WO2022027948A1 - Client, cloud server and identity recognition method therefor, system, and computer storage medium - Google Patents

Client, cloud server and identity recognition method therefor, system, and computer storage medium Download PDF

Info

Publication number
WO2022027948A1
WO2022027948A1 PCT/CN2021/075547 CN2021075547W WO2022027948A1 WO 2022027948 A1 WO2022027948 A1 WO 2022027948A1 CN 2021075547 W CN2021075547 W CN 2021075547W WO 2022027948 A1 WO2022027948 A1 WO 2022027948A1
Authority
WO
WIPO (PCT)
Prior art keywords
extraction algorithm
feature value
client
cloud server
library
Prior art date
Application number
PCT/CN2021/075547
Other languages
French (fr)
Chinese (zh)
Inventor
周雍恺
于文海
钱进
乔萧雅
刘国宝
孙权
Original Assignee
中国银联股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国银联股份有限公司 filed Critical 中国银联股份有限公司
Publication of WO2022027948A1 publication Critical patent/WO2022027948A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/12Fingerprints or palmprints
    • G06V40/1365Matching; Classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16Human faces, e.g. facial parts, sketches or expressions
    • G06V40/172Classification, e.g. identification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/50Maintenance of biometric data or enrolment thereof
    • G06V40/53Measures to keep reference information secret, e.g. cancellable biometrics

Definitions

  • biometrics such as face, fingerprint, etc.
  • biometrics have gradually become mainstream identification methods due to their close relationship with individual identities.
  • applications in important financial scenarios such as withdrawals, payments, and mobile banking logins.
  • Most of the current biometric identification systems directly collect and store the original plaintext images of biometrics (such as the original images of faces and fingerprints).
  • This solution can achieve good biometric matching, but at the same time there is a huge security
  • Hidden dangers and privacy compliance issues because once biometric data is leaked, it cannot be changed or destroyed, and biometrics are related to user privacy. Directly collecting and storing plaintext original images will pose compliance risks.
  • an identification method performed by a client, the method comprising: collecting biometric information of a user; using a first extraction algorithm pre-stored in the client to extract information from the biometric information extracting a first feature value; sending a first comparison request message containing the first feature value to a cloud server; receiving a second extraction algorithm from the cloud server, where the second extraction algorithm is the first extraction algorithm using the second extraction algorithm to extract a second feature value from the biometric information; and sending a registration message containing the second feature value to the cloud server for storing the second feature value .
  • the above-mentioned identification method may further include deleting the first extraction algorithm.
  • the first comparison request message and the registration message are both encrypted and transmitted.
  • the first comparison request message further includes the identification number of the first extraction algorithm
  • the registration message further includes the identification number of the second extraction algorithm
  • the second extraction algorithm is received from the cloud server. algorithm.
  • the above identification method may further include: collecting second biometric information of the user; extracting from the second biometric information by using the second extraction algorithm in the client a third feature value; and sending a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
  • a client for identity identification comprising: a collection device for collecting biometric information of a user; an extraction device for using pre-stored information in the client
  • the first extraction algorithm extracts the first feature value from the biological feature information; the sending device is used to send the first comparison request message containing the first feature value to the cloud server; and the receiving device is used for in the
  • a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm, wherein the extraction device is further configured to use the second extraction algorithm from the extracting a second feature value from the biometric information, and the sending device is further configured to send a registration message including the second feature value to the cloud server so as to store the second feature value.
  • the above client may further include a deletion device for deleting the first extraction algorithm.
  • the sending device is configured to encrypt and transmit the first comparison request message and the registration message.
  • the first comparison request message further includes the identification number of the first extraction algorithm
  • the registration message also includes the identification number of the second extraction algorithm
  • the receiving device is configured to receive from the cloud server after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm the second extraction algorithm.
  • the collection device is further configured to collect the second biometric information of the user; the extraction device is further configured to use the second biometric information in the client An extraction algorithm extracts a third feature value from the second biometric information; and the sending device is further configured to send a second comparison request message containing the third feature value and the identification number of the second extraction algorithm sent to the cloud server.
  • an identity recognition method executed by a cloud server, the method comprising: receiving a first comparison request message including a first feature value from a client, the first feature value is obtained by using The first extraction algorithm pre-stored in the client is extracted from the collected biometric information of the user; the first characteristic value is compared with the characteristic value library in the cloud server; after the comparison is passed And when there is a second extraction algorithm with a newer version than the first extraction algorithm, send the second extraction algorithm to the client; receive a registration message including the second feature value from the client, the first extraction algorithm The second feature value is extracted from the previously collected biometric information using the second extraction algorithm; and the second feature value is stored in the feature value library.
  • the first comparison request message and the registration message are both encrypted and transmitted.
  • the first comparison request message further includes the identification number of the first extraction algorithm
  • the registration message further includes the identification number of the second extraction algorithm
  • the above identification method may further include: after storing the second characteristic value in the characteristic value library, removing the first characteristic value from the characteristic value library the corresponding record.
  • the feature value library includes a first sub-feature value library corresponding to the first extraction algorithm and a second sub-feature value library corresponding to the second extraction algorithm an eigenvalue library, wherein records corresponding to the first eigenvalues are stored in the first sub-eigenvalue library, and records corresponding to the second eigenvalues are stored in the second sub-eigenvalue library .
  • a cloud server comprising: a receiving device for receiving a first comparison request message including a first feature value from a client, the first feature value is Extracted from the collected biometric information of the user by using the first extraction algorithm pre-stored in the client; a comparison device, configured to compare the first characteristic value with the characteristic value library in the cloud server pair; a sending device for sending the second extraction algorithm to the client after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm; and a storage device for storing a second characteristic value in the characteristic value library, wherein the receiving means is further configured to receive a registration message from the client comprising the second characteristic value, the second characteristic value being obtained using the The second extraction algorithm is extracted from the previously collected biometric information.
  • the first comparison request message and the registration message are both encrypted and transmitted.
  • the first comparison request message further includes the identification number of the first extraction algorithm
  • the registration message further includes the identification number of the second extraction algorithm
  • the above cloud server may further include: a removing device, configured to remove from the eigenvalue library after storing the second eigenvalue in the eigenvalue library The record corresponding to the first eigenvalue is described.
  • the feature value library includes a first sub-feature value library corresponding to the first extraction algorithm and a second sub-feature corresponding to the second extraction algorithm A value library, wherein records corresponding to the first feature values are stored in the first sub-feature value library, and records corresponding to the second feature values are stored in the second sub-feature value library.
  • the removing device is further configured to delete the corresponding data of the first extraction algorithm when the number of records in the first sub-feature value library decreases to 0 Associated modules.
  • a computer storage medium comprising instructions that, when executed, perform the aforementioned identification method.
  • an identification system which includes the aforementioned client and a cloud server.
  • the identification scheme does not directly store the plaintext of biological information or the original image (such as the original image of the face and fingerprint), but adopts the transmission and storage method.
  • the method of biometric feature value thereby protecting the original biometric information from leakage.
  • the authenticity of the identity can also be determined.
  • the eigenvalue is obviously much less recognizable to the naked eye, so that the biological privacy of the individual can be protected to a certain extent.
  • the identity recognition solution of one or more embodiments of the present invention can be insensitive to the user without requiring the user to collect biometric information again when the extraction algorithm is upgraded.
  • the client does not need to maintain and store multiple sets of biometric extraction algorithms, and almost does not increase the burden of processing and storage on the client, so that the identity recognition solution of one or more embodiments of the present invention can ensure the privacy of biometrics.
  • the availability and ease of use of algorithm upgrades are realized.
  • FIG. 1 shows a schematic flowchart of an identification method performed by a client according to an embodiment of the present invention
  • FIG. 2 shows a schematic structural diagram of a client for identity identification according to an embodiment of the present invention
  • FIG. 3 shows a schematic flowchart of an identification method performed by a cloud server according to an embodiment of the present invention.
  • FIG. 4 shows a schematic structural diagram of a cloud server for identity identification according to an embodiment of the present invention
  • FIG. 5 shows a smooth upgrade scheme of an identity recognition system in an algorithm update scenario according to an embodiment of the present invention.
  • FIG. 6 shows the identification process of the identification system according to an embodiment of the present invention.
  • FIG. 1 shows a schematic flowchart of an identity recognition method 1000 performed by a client according to an embodiment of the present invention. As shown in Figure 1, method 1000 includes the following steps:
  • step S110 collect the biometric information of the user
  • step S120 a first feature value is extracted from the biometric information by using a first extraction algorithm pre-stored in the client;
  • step S130 a first comparison request message containing the first feature value is sent to the cloud server;
  • step S140 a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm
  • step S150 using the second extraction algorithm to extract a second feature value from the biometric information
  • step S160 a registration message containing the second characteristic value is sent to the cloud server so as to store the second characteristic value.
  • the term "client” is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients.
  • the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc.
  • the client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
  • cloud server is also referred to as a remote server, which refers to a device or device corresponding to a "client” that provides remote services for the client.
  • the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server.
  • the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
  • biometric information refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.).
  • feature value refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
  • extraction algorithm also known as “biometric recognition algorithm” refers to an algorithm capable of extracting or calculating feature values from biometric information.
  • the extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
  • the client may collect the biometric information of the user in various ways.
  • the client can collect the user's fingerprint information through a pre-installed fingerprint identification module.
  • the client may collect the user's facial information through a camera.
  • the client can obtain the user's biometric information with the assistance of a third-party device, for example, through a light-reflecting diode that transmits infrared light into a small piece of skin and obtains the user's biometric information (such as the skin) by measuring the wavelength of the reflected light. thickness, cortical structure, etc.), and thereby confirm the identity of the person.
  • a first feature value is extracted from the biometric information by using a first extraction algorithm pre-stored in the client.
  • first the terms “first”, “second” and “third” are used for descriptive distinction purposes only, and should not be construed as indicating or implying relative importance. It can be understood that although the “first extraction algorithm” and the “second extraction algorithm” are both extraction algorithms, they are different from each other, and thus are distinguished by the terms “first” and “second”. The analogy can be made for "first eigenvalue”, “second eigenvalue”, and “third eigenvalue”.
  • the client only needs to store one version of the extraction algorithm.
  • the client can use the second extraction algorithm to replace the first extraction algorithm, so as to avoid maintaining multiple sets of different versions of biometric identification algorithms or extraction algorithms at the same time.
  • the algorithm reduces the complexity and storage burden of the client.
  • a first comparison request message including the first feature value is sent to the cloud server.
  • the first feature value is encrypted and distributed first, and then transmitted to the cloud server over a secure channel.
  • the first comparison request message further includes an identification number or version number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select an appropriate library of eigenvalues for comparison.
  • the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval.
  • the feature value is sent in the comparison request message, rather than the biometric information or the original image directly, which can protect the biological privacy of individuals to a certain extent.
  • biometric identification algorithm or extraction algorithm of the system When the biometric identification algorithm or extraction algorithm of the system is updated, as a client, in one embodiment, multiple sets of biometric identification algorithms of different versions need to be maintained, which increases the complexity of the system and increases the storage burden of the client. In addition, in order to calculate the feature value under the new algorithm, the client has to collect the biometric information of the entity again, which will bring an unfriendly user experience.
  • a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade.
  • the upgrade of the extraction algorithm is performed at the moment when the client initiates a new verification comparison. That is, after the cloud server receives the comparison request message, it will determine whether there is an updated version of the biometric feature extraction algorithm used by the client. If there is an updated version and the feature value in the comparison request message is successfully matched, the cloud server will The version of the algorithm is sent to the client.
  • step S150 the client uses a second extraction algorithm to extract a second feature value from the biometric information.
  • the client still uses the user's biometric information collected in step S110 (instead of re-collecting the user's biometric information) as the basis of the second extraction algorithm to calculate the second characteristic value.
  • the client calculates the feature value (eg, the second feature value) of the new version by using the biometric information that has passed the comparison of the old version as the biometric information registered in the new version, so as to achieve a "non-sensing" upgrade.
  • a registration message including the second characteristic value is sent to the cloud server so as to store the second characteristic value.
  • the first comparison request message and the registration message are both encrypted and transmitted.
  • the registration message may further include an identification number or version number of the second extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm.
  • the cloud server can register the second feature value in the feature value library (sub-library) corresponding to the version, Facilitate appropriate comparisons in the future.
  • the identification method 1000 performed by the client also includes deleting the first extraction algorithm.
  • the client deletes the first extraction algorithm and retains only the second extraction algorithm. The effect is that the client maintains only one version of the algorithm, which reduces the complexity.
  • the identification method 1000 performed by the client may further include: collecting second biometric information of the user; using the second extraction algorithm in the client to extract information from the second biometric information extracting a third feature value; and sending a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
  • the cloud server can select an appropriate eigenvalue (sub) library to compare with the third eigenvalue, which reduces the complexity of the comparison.
  • a secure multi-party computation (Secure Multi-Party Computation, MPC or SMPC) method is used to store and identify the secret state, and such a security protection level can be higher.
  • MPC Secure Multi-Party Computation
  • SMPC Simple Multi-Party Computation
  • the so-called secure multi-party computing is to solve the collaborative computing problem of privacy protection between a group of distrusting participants. Other members involved in the calculation.
  • Each secure multi-party computing participating node has the same status, can initiate collaborative computing tasks, or choose to participate in computing tasks initiated by other parties. Routing addressing and computing logic transmission are controlled by the hub node, looking for relevant data to transmit computing logic at the same time.
  • Each secure multi-party computing node completes data extraction and calculation in the local database according to the calculation logic, and routes the output calculation result to the designated node, so that the multi-party node completes the collaborative computing task and outputs the unique result.
  • all data of all parties is local and not provided to other nodes. Under the condition of ensuring data privacy, the calculation results are fed back to the entire computing task system, so that all parties can get correct data feedback.
  • the identity recognition method 1000 executed by the client can also realize that the user is insensitive when the extraction algorithm is updated, and at the same time, it hardly increases the burden of processing and storage on the client. , so that the biometric recognition system based on feature value can ensure the privacy of biometric features, and at the same time can realize the availability and ease of use of algorithm upgrade.
  • FIG. 2 shows a schematic structural diagram of a client 2000 for identity recognition according to an embodiment of the present invention.
  • the client 2000 includes a collecting device 210 , an extracting device 220 , a sending device 230 and a receiving device 240 .
  • the collecting device 210 is used for collecting the biometric information of the user; the extracting device 220 is used for extracting the first feature value from the biometric information by using the first extraction algorithm pre-stored in the client; the sending device 230 is used for extracting the first feature value from the biometric information; Sending a first comparison request message including the first feature value to the cloud server; and the receiving device 240 is configured to receive a second extraction algorithm from the cloud server, where the second extraction algorithm is part of the first extraction algorithm The updated version, wherein the extracting means 220 is further configured to extract a second feature value from the biometric information by using the second extraction algorithm, and the sending device 230 is further configured to A registration message is sent to the cloud server for storing the second characteristic value.
  • the term "client” is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients.
  • the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc.
  • the client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
  • cloud server is also referred to as a remote server, which refers to a device or device corresponding to a "client” that provides remote services for the client.
  • the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server.
  • the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
  • biometric information refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.).
  • feature value refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
  • extraction algorithm also known as “biometric recognition algorithm” refers to an algorithm capable of extracting or calculating feature values from biometric information.
  • the extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
  • the collecting device 210 may collect the biometric information of the user in various ways.
  • the collection device 210 may collect the user's fingerprint information through a pre-installed fingerprint identification module.
  • the collecting device 210 may collect the facial information of the user through a camera.
  • the collection device 210 can obtain the user's biometric information with the assistance of a third-party device, for example, by using a light-reflecting diode to inject infrared light into a small piece of skin, and obtain the user's biometric information by measuring the wavelength of the reflected light, and obtain the user's biometric information. to confirm the identity of the person.
  • the extraction device 220 uses the first extraction algorithm pre-stored in the client 2000 to extract the first feature value from the biological feature information.
  • first the terms “first”, “second” and “third” are used for descriptive distinction purposes only, and should not be construed as indicating or implying relative importance. It can be understood that although the “first extraction algorithm” and the “second extraction algorithm” are both extraction algorithms, they are different from each other, and thus are distinguished by the terms “first” and “second”. The analogy can be made for "first eigenvalue”, “second eigenvalue”, and “third eigenvalue”.
  • the client 2000 only needs to store one version of the extraction algorithm.
  • the client 2000 can use the second extraction algorithm to replace the first extraction algorithm, so as to avoid simultaneously maintaining multiple sets of different versions of the biometric identification algorithm or
  • the extraction algorithm reduces the complexity and storage burden of the client 2000.
  • the sending device 230 sends the first comparison request message including the first feature value to the cloud server.
  • the first feature value is encrypted and distributed first, and then transmitted to the cloud server over a secure channel.
  • the first comparison request message in addition to the first feature value, further includes an identification number or version number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select an appropriate library of eigenvalues for comparison.
  • the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval. For example, face verification is a 1:1 comparison.
  • Its identity verification mode is essentially a process of quickly comparing the current face with the portrait database, and determining whether it matches, which can be simply understood as Prove that you are who you are. That is, we first tell the face recognition system that I am Zhang San, and then use it to verify whether the "me” standing in front of the machine is Zhang San. The most common application scenario of this mode is face unlocking.
  • the terminal device only needs to compare the user's pre-registered photos with the photos collected on the spot to determine whether it is the same person, and then the identity verification can be completed. That is to say, in the case of 1:1, the cloud server already knows who the user is. For example, the mobile phone number can be locked, so a 1:1 comparison is performed.
  • face recognition is a 1:N comparison, that is, after the system collects a photo of "me”, it finds an image that matches the current user's face data from a massive portrait database, and performs Match, find out "who I am", especially suitable for situations where you don't know who the user is or only know the scope of a user group.
  • the sending device 230 sends the feature value instead of directly sending the biometric information or the original image, which can protect the biological privacy of the individual to a certain extent.
  • biometric identification algorithm or extraction algorithm of the system When the biometric identification algorithm or extraction algorithm of the system is updated, as a client, in one embodiment, multiple sets of biometric identification algorithms of different versions need to be maintained, which increases the complexity of the system and increases the storage burden of the client. In addition, in order to calculate the feature value under the new algorithm, the client has to collect the biometric information of the entity again, which will bring an unfriendly user experience.
  • the receiving device 240 is configured to receive a second extraction algorithm from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client 2000 does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade. In addition, the upgrade of the extraction algorithm is performed when the client 2000 initiates a new verification comparison.
  • the cloud server will determine whether there is an updated version of the biometric feature extraction algorithm used by the client 2000, if there is an updated version and the feature value in the comparison request message matches successfully , the cloud server will send the new version of the algorithm to the client 2000, that is, the receiving device 240 receives the new version of the algorithm from the cloud server after the comparison is passed and there is a second extraction algorithm with a newer version than the first extraction algorithm.
  • the second extraction algorithm is described.
  • the extraction device 220 is further configured to extract a second feature value from the biometric information using the second extraction algorithm. It should be pointed out that the extraction device 220 still uses the biometric information of the user previously collected by the collection device 210 (instead of re-collecting the biometric information of the user) as the basis of the second extraction algorithm to perform the second feature value extraction. calculate. In other words, the extraction device 220 calculates the feature value (for example, the second feature value) of the new version by using the biometric information that has been compared with the old version as the biometric information registered in the new version, so as to achieve a "non-sensing" upgrade.
  • the feature value for example, the second feature value
  • the sending means 230 is further configured to send a registration message including the second characteristic value to the cloud server so as to store the second characteristic value.
  • the sending means 230 is configured to encrypt the first comparison request message and the registration message for transmission.
  • the registration message may further include an identification number or version number of the second extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number or version number of the extraction algorithm in the registration message, the cloud server can register the second feature value in the feature value library (sub-library) corresponding to the version, Facilitate appropriate comparisons in the future.
  • the collecting device 210 is further configured to collect the second biometric information of the user when the user initiates identity authentication again; the extracting device 220 is further configured to use the second biometric information in the client 2000 The extraction algorithm extracts a third feature value from the second biometric information; and the sending device 230 is further configured to send a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
  • the cloud server can select an appropriate eigenvalue (sub) library to compare with the third eigenvalue, which reduces the complexity of the comparison.
  • the sending device 230 uses a secure multi-party computation (Secure Multi-Party Computation, MPC or SMPC) method to store and identify the secret state, and such a security protection level may be higher.
  • MPC Secure Multi-Party Computation
  • SMPC Simple Multi-Party Computation
  • the so-called secure multi-party computing is to solve the collaborative computing problem of privacy protection between a group of distrusting participants. Other members participating in the calculation.
  • Each secure multi-party computing participating node has the same status, can initiate collaborative computing tasks, or choose to participate in computing tasks initiated by other parties. Routing addressing and computing logic transmission are controlled by the hub node, looking for relevant data to transmit computing logic at the same time.
  • Each secure multi-party computing node completes data extraction and calculation in the local database according to the calculation logic, and routes the output calculation result to the designated node, so that the multi-party node completes the collaborative computing task and outputs the unique result.
  • all data of all parties is local and not provided to other nodes. Under the condition of ensuring data privacy, the calculation results are fed back to the entire computing task system, so that all parties can get correct data feedback.
  • the client 2000 calculates the feature value of the new version by using the biometric information that has passed the comparison of the old version as the biometric information registered in the new version, and automatically replaces the algorithm version of the client 2000, thereby realizing the non-sensing feature value upgrade.
  • the client 2000 may further include deletion means 250 (shown in dashed lines in FIG. 2 ) for deleting the first extraction algorithm after receiving the second extraction algorithm, which may reduce processing by the client 2000 and storage overhead, so that the client 2000 can realize the availability and ease of use of algorithm upgrades while ensuring the privacy of biometrics.
  • FIG. 3 shows a schematic flowchart of an identity recognition method 3000 performed by a cloud server according to an embodiment of the present invention. As shown in Figure 3, method 3000 includes the following steps:
  • step S310 a first comparison request message containing a first feature value is received from the client, where the first feature value is obtained from the user's biometric information using a first extraction algorithm pre-stored in the client extracted from;
  • step S320 the first feature value is compared with the feature value library in the cloud server
  • step S330 after the comparison is passed and there is a second extraction algorithm of a newer version than the first extraction algorithm, the second extraction algorithm is sent to the client;
  • step S340 a registration message including a second feature value is received from the client, the second feature value is extracted from the previously collected biometric information using the second extraction algorithm;
  • step S350 the second feature value is stored in the feature value library.
  • the term "client” is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients.
  • the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc.
  • the client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
  • cloud server is also referred to as a remote server, which refers to a device or device corresponding to a "client” that provides remote services for the client.
  • the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server.
  • the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
  • biometric information refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.).
  • feature value refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
  • extraction algorithm also known as “biometric recognition algorithm” refers to an algorithm capable of extracting or calculating feature values from biometric information.
  • the extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
  • a first comparison request message including the first feature value is received from the client.
  • the first comparison request message can be encrypted and transmitted, which can effectively improve the security of data transmission.
  • the first comparison request message may further include an identification number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select the appropriate eigenvalue library for comparison.
  • the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval.
  • step S330 after the comparison is passed and there is a second extraction algorithm of a newer version than the first extraction algorithm, the cloud server sends the second extraction algorithm to the client. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade.
  • step S340 a registration message including a second feature value is received from the client, the second feature value is extracted from the previously collected biometric information using the second extraction algorithm, and the second feature value is extracted from the previously collected biometric information.
  • step S350 the second feature value is stored in the feature value library.
  • the cloud server completes the registration and storage of the biometric information, and the entire process is insensitive to the user.
  • the registration message is encrypted and transmitted, so as to ensure the security of transmission.
  • the registration message further includes an identification number of the second extraction algorithm. In this way, through the identification number of the second extraction algorithm, the cloud server can select an appropriate feature value (sub) library to store the second feature value.
  • the identification method 3000 performed by the cloud server further includes: after storing the second feature value in the feature value database, removing the second feature value from the feature value database A record corresponding to the first feature value.
  • the eigenvalue library may include a first sub-eigenvalue library corresponding to the first extraction algorithm and a second sub-eigenvalue library corresponding to the second extraction algorithm, wherein The records corresponding to the eigenvalues are stored in the first sub-eigenvalue library, and the records corresponding to the second eigenvalues are stored in the second sub-eigenvalue library. In one embodiment, when the number of records in the first sub-feature value library drops to 0, the associated module corresponding to the first extraction algorithm is deleted, thereby saving space on the cloud server.
  • FIG. 4 shows a schematic structural diagram of a cloud server 4000 for identity recognition according to an embodiment of the present invention.
  • the cloud server 4000 includes: a receiving device 410 , a comparing device 420 , a sending device 430 , and a storage device 440 .
  • the receiving device 410 is configured to receive, from the client, a first comparison request message including a first feature value, where the first feature value is obtained from the user's biometric collected by using a first extraction algorithm pre-stored in the client extracted from the feature information; the comparing device 420 is configured to compare the first feature value with the feature value library in the cloud server; the sending device 430 is configured to compare the first feature value after the comparison is passed When extracting the second extraction algorithm of the updated version of the algorithm, send the second extraction algorithm to the client; and the storage device 440 is configured to store the second feature value in the feature value library, wherein the receiving Apparatus 410 is further configured to receive from the client a registration message containing the second characteristic value extracted from the previously collected biometric information using the second extraction algorithm.
  • the term "client” is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients.
  • the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc.
  • the client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
  • cloud server is also referred to as a remote server, which refers to a device or device corresponding to a "client” that provides remote services for the client.
  • the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server.
  • the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
  • biometric information refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.).
  • feature value refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
  • extraction algorithm also known as “biometric recognition algorithm” refers to an algorithm capable of extracting or calculating feature values from biometric information.
  • the extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
  • the first comparison request message and the registration message are both encrypted and transmitted, so as to ensure the security of data or message transmission.
  • the first comparison request message further includes an identification number of the first extraction algorithm
  • the registration message further includes an identification number of the second extraction algorithm. In this way, by extracting the identification number of the algorithm, the cloud server can select an appropriate eigenvalue (sub) library to store the eigenvalues or select an appropriate eigenvalue (sub)library to compare with the eigenvalues.
  • the cloud server 4000 may further include: a removing device 450, configured to remove the second characteristic value from the characteristic value library and the first characteristic value from the characteristic value library after the second characteristic value is stored in the characteristic value library.
  • a record corresponding to an eigenvalue In one embodiment, the eigenvalue library includes a first sub-eigenvalue library corresponding to the first extraction algorithm and a second sub-eigenvalue library corresponding to the second extraction algorithm, wherein the A record corresponding to a feature value is stored in the first sub-feature value library, and a record corresponding to the second feature value is stored in the second sub-feature value library.
  • the removing device 450 may be configured to delete the associated module corresponding to the first extraction algorithm when the number of records in the first sub-feature value library decreases to 0.
  • the biometric identification system (including the client and the cloud server) based on the feature value can be divided into two stages: pre-registration and online comparison.
  • pre-registration refers to the first time that a user registers his biometrics in the system.
  • the feature value is directly extracted on the client, and then the feature value is transmitted to the cloud for storage. Inventory.
  • Online comparison is in the subsequent verification process.
  • the client will collect the biometric information or the original image and extract the feature value.
  • the feature value comparison algorithm of the cloud server After the feature value is transmitted to the cloud, the feature value comparison algorithm of the cloud server will It performs a 1:1 or 1:N comparison with the eigenvalue library, so as to verify and judge whether the distance between the current verification value and the registered eigenvalue is within a threshold interval.
  • FIG. 5 shows a smooth upgrade solution of an identity recognition system in an algorithm update scenario according to an embodiment of the present invention.
  • the upgrade process does not notify all users to complete the unified upgrade within a specified time period, but is performed when the user initiates a new verification and comparison.
  • the client still uses the existing version (N version) of the feature value extraction algorithm to extract the feature value, and then transmits it to the cloud server, and the cloud server uses the N version of the feature value comparison algorithm to discriminate and compare . If the comparison fails, the cloud server returns the comparison failure.
  • the cloud service program finds that there is a new version (N+1 version) of the algorithm, and directly pushes the N+1 version of the eigenvalue algorithm to the client, and the client updates the eigenvalue algorithm from N version to N +1 version, at the same time, extract the feature value of the N+1 version of the original image collected this time, and transmit it to the cloud server, and register the feature value of the N+1 version into the database, thus completing the N+1 version.
  • the version comparison completed the feature value registration of the N+1 version, and the whole process was completely unaware of the user (because the process of collecting features is only once, and other processes are automatically completed by the client and the cloud server).
  • FIG. 6 it shows the identification process of the identification system according to one embodiment of the present invention.
  • the version number of the identification algorithm (the N+1 version after the update) will be piggybacked. Therefore, when After the feature value is encrypted and transmitted to the cloud server, the cloud server will match the corresponding back-end feature value comparison program according to the version number, so as to achieve correct comparison and identification.
  • the cloud server side each time a new comparison request involves updating the comparison algorithm, a record will be inserted into the new feature value library.
  • An optimized approach is to insert a record in the new eigenvalue library, and at the same time delete the corresponding record in the old version eigenvalue library.
  • the number of entries in the eigenvalue library of the old version drops to 0, it means that this version has been completely replaced, then the eigenvalue library of this version can be deleted, and the associated modules such as the feature comparison algorithm corresponding to this version can also be deleted. This saves system space.
  • modules described as separate components may not be physically separated, that is, they may be located in one place, or may be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
  • each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware.
  • the above-mentioned technical solutions can be embodied in the form of software products in essence or in the form of contributions to the prior art, and the computer software products can be stored in a computer-readable storage medium, the computer-readable recording A medium includes any mechanism for storing or transmitting information in a form readable by a computer (eg, a computer).
  • Machine-readable media include, for example, read only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, electrical, optical, acoustic, or other forms of propagated signals (eg, carrier waves) , infrared signals, digital signals, etc.), etc.
  • the computer software product includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the various embodiments or certain parts of the embodiments. Methods.
  • the client maintains low processing complexity and storage overhead: the client does not need to maintain and store multiple sets of biometric algorithm identification versions, and almost no additional processing and storage burdens are imposed on the client.
  • the final effect is that the eigenvalue-based identification system can ensure the privacy of biometrics, and at the same time, it can realize the availability and ease of use of algorithm upgrades.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions
  • the apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Multimedia (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Oral & Maxillofacial Surgery (AREA)
  • Computer Security & Cryptography (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Collating Specific Patterns (AREA)
  • Computer And Data Communications (AREA)

Abstract

An identity recognition method executed by a client, the method comprising: collecting biometric information of a user (S110); extracting a first feature value from the biometric information by using a first extraction algorithm pre-stored in the client (S120); sending a first comparison request message containing the first feature value to a cloud server (S130); after comparison is successful, receiving a second extraction algorithm from the cloud server, the second extraction algorithm being an updated version of the first extraction algorithm (S140); extracting a second feature value from the biometric information by using the second extraction algorithm (S150); and sending a registration message containing the second feature value to the cloud server so as to store the second feature value (S160).

Description

客户端、云端服务器及其身份识别方法、系统以及计算机存储介质Client, cloud server and identification method, system and computer storage medium thereof 【技术领域】【Technical field】
本申请要求中国专利申请(申请号:202010766784.4)的优先权,并且本申请涉及身份识别方案,更具体地,涉及一种客户端、云端服务器及其身份识别方法、计算机存储介质以及身份识别系统。This application claims the priority of a Chinese patent application (application number: 202010766784.4), and this application relates to an identification scheme, more particularly, to a client, a cloud server and an identification method thereof, a computer storage medium and an identification system.
【背景技术】【Background technique】
近年来,生物特征(例如人脸、指纹等)由于其与个体身份的紧密关联性逐渐成为主流的身份识别方法,取款、支付、手机银行登录等重要的金融场景有不少的应用。当前绝大多数的生物特征识别系统,是直接采集并存储生物特征的明文原图(例如人脸、指纹的原图),这种方案能够实现良好的生物特征匹配,但同时也存在巨大的安全隐患与隐私合规问题,因为生物特征数据一旦泄露,将无法更改或者销毁,并且生物特征事关用户隐私,直接采集并存储明文原图会存在合规性风险。In recent years, biometrics (such as face, fingerprint, etc.) have gradually become mainstream identification methods due to their close relationship with individual identities. There are many applications in important financial scenarios such as withdrawals, payments, and mobile banking logins. Most of the current biometric identification systems directly collect and store the original plaintext images of biometrics (such as the original images of faces and fingerprints). This solution can achieve good biometric matching, but at the same time there is a huge security Hidden dangers and privacy compliance issues, because once biometric data is leaked, it cannot be changed or destroyed, and biometrics are related to user privacy. Directly collecting and storing plaintext original images will pose compliance risks.
因此,期望一种改进的身份识别方案。Therefore, an improved identification scheme is desired.
【发明内容】[Content of the invention]
根据本发明的一方面,提供了一种客户端执行的身份识别方法,所述方法包括:采集用户的生物特征信息;利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;将包含所述第一特征值的第一比对请求消息发送至云端服务器;从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本;利用所述第二提取算法从所述生物特征信息中提取第二特征值;以及将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。According to an aspect of the present invention, there is provided an identification method performed by a client, the method comprising: collecting biometric information of a user; using a first extraction algorithm pre-stored in the client to extract information from the biometric information extracting a first feature value; sending a first comparison request message containing the first feature value to a cloud server; receiving a second extraction algorithm from the cloud server, where the second extraction algorithm is the first extraction algorithm using the second extraction algorithm to extract a second feature value from the biometric information; and sending a registration message containing the second feature value to the cloud server for storing the second feature value .
作为对上述方案的补充或替换,上述身份识别方法还可包括删除所述第一提取算法。As a supplement or alternative to the above solution, the above-mentioned identification method may further include deleting the first extraction algorithm.
作为对上述方案的补充或替换,在上述身份识别方法中,所述第一比对请求消息和所述注册消息均经过加密传输。As a supplement or replacement to the above solution, in the above identification method, the first comparison request message and the registration message are both encrypted and transmitted.
作为对上述方案的补充或替换,在上述身份识别方法中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。As a supplement or alternative to the above solution, in the above identification method, the first comparison request message further includes the identification number of the first extraction algorithm, and the registration message further includes the identification number of the second extraction algorithm.
作为对上述方案的补充或替换,在上述身份识别方法中,在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,从所述云端服务器接收所述第二提取算法。As a supplement or alternative to the above solution, in the above identification method, after the comparison is passed and there is a second extraction algorithm with a newer version than the first extraction algorithm, the second extraction algorithm is received from the cloud server. algorithm.
作为对上述方案的补充或替换,上述身份识别方法还可包括:采集该用户的第二生物特征信息;利用所述客户端中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;以及将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。As a supplement or alternative to the above solution, the above identification method may further include: collecting second biometric information of the user; extracting from the second biometric information by using the second extraction algorithm in the client a third feature value; and sending a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
根据本发明的另一个方面,提供了一种用于身份识别的客户端,所述客户端包括:采集装置,用于采集用户的生物特征信息;提取装置,用于利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;发送装置,用于将包含所述第一特征值的第一比对请求消息发送至云端服务器;以及接收装置,用于在比对通过后从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本,其中,所述提取装置还配置成利用所述第二提取算法从所述生物特征信息中提取第二特征值,所述发送装置还配置成将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。According to another aspect of the present invention, a client for identity identification is provided, the client comprising: a collection device for collecting biometric information of a user; an extraction device for using pre-stored information in the client The first extraction algorithm extracts the first feature value from the biological feature information; the sending device is used to send the first comparison request message containing the first feature value to the cloud server; and the receiving device is used for in the After the comparison is passed, a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm, wherein the extraction device is further configured to use the second extraction algorithm from the extracting a second feature value from the biometric information, and the sending device is further configured to send a registration message including the second feature value to the cloud server so as to store the second feature value.
作为对上述方案的补充或替换,上述客户端还可包括删除装置,用于删除所述第一提取算法。As a supplement or alternative to the above solution, the above client may further include a deletion device for deleting the first extraction algorithm.
作为对上述方案的补充或替换,在上述客户端中,所述发送装置配置成将所述第一比对请求消息和所述注册消息经过加密来进行传输。As a supplement or alternative to the above solution, in the above client, the sending device is configured to encrypt and transmit the first comparison request message and the registration message.
作为对上述方案的补充或替换,在上述客户端中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第 二提取算法的识别号。As a supplement or replacement to the above solution, in the above client, the first comparison request message further includes the identification number of the first extraction algorithm, and the registration message also includes the identification number of the second extraction algorithm.
作为对上述方案的补充或替换,在上述客户端中,所述接收装置配置成在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,从所述云端服务器接收所述第二提取算法。As a supplement or alternative to the above solution, in the above client, the receiving device is configured to receive from the cloud server after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm the second extraction algorithm.
作为对上述方案的补充或替换,在上述客户端中,所述采集装置还配置成采集该用户的第二生物特征信息;所述提取装置还配置成利用所述客户端中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;并且所述发送装置还配置成将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。As a supplement or alternative to the above solution, in the above client, the collection device is further configured to collect the second biometric information of the user; the extraction device is further configured to use the second biometric information in the client An extraction algorithm extracts a third feature value from the second biometric information; and the sending device is further configured to send a second comparison request message containing the third feature value and the identification number of the second extraction algorithm sent to the cloud server.
根据本发明的又一个方面,提供了一种云端服务器执行的身份识别方法,所述方法包括:从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;将所述第一特征值与所述云端服务器中的特征值库进行比对;在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;从所述客户端接收包含第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的;以及将所述第二特征值存储在所述特征值库中。According to yet another aspect of the present invention, there is provided an identity recognition method executed by a cloud server, the method comprising: receiving a first comparison request message including a first feature value from a client, the first feature value is obtained by using The first extraction algorithm pre-stored in the client is extracted from the collected biometric information of the user; the first characteristic value is compared with the characteristic value library in the cloud server; after the comparison is passed And when there is a second extraction algorithm with a newer version than the first extraction algorithm, send the second extraction algorithm to the client; receive a registration message including the second feature value from the client, the first extraction algorithm The second feature value is extracted from the previously collected biometric information using the second extraction algorithm; and the second feature value is stored in the feature value library.
作为对上述方案的补充或替换,在上述身份识别方法中,所述第一比对请求消息和所述注册消息均经过加密传输。As a supplement or replacement to the above solution, in the above identification method, the first comparison request message and the registration message are both encrypted and transmitted.
作为对上述方案的补充或替换,在上述身份识别方法中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。As a supplement or alternative to the above solution, in the above identification method, the first comparison request message further includes the identification number of the first extraction algorithm, and the registration message further includes the identification number of the second extraction algorithm.
作为对上述方案的补充或替换,上述身份识别方法还可包括:在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。As a supplement or alternative to the above solution, the above identification method may further include: after storing the second characteristic value in the characteristic value library, removing the first characteristic value from the characteristic value library the corresponding record.
作为对上述方案的补充或替换,在上述身份识别方法中,所述特征值库包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的 记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在所述第二子特征值库中。As a supplement or replacement to the above solution, in the above identification method, the feature value library includes a first sub-feature value library corresponding to the first extraction algorithm and a second sub-feature value library corresponding to the second extraction algorithm an eigenvalue library, wherein records corresponding to the first eigenvalues are stored in the first sub-eigenvalue library, and records corresponding to the second eigenvalues are stored in the second sub-eigenvalue library .
作为对上述方案的补充或替换,在上述身份识别方法中,当所述第一子特征值库中的记录数降为0时,删除所述第一提取算法对应的关联模块。As a supplement or replacement to the above solution, in the above identification method, when the number of records in the first sub-feature value library drops to 0, the association module corresponding to the first extraction algorithm is deleted.
根据本发明的又一个方面,提供了一种云端服务器,所述云端服务器包括:接收装置,用于从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;比对装置,用于将所述第一特征值与所述云端服务器中的特征值库进行比对;发送装置,用于在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;以及存储装置,用于将第二特征值存储在所述特征值库中,其中,所述接收装置还配置成从所述客户端接收包含所述第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的。According to yet another aspect of the present invention, a cloud server is provided, the cloud server comprising: a receiving device for receiving a first comparison request message including a first feature value from a client, the first feature value is Extracted from the collected biometric information of the user by using the first extraction algorithm pre-stored in the client; a comparison device, configured to compare the first characteristic value with the characteristic value library in the cloud server pair; a sending device for sending the second extraction algorithm to the client after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm; and a storage device for storing a second characteristic value in the characteristic value library, wherein the receiving means is further configured to receive a registration message from the client comprising the second characteristic value, the second characteristic value being obtained using the The second extraction algorithm is extracted from the previously collected biometric information.
作为对上述方案的补充或替换,在上述云端服务器中,所述第一比对请求消息和所述注册消息均经过加密传输。As a supplement or replacement to the above solution, in the above cloud server, the first comparison request message and the registration message are both encrypted and transmitted.
作为对上述方案的补充或替换,在上述云端服务器中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。As a supplement or alternative to the above solution, in the above cloud server, the first comparison request message further includes the identification number of the first extraction algorithm, and the registration message further includes the identification number of the second extraction algorithm.
作为对上述方案的补充或替换,上述云端服务器还可包括:移除装置,用于在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。As a supplement or replacement to the above solution, the above cloud server may further include: a removing device, configured to remove from the eigenvalue library after storing the second eigenvalue in the eigenvalue library The record corresponding to the first eigenvalue is described.
作为对上述方案的补充或替换,在上述云端服务器中,所述特征值库包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在所述第二子特征值库中。As a supplement or alternative to the above solution, in the above cloud server, the feature value library includes a first sub-feature value library corresponding to the first extraction algorithm and a second sub-feature corresponding to the second extraction algorithm A value library, wherein records corresponding to the first feature values are stored in the first sub-feature value library, and records corresponding to the second feature values are stored in the second sub-feature value library.
作为对上述方案的补充或替换,在上述云端服务器中,所述移除 装置还配置成在所述第一子特征值库中的记录数降为0时,删除所述第一提取算法对应的关联模块。As a supplement or replacement to the above solution, in the above cloud server, the removing device is further configured to delete the corresponding data of the first extraction algorithm when the number of records in the first sub-feature value library decreases to 0 Associated modules.
根据本发明的又一个方面,提供了一种计算机存储介质,所述介质包括指令,所述指令在运行时执行如前所述的身份识别方法。According to yet another aspect of the present invention, there is provided a computer storage medium, the medium comprising instructions that, when executed, perform the aforementioned identification method.
根据本发明的又一个方面,提供了一种身份识别系统,其包括如前所述的客户端以及云端服务器。According to yet another aspect of the present invention, an identification system is provided, which includes the aforementioned client and a cloud server.
与现有的身份识别方案相比,根据本发明的一个或多个实施例的身份识别方案不直接存储生物信息明文或者原图(例如人脸、指纹的原图),而是采用传输以及存储生物信息特征值的方法,从而保护原始的生物特征信息免于泄露。另外,通过特征值的比对,同样能够判别出身份的真假。特征值相对于明文图片,显然其肉眼可辨识性会降低很多,从而可以一定程度地保护个人的生物隐私。Compared with the existing identification scheme, the identification scheme according to one or more embodiments of the present invention does not directly store the plaintext of biological information or the original image (such as the original image of the face and fingerprint), but adopts the transmission and storage method. The method of biometric feature value, thereby protecting the original biometric information from leakage. In addition, through the comparison of eigenvalues, the authenticity of the identity can also be determined. Compared with the plaintext image, the eigenvalue is obviously much less recognizable to the naked eye, so that the biological privacy of the individual can be protected to a certain extent.
另外,本发明的一个或多个实施例的身份识别方案可以在提取算法升级时,无需要求用户重新再采集一遍生物特征信息,对用户做到无感。而且,客户端无需维护并存储多套的生物特征提取算法,几乎对客户端不额外增加处理与存储的负担,使得本发明的一个或多个实施例的身份识别方案能够在保障生物特征隐私的同时,实现算法升级的可用与易用。In addition, the identity recognition solution of one or more embodiments of the present invention can be insensitive to the user without requiring the user to collect biometric information again when the extraction algorithm is upgraded. Moreover, the client does not need to maintain and store multiple sets of biometric extraction algorithms, and almost does not increase the burden of processing and storage on the client, so that the identity recognition solution of one or more embodiments of the present invention can ensure the privacy of biometrics. At the same time, the availability and ease of use of algorithm upgrades are realized.
【附图说明】【Description of drawings】
从结合附图的以下详细说明中,将会使本发明的上述和其他目的及优点更加完整清楚,其中,相同或相似的要素采用相同的标号表示。The above and other objects and advantages of the present invention will be more fully apparent from the following detailed description taken in conjunction with the accompanying drawings, wherein the same or similar elements are designated by the same reference numerals.
图1示出了根据本发明的一个实施例的客户端执行的身份识别方法的流程示意图;FIG. 1 shows a schematic flowchart of an identification method performed by a client according to an embodiment of the present invention;
图2示出了根据本发明的一个实施例的用于身份识别的客户端的结构示意图;2 shows a schematic structural diagram of a client for identity identification according to an embodiment of the present invention;
图3示出了根据本发明的一个实施例的云端服务器执行的身份识别方法的流程示意图;以及FIG. 3 shows a schematic flowchart of an identification method performed by a cloud server according to an embodiment of the present invention; and
图4示出了根据本发明的一个实施例的用于身份识别的云端服务器的结构示意图;4 shows a schematic structural diagram of a cloud server for identity identification according to an embodiment of the present invention;
图5示出了根据本发明的一个实施例的身份识别系统在算法更新场景下的平滑升级方案;以及FIG. 5 shows a smooth upgrade scheme of an identity recognition system in an algorithm update scenario according to an embodiment of the present invention; and
图6示出了根据本发明的一个实施例的身份识别系统的识别过程。FIG. 6 shows the identification process of the identification system according to an embodiment of the present invention.
【具体实施方式】【detailed description】
下面结合附图和实施例对本发明的实施方式作进一步详细描述。以下实施例用于说明本发明,但不能用来限制本发明的范围。The embodiments of the present invention will be described in further detail below with reference to the accompanying drawings and examples. The following examples are intended to illustrate the present invention, but not to limit the scope of the present invention.
在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明实施例的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外,术语“第一”、“第二”、“第三”仅用于描述目的,而不能理解为指示或暗示相对重要性。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。In the description of this specification, description with reference to the terms "one embodiment," "some embodiments," "example," "specific example," or "some examples", etc., mean specific features described in connection with the embodiment or example , structures, materials, or features are included in at least one example or example of embodiments of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the terms "first", "second", and "third" are used for descriptive purposes only and should not be construed to indicate or imply relative importance. Furthermore, those skilled in the art may combine and combine the different embodiments or examples described in this specification, as well as the features of the different embodiments or examples, without conflicting each other.
图1示出了根据本发明的一个实施例的客户端执行的身份识别方法1000的流程示意图。如图1所示,方法1000包括如下步骤:FIG. 1 shows a schematic flowchart of an identity recognition method 1000 performed by a client according to an embodiment of the present invention. As shown in Figure 1, method 1000 includes the following steps:
在步骤S110中,采集用户的生物特征信息;In step S110, collect the biometric information of the user;
在步骤S120中,利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;In step S120, a first feature value is extracted from the biometric information by using a first extraction algorithm pre-stored in the client;
在步骤S130中,将包含所述第一特征值的第一比对请求消息发送至云端服务器;In step S130, a first comparison request message containing the first feature value is sent to the cloud server;
在步骤S140中,从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本;In step S140, a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm;
在步骤S150中,利用所述第二提取算法从所述生物特征信息中提取第二特征值;以及In step S150, using the second extraction algorithm to extract a second feature value from the biometric information; and
在步骤S160中,将包含所述第二特征值的注册消息发送至所述 云端服务器以便存储所述第二特征值。In step S160, a registration message containing the second characteristic value is sent to the cloud server so as to store the second characteristic value.
在本发明的上下文中,术语“客户端”也称为用户端,是指与云端服务器相对应,为客户提供本地服务的设备或装置。在一个或多个实施例中,该客户端具有一些基本功能,包括采集用户的生物特征信息的采集功能,以及利用客户端中预存的提取算法从所采集的生物特征信息中提取特征值的数据处理功能等。该客户端可以是用户的智能设备,包括但不限于,用户的手机、笔记本电脑以及头戴式设备。In the context of the present invention, the term "client" is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients. In one or more embodiments, the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc. The client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
术语“云端服务器”也称为远端服务器,是指与“客户端”相对应,为客户端提供远程服务的设备或装置。在一个或多个实施例中,云端服务器可为客户端提供在线比对功能,即将从客户端接收的特征值与云端服务器中的特征值库进行比对。而且,该云端服务器还可在比对通过之后且存在更新版本的提取算法时,将更新的提取算法发送给客户端。The term "cloud server" is also referred to as a remote server, which refers to a device or device corresponding to a "client" that provides remote services for the client. In one or more embodiments, the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server. Moreover, the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
在本发明的上下文中,术语“生物特征信息”是指任何可用于进行个人身份鉴定的人体所固有的信息,其包括但不限于,生理特征(例如,指纹、虹膜、面相、DNA等)和行为特征(步态、击键习惯等)。术语“特征值”是指通过特定算法(如提取算法)从生物特征信息中所提取或计算出的属性。In the context of the present invention, the term "biometric information" refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.). The term "feature value" refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
术语“提取算法”也称为“生物特征识别算法”,是指能够从生物特征信息中提取或计算出特征值的算法。该提取算法可根据实际情况而进行调整更新,因此在一个或多个实施例中,提取算法可具有不同版本,例如通过识别号来进行区分。The term "extraction algorithm", also known as "biometric recognition algorithm", refers to an algorithm capable of extracting or calculating feature values from biometric information. The extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
在步骤S110中,客户端可通过各种方式来采集用户的生物特征信息。例如,客户端可通过预装的指纹识别模块来采集用户的指纹信息。又例如,客户端可通过摄像头来采集用户的面部信息。再例如,客户端可通过第三方装置的协助来获取用户的生物特征信息,例如通过光反射二极管把红外光照进一小块皮肤并通过测定的反射光波长来获得用户的生物特征信息(例如皮肤厚度、皮层结构等),并进而确认人的身份。In step S110, the client may collect the biometric information of the user in various ways. For example, the client can collect the user's fingerprint information through a pre-installed fingerprint identification module. For another example, the client may collect the user's facial information through a camera. For another example, the client can obtain the user's biometric information with the assistance of a third-party device, for example, through a light-reflecting diode that transmits infrared light into a small piece of skin and obtains the user's biometric information (such as the skin) by measuring the wavelength of the reflected light. thickness, cortical structure, etc.), and thereby confirm the identity of the person.
在步骤S120中,利用所述客户端中预存的第一提取算法从所述 生物特征信息中提取第一特征值。在这里,术语“第一”、“第二”、“第三”仅用于描述区分目的,而不能理解为指示或暗示相对重要性。可以理解,“第一提取算法”与“第二提取算法”尽管均是提取算法,但是彼此不同,因而通过术语“第一”和“第二”来进行区分。对于“第一特征值”、“第二特征值”、“第三特征值”可以此类推。In step S120, a first feature value is extracted from the biometric information by using a first extraction algorithm pre-stored in the client. Here, the terms "first", "second" and "third" are used for descriptive distinction purposes only, and should not be construed as indicating or implying relative importance. It can be understood that although the "first extraction algorithm" and the "second extraction algorithm" are both extraction algorithms, they are different from each other, and thus are distinguished by the terms "first" and "second". The analogy can be made for "first eigenvalue", "second eigenvalue", and "third eigenvalue".
在本发明的一个或多个实施例中,客户端仅需存储一个版本的提取算法。在从云端服务器接收到新版本的提取算法时,例如接收到第二提取算法时,客户端可用第二提取算法替代第一提取算法,从而避免同时维护多套不同版本的生物特征识别算法或提取算法,降低了客户端的复杂度和存储负担。In one or more embodiments of the invention, the client only needs to store one version of the extraction algorithm. When receiving a new version of the extraction algorithm from the cloud server, for example, when receiving the second extraction algorithm, the client can use the second extraction algorithm to replace the first extraction algorithm, so as to avoid maintaining multiple sets of different versions of biometric identification algorithms or extraction algorithms at the same time. The algorithm reduces the complexity and storage burden of the client.
在步骤S130中,将包含所述第一特征值的第一比对请求消息发送至云端服务器。在一个实施例中,第一特征值先经过加密分发,然后在安全的通道上传输至云端服务器。在一个实施例中,除了第一特征值之外,第一比对请求消息还包括第一提取算法的识别号或版本号。这在存在多个版本的提取算法时特别有利,通过第一比对请求消息中的提取算法的识别号,云端服务器可了解比对请求消息中包含的特征值是采用何种版本的提取算法计算得出的,并从而选择合适的特征值库来进行比对。具体来说,在特征值传输至云端服务器后,云端服务器的特征值比对算法会将该特征值与特征值库进行1:1或者1:N的比对,从而验证判断本次的验证值与注册的特征值的距离是否在一个阈值区间之内。In step S130, a first comparison request message including the first feature value is sent to the cloud server. In one embodiment, the first feature value is encrypted and distributed first, and then transmitted to the cloud server over a secure channel. In one embodiment, in addition to the first feature value, the first comparison request message further includes an identification number or version number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select an appropriate library of eigenvalues for comparison. Specifically, after the eigenvalue is transmitted to the cloud server, the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval.
需要注意的是,在比对请求消息中发送的是特征值,而不是直接发送生物特征信息或原图,这可在一定程度上保护个人的生物隐私。It should be noted that the feature value is sent in the comparison request message, rather than the biometric information or the original image directly, which can protect the biological privacy of individuals to a certain extent.
当系统的生物特征识别算法或提取算法有更新时,作为客户端,在一个实施方案中需要维护多套不同版本的生物特征识别算法,提升了系统的复杂度,也加重了客户端的存储负担。另外,为了计算出新算法下的特征值,客户端不得不再重新采集一遍实体的生物特征信息,由此会带来不友好的用户体验。When the biometric identification algorithm or extraction algorithm of the system is updated, as a client, in one embodiment, multiple sets of biometric identification algorithms of different versions need to be maintained, which increases the complexity of the system and increases the storage burden of the client. In addition, in order to calculate the feature value under the new algorithm, the client has to collect the biometric information of the entity again, which will bring an unfriendly user experience.
因此,在本发明的一个实施例中,参见步骤S140,从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更 新版本。也就是说,当存在多套不同版本的生物特征识别算法时,客户端无需在本地维护多套算法,而只需从云端服务器接收即可,从而降低了算法更新升级的开销。另外,提取算法的升级在客户端发起一次新的验证比对的时刻进行。即,云端服务器在接收比对请求消息后,会判定客户端使用的生物特征提取算法是否存在更新的版本,若存在更新版本而且比对请求消息中的特征值匹配成功,则云端服务器会将新版本的算法发送给客户端。Therefore, in an embodiment of the present invention, referring to step S140, a second extraction algorithm is received from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade. In addition, the upgrade of the extraction algorithm is performed at the moment when the client initiates a new verification comparison. That is, after the cloud server receives the comparison request message, it will determine whether there is an updated version of the biometric feature extraction algorithm used by the client. If there is an updated version and the feature value in the comparison request message is successfully matched, the cloud server will The version of the algorithm is sent to the client.
接着,在步骤S150中,客户端利用第二提取算法从所述生物特征信息中提取第二特征值。需要指出的是,客户端在这里仍然采用在步骤S110中采集的用户的生物特征信息(而不是重新再采集用户的生物特征信息)作为第二提取算法的基础来进行第二特征值的计算。换言之,客户端在这里通过将老版本对比通过的生物特征信息作为新版本注册的生物特征信息来进行新版特征值(例如,第二特征值)的计算,可实现“无感”升级。Next, in step S150, the client uses a second extraction algorithm to extract a second feature value from the biometric information. It should be noted that the client still uses the user's biometric information collected in step S110 (instead of re-collecting the user's biometric information) as the basis of the second extraction algorithm to calculate the second characteristic value. In other words, the client calculates the feature value (eg, the second feature value) of the new version by using the biometric information that has passed the comparison of the old version as the biometric information registered in the new version, so as to achieve a "non-sensing" upgrade.
在步骤S160中,将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。在一个实施例中,所述第一比对请求消息和所述注册消息均经过加密传输。在一个实施例中,所述注册消息还可包括第二提取算法的识别号或版本号。这在存在多个版本的提取算法时特别有利,通过注册消息中的提取算法的识别号或版本号,云端服务器可将第二特征值注册在对应该版本的特征值库(子库)中,便于将来进行合适的比对。In step S160, a registration message including the second characteristic value is sent to the cloud server so as to store the second characteristic value. In one embodiment, the first comparison request message and the registration message are both encrypted and transmitted. In one embodiment, the registration message may further include an identification number or version number of the second extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number or version number of the extraction algorithm in the registration message, the cloud server can register the second feature value in the feature value library (sub-library) corresponding to the version, Facilitate appropriate comparisons in the future.
尽管图1中未示出,在一个实施例中,客户端执行的身份识别方法1000还包括删除第一提取算法。这样,客户端将第一提取算法删除,只保留第二提取算法,效果是客户端只维护一个版本的算法,使得复杂度降低。Although not shown in FIG. 1 , in one embodiment, the identification method 1000 performed by the client also includes deleting the first extraction algorithm. In this way, the client deletes the first extraction algorithm and retains only the second extraction algorithm. The effect is that the client maintains only one version of the algorithm, which reduces the complexity.
在一个实施例中,客户端执行的身份识别方法1000还可包括:采集该用户的第二生物特征信息;利用所述客户端中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;以及将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。In one embodiment, the identification method 1000 performed by the client may further include: collecting second biometric information of the user; using the second extraction algorithm in the client to extract information from the second biometric information extracting a third feature value; and sending a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
这样,通过第二提取算法的识别号,云端服务器可选择合适的特征值(子)库来与第三特征值进行比对,降低了比对的复杂度。In this way, through the identification number of the second extraction algorithm, the cloud server can select an appropriate eigenvalue (sub) library to compare with the third eigenvalue, which reduces the complexity of the comparison.
在一个实施例中,在存储特征值的时候,采用安全多方计算(Secure Multi-Party Computation,MPC或者SMPC)的方法进行密态的存储与识别,这样的安全保护等级可更高。所谓安全多方计算,是解决一组互不信任的参与方之间保护隐私的协同计算问题,它要确保输入的独立性、计算的正确性、去中心化等特征,同时不泄露各输入值给参与计算的其他成员。各个安全多方计算参与节点地位相同,可以发起协同计算任务,也可以选择参与其他方发起的计算任务。路由寻址和计算逻辑传输由枢纽节点控制,寻找相关数据同时传输计算逻辑。各个安全多方计算节点根据计算逻辑,在本地数据库完成数据提取、计算,并将输出计算结果路由到指定节点,从而多方节点完成协同计算任务,输出唯一性结果。整个过程各方数据全部在本地,并不提供给其他节点,在保证数据隐私的情况下,将计算结果反馈到整个计算任务系统,从而各方得到正确的数据反馈。In one embodiment, when storing eigenvalues, a secure multi-party computation (Secure Multi-Party Computation, MPC or SMPC) method is used to store and identify the secret state, and such a security protection level can be higher. The so-called secure multi-party computing is to solve the collaborative computing problem of privacy protection between a group of distrusting participants. Other members involved in the calculation. Each secure multi-party computing participating node has the same status, can initiate collaborative computing tasks, or choose to participate in computing tasks initiated by other parties. Routing addressing and computing logic transmission are controlled by the hub node, looking for relevant data to transmit computing logic at the same time. Each secure multi-party computing node completes data extraction and calculation in the local database according to the calculation logic, and routes the output calculation result to the designated node, so that the multi-party node completes the collaborative computing task and outputs the unique result. In the whole process, all data of all parties is local and not provided to other nodes. Under the condition of ensuring data privacy, the calculation results are fed back to the entire computing task system, so that all parties can get correct data feedback.
因此,客户端执行的身份识别方法1000在不存储生物特征明文的基本前提下,还能够实现在提取算法出现更新时对用户做到无感,同时几乎对客户端不额外增加处理与存储的负担,从而使得基于特征值的生物识别系统在能够保障生物特征隐私的同时,又能够实现算法升级的可用与易用。Therefore, under the basic premise of not storing the plaintext of biometric features, the identity recognition method 1000 executed by the client can also realize that the user is insensitive when the extraction algorithm is updated, and at the same time, it hardly increases the burden of processing and storage on the client. , so that the biometric recognition system based on feature value can ensure the privacy of biometric features, and at the same time can realize the availability and ease of use of algorithm upgrade.
图2示出了根据本发明的一个实施例的用于身份识别的客户端2000的结构示意图。如图2所示,客户端2000包括采集装置210、提取装置220、发送装置230以及接收装置240。其中,采集装置210用于采集用户的生物特征信息;提取装置220用于利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;发送装置230用于将包含所述第一特征值的第一比对请求消息发送至云端服务器;以及接收装置240用于从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本,其中,所述提取装置220还配置成利用所述第二提取算法从所述生物特征信息中提取第二特征值,所述发送装置230还配置成将包含所述第二特征值的注 册消息发送至所述云端服务器以便存储所述第二特征值。FIG. 2 shows a schematic structural diagram of a client 2000 for identity recognition according to an embodiment of the present invention. As shown in FIG. 2 , the client 2000 includes a collecting device 210 , an extracting device 220 , a sending device 230 and a receiving device 240 . Wherein, the collecting device 210 is used for collecting the biometric information of the user; the extracting device 220 is used for extracting the first feature value from the biometric information by using the first extraction algorithm pre-stored in the client; the sending device 230 is used for extracting the first feature value from the biometric information; Sending a first comparison request message including the first feature value to the cloud server; and the receiving device 240 is configured to receive a second extraction algorithm from the cloud server, where the second extraction algorithm is part of the first extraction algorithm The updated version, wherein the extracting means 220 is further configured to extract a second feature value from the biometric information by using the second extraction algorithm, and the sending device 230 is further configured to A registration message is sent to the cloud server for storing the second characteristic value.
在本发明的上下文中,术语“客户端”也称为用户端,是指与云端服务器相对应,为客户提供本地服务的设备或装置。在一个或多个实施例中,该客户端具有一些基本功能,包括采集用户的生物特征信息的采集功能,以及利用客户端中预存的提取算法从所采集的生物特征信息中提取特征值的数据处理功能等。该客户端可以是用户的智能设备,包括但不限于,用户的手机、笔记本电脑以及头戴式设备。In the context of the present invention, the term "client" is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients. In one or more embodiments, the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc. The client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
术语“云端服务器”也称为远端服务器,是指与“客户端”相对应,为客户端提供远程服务的设备或装置。在一个或多个实施例中,云端服务器可为客户端提供在线比对功能,即将从客户端接收的特征值与云端服务器中的特征值库进行比对。而且,该云端服务器还可在比对通过之后且存在更新版本的提取算法时,将更新的提取算法发送给客户端。The term "cloud server" is also referred to as a remote server, which refers to a device or device corresponding to a "client" that provides remote services for the client. In one or more embodiments, the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server. Moreover, the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
在本发明的上下文中,术语“生物特征信息”是指任何可用于进行个人身份鉴定的人体所固有的信息,其包括但不限于,生理特征(例如,指纹、虹膜、面相、DNA等)和行为特征(步态、击键习惯等)。术语“特征值”是指通过特定算法(如提取算法)从生物特征信息中所提取或计算出的属性。In the context of the present invention, the term "biometric information" refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.). The term "feature value" refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
术语“提取算法”也称为“生物特征识别算法”,是指能够从生物特征信息中提取或计算出特征值的算法。该提取算法可根据实际情况而进行调整更新,因此在一个或多个实施例中,提取算法可具有不同版本,例如通过识别号来进行区分。The term "extraction algorithm", also known as "biometric recognition algorithm", refers to an algorithm capable of extracting or calculating feature values from biometric information. The extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
采集装置210可通过各种方式来采集用户的生物特征信息。例如,采集装置210可通过预装的指纹识别模块来采集用户的指纹信息。又例如,采集装置210可通过摄像头来采集用户的面部信息。再例如,采集装置210可通过第三方装置的协助来获取用户的生物特征信息,例如通过光反射二极管把红外光照进一小块皮肤并通过测定的反射光波长来获得用户的生物特征信息,并进而确认人的身份。The collecting device 210 may collect the biometric information of the user in various ways. For example, the collection device 210 may collect the user's fingerprint information through a pre-installed fingerprint identification module. For another example, the collecting device 210 may collect the facial information of the user through a camera. For another example, the collection device 210 can obtain the user's biometric information with the assistance of a third-party device, for example, by using a light-reflecting diode to inject infrared light into a small piece of skin, and obtain the user's biometric information by measuring the wavelength of the reflected light, and obtain the user's biometric information. to confirm the identity of the person.
提取装置220利用客户端2000中预存的第一提取算法从所述生物特征信息中提取第一特征值。在这里,术语“第一”、“第二”、 “第三”仅用于描述区分目的,而不能理解为指示或暗示相对重要性。可以理解,“第一提取算法”与“第二提取算法”尽管均是提取算法,但是彼此不同,因而通过术语“第一”和“第二”来进行区分。对于“第一特征值”、“第二特征值”、“第三特征值”可以此类推。The extraction device 220 uses the first extraction algorithm pre-stored in the client 2000 to extract the first feature value from the biological feature information. Here, the terms "first", "second" and "third" are used for descriptive distinction purposes only, and should not be construed as indicating or implying relative importance. It can be understood that although the "first extraction algorithm" and the "second extraction algorithm" are both extraction algorithms, they are different from each other, and thus are distinguished by the terms "first" and "second". The analogy can be made for "first eigenvalue", "second eigenvalue", and "third eigenvalue".
在本发明的一个或多个实施例中,客户端2000仅需存储一个版本的提取算法。在从云端服务器接收到新版本的提取算法时,例如接收到第二提取算法时,客户端2000可用第二提取算法替代第一提取算法,从而避免同时维护多套不同版本的生物特征识别算法或提取算法,降低了客户端2000的复杂度和存储负担。In one or more embodiments of the invention, the client 2000 only needs to store one version of the extraction algorithm. When receiving a new version of the extraction algorithm from the cloud server, for example, when receiving the second extraction algorithm, the client 2000 can use the second extraction algorithm to replace the first extraction algorithm, so as to avoid simultaneously maintaining multiple sets of different versions of the biometric identification algorithm or The extraction algorithm reduces the complexity and storage burden of the client 2000.
发送装置230将包含所述第一特征值的第一比对请求消息发送至云端服务器。在一个实施例中,第一特征值先经过加密分发,然后在安全的通道上传输至云端服务器。在一个实施例中,除了第一特征值之外,第一比对请求消息还包括第一提取算法的识别号或版本号。这在存在多个版本的提取算法时特别有利,通过第一比对请求消息中的提取算法的识别号,云端服务器可了解比对请求消息中包含的特征值是采用何种版本的提取算法计算得出的,并从而选择合适的特征值库来进行比对。具体来说,在特征值传输至云端服务器后,云端服务器的特征值比对算法会将该特征值与特征值库进行1:1或者1:N的比对,从而验证判断本次的验证值与注册的特征值的距离是否在一个阈值区间之内。举例来说,人脸验证做的是1:1的比对,其身份验证模式本质上是对当前人脸与人像数据库进行快速人脸比对,并得出是否匹配的过程,可以简单理解为证明你就是你。就是我们先告诉人脸识别系统,我是张三,然后用来验证站在机器面前的“我”到底是不是张三。这种模式最常见的应用场景便是人脸解锁,终端设备只需将用户事先注册的照片与临场采集的照片做对比,判断是否为同一人,即可完成身份验证。也就是说,1:1的情况是云端服务器已经知道用户是谁,例如可以通过手机号已经锁定,所以就进行1:1比对。又例如,人脸识别做的是1:N的比对,即系统采集了“我”的一张照片之后,从海量的人像数据库中找到与当前使用者人脸数据相符合的图像,并进行匹配,找出来“我是谁”,特别适用于不知道用户是谁或者仅知 道一个用户群体的范围的情形。The sending device 230 sends the first comparison request message including the first feature value to the cloud server. In one embodiment, the first feature value is encrypted and distributed first, and then transmitted to the cloud server over a secure channel. In one embodiment, in addition to the first feature value, the first comparison request message further includes an identification number or version number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select an appropriate library of eigenvalues for comparison. Specifically, after the eigenvalue is transmitted to the cloud server, the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval. For example, face verification is a 1:1 comparison. Its identity verification mode is essentially a process of quickly comparing the current face with the portrait database, and determining whether it matches, which can be simply understood as Prove that you are who you are. That is, we first tell the face recognition system that I am Zhang San, and then use it to verify whether the "me" standing in front of the machine is Zhang San. The most common application scenario of this mode is face unlocking. The terminal device only needs to compare the user's pre-registered photos with the photos collected on the spot to determine whether it is the same person, and then the identity verification can be completed. That is to say, in the case of 1:1, the cloud server already knows who the user is. For example, the mobile phone number can be locked, so a 1:1 comparison is performed. For another example, face recognition is a 1:N comparison, that is, after the system collects a photo of "me", it finds an image that matches the current user's face data from a massive portrait database, and performs Match, find out "who I am", especially suitable for situations where you don't know who the user is or only know the scope of a user group.
需要注意的是,发送装置230在比对请求消息中发送的是特征值,而不是直接发送生物特征信息或原图,这可在一定程度上保护个人的生物隐私。It should be noted that, in the comparison request message, the sending device 230 sends the feature value instead of directly sending the biometric information or the original image, which can protect the biological privacy of the individual to a certain extent.
当系统的生物特征识别算法或提取算法有更新时,作为客户端,在一个实施方案中需要维护多套不同版本的生物特征识别算法,提升了系统的复杂度,也加重了客户端的存储负担。另外,为了计算出新算法下的特征值,客户端不得不再重新采集一遍实体的生物特征信息,由此会带来不友好的用户体验。When the biometric identification algorithm or extraction algorithm of the system is updated, as a client, in one embodiment, multiple sets of biometric identification algorithms of different versions need to be maintained, which increases the complexity of the system and increases the storage burden of the client. In addition, in order to calculate the feature value under the new algorithm, the client has to collect the biometric information of the entity again, which will bring an unfriendly user experience.
因此,在本发明的一个实施例中,接收装置240配置成从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本。也就是说,当存在多套不同版本的生物特征识别算法时,客户端2000无需在本地维护多套算法,而只需从云端服务器接收即可,从而降低了算法更新升级的开销。另外,提取算法的升级在客户端2000发起一次新的验证比对的时刻进行。即,在发送装置230向云端服务器发送比对请求消息后,云端服务器会判定客户端2000使用的生物特征提取算法是否存在更新的版本,若存在更新版本而且比对请求消息中的特征值匹配成功,则云端服务器会将新版本的算法发送给客户端2000,即接收装置240在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,从所述云端服务器接收所述第二提取算法。Therefore, in one embodiment of the present invention, the receiving device 240 is configured to receive a second extraction algorithm from the cloud server, and the second extraction algorithm is an updated version of the first extraction algorithm. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client 2000 does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade. In addition, the upgrade of the extraction algorithm is performed when the client 2000 initiates a new verification comparison. That is, after the sending device 230 sends the comparison request message to the cloud server, the cloud server will determine whether there is an updated version of the biometric feature extraction algorithm used by the client 2000, if there is an updated version and the feature value in the comparison request message matches successfully , the cloud server will send the new version of the algorithm to the client 2000, that is, the receiving device 240 receives the new version of the algorithm from the cloud server after the comparison is passed and there is a second extraction algorithm with a newer version than the first extraction algorithm. The second extraction algorithm is described.
另外,所述提取装置220还配置成利用所述第二提取算法从所述生物特征信息中提取第二特征值。需要指出的是,提取装置220在这里仍然用采集装置210之前所采集的用户的生物特征信息(而不是重新再采集用户的生物特征信息)作为第二提取算法的基础来进行第二特征值的计算。换言之,提取装置220这里通过将老版本对比通过的生物特征信息作为新版本注册的生物特征信息来进行新版特征值(例如,第二特征值)的计算,可实现“无感”升级。In addition, the extraction device 220 is further configured to extract a second feature value from the biometric information using the second extraction algorithm. It should be pointed out that the extraction device 220 still uses the biometric information of the user previously collected by the collection device 210 (instead of re-collecting the biometric information of the user) as the basis of the second extraction algorithm to perform the second feature value extraction. calculate. In other words, the extraction device 220 calculates the feature value (for example, the second feature value) of the new version by using the biometric information that has been compared with the old version as the biometric information registered in the new version, so as to achieve a "non-sensing" upgrade.
在一个实施例中,发送装置230还配置成将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。在一个 实施例中,发送装置230配置成将所述第一比对请求消息和所述注册消息经过加密来进行传输。在一个实施例中,所述注册消息还可包括第二提取算法的识别号或版本号。这在存在多个版本的提取算法时特别有利,通过注册消息中的提取算法的识别号或版本号,云端服务器可将第二特征值注册在对应该版本的特征值库(子库)中,便于将来进行合适的比对。In one embodiment, the sending means 230 is further configured to send a registration message including the second characteristic value to the cloud server so as to store the second characteristic value. In one embodiment, the sending means 230 is configured to encrypt the first comparison request message and the registration message for transmission. In one embodiment, the registration message may further include an identification number or version number of the second extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number or version number of the extraction algorithm in the registration message, the cloud server can register the second feature value in the feature value library (sub-library) corresponding to the version, Facilitate appropriate comparisons in the future.
在一个实施例中,采集装置210还配置成在所述用户再次发起身份认证时,采集该用户的第二生物特征信息;提取装置220还配置成利用所述客户端2000中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;并且发送装置230还配置成将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。In one embodiment, the collecting device 210 is further configured to collect the second biometric information of the user when the user initiates identity authentication again; the extracting device 220 is further configured to use the second biometric information in the client 2000 The extraction algorithm extracts a third feature value from the second biometric information; and the sending device 230 is further configured to send a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
这样,通过第二提取算法的识别号,云端服务器可选择合适的特征值(子)库来与第三特征值进行比对,降低了比对的复杂度。In this way, through the identification number of the second extraction algorithm, the cloud server can select an appropriate eigenvalue (sub) library to compare with the third eigenvalue, which reduces the complexity of the comparison.
在一个实施例中,发送装置230采用安全多方计算(Secure Multi-Party Computation,MPC或者SMPC)的方法进行密态的存储与识别,这样的安全保护等级可更高。所谓安全多方计算,是解决一组互不信任的参与方之间保护隐私的协同计算问题,它要确保输入的独立性、计算的正确性、去中心化等特征,同时不泄露各输入值给参与计算的其他成员。各个安全多方计算参与节点地位相同,可以发起协同计算任务,也可以选择参与其他方发起的计算任务。路由寻址和计算逻辑传输由枢纽节点控制,寻找相关数据同时传输计算逻辑。各个安全多方计算节点根据计算逻辑,在本地数据库完成数据提取、计算,并将输出计算结果路由到指定节点,从而多方节点完成协同计算任务,输出唯一性结果。整个过程各方数据全部在本地,并不提供给其他节点,在保证数据隐私的情况下,将计算结果反馈到整个计算任务系统,从而各方得到正确的数据反馈。In one embodiment, the sending device 230 uses a secure multi-party computation (Secure Multi-Party Computation, MPC or SMPC) method to store and identify the secret state, and such a security protection level may be higher. The so-called secure multi-party computing is to solve the collaborative computing problem of privacy protection between a group of distrusting participants. Other members participating in the calculation. Each secure multi-party computing participating node has the same status, can initiate collaborative computing tasks, or choose to participate in computing tasks initiated by other parties. Routing addressing and computing logic transmission are controlled by the hub node, looking for relevant data to transmit computing logic at the same time. Each secure multi-party computing node completes data extraction and calculation in the local database according to the calculation logic, and routes the output calculation result to the designated node, so that the multi-party node completes the collaborative computing task and outputs the unique result. In the whole process, all data of all parties is local and not provided to other nodes. Under the condition of ensuring data privacy, the calculation results are fed back to the entire computing task system, so that all parties can get correct data feedback.
因此,客户端2000通过将老版本比对通过的生物特征信息作为新版本注册的生物特征信息进行新版特征值的计算,并自动替换客户端2000的算法版本,从而实现无感特征值升级。另外,客户端2000 在每次向后台(例如云端服务器)比对时,捎带上版本信息,将版本匹配的处理过程移至后台,使得客户端2000只需维护一个版本的算法模块。在一个实施例中,客户端2000可进一步包括删除装置250(在图2中以虚线示出),其用于在接收第二提取算法之后删除第一提取算法,这可降低客户端2000的处理与存储开销,从而使得客户端2000能够在保障生物特征隐私的同时,实现算法升级的可用与易用。Therefore, the client 2000 calculates the feature value of the new version by using the biometric information that has passed the comparison of the old version as the biometric information registered in the new version, and automatically replaces the algorithm version of the client 2000, thereby realizing the non-sensing feature value upgrade. In addition, each time the client 2000 compares to the background (eg, a cloud server), it carries version information and moves the version matching process to the background, so that the client 2000 only needs to maintain one version of the algorithm module. In one embodiment, the client 2000 may further include deletion means 250 (shown in dashed lines in FIG. 2 ) for deleting the first extraction algorithm after receiving the second extraction algorithm, which may reduce processing by the client 2000 and storage overhead, so that the client 2000 can realize the availability and ease of use of algorithm upgrades while ensuring the privacy of biometrics.
图3示出了根据本发明的一个实施例的云端服务器执行的身份识别方法3000的流程示意图。如图3所示,方法3000包括如下步骤:FIG. 3 shows a schematic flowchart of an identity recognition method 3000 performed by a cloud server according to an embodiment of the present invention. As shown in Figure 3, method 3000 includes the following steps:
在步骤S310中,从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;In step S310, a first comparison request message containing a first feature value is received from the client, where the first feature value is obtained from the user's biometric information using a first extraction algorithm pre-stored in the client extracted from;
在步骤S320中,将所述第一特征值与所述云端服务器中的特征值库进行比对;In step S320, the first feature value is compared with the feature value library in the cloud server;
在步骤S330中,在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;In step S330, after the comparison is passed and there is a second extraction algorithm of a newer version than the first extraction algorithm, the second extraction algorithm is sent to the client;
在步骤S340中,从所述客户端接收包含第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的;以及In step S340, a registration message including a second feature value is received from the client, the second feature value is extracted from the previously collected biometric information using the second extraction algorithm; and
在步骤S350中,将所述第二特征值存储在所述特征值库中。In step S350, the second feature value is stored in the feature value library.
在本发明的上下文中,术语“客户端”也称为用户端,是指与云端服务器相对应,为客户提供本地服务的设备或装置。在一个或多个实施例中,该客户端具有一些基本功能,包括采集用户的生物特征信息的采集功能,以及利用客户端中预存的提取算法从所采集的生物特征信息中提取特征值的数据处理功能等。该客户端可以是用户的智能设备,包括但不限于,用户的手机、笔记本电脑以及头戴式设备。In the context of the present invention, the term "client" is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients. In one or more embodiments, the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc. The client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
术语“云端服务器”也称为远端服务器,是指与“客户端”相对应,为客户端提供远程服务的设备或装置。在一个或多个实施例中,云端服务器可为客户端提供在线比对功能,即将从客户端接收的特征值与云端服务器中的特征值库进行比对。而且,该云端服务器还可在 比对通过之后且存在更新版本的提取算法时,将更新的提取算法发送给客户端。The term "cloud server" is also referred to as a remote server, which refers to a device or device corresponding to a "client" that provides remote services for the client. In one or more embodiments, the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server. Moreover, the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
在本发明的上下文中,术语“生物特征信息”是指任何可用于进行个人身份鉴定的人体所固有的信息,其包括但不限于,生理特征(例如,指纹、虹膜、面相、DNA等)和行为特征(步态、击键习惯等)。术语“特征值”是指通过特定算法(如提取算法)从生物特征信息中所提取或计算出的属性。In the context of the present invention, the term "biometric information" refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.). The term "feature value" refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
术语“提取算法”也称为“生物特征识别算法”,是指能够从生物特征信息中提取或计算出特征值的算法。该提取算法可根据实际情况而进行调整更新,因此在一个或多个实施例中,提取算法可具有不同版本,例如通过识别号来进行区分。The term "extraction algorithm", also known as "biometric recognition algorithm", refers to an algorithm capable of extracting or calculating feature values from biometric information. The extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
在步骤S310中,从客户端接收包含第一特征值的第一比对请求消息。在一个实施例中,该第一对比请求消息可经过加密传输,这可有效提高数据传输的安全性。在一个实施例中,所述第一比对请求消息还可包括第一提取算法的识别号。这在存在多个版本的提取算法时特别有利,通过第一比对请求消息中的提取算法的识别号,云端服务器可了解比对请求消息中包含的特征值是采用何种版本的提取算法计算得出的,并从而选择合适的特征值库来进行比对。具体来说,在特征值传输至云端服务器后,云端服务器的特征值比对算法会将该特征值与特征值库进行1:1或者1:N的比对,从而验证判断本次的验证值与注册的特征值的距离是否在一个阈值区间之内。In step S310, a first comparison request message including the first feature value is received from the client. In one embodiment, the first comparison request message can be encrypted and transmitted, which can effectively improve the security of data transmission. In one embodiment, the first comparison request message may further include an identification number of the first extraction algorithm. This is particularly advantageous when there are multiple versions of the extraction algorithm. Through the identification number of the extraction algorithm in the first comparison request message, the cloud server can know which version of the extraction algorithm is used to calculate the feature value contained in the comparison request message. obtained, and thus select the appropriate eigenvalue library for comparison. Specifically, after the eigenvalue is transmitted to the cloud server, the eigenvalue comparison algorithm of the cloud server will perform a 1:1 or 1:N comparison between the eigenvalue and the eigenvalue library, so as to verify and judge the verification value this time. Whether the distance from the registered feature value is within a threshold interval.
在步骤S330中,在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,云端服务器将所述第二提取算法发送给所述客户端。也就是说,当存在多套不同版本的生物特征识别算法时,客户端无需在本地维护多套算法,而只需从云端服务器接收即可,从而降低了算法更新升级的开销。In step S330, after the comparison is passed and there is a second extraction algorithm of a newer version than the first extraction algorithm, the cloud server sends the second extraction algorithm to the client. That is to say, when there are multiple sets of different versions of biometric identification algorithms, the client does not need to maintain multiple sets of algorithms locally, but only needs to receive them from the cloud server, thereby reducing the cost of algorithm update and upgrade.
在步骤S340中,从所述客户端接收包含第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的,并且在步骤S350中,将所述第二特征值存储在所述特征值库中。通过步骤S340和步骤S350,云端服务器完成了生 物特征信息的注册入库,整个过程对用户做到无感。In step S340, a registration message including a second feature value is received from the client, the second feature value is extracted from the previously collected biometric information using the second extraction algorithm, and the second feature value is extracted from the previously collected biometric information. In step S350, the second feature value is stored in the feature value library. Through steps S340 and S350, the cloud server completes the registration and storage of the biometric information, and the entire process is insensitive to the user.
在一个实施例中,所述注册消息经过加密传输,从而保证传输的安全性。在一个实施例中,所述注册消息还包括第二提取算法的识别号。这样,通过第二提取算法的识别号,云端服务器可选择合适的特征值(子)库来存储第二特征值。In one embodiment, the registration message is encrypted and transmitted, so as to ensure the security of transmission. In one embodiment, the registration message further includes an identification number of the second extraction algorithm. In this way, through the identification number of the second extraction algorithm, the cloud server can select an appropriate feature value (sub) library to store the second feature value.
尽管图3未示出,在一个实施例中,云端服务器执行的身份识别方法3000还包括:在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。在一个实施例中,特征值库可包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在所述第二子特征值库中。在一个实施例中,当所述第一子特征值库中的记录数降为0时,删除与所述第一提取算法对应的关联模块,从而节省出云端服务器的空间。Although not shown in FIG. 3 , in one embodiment, the identification method 3000 performed by the cloud server further includes: after storing the second feature value in the feature value database, removing the second feature value from the feature value database A record corresponding to the first feature value. In one embodiment, the eigenvalue library may include a first sub-eigenvalue library corresponding to the first extraction algorithm and a second sub-eigenvalue library corresponding to the second extraction algorithm, wherein The records corresponding to the eigenvalues are stored in the first sub-eigenvalue library, and the records corresponding to the second eigenvalues are stored in the second sub-eigenvalue library. In one embodiment, when the number of records in the first sub-feature value library drops to 0, the associated module corresponding to the first extraction algorithm is deleted, thereby saving space on the cloud server.
参考图4,图4示出了根据本发明的一个实施例的用于身份识别的云端服务器4000的结构示意图。如图4所示,所述云端服务器4000包括:接收装置410、比对装置420、发送装置430以及存储装置440。其中,接收装置410用于从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;比对装置420用于将所述第一特征值与所述云端服务器中的特征值库进行比对;发送装置430用于在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;以及存储装置440用于将第二特征值存储在所述特征值库中,其中,所述接收装置410还配置成从所述客户端接收包含所述第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的。Referring to FIG. 4, FIG. 4 shows a schematic structural diagram of a cloud server 4000 for identity recognition according to an embodiment of the present invention. As shown in FIG. 4 , the cloud server 4000 includes: a receiving device 410 , a comparing device 420 , a sending device 430 , and a storage device 440 . The receiving device 410 is configured to receive, from the client, a first comparison request message including a first feature value, where the first feature value is obtained from the user's biometric collected by using a first extraction algorithm pre-stored in the client extracted from the feature information; the comparing device 420 is configured to compare the first feature value with the feature value library in the cloud server; the sending device 430 is configured to compare the first feature value after the comparison is passed When extracting the second extraction algorithm of the updated version of the algorithm, send the second extraction algorithm to the client; and the storage device 440 is configured to store the second feature value in the feature value library, wherein the receiving Apparatus 410 is further configured to receive from the client a registration message containing the second characteristic value extracted from the previously collected biometric information using the second extraction algorithm.
在本发明的上下文中,术语“客户端”也称为用户端,是指与云端服务器相对应,为客户提供本地服务的设备或装置。在一个或多个实施例中,该客户端具有一些基本功能,包括采集用户的生物特征信 息的采集功能,以及利用客户端中预存的提取算法从所采集的生物特征信息中提取特征值的数据处理功能等。该客户端可以是用户的智能设备,包括但不限于,用户的手机、笔记本电脑以及头戴式设备。In the context of the present invention, the term "client" is also referred to as a client, and refers to a device or device corresponding to a cloud server that provides local services to clients. In one or more embodiments, the client has some basic functions, including a collection function of collecting biometric information of a user, and extracting data of feature values from the collected biometric information by using an extraction algorithm pre-stored in the client processing functions, etc. The client may be a user's smart device, including but not limited to, the user's mobile phone, a laptop computer, and a head-mounted device.
术语“云端服务器”也称为远端服务器,是指与“客户端”相对应,为客户端提供远程服务的设备或装置。在一个或多个实施例中,云端服务器可为客户端提供在线比对功能,即将从客户端接收的特征值与云端服务器中的特征值库进行比对。而且,该云端服务器还可在比对通过之后且存在更新版本的提取算法时,将更新的提取算法发送给客户端。The term "cloud server" is also referred to as a remote server, which refers to a device or device corresponding to a "client" that provides remote services for the client. In one or more embodiments, the cloud server can provide the client with an online comparison function, which is to compare the feature value received from the client with the feature value library in the cloud server. Moreover, the cloud server can also send the updated extraction algorithm to the client after the comparison is passed and there is an updated version of the extraction algorithm.
在本发明的上下文中,术语“生物特征信息”是指任何可用于进行个人身份鉴定的人体所固有的信息,其包括但不限于,生理特征(例如,指纹、虹膜、面相、DNA等)和行为特征(步态、击键习惯等)。术语“特征值”是指通过特定算法(如提取算法)从生物特征信息中所提取或计算出的属性。In the context of the present invention, the term "biometric information" refers to any information inherent in the human body that can be used for personal identification, including, but not limited to, physiological characteristics (eg, fingerprints, iris, facial features, DNA, etc.) and Behavioral characteristics (gait, keystroke habits, etc.). The term "feature value" refers to an attribute extracted or calculated from biometric information by a specific algorithm, such as an extraction algorithm.
术语“提取算法”也称为“生物特征识别算法”,是指能够从生物特征信息中提取或计算出特征值的算法。该提取算法可根据实际情况而进行调整更新,因此在一个或多个实施例中,提取算法可具有不同版本,例如通过识别号来进行区分。The term "extraction algorithm", also known as "biometric recognition algorithm", refers to an algorithm capable of extracting or calculating feature values from biometric information. The extraction algorithm may be adjusted and updated according to the actual situation, so in one or more embodiments, the extraction algorithm may have different versions, for example, to be distinguished by identification numbers.
在一个实施例中,所述第一比对请求消息和所述注册消息均经过加密传输,这样可保证数据或消息传输的安全性。在一个实施例中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。这样,通过提取算法的识别号,云端服务器可选择合适的特征值(子)库来存储特征值或者选择合适的特征值(子)库来与特征值进行比对。In one embodiment, the first comparison request message and the registration message are both encrypted and transmitted, so as to ensure the security of data or message transmission. In one embodiment, the first comparison request message further includes an identification number of the first extraction algorithm, and the registration message further includes an identification number of the second extraction algorithm. In this way, by extracting the identification number of the algorithm, the cloud server can select an appropriate eigenvalue (sub) library to store the eigenvalues or select an appropriate eigenvalue (sub)library to compare with the eigenvalues.
在一个实施例中,云端服务器4000还可包括:移除装置450,用于在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。在一个实施例中,所述特征值库包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在 所述第二子特征值库中。在该实施例中,移除装置450可配置成在所述第一子特征值库中的记录数降为0时,删除所述第一提取算法对应的关联模块。In one embodiment, the cloud server 4000 may further include: a removing device 450, configured to remove the second characteristic value from the characteristic value library and the first characteristic value from the characteristic value library after the second characteristic value is stored in the characteristic value library. A record corresponding to an eigenvalue. In one embodiment, the eigenvalue library includes a first sub-eigenvalue library corresponding to the first extraction algorithm and a second sub-eigenvalue library corresponding to the second extraction algorithm, wherein the A record corresponding to a feature value is stored in the first sub-feature value library, and a record corresponding to the second feature value is stored in the second sub-feature value library. In this embodiment, the removing device 450 may be configured to delete the associated module corresponding to the first extraction algorithm when the number of records in the first sub-feature value library decreases to 0.
一般而言,如果不考虑提取算法的升级,那么基于特征值的生物识别系统(包括客户端以及云端服务器)可分为前期注册以及在线比对两个阶段。其中,前期注册是指用户第一次在系统中注册自己的生物特征,在客户端采集生物特征信息或原图后,直接在客户端进行特征值的提取,随后将特征值传输至云端进行存储入库。在线比对则是在之后的验证环节,当用户发起一次认证,客户端会采集生物特征信息或原图并提取特征值,将特征值传输至云端后,云端服务器的特征值比对算法会将其与特征值库进行1:1或者1:N的比对,从而验证判断本次的验证值与注册的特征值的距离是否在一个阈值区间之内。Generally speaking, if the upgrade of the extraction algorithm is not considered, the biometric identification system (including the client and the cloud server) based on the feature value can be divided into two stages: pre-registration and online comparison. Among them, early registration refers to the first time that a user registers his biometrics in the system. After collecting biometric information or original image on the client, the feature value is directly extracted on the client, and then the feature value is transmitted to the cloud for storage. Inventory. Online comparison is in the subsequent verification process. When the user initiates an authentication, the client will collect the biometric information or the original image and extract the feature value. After the feature value is transmitted to the cloud, the feature value comparison algorithm of the cloud server will It performs a 1:1 or 1:N comparison with the eigenvalue library, so as to verify and judge whether the distance between the current verification value and the registered eigenvalue is within a threshold interval.
图5示出了根据本发明的一个实施例的身份识别系统在算法更新场景下的平滑升级方案。如图5所示,升级的过程并不会通知所有的用户在指定的时间段内完成统一升级,而是在用户发起一次新的验证比对的时刻进行。当用户发起识别比对时,客户端仍然用现有版本(N版本)的特征值提取算法提取特征值,之后传输至云端服务器,并且云端服务器用N版本的特征值比对算法进行判别比对。如果比对不通过,则云端服务器返回比对失败。一旦比对通过后,云端服务程序发现有新版本(N+1版本)的算法,则直接将N+1版的特征值算法推送至客户端,客户端将特征值算法由N版更新为N+1版本,与此同时,再对本次采集的原图进行N+1版的特征值提取,并且传输至云端服务器,进行N+1版本的特征值注册入库,由此既完成了N版本的比对,又完成了N+1版本的特征值注册,而整个过程对于用户完全没有感知(因为采集特征的过程只有一次,其他过程都由客户端与云端服务端自动完成)。FIG. 5 shows a smooth upgrade solution of an identity recognition system in an algorithm update scenario according to an embodiment of the present invention. As shown in FIG. 5 , the upgrade process does not notify all users to complete the unified upgrade within a specified time period, but is performed when the user initiates a new verification and comparison. When the user initiates identification and comparison, the client still uses the existing version (N version) of the feature value extraction algorithm to extract the feature value, and then transmits it to the cloud server, and the cloud server uses the N version of the feature value comparison algorithm to discriminate and compare . If the comparison fails, the cloud server returns the comparison failure. Once the comparison is passed, the cloud service program finds that there is a new version (N+1 version) of the algorithm, and directly pushes the N+1 version of the eigenvalue algorithm to the client, and the client updates the eigenvalue algorithm from N version to N +1 version, at the same time, extract the feature value of the N+1 version of the original image collected this time, and transmit it to the cloud server, and register the feature value of the N+1 version into the database, thus completing the N+1 version. The version comparison completed the feature value registration of the N+1 version, and the whole process was completely unaware of the user (because the process of collecting features is only once, and other processes are automatically completed by the client and the cloud server).
进一步参考图6,其示出了根据本发明的一个实施例的身份识别系统的识别过程。与图5所示的过程对应,在后续每次发起识别的过程中,也即在特征值提取的步骤,会捎带上识别算法的版本号(更新后为N+1版本),由此,当该特征值经加密传输到云端服务器后,云 端服务器会根据版本号匹配到相对应的后端特征值比对程序,从而实现正确的比对识别。在云端服务器侧,当每次有新的比对请求涉及到更新比对算法时,将在新的特征值库中插入一条记录。一种优化的做法是,在新特征值库中插入一条记录的同时,还可以删除老版本特征值库中对应的记录。当老版本特征值库中的条目数降为0时,说明该版本已经被完全替换,则可以删除该版本的特征值库,同时也可以删除该版本所对应的特征比对算法等关联模块,从而节省出系统的空间。Referring further to FIG. 6, it shows the identification process of the identification system according to one embodiment of the present invention. Corresponding to the process shown in Figure 5, in the subsequent process of initiating identification, that is, in the step of feature value extraction, the version number of the identification algorithm (the N+1 version after the update) will be piggybacked. Therefore, when After the feature value is encrypted and transmitted to the cloud server, the cloud server will match the corresponding back-end feature value comparison program according to the version number, so as to achieve correct comparison and identification. On the cloud server side, each time a new comparison request involves updating the comparison algorithm, a record will be inserted into the new feature value library. An optimized approach is to insert a record in the new eigenvalue library, and at the same time delete the corresponding record in the old version eigenvalue library. When the number of entries in the eigenvalue library of the old version drops to 0, it means that this version has been completely replaced, then the eigenvalue library of this version can be deleted, and the associated modules such as the feature comparison algorithm corresponding to this version can also be deleted. This saves system space.
以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的模块也可以不是物理上分开的,即可以位于一个地方,或者也可以分布到多个网络模块上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下,即可以理解并实施。The apparatus embodiments described above are only illustrative, wherein the modules described as separate components may not be physically separated, that is, they may be located in one place, or may be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
通过以上各种实施方式的描述,本领域的技术人员可以清楚地了解到各实施方式可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件。基于这样的理解,上述技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,所述计算机可读记录介质包括用于以计算机(例如计算机)可读的形式存储或传送信息的任何机制。例如,机器可读介质包括只读存储器(ROM)、随机存取存储器(RAM)、磁盘存储介质、光存储介质、闪速存储介质、电、光、声或其他形式的传播信号(例如,载波、红外信号、数字信号等)等,该计算机软件产品包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行各个实施例或者实施例的某些部分所述的方法。From the description of the various embodiments above, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or in the form of contributions to the prior art, and the computer software products can be stored in a computer-readable storage medium, the computer-readable recording A medium includes any mechanism for storing or transmitting information in a form readable by a computer (eg, a computer). Machine-readable media include, for example, read only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash storage media, electrical, optical, acoustic, or other forms of propagated signals (eg, carrier waves) , infrared signals, digital signals, etc.), etc., the computer software product includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the various embodiments or certain parts of the embodiments. Methods.
综上所述,本申请的技术方案在不存储生物特征明文的基本前提下,能够实现:To sum up, the technical solution of the present application can realize the following on the basic premise of not storing the plaintext of biometrics:
1)用户无感:在算法升级时,无需要求用户重新再采集一遍生物特征信息,可以对用户做到无感;1) User insensitivity: When the algorithm is upgraded, there is no need to ask the user to collect biometric information again, which can be insensitive to the user;
2)客户端保持低处理复杂度与存储开销:客户端无需维护并存 储多套的生物特征算法识别版本,几乎对客户端不额外增加处理与存储的负担。2) The client maintains low processing complexity and storage overhead: the client does not need to maintain and store multiple sets of biometric algorithm identification versions, and almost no additional processing and storage burdens are imposed on the client.
最终的效果是使得基于特征值的身份识别系统能够保障生物特征隐私的同时,又能够实现算法升级的可用与易用。The final effect is that the eigenvalue-based identification system can ensure the privacy of biometrics, and at the same time, it can realize the availability and ease of use of algorithm upgrades.
本申请是参照根据本申请实施例的方法、装置(设备)和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (apparatus) and computer program products according to embodiments of the present application. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.
尽管已描述了本申请的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本申请范围的所有变更和修改。显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。While the preferred embodiments of the present application have been described, additional changes and modifications to these embodiments may occur to those skilled in the art once the basic inventive concepts are known. Therefore, the appended claims are intended to be construed to include the preferred embodiment and all changes and modifications that fall within the scope of this application. Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include these modifications and variations.

Claims (26)

  1. 一种客户端执行的身份识别方法,其特征在于,所述方法包括:An identity recognition method performed by a client, characterized in that the method comprises:
    采集用户的生物特征信息;Collect the user's biometric information;
    利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;Extract the first feature value from the biometric information by using the first extraction algorithm pre-stored in the client;
    将包含所述第一特征值的第一比对请求消息发送至云端服务器;sending the first comparison request message containing the first feature value to the cloud server;
    从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本;receiving a second extraction algorithm from the cloud server, the second extraction algorithm being an updated version of the first extraction algorithm;
    利用所述第二提取算法从所述生物特征信息中提取第二特征值;以及extracting a second feature value from the biometric information using the second extraction algorithm; and
    将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。Sending a registration message containing the second characteristic value to the cloud server for storing the second characteristic value.
  2. 如权利要求1所述的身份识别方法,还包括:The identification method of claim 1, further comprising:
    删除所述第一提取算法。Delete the first extraction algorithm.
  3. 如权利要求1所述的身份识别方法,其中,所述第一比对请求消息和所述注册消息均经过加密传输。The identification method according to claim 1, wherein the first comparison request message and the registration message are both encrypted and transmitted.
  4. 如权利要求1所述的身份识别方法,其中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。The identification method of claim 1, wherein the first comparison request message further includes an identification number of the first extraction algorithm, and the registration message further includes an identification number of the second extraction algorithm.
  5. 如权利要求1所述的身份识别方法,其中,在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,从所述云端服务器接收所述第二提取算法。The identification method according to claim 1, wherein the second extraction algorithm is received from the cloud server after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm.
  6. 如权利要求1或5所述的身份识别方法,还包括:The identification method according to claim 1 or 5, further comprising:
    采集该用户的第二生物特征信息;collecting the second biometric information of the user;
    利用所述客户端中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;以及extracting a third feature value from the second biometric information using the second extraction algorithm in the client; and
    将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。Sending a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
  7. 一种用于身份识别的客户端,其特征在于,所述客户端包括:A client for identity identification, characterized in that the client comprises:
    采集装置,用于采集用户的生物特征信息;a collection device for collecting the biometric information of the user;
    提取装置,用于利用所述客户端中预存的第一提取算法从所述生物特征信息中提取第一特征值;an extraction device, configured to extract a first feature value from the biometric information by using a first extraction algorithm pre-stored in the client;
    发送装置,用于将包含所述第一特征值的第一比对请求消息发送至云端服务器;以及a sending device, configured to send a first comparison request message including the first feature value to a cloud server; and
    接收装置,用于从所述云端服务器接收第二提取算法,所述第二提取算法是所述第一提取算法的更新版本,a receiving device, configured to receive a second extraction algorithm from the cloud server, where the second extraction algorithm is an updated version of the first extraction algorithm,
    其中,所述提取装置还配置成利用所述第二提取算法从所述生物特征信息中提取第二特征值,所述发送装置还配置成将包含所述第二特征值的注册消息发送至所述云端服务器以便存储所述第二特征值。Wherein, the extraction device is further configured to extract a second feature value from the biometric information by using the second extraction algorithm, and the sending device is further configured to send a registration message containing the second feature value to the the cloud server to store the second feature value.
  8. 如权利要求7所述的客户端,还包括:The client of claim 7, further comprising:
    删除装置,用于删除所述第一提取算法。A deletion device is used to delete the first extraction algorithm.
  9. 如权利要求7所述的客户端,其中,所述发送装置配置成将所述第一比对请求消息和所述注册消息经过加密来进行传输。The client of claim 7, wherein the sending means is configured to encrypt the first comparison request message and the registration message for transmission.
  10. 如权利要求7所述的客户端,其中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。8. The client of claim 7, wherein the first comparison request message further includes an identification number of the first extraction algorithm, and the registration message further includes an identification number of the second extraction algorithm.
  11. 如权利要求7所述的客户端,其中,所述接收装置配置成在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,从所述云端服务器接收所述第二提取算法。The client of claim 7, wherein the receiving means is configured to receive the first extraction algorithm from the cloud server after the comparison is passed and when there is a second extraction algorithm with a newer version than the first extraction algorithm Second extraction algorithm.
  12. 如权利要求7或11所述的客户端,其中,所述采集装置还配置成采集该用户的第二生物特征信息;所述提取装置还配置成利用所述客户端中的所述第二提取算法从所述第二生物特征信息中提取第三特征值;并且所述发送装置还配置成将包含所述第三特征值和所述第二提取算法的识别号的第二比对请求消息发送至所述云端服务器。The client according to claim 7 or 11, wherein the collecting means is further configured to collect second biometric information of the user; the extracting means is further configured to utilize the second extraction in the client an algorithm extracts a third feature value from the second biometric information; and the sending device is further configured to send a second comparison request message containing the third feature value and the identification number of the second extraction algorithm to the cloud server.
  13. 一种云端服务器执行的身份识别方法,其特征在于,所述方法包括:An identity recognition method performed by a cloud server, characterized in that the method comprises:
    从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;receiving, from the client, a first comparison request message including a first feature value, where the first feature value is extracted from the collected biometric information of the user by using a first extraction algorithm pre-stored in the client;
    将所述第一特征值与所述云端服务器中的特征值库进行比对;comparing the first characteristic value with the characteristic value library in the cloud server;
    在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;After the comparison is passed and there is a second extraction algorithm of a newer version than the first extraction algorithm, sending the second extraction algorithm to the client;
    从所述客户端接收包含第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的;以及receiving from the client a registration message containing a second feature value extracted from the previously collected biometric information using the second extraction algorithm; and
    将所述第二特征值存储在所述特征值库中。The second eigenvalue is stored in the eigenvalue library.
  14. 如权利要求13所述的身份识别方法,其中,所述第一比对请求消息和所述注册消息均经过加密传输。The identification method according to claim 13, wherein the first comparison request message and the registration message are both encrypted and transmitted.
  15. 如权利要求13所述的身份识别方法,其中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。The identification method of claim 13, wherein the first comparison request message further includes an identification number of the first extraction algorithm, and the registration message further includes an identification number of the second extraction algorithm.
  16. 如权利要求13所述的身份识别方法,还包括:The identification method of claim 13, further comprising:
    在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。After storing the second feature value in the feature value library, the record corresponding to the first feature value is removed from the feature value library.
  17. 如权利要求16所述的身份识别方法,其中,所述特征值库包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在所述第二子特征值库中。The identification method according to claim 16, wherein the feature value library comprises a first sub-feature value library corresponding to the first extraction algorithm and a second sub-feature value library corresponding to the second extraction algorithm , wherein the records corresponding to the first eigenvalues are stored in the first sub-eigenvalue library, and the records corresponding to the second eigenvalues are stored in the second sub-eigenvalue library.
  18. 如权利要求17所述的身份识别方法,其中,当所述第一子特征值库中的记录数降为0时,删除所述第一提取算法对应的关联模块。The identification method according to claim 17, wherein when the number of records in the first sub-feature value library drops to 0, the association module corresponding to the first extraction algorithm is deleted.
  19. 一种云端服务器,其特征在于,所述云端服务器包括:A cloud server, characterized in that the cloud server comprises:
    接收装置,用于从客户端接收包含第一特征值的第一比对请求消息,所述第一特征值是利用所述客户端中预存的第一提取算法从所采集的用户的生物特征信息中提取的;A receiving device, configured to receive a first comparison request message including a first feature value from a client, where the first feature value is obtained from the user's biometric information using a first extraction algorithm pre-stored in the client extracted from;
    比对装置,用于将所述第一特征值与所述云端服务器中的特征值库进行比对;a comparison device, configured to compare the first feature value with a feature value library in the cloud server;
    发送装置,用于在比对通过之后且存在比所述第一提取算法更新版本的第二提取算法时,将所述第二提取算法发送给所述客户端;以 及A sending device, configured to send the second extraction algorithm to the client after the comparison is passed and when there is a second extraction algorithm of a newer version than the first extraction algorithm; and
    存储装置,用于将第二特征值存储在所述特征值库中,a storage device for storing the second eigenvalue in the eigenvalue library,
    其中,所述接收装置还配置成从所述客户端接收包含所述第二特征值的注册消息,所述第二特征值是利用所述第二提取算法从之前所采集的所述生物特征信息中提取的。Wherein, the receiving device is further configured to receive from the client a registration message including the second characteristic value, where the second characteristic value is obtained from the biometric information previously collected by using the second extraction algorithm extracted from.
  20. 如权利要求19所述的云端服务器,其中,所述第一比对请求消息和所述注册消息均经过加密传输。The cloud server of claim 19, wherein the first comparison request message and the registration message are both encrypted and transmitted.
  21. 如权利要求19所述的云端服务器,其中,所述第一比对请求消息还包括第一提取算法的识别号,并且所述注册消息还包括第二提取算法的识别号。The cloud server of claim 19, wherein the first comparison request message further includes an identification number of the first extraction algorithm, and the registration message further includes an identification number of the second extraction algorithm.
  22. 如权利要求19所述的云端服务器,还包括:The cloud server of claim 19, further comprising:
    移除装置,用于在将所述第二特征值存储在所述特征值库之后,从所述特征值库中移除与所述第一特征值对应的记录。A removing device is configured to remove a record corresponding to the first characteristic value from the characteristic value library after the second characteristic value is stored in the characteristic value library.
  23. 如权利要求22所述的云端服务器,其中,所述特征值库包括对应于所述第一提取算法的第一子特征值库和对应于所述第二提取算法的第二子特征值库,其中,与所述第一特征值对应的记录存储在所述第一子特征值库中,而与所述第二特征值对应的记录存储在所述第二子特征值库中。The cloud server according to claim 22, wherein the eigenvalue library comprises a first sub-eigenvalue library corresponding to the first extraction algorithm and a second sub-eigenvalue library corresponding to the second extraction algorithm, The records corresponding to the first feature values are stored in the first sub-feature value library, and the records corresponding to the second feature values are stored in the second sub-feature value library.
  24. 如权利要求23所述的云端服务器,其中,所述移除装置还配置成在所述第一子特征值库中的记录数降为0时,删除所述第一子特征值库以及与所述第一提取算法对应的关联模块。The cloud server according to claim 23, wherein the removing means is further configured to delete the first sub-eigenvalue library and the related The association module corresponding to the first extraction algorithm described above.
  25. 一种计算机存储介质,其特征在于,所述介质包括指令,所述指令在运行时执行如权利要求1至6、13至18中任一项所述的身份识别方法。A computer storage medium, characterized in that, the medium comprises instructions, and the instructions execute the identification method according to any one of claims 1 to 6 and 13 to 18 when running.
  26. 一种身份识别系统,其包括如权利要求7至12中任一项所述的客户端以及如权利要求19至24中任一项所述的云端服务器。An identification system, comprising the client according to any one of claims 7 to 12 and the cloud server according to any one of claims 19 to 24.
PCT/CN2021/075547 2020-08-03 2021-02-05 Client, cloud server and identity recognition method therefor, system, and computer storage medium WO2022027948A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010766784.4 2020-08-03
CN202010766784.4A CN112418863B (en) 2020-08-03 2020-08-03 Client, cloud server, and identity recognition method, system and computer storage medium thereof

Publications (1)

Publication Number Publication Date
WO2022027948A1 true WO2022027948A1 (en) 2022-02-10

Family

ID=74844129

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/075547 WO2022027948A1 (en) 2020-08-03 2021-02-05 Client, cloud server and identity recognition method therefor, system, and computer storage medium

Country Status (3)

Country Link
CN (1) CN112418863B (en)
TW (1) TWI781546B (en)
WO (1) WO2022027948A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113095430B (en) * 2021-04-26 2022-02-01 北京瑞莱智慧科技有限公司 Model updating method capable of protecting privacy, object identification method, system, device, medium and equipment
CN116955476A (en) * 2022-11-22 2023-10-27 腾讯科技(深圳)有限公司 Feature synchronization method, device, server, storage medium, and program product
CN116992422B (en) * 2023-09-05 2024-01-09 腾讯科技(深圳)有限公司 Biological data processing method, apparatus, device and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420301A (en) * 2008-04-21 2009-04-29 林格灵 Human face recognizing identity authentication system
CN101436247A (en) * 2007-11-12 2009-05-20 中国长城计算机深圳股份有限公司 Biological personal identification method and system based on UEFI
CN101714918A (en) * 2009-10-23 2010-05-26 浙江维尔生物识别技术股份有限公司 Safety system for logging in VPN and safety method for logging in VPN
CN102223233A (en) * 2011-06-15 2011-10-19 刘洪利 Biological code authentication system and biological code authentication method
CN105160302A (en) * 2015-08-10 2015-12-16 西安凯虹电子科技有限公司 Multi-model biological recognition general platform and multi-model biological recognition identity authentication method
CN109583165A (en) * 2018-10-12 2019-04-05 阿里巴巴集团控股有限公司 A kind of biological information processing method, device, equipment and system
US10296734B2 (en) * 2015-01-27 2019-05-21 Idx Technologies Inc. One touch two factor biometric system and method for identification of a user utilizing a portion of the person's fingerprint and a vein map of the sub-surface of the finger

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI416366B (en) * 2009-10-12 2013-11-21 Htc Corp Method, electronic apparatus and computer program product for creating biologic feature data
US9084411B1 (en) * 2014-04-10 2015-07-21 Animal Biotech Llc Livestock identification system and method
CN104980278B (en) * 2014-04-14 2018-11-16 阿里巴巴集团控股有限公司 The method and apparatus for verifying the availability of biometric image
CN110674695B (en) * 2019-08-27 2023-12-15 腾讯科技(深圳)有限公司 Service providing method, device, equipment and medium based on identity information identification

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436247A (en) * 2007-11-12 2009-05-20 中国长城计算机深圳股份有限公司 Biological personal identification method and system based on UEFI
CN101420301A (en) * 2008-04-21 2009-04-29 林格灵 Human face recognizing identity authentication system
CN101714918A (en) * 2009-10-23 2010-05-26 浙江维尔生物识别技术股份有限公司 Safety system for logging in VPN and safety method for logging in VPN
CN102223233A (en) * 2011-06-15 2011-10-19 刘洪利 Biological code authentication system and biological code authentication method
US10296734B2 (en) * 2015-01-27 2019-05-21 Idx Technologies Inc. One touch two factor biometric system and method for identification of a user utilizing a portion of the person's fingerprint and a vein map of the sub-surface of the finger
CN105160302A (en) * 2015-08-10 2015-12-16 西安凯虹电子科技有限公司 Multi-model biological recognition general platform and multi-model biological recognition identity authentication method
CN109583165A (en) * 2018-10-12 2019-04-05 阿里巴巴集团控股有限公司 A kind of biological information processing method, device, equipment and system

Also Published As

Publication number Publication date
CN112418863B (en) 2023-09-01
TWI781546B (en) 2022-10-21
CN112418863A (en) 2021-02-26
TW202207130A (en) 2022-02-16

Similar Documents

Publication Publication Date Title
WO2022027948A1 (en) Client, cloud server and identity recognition method therefor, system, and computer storage medium
AU2021201911B2 (en) Methods and devices for acquiring and recording tracking information on blockchain
US10182051B1 (en) Systems and methods for providing block chain-based multifactor personal identity verification
US10484178B2 (en) Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features
US20180343120A1 (en) Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features
US20190318077A1 (en) Visual data processing of response images for authentication
WO2020006252A1 (en) Biometric authentication
US11811937B2 (en) Biometric digital signature generation for identity verification
US11711215B2 (en) Methods, systems, and media for secure authentication of users based on a biometric identifier and knowledge-based secondary information
KR101942684B1 (en) System of Providing Virtual Money Storage Service Based on Multiple Certification
US11502842B2 (en) Cluster-based security for network devices
WO2019209291A1 (en) Systems and methods for providing a universal decentralized solution for verification of users with cross-verification features
CN111738717B (en) Digital wallet security protection method and device, electronic equipment and storage medium
Brown et al. A novel multimodal biometric authentication system using machine learning and blockchain
Raina Integration of Biometric authentication procedure in customer oriented payment system in trusted mobile devices.
US20200028847A1 (en) Authentication method and authentication device
Wu et al. Multibiometric fusion authentication in wireless multimedia environment using dynamic Bayesian method
JP2021002084A (en) Authentication system, authentication method, and authentication program
US20240022562A1 (en) Systems, methods, and non-transitory computer-readable media for biometrically confirming trusted engagement
US20230112458A1 (en) Multi-Biometric Authentication System
Boldea et al. Facial recognition technology used in the payment system
JPH10177553A (en) Network security system
OA18670A (en) Systems and methods for providing block chain-based multifactor personal identity verification
KR20140089236A (en) A method for processing certification for on-line banking

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21854144

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21854144

Country of ref document: EP

Kind code of ref document: A1