CN102916968B - Identity identifying method, authentication server and identification authentication system - Google Patents

Info

Publication number
CN102916968B
Authority
CN (China)
Prior art keywords
certificate server, authentication, client, user, feature
Legal status
Active
Application number
CN201210421519.8A
Other languages
Chinese (zh)
Other versions
CN102916968A (en)
Inventor
杨春林
Current Assignee
Beijing Eye Intelligent Technology Co Ltd; Beijing Eyecool Technology Co Ltd
Original Assignee
Beijing Techshino Technology Co Ltd
Application filed by Beijing Techshino Technology Co Ltd; priority to CN201210421519.8A; publication of CN102916968A; application granted; publication of CN102916968B; legal status active.

Landscapes

  • Collating Specific Patterns (AREA)

Abstract

The invention discloses an identity authentication method, an authentication server and an identity authentication device. The method comprises: the authentication server receives a biometric authentication request sent by a client; the authentication server returns a randomly generated challenge number to the client; the authentication server receives a dynamic verification password sent by the client, where the dynamic verification password is generated from the time at which the client received the challenge number, the challenge number, the user's biometric feature and a first subkey pre-stored at the client; the authentication server generates a dynamic password from the time at which the authentication server received the dynamic verification password, the challenge number, the user's biometric feature and a second subkey; and the authentication server verifies whether the dynamic password is consistent with the dynamic verification password and returns an identity authentication result to the client according to the verification result. By the present invention, the security of the dynamic password is guaranteed by the biometric feature, ensuring the authenticity and reliability of user identity authentication.

Description

Identity authentication method, authentication server and identity authentication device
Technical field
The present invention relates to the field of the Internet, and in particular to an identity authentication method, an authentication server and an identity authentication device.
Background technology
With the development of the Internet and e-commerce, computer network applications have penetrated every trade and profession, and global informatization has become the main trend of human development. Network security problems have become particularly severe in recent years: users are frequently attacked by hackers, Trojans and malware, and stolen bank accounts, stolen funds and impersonated user identities are common occurrences. The password information of six million CSDN users was leaked, and the e-commerce giant Amazon China ran into the same crisis; all these network security vulnerabilities have made people worry about network security, and the identity authentication mode of "user number + password" no longer meets network security requirements.
To address the poor security of static passwords, the safer identity authentication methods in current use rely on dynamic password authentication or on biometric recognition. In dynamic password authentication, however, the dynamic token can be copied, the token has no binding relationship with the user, and the elements used to generate the dynamic password are unrelated to the user and carry no individual user difference; so once someone else obtains the token and its password, the dynamic password has lost its security meaning. The security of prior-art identity authentication methods based on dynamic passwords is therefore still insufficient.
No effective solution has yet been proposed for the problem in the related art that identity authentication methods based on dynamic passwords have poor security.
Summary of the invention
The main purpose of the present invention is to provide an identity authentication method, an authentication server and an identity authentication device, so as to solve the problem that identity authentication methods based on dynamic passwords have poor security.
To achieve this goal, according to one aspect of the present invention, an identity authentication method is provided.
The identity authentication method according to the present invention comprises: the authentication server receives a biometric authentication request sent by the client, where the biometric authentication request comprises the user's biometric feature; the authentication server returns a randomly generated challenge number to the client; the authentication server receives a dynamic verification password sent by the client, where the dynamic verification password is generated from the time TM1 at which the client received the challenge number, the challenge number, the user's biometric feature and a first subkey pre-stored at the client; the authentication server generates a dynamic password from the time TM at which the authentication server received the dynamic verification password, the challenge number, the user's biometric feature and a second subkey, where the second subkey is the key corresponding to the first subkey; and the authentication server verifies whether the dynamic password is consistent with the dynamic verification password and returns an identity authentication result to the client according to the verification result.
Further, before receiving the biometric authentication request sent by the client, the method also comprises: the authentication server receives a registration request sent by the client, where the registration request comprises identification information of the acquisition device used to collect the user's biometric feature; on receiving the registration request, the authentication server randomly generates a seed key and stores the randomly generated seed key in correspondence with the identification information; and the authentication server returns the randomly generated seed key to the client, where the first subkey and the second subkey are the randomly generated seed key, the biometric authentication request also comprises the identification information, and the authentication server obtains the second subkey according to the identification information when generating the dynamic password.
Further, before returning the randomly generated challenge number to the client, the method also comprises: the authentication server compares the user's biometric feature with the user biometric features it has received historically to determine whether a first preset condition is met, and generates an attack warning when the first preset condition is met; the authentication server returns the attack warning to the client.
Further, before returning the randomly generated challenge number to the client, the method also comprises: the authentication server queries the pre-stored biometric template library for a biometric template matching the user's biometric feature; when the authentication server finds no biometric template, it returns biometric authentication failure information to the client, and when it finds a biometric template, it modifies the biometric template library according to the user's biometric feature, where returning the randomly generated challenge number to the client comprises: when the authentication server finds a biometric template, it returns the randomly generated challenge number to the client.
Further, the authentication server modifying the biometric template library according to the user's biometric feature comprises: when the user's biometric feature is a facial feature and the facial feature meets a preset face fusion requirement, the authentication server adds the facial feature to the biometric template library; when the user's biometric feature is an iris feature and the iris feature meets a preset iris fusion requirement, the authentication server adds the iris feature to the biometric template library; when the user's biometric feature is a fingerprint feature, the authentication server increases the matching weight coefficients of the feature points in the biometric template that match the fingerprint feature and reduces the matching weight coefficients of the feature points in the biometric template that do not match it; and when the user's biometric feature is a palm print feature, the authentication server increases the matching weight coefficients of the feature points in the biometric template that match the palm print feature and reduces the matching weight coefficients of the feature points in the biometric template that do not match it.
Further, when the user's biometric feature is a facial feature that meets the preset face fusion requirement, the authentication server adding the facial feature data to the biometric template library comprises: when the face state corresponding to the facial feature does not exist among the face states corresponding to the biometric template, the authentication server adds the facial feature data to the biometric template library, and when the difference between the time at which the authentication server received the facial feature and the creation time of the biometric template exceeds a preset time interval, the authentication server adds the facial feature data to the biometric template library. When the user's biometric feature is an iris feature that meets the preset iris fusion requirement, the authentication server adding the iris feature data to the biometric template library comprises: when the difference between the pupil radius corresponding to the iris feature and the pupil radius corresponding to the biometric template exceeds a preset radius difference, the authentication server adds the iris feature data to the biometric template library; when the difference between the distance from the eyelid parabola to the pupil centre corresponding to the iris feature and the pupil radius exceeds a preset interval difference, the authentication server adds the iris feature data to the biometric template library; when the eyelash noise proportion in the iris noise template corresponding to the iris feature exceeds a preset noise proportion, the authentication server adds the iris feature data to the biometric template library; and when there is no light spot in the pupil corresponding to the iris feature, the authentication server adds the iris feature data to the biometric template library.
Further, before the authentication server generates the dynamic password, the method also comprises: the authentication server receives TM1 sent by the client; the authentication server judges whether |TM - TM1| exceeds a preset difference range; and when |TM - TM1| exceeds the preset difference range, the authentication server returns timeout information to the client, where the authentication server generating the dynamic password comprises: when |TM - TM1| does not exceed the preset difference range, the authentication server generates the dynamic password.
Further, the authentication server generating the dynamic password comprises: when |TM - TM1| does not exceed the preset difference range, generating a group of dynamic passwords according to the times between TM and TM1; and the authentication server verifying whether the dynamic password is consistent with the dynamic verification password comprises: the authentication server verifies whether the dynamic verification password is consistent with any one dynamic password in the group of dynamic passwords.
To achieve this goal, according to another aspect of the present invention, an authentication server is provided.
The authentication server according to the present invention comprises: an authentication request receiving module for receiving the biometric authentication request sent by the client, where the biometric authentication request comprises the user's biometric feature; an authentication request response module for returning a randomly generated challenge number to the client; a verification password receiving module for receiving the dynamic verification password sent by the client, where the dynamic verification password is generated from the time TM1 at which the client received the challenge number, the challenge number, the user's biometric feature and the first subkey pre-stored at the client; a dynamic password generation module for generating a dynamic password from the time TM at which the authentication server received the dynamic verification password, the challenge number, the user's biometric feature and the second subkey, where the second subkey is the key corresponding to the first subkey; a password verification module for verifying whether the dynamic password is consistent with the dynamic verification password; and an authentication result sending module for returning an identity authentication result to the client according to the verification result.
Further, the authentication server also comprises: a registration request receiving module for receiving the registration request sent by the client, where the registration request comprises identification information of the acquisition device that collects the user's biometric feature; a seed key generation module for randomly generating a seed key when the registration request is received; a seed key storage module for storing the randomly generated seed key in correspondence with the identification information; and a registration request response module for returning the randomly generated seed key to the client, where the first subkey and the second subkey are the randomly generated seed key, the biometric authentication request also comprises the identification information, and the dynamic password generation module also obtains the second subkey according to the identification information.
Further, the authentication server also comprises an attack detection module for comparing the user's biometric feature with the user biometric features the authentication request receiving module has received historically to determine whether a first preset condition is met, and for generating an attack warning when the first preset condition is met, where the authentication request response module also returns the attack warning to the client.
Further, the authentication server also comprises: a feature query module for querying the pre-stored biometric template library for a biometric template matching the user's biometric feature; and a feature fusion module for modifying the biometric template library according to the user's biometric feature when the feature query module finds a biometric template, where the authentication request response module also returns biometric authentication failure information to the client when no biometric template is found and returns the randomly generated challenge number to the client when a biometric template is found.
To achieve this goal, according to a further aspect of the present invention, an identity authentication device is provided.
The identity authentication device according to the present invention is arranged at the client and comprises: an authentication request sending module for sending a biometric authentication request to the authentication server, where the biometric authentication request comprises the user's biometric feature; an authentication response receiving module for receiving the challenge number randomly generated by the authentication server; a dynamic verification password generation module for generating the dynamic verification password from the time TM1 at which the client received the challenge number, the challenge number, the user's biometric feature and the first subkey pre-stored at the client; a dynamic verification password sending module for sending the dynamic verification password to the authentication server; and an authentication result receiving module for receiving the identity authentication result returned by the authentication server, where the identity authentication result is generated by the authentication server according to whether the dynamic password is verified to be consistent with the dynamic verification password, and the dynamic password is generated from the time TM at which the authentication server received the dynamic verification password, the challenge number, the user's biometric feature and the second subkey corresponding to the first subkey.
Further, the identity authentication device also comprises: a registration request sending module for sending a registration request to the authentication server, where the registration request comprises identification information of the identity authentication device; and a registration response receiving module for receiving the randomly generated seed key returned by the authentication server, where the first subkey and the second subkey are the randomly generated seed key, and the biometric authentication request also comprises the identification information.
Further, the identity authentication device also comprises an attack warning receiving module for receiving the attack warning returned by the authentication server, where the attack warning indicates that the user's biometric feature and a user biometric feature received historically by the authentication server meet the first preset condition.
By the present invention, an identity authentication method comprising the following steps is adopted: the authentication server receives the biometric authentication request sent by the client; the authentication server returns a randomly generated challenge number to the client; the authentication server receives the dynamic verification password sent by the client; the authentication server generates a dynamic password; and the authentication server verifies whether the dynamic password is consistent with the dynamic verification password and returns an identity authentication result to the client according to the verification result. The biometric feature takes part in the computation of the dynamic password, which solves the problem that identity authentication methods based on dynamic passwords have poor security, so that the security of the dynamic password is guaranteed by the biometric feature and the authenticity and reliability of user identity authentication are ensured.
Brief description of the drawings
The accompanying drawings, which form part of this application, are provided to give a further understanding of the present invention; the schematic embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a block diagram of an identity authentication system according to a first embodiment of the present invention;
Fig. 2 is a block diagram of an identity authentication system according to a second embodiment of the present invention;
Fig. 3 is a schematic diagram of the composition of the authentication server in the embodiment shown in Fig. 2;
Fig. 4 is a schematic diagram of the composition of the identity authentication device in the embodiment shown in Fig. 2;
Fig. 5 is a flow chart of an identity authentication method according to a first embodiment of the present invention;
Fig. 6 is a flow chart of user ID and biometric template registration according to an embodiment of the present invention;
Fig. 7 is a flow chart of biometric recognition according to an embodiment of the present invention;
Fig. 8 is a flow chart of dynamic password verification according to an embodiment of the present invention; and
Fig. 9 is a flow chart of an identity authentication method according to a third embodiment of the present invention.
Detailed description of the embodiments
It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments can be combined with one another. The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
This embodiment first provides an embodiment of an identity authentication system.
Fig. 1 is a block diagram of an identity authentication system according to a first embodiment of the present invention. As shown in Fig. 1, the identity authentication system comprises an authentication server 20 and an identity authentication device 40 integrated in the client. The authentication server 20 comprises an authentication request receiving module 21, an authentication request response module 22, a verification password receiving module 23, a dynamic password generation module 24, a password verification module 25 and an authentication result sending module 26; the identity authentication device 40 comprises an authentication request sending module 41, an authentication response receiving module 42, a dynamic verification password generation module 43, a dynamic verification password sending module 44 and an authentication result receiving module 45.
The flow by which this identity authentication system completes one identity authentication is as follows:
First, the user operates the identity authentication device 40 to complete the collection and storage of the user's biometric feature; the feature acquisition device may be a separately arranged sensor or an acquisition device integrated in the client. The authentication request sending module 41 of the identity authentication device 40 then organizes the collected user biometric feature into a biometric authentication request message and sends this request message to the authentication server 20.
Second, the authentication request receiving module 21 of the authentication server 20 receives the biometric authentication request message, parses the message and obtains the user's biometric feature.
Third, after the user's biometric feature is obtained, the authentication request response module 22 of the authentication server 20 randomly generates a challenge number CN and returns the challenge number CN to the identity authentication device 40 of the client.
Fourth, the authentication response receiving module 42 of the identity authentication device 40 receives the challenge number CN returned by the authentication server 20.
Fifth, the dynamic verification password generation module 43 of the identity authentication device 40 generates a dynamic verification password OTP1 from the time TM1 at which the client received the challenge number CN, the challenge number CN, the user's biometric feature and the first subkey SK1 pre-stored at the client. The dynamic verification password is computed with a hash algorithm (also called a hashing or digest algorithm), including but not limited to SHA-1, SHA-256, SM3 and MD5.
Sixth, the dynamic verification password sending module 44 of the identity authentication device 40 sends the generated dynamic verification password OTP1 to the authentication server 20.
Seventh, the verification password receiving module 23 of the authentication server 20 receives the dynamic verification password OTP1.
Eighth, the dynamic password generation module 24 of the authentication server 20 generates a dynamic password OTP2 from the time TM at which the authentication server received the dynamic verification password, the challenge number CN, the user's biometric feature and the second subkey SK2, where the second subkey SK2 is the key corresponding to the first subkey SK1; the second subkey SK2, the first subkey SK1 and their correspondence can be pre-stored in the authentication server 20. The algorithm used here to compute the dynamic password OTP2 is the same as the algorithm used to generate OTP1. The identity authentication device 40 and the authentication server 20 may use a fixed algorithm to compute the password, or the dynamic verification password sending module 44 may, when sending OTP1, also send identification information of the algorithm used to generate OTP1, so that the dynamic password generation module 24 selects the algorithm for generating OTP2 according to the received algorithm identification information.
Ninth, the password verification module 25 of the authentication server 20 verifies whether the dynamic password OTP2 is consistent with the dynamic verification password OTP1.
Tenth, when OTP2 and OTP1 are consistent, an authentication result of identity authentication success is generated; when OTP2 and OTP1 are inconsistent, an authentication result of identity authentication failure is generated; and the authentication result sending module 26 of the authentication server 20 returns the identity authentication result to the client.
Eleventh, the authentication result receiving module 45 of the identity authentication device 40 receives the identity authentication result, completing one identity authentication.
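The eleven-step exchange above, together with the method summarised earlier (seed-key registration, the |TM - TM1| timeout check and the group of dynamic passwords generated for the times between TM1 and TM), can be exercised end to end in a short script. The Python below is an added example written for this page and is not the patent's own code: the HMAC-SHA256 construction, the 30-second time slot, the 90-second drift bound, and the names AuthServer, Client, dynamic_password and run_exchange are all assumptions of the example, since the patent fixes neither the byte encoding of the inputs nor the time granularity.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters: the patent fixes neither a time step nor the size of the
# "preset difference range" for |TM - TM1|.
TIME_STEP = 30      # seconds per dynamic-password time slot
MAX_DRIFT = 90      # preset |TM - TM1| range in seconds


def dynamic_password(subkey: bytes, tm: int, challenge: bytes, biometric: bytes) -> str:
    """OTP = HMAC-SHA256(subkey, time_slot || CN || biometric feature).

    The patent allows SHA-1, SHA-256, SM3 or MD5 as the hash; HMAC-SHA256 is
    this example's choice. Quantising the time to a slot lets both sides derive
    the same value despite a few seconds of network delay.
    """
    slot = tm // TIME_STEP
    msg = slot.to_bytes(8, "big") + challenge + biometric
    return hmac.new(subkey, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Authentication server 20: registration, challenge issue, verification."""

    def __init__(self):
        self.seed_keys = {}          # device identification info -> SK2

    def register(self, device_id: str) -> bytes:
        # Seed key generated at registration; stored as SK2 and returned as SK1.
        seed = secrets.token_bytes(32)
        self.seed_keys[device_id] = seed
        return seed

    def issue_challenge(self) -> bytes:
        return secrets.token_bytes(16)    # challenge number CN

    def verify(self, device_id, challenge, biometric, otp1, tm1, tm=None):
        tm = int(time.time()) if tm is None else tm
        if abs(tm - tm1) > MAX_DRIFT:
            return "timeout"
        sk2 = self.seed_keys.get(device_id)
        if sk2 is None:
            return "unknown device"
        # A group of dynamic passwords, one per time slot between TM1 and TM.
        lo, hi = sorted((tm1, tm))
        group = {dynamic_password(sk2, t, challenge, biometric)
                 for t in range(lo, hi + TIME_STEP, TIME_STEP)}
        ok = any(hmac.compare_digest(otp2, otp1) for otp2 in group)
        return "success" if ok else "failure"


class Client:
    """Identity authentication device 40 holding the pre-stored subkey SK1."""

    def __init__(self, device_id: str, seed: bytes):
        self.device_id = device_id
        self.sk1 = seed

    def answer(self, challenge: bytes, biometric: bytes, tm1: int) -> str:
        return dynamic_password(self.sk1, tm1, challenge, biometric)


def run_exchange(tm1: int = 1_700_000_000, tm: int = 1_700_000_005):
    """Runs one registration and three verifications; returns their results."""
    server = AuthServer()
    client = Client("dev-001", server.register("dev-001"))
    bio = b"constructed-iris-feature-vector"    # stands in for a real feature
    cn = server.issue_challenge()
    otp1 = client.answer(cn, bio, tm1)
    genuine = server.verify("dev-001", cn, bio, otp1, tm1, tm)
    # Tampered biometric: OTP2 no longer matches OTP1.
    tampered = server.verify("dev-001", cn, b"altered-feature", otp1, tm1, tm)
    # Reply arriving outside the preset |TM - TM1| range.
    late = server.verify("dev-001", cn, bio, otp1, tm1, tm1 + MAX_DRIFT + 1)
    return genuine, tampered, late


if __name__ == "__main__":
    print(run_exchange())
```

The server keeps SK2 keyed by the device's identification information, as the registration variant of the method describes, and compares against every password in the group with a constant-time comparison so that a near-miss cannot be distinguished by timing.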
In this embodiment, biometric recognition is combined with a dynamic password, achieving tamper resistance of the biometric data and secure, reliable user identity authentication. In generating the dynamic password, the biometric feature takes part in the dynamic password computation, so the elements that generate the dynamic password are tied to the user's own biometric feature; the dynamic passwords generated for different users are therefore closely related to the users themselves, and as soon as the biometric feature is illegally tampered with, verification of the dynamic password fails. This guarantees the security of the dynamic password through the biometric feature and ensures the authenticity and reliability of user identity authentication.
Preferably, the first subkey SK1 and the second subkey SK2 can be set up by pre-registration, in which case the authentication server also comprises a registration request receiving module, a seed key generation module, a seed key storage module and a registration request response module, and correspondingly the identity authentication device also comprises a registration request sending module and a registration response receiving module.
Before the identity authentication device is first used for authentication, its registration request sending module organizes the identification information of the identity authentication device into a registration request message and sends it to the authentication server; the registration request receiving module of the authentication server receives the registration request message sent by the client and parses it to obtain the identification information of the identity authentication device; the seed key generation module randomly generates a seed key, which is stored together with the corresponding identification information, the stored seed key being the second subkey; the registration request response module then returns the randomly generated seed key to the identity authentication device, whose registration response receiving module receives it and so obtains the first subkