristics and gait characteristics.
加密单元404,用于使用私有加密密钥,对获取单元402获取的待认证用户的生物特征进行加密,得到加密特征。The encryption unit 404 is configured to use the private encryption key to encrypt the biological characteristics of the user to be authenticated obtained by the obtaining unit 402 to obtain the encrypted characteristics.
解密单元406,用于对加密库文件进行解密,得到原始库文件。The decryption unit 406 is used to decrypt the encrypted library file to obtain the original library file.
解密单元406,还用于对于原始库文件,使用第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录。The decryption unit 406 is also configured to use the second decryption key corresponding to the second encryption key to decrypt each encrypted record once for the original library file to obtain each encrypted record that has been decrypted once.
比对单元408,用于将加密单元404得到的加密特征与解密单元406得到的经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则待认证用户的身份认证通过。The comparison unit 408 is configured to compare the encryption feature obtained by the encryption unit 404 with each encrypted record obtained by the decryption unit 406 after one decryption, and if it matches any encrypted record after one decryption, the user to be authenticated The identity authentication passed.
本说明书上述实施例装置的各功能模块的功能,可以通过上述方法实施例的各步骤来实现,因此,本说明书一个实施例提供的装置的具体工作过程,在此不复赘述。The function of each functional module of the device in the above-mentioned embodiment of this specification can be realized by the steps of the above-mentioned method embodiment. Therefore, the specific working process of the device provided in an embodiment of this specification will not be repeated here.
本说明书一个实施例提供的保护隐私的身份认证装置,可以有效提高用户的生物特征的安全性。The privacy-protecting identity authentication device provided by an embodiment of this specification can effectively improve the security of the user's biological characteristics.
与上述保护隐私的身份认证方法对应地,本说明书一个实施例还提供的一种保护隐私的身份认证装置,该装置设置于服务端。如图5所示,该装置可以包括以下单元。Corresponding to the aforementioned privacy-protecting identity authentication method, an embodiment of this specification also provides a privacy-protecting identity authentication device, which is set on the server. As shown in Figure 5, the device may include the following units.
获取单元502,用于获取当前用户的生物特征。The acquiring unit 502 is configured to acquire the biological characteristics of the current user.
这里的生物特征可以包括生理特征和行为特征。其中,生理特征可以包括以下至少一种:人脸特征、指纹特征和虹膜特征等。行为特征可以包括声音特征和步态特征等。The biological characteristics here can include physiological characteristics and behavioral characteristics. Among them, the physiological characteristics may include at least one of the following: facial characteristics, fingerprint characteristics, iris characteristics, and so on. Behavioral characteristics can include voice characteristics and gait characteristics.
加密单元504,用于使用私有加密密钥,对获取单元502获取的生物特征进行加密,得到当前用户的加密特征。The encryption unit 504 is configured to use the private encryption key to encrypt the biological characteristics obtained by the obtaining unit 502 to obtain the encryption characteristics of the current user.
加密单元504,还用于使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录。The encryption unit 504 is also configured to use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user.
输出单元506,用于将加密单元504得到的当前用户的加密记录输出至对应的原始库文件中。The output unit 506 is configured to output the encrypted record of the current user obtained by the encryption unit 504 to the corresponding original library file.
加密单元504,还用于在原始库文件中加密记录的个数达到阈值时,对原始库文件进行加密,得到加密库文件。The encryption unit 504 is further configured to encrypt the original library file to obtain the encrypted library file when the number of encrypted records in the original library file reaches the threshold.
发送单元508,用于向客户端发送加密单元504得到的加密库文件,以使得客户端在对加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现待认证用户的身份认证。The sending unit 508 is configured to send the encrypted library file obtained by the encrypting unit 504 to the client, so that after decrypting the encrypted library file, the client decrypts each encrypted record that has been decrypted once and the encryption characteristics of the user to be authenticated. The comparison is performed to realize the identity authentication of the user to be authenticated.
可选地,该装置还可以包括:编码单元(图中未示出),用于根据编码算法,对当前用户的加密特征进行编码,得到编码结果。Optionally, the device may further include: an encoding unit (not shown in the figure) for encoding the encryption feature of the current user according to an encoding algorithm to obtain an encoding result.
加密单元504具体可以用于:使用第二加密密钥,对编码结果进行二次加密,得到当前用户的加密记录。The encryption unit 504 may be specifically configured to: use the second encryption key to perform secondary encryption on the encoding result to obtain the encrypted record of the current user.
本说明书上述实施例装置的各功能模块的功能,可以通过上述方法实施例的各步骤来实现,因此,本说明书一个实施例提供的装置的具体工作过程,在此不复赘述。The function of each functional module of the device in the above-mentioned embodiment of this specification can be realized by the steps of the above-mentioned method embodiment. Therefore, the specific working process of the device provided in an embodiment of this specification will not be repeated here.
本说明书一个实施例提供的保护隐私的身份认证装置,可以有效提高用户的生物特征的安全性。The privacy-protecting identity authentication device provided by an embodiment of this specification can effectively improve the security of the user's biological characteristics.
另一方面,本说明书的实施例提供了一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行图2或图3所示的方法。On the other hand, the embodiments of this specification provide a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, the computer is caused to execute the method shown in FIG. 2 or FIG. 3.
另一方面,本说明书的实施例提供一种计算设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现图2或图3所示的方法。On the other hand, the embodiments of the present specification provide a computing device, including a memory and a processor, the memory stores executable code, and when the processor executes the executable code, the implementation shown in FIG. 2 or FIG. 3 is implemented. Indicates the method.
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部 分互相参见即可,每个实施例重点说明的都是与其他实施例的不同之处。尤其,对于设备实施例而言,由于其基本相似于方法实施例,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。The various embodiments in this specification are described in a progressive manner, and the same or similar parts between the various embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.
结合本说明书公开内容所描述的方法或者算法的步骤可以硬件的方式来实现,也可以是由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于RAM存储器、闪存、ROM存储器、EPROM存储器、EEPROM存储器、寄存器、硬盘、移动硬盘、CD-ROM或者本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于ASIC中。另外,该ASIC可以位于服务器中。当然,处理器和存储介质也可以作为分立组件存在于服务器中。The steps of the method or algorithm described in conjunction with the disclosure of this specification can be implemented in a hardware manner, or can be implemented in a manner in which a processor executes software instructions. Software instructions can be composed of corresponding software modules, which can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, mobile hard disk, CD-ROM or any other form of storage known in the art Medium. An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in the ASIC. In addition, the ASIC may be located in the server. Of course, the processor and the storage medium may also exist as discrete components in the server.
本领域技术人员应该可以意识到,在上述一个或多个示例中,本发明所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。Those skilled in the art should be aware that, in one or more of the above examples, the functions described in the present invention can be implemented by hardware, software, firmware, or any combination thereof. When implemented by software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or codes on the computer-readable medium. The computer-readable medium includes a computer storage medium and a communication medium, where the communication medium includes any medium that facilitates the transfer of a computer program from one place to another. The storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
上述对本说明书特定实施例进行了描述。其它实施例在所附权利要求书的范围内。在一些情况下,在权利要求书中记载的动作或步骤可以按照不同于实施例中的顺序来执行并且仍然可以实现期望的结果。另外,在附图中描绘的过程不一定要求示出的特定顺序或者连续顺序才能实现期望的结果。在某些实施方式中,多任务处理和并行处理也是可以的或者可能是有利的。The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps described in the claims can be performed in a different order than in the embodiments and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
以上所述的具体实施方式,对本说明书的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上所述仅为本说明书的具体实施方式而已,并不用于限定本说明书的保护范围,凡在本说明书的技术方案的基础之上,所做的任何修改、等同替换、改进等,均应包括在本说明书的保护范围之内。The specific implementations described above further describe the purpose, technical solutions and beneficial effects of this specification. It should be understood that the above are only specific implementations of this specification and are not intended to limit the description of this specification. The scope of protection, any modification, equivalent replacement, improvement, etc. made on the basis of the technical solution of this specification shall be included in the scope of protection of this specification.

Claims (12)

  1. 一种保护隐私的身份认证方法,通过客户端执行;所述客户端维护有加密库文件,该加密库文件通过对原始库文件进行加密得到;所述原始库文件中记录有多条加密记录,其中的每条加密记录至少通过对一个用户的生物特征先使用私有加密密钥进行一次加密,再使用第二加密密钥进行二次加密得到;所述方法包括:A privacy-protecting identity authentication method, executed by a client; the client maintains an encrypted library file, which is obtained by encrypting the original library file; the original library file records multiple encrypted records, Each of the encrypted records is obtained by at least one encryption of a user's biological characteristics using a private encryption key, and then a second encryption using a second encryption key; the method includes:
    获取待认证用户的生物特征;Obtain the biological characteristics of the user to be authenticated;
    使用所述私有加密密钥,对所述待认证用户的生物特征进行加密,得到加密特征;Use the private encryption key to encrypt the biological characteristics of the user to be authenticated to obtain encrypted characteristics;
    对所述加密库文件进行解密,得到所述原始库文件;Decrypt the encrypted library file to obtain the original library file;
    对于所述原始库文件,使用所述第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录;For the original library file, use a second decryption key corresponding to the second encryption key to decrypt each encrypted record once to obtain each encrypted record that has been decrypted once;
    将所述加密特征与经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则所述待认证用户的身份认证通过。The encryption feature is compared with each encrypted record that has been decrypted once, and if it matches any encrypted record that has been decrypted once, the identity authentication of the user to be authenticated passes.
  2. 根据权利要求1所述的方法,所述生物特征包括生理特征和行为特征;所述生理特征包括以下至少一种:人脸特征、指纹特征和虹膜特征;所述行为特征包括声音特征和步态特征。The method according to claim 1, wherein the biological characteristics include physiological characteristics and behavioral characteristics; the physiological characteristics include at least one of the following: facial characteristics, fingerprint characteristics, and iris characteristics; the behavioral characteristics include voice characteristics and gait feature.
  3. 一种保护隐私的身份认证方法,通过服务端执行;所述方法包括:A privacy-protecting identity authentication method, executed by the server; the method includes:
    获取当前用户的生物特征;Obtain the current user's biological characteristics;
    使用私有加密密钥,对所述生物特征进行加密,得到当前用户的加密特征;Use a private encryption key to encrypt the biological characteristics to obtain the encryption characteristics of the current user;
    使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录;Use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user;
    将当前用户的加密记录输出至对应的原始库文件中;Output the encrypted record of the current user to the corresponding original library file;
    在所述原始库文件中加密记录的个数达到阈值时,对所述原始库文件进行加密,得到加密库文件;When the number of encrypted records in the original library file reaches a threshold, encrypt the original library file to obtain an encrypted library file;
    向客户端发送所述加密库文件,以使得所述客户端在对所述加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待认证用户的加密特征进行比对实现所述待认证用户的身份认证。Send the encrypted library file to the client, so that the client, after decrypting the encrypted library file, compares each encrypted record that has been decrypted once with the encryption characteristics of the user to be authenticated. Describe the identity authentication of the user to be authenticated.
  4. 根据权利要求3所述的方法,在所述使用第二加密密钥,对当前用户的加密特征进行二次加密之前,还包括:The method according to claim 3, before said using the second encryption key to perform secondary encryption on the encryption features of the current user, the method further comprises:
    根据编码算法,对所述当前用户的加密特征进行编码,得到编码结果;Encoding the encryption feature of the current user according to the encoding algorithm to obtain an encoding result;
    所述使用第二加密密钥,对当前用户的加密特征进行二次加密,包括:The using the second encryption key to perform secondary encryption on the encryption feature of the current user includes:
    使用所述第二加密密钥,对所述编码结果进行二次加密,得到当前用户的加密记录。Use the second encryption key to perform secondary encryption on the encoding result to obtain an encrypted record of the current user.
  5. 根据权利要求3或4任一项所述的方法,所述生物特征包括生理特征和行为特征;所述生理特征包括以下至少一种:人脸特征、指纹特征和虹膜特征;所述行为特征包括声音特征和步态特征。The method according to any one of claims 3 or 4, wherein the biological characteristics include physiological characteristics and behavioral characteristics; the physiological characteristics include at least one of the following: facial characteristics, fingerprint characteristics, and iris characteristics; the behavioral characteristics include Voice characteristics and gait characteristics.
  6. 一种保护隐私的身份认证装置,设置于客户端;所述客户端维护有加密库文件,该加密库文件通过对原始库文件进行加密得到;所述原始库文件中记录有多条加密记录,其中的每条加密记录至少通过对一个用户的生物特征先使用私有加密密钥进行一次加密,再使用第二加密密钥进行二次加密得到;所述装置包括:A privacy-protecting identity authentication device is set on a client terminal; the client terminal maintains an encrypted library file obtained by encrypting the original library file; the original library file records multiple encrypted records, Each of the encrypted records is obtained at least by first encrypting the biological characteristics of a user using a private encryption key, and then using a second encryption key to perform secondary encryption; the device includes:
    获取单元,用于获取待认证用户的生物特征;The obtaining unit is used to obtain the biological characteristics of the user to be authenticated;
    加密单元,用于使用所述私有加密密钥,对所述获取单元获取的所述待认证用户的生物特征进行加密,得到加密特征;An encryption unit, configured to use the private encryption key to encrypt the biological characteristics of the user to be authenticated acquired by the acquisition unit to obtain encrypted characteristics;
    解密单元,用于对所述加密库文件进行解密,得到所述原始库文件;The decryption unit is used to decrypt the encrypted library file to obtain the original library file;
    所述解密单元,还用于对于所述原始库文件,使用所述第二加密密钥对应的第二解密密钥对其中的各条加密记录进行一次解密,得到经过一次解密的各条加密记录;The decryption unit is further configured to use a second decryption key corresponding to the second encryption key to decrypt each encrypted record once for the original library file to obtain each encrypted record that has been decrypted once. ;
    比对单元,用于将所述加密单元得到的所述加密特征与所述解密单元得到的经过一次解密的各条加密记录进行比对,若与经过一次解密的任一加密记录相匹配,则所述待认证用户的身份认证通过。The comparison unit is configured to compare the encryption feature obtained by the encryption unit with each encrypted record obtained by the decryption unit after one decryption, and if it matches any encrypted record after one decryption, then The identity authentication of the user to be authenticated passes.
  7. 根据权利要求6所述的装置,所述生物特征包括生理特征和行为特征;所述生理特征包括以下至少一种:人脸特征、指纹特征和虹膜特征;所述行为特征包括声音特征和步态特征。The device according to claim 6, wherein the biological characteristics include physiological characteristics and behavioral characteristics; the physiological characteristics include at least one of the following: facial characteristics, fingerprint characteristics, and iris characteristics; the behavioral characteristics include voice characteristics and gait feature.
  8. 一种保护隐私的身份认证装置,设置于服务端;所述装置包括:A privacy-protecting identity authentication device, which is set on the server; the device includes:
    获取单元,用于获取当前用户的生物特征;The acquiring unit is used to acquire the biological characteristics of the current user;
    加密单元,用于使用私有加密密钥,对所述获取单元获取的所述生物特征进行加密,得到当前用户的加密特征;An encryption unit, configured to use a private encryption key to encrypt the biological characteristics acquired by the acquisition unit to obtain the encryption characteristics of the current user;
    所述加密单元,还用于使用第二加密密钥,对当前用户的加密特征进行二次加密,得到当前用户的加密记录;The encryption unit is further configured to use the second encryption key to perform secondary encryption on the encryption feature of the current user to obtain the encryption record of the current user;
    输出单元,用于将所述加密单元得到的当前用户的加密记录输出至对应的原始库文件中;The output unit is configured to output the encrypted record of the current user obtained by the encryption unit to the corresponding original library file;
    所述加密单元,还用于在所述原始库文件中加密记录的个数达到阈值时,对所述原始库文件进行加密,得到加密库文件;The encryption unit is further configured to encrypt the original library file to obtain an encrypted library file when the number of encrypted records in the original library file reaches a threshold;
    发送单元,用于向客户端发送所述加密单元得到的所述加密库文件,以使得所述客户端在对所述加密库文件进行解密后通过将其中的经过一次解密的各条加密记录与待 认证用户的加密特征进行比对实现所述待认证用户的身份认证。The sending unit is configured to send the encrypted library file obtained by the encryption unit to the client, so that the client decrypts the encrypted library file by combining the encrypted records that have been decrypted once with The encryption features of the user to be authenticated are compared to realize the identity authentication of the user to be authenticated.
  9. 根据权利要求8所述的装置,还包括:The device according to claim 8, further comprising:
    编码单元,用于根据编码算法,对所述当前用户的加密特征进行编码,得到编码结果;An encoding unit, used to encode the encryption feature of the current user according to an encoding algorithm to obtain an encoding result;
    所述加密单元具体用于:The encryption unit is specifically used for:
    使用所述第二加密密钥,对所述编码结果进行二次加密,得到当前用户的加密记录。Use the second encryption key to perform secondary encryption on the encoding result to obtain an encrypted record of the current user.
  10. 根据权利要求8或9任一项所述的装置,所述生物特征包括生理特征和行为特征;所述生理特征包括以下至少一种:人脸特征、指纹特征和虹膜特征;所述行为特征包括声音特征和步态特征。The device according to any one of claims 8 or 9, wherein the biological characteristics include physiological characteristics and behavioral characteristics; the physiological characteristics include at least one of the following: facial characteristics, fingerprint characteristics, and iris characteristics; the behavioral characteristics include Voice characteristics and gait characteristics.
  11. 一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行权利要求1-2中任一项所述的方法或权利要求3-5中任一项所述的方法。A computer-readable storage medium having a computer program stored thereon, and when the computer program is executed in a computer, the computer is caused to execute the method described in any one of claims 1-2 or any one of claims 3-5 The method described in one item.
  12. 一种计算设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现权利要求1-2中任一项所述的方法或权利要求3-5所述的方法。A computing device, comprising a memory and a processor, the memory is stored with executable code, and when the processor executes the executable code, the method or claim in any one of claims 1-2 is implemented The method described in 3-5.
PCT/CN2021/074244 2020-03-19 2021-01-28 Identity authentication method for privacy protection, and apparatus WO2021184974A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010198198.4 2020-03-19
CN202010198198.4A CN111382409A (en) 2020-03-19 2020-03-19 Identity authentication method and device for protecting privacy

Publications (1)

Publication Number Publication Date
WO2021184974A1 true WO2021184974A1 (en) 2021-09-23

Family

ID=71217350

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/074244 WO2021184974A1 (en) 2020-03-19 2021-01-28 Identity authentication method for privacy protection, and apparatus

Country Status (2)

Country Link
CN (1) CN111382409A (en)
WO (1) WO2021184974A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy
CN112000940B (en) * 2020-09-11 2022-07-12 支付宝(杭州)信息技术有限公司 User identification method, device and equipment under privacy protection
CN112948795B (en) * 2021-02-19 2022-04-12 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984576A (en) * 2010-10-22 2011-03-09 北京工业大学 Method and system for authenticating anonymous identity based on face encryption
CN108965222A (en) * 2017-12-08 2018-12-07 翟红鹰 Identity identifying method, system and computer readable storage medium
CN110119608A (en) * 2014-03-27 2019-08-13 阿里巴巴集团控股有限公司 A kind of biological information processing method, biological information store method and device
CN110287670A (en) * 2019-06-26 2019-09-27 北京芯安微电子技术有限公司 A kind of biological information and identity information correlating method, system and equipment
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130107837A (en) * 2012-03-23 2013-10-02 전자부품연구원 A security system and a method for communicating data having biometric data
CN105227537A (en) * 2014-06-16 2016-01-06 华为技术有限公司 Method for authenticating user identity, terminal and service end
CN106612259B (en) * 2015-10-26 2021-03-05 创新先进技术有限公司 Identity recognition, business processing and biological characteristic information processing method and equipment
CN107305660B (en) * 2016-04-24 2021-02-02 张家界航空工业职业技术学院 Mobile phone financial transaction method and mobile phone double-set bank card
CN107707528B (en) * 2017-09-04 2020-06-30 北京京东尚科信息技术有限公司 Method and device for isolating user information
CN109086014B (en) * 2018-08-22 2021-03-16 上海旷沃科技有限公司 Method and system for realizing safe printing of file by using biometric identification technology
CN110858249B (en) * 2018-08-24 2021-11-16 中移(杭州)信息技术有限公司 Database file encryption method, database file decryption method and related devices
CN109815666B (en) * 2018-12-26 2020-12-25 航天信息股份有限公司 Identity authentication method and device based on FIDO protocol, storage medium and electronic equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984576A (en) * 2010-10-22 2011-03-09 北京工业大学 Method and system for authenticating anonymous identity based on face encryption
CN110119608A (en) * 2014-03-27 2019-08-13 阿里巴巴集团控股有限公司 A kind of biological information processing method, biological information store method and device
CN108965222A (en) * 2017-12-08 2018-12-07 翟红鹰 Identity identifying method, system and computer readable storage medium
CN110287670A (en) * 2019-06-26 2019-09-27 北京芯安微电子技术有限公司 A kind of biological information and identity information correlating method, system and equipment
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy

Also Published As

Publication number Publication date
CN111382409A (en) 2020-07-07

Similar Documents

Publication Publication Date Title
US11108546B2 (en) Biometric verification of a blockchain database transaction contributor
CN112926092B (en) Privacy-protecting identity information storage and identity authentication method and device
CN111466097B (en) Server-assisted privacy preserving biometric comparison
JP6921066B2 (en) Methods and devices to achieve session identifier synchronization
WO2021184974A1 (en) Identity authentication method for privacy protection, and apparatus
US9935947B1 (en) Secure and reliable protection and matching of biometric templates across multiple devices using secret sharing
JP4938678B2 (en) Secure calculation of similarity measures
Gomez-Barrero et al. Privacy-preserving comparison of variable-length data with application to biometric template protection
US8745405B2 (en) Dynamic seed and key generation from biometric indicia
US20200014538A1 (en) Methods and systems to facilitate authentication of a user
US7925055B2 (en) Biometric template similarity based on feature locations
US20160219046A1 (en) System and method for multi-modal biometric identity verification
US9485098B1 (en) System and method of user authentication using digital signatures
US20100138667A1 (en) Authentication using stored biometric data
JP2012044670A (en) User authentication method based on utilization of biometric identification techniques, and related architecture
CN112948795B (en) Identity authentication method and device for protecting privacy
CN111541713A (en) Identity authentication method and device based on block chain and user signature
CN111401901A (en) Authentication method and device of biological payment device, computer device and storage medium
US11681787B1 (en) Ownership validation for cryptographic asset contracts using irreversibly transformed identity tokens
Penn et al. Customisation of paillier homomorphic encryption for efficient binary biometric feature vector matching
CN112800477A (en) Data encryption and decryption system and method based on biological characteristic value
EP2192513A1 (en) Authentication using stored biometric data
CN114547589A (en) Privacy-protecting user registration and user authentication method and device
Uzun et al. Cryptographic key derivation from biometric inferences for remote authentication
JP6151627B2 (en) Biometric authentication system, biometric authentication method, and computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21770808

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21770808

Country of ref document: EP

Kind code of ref document: A1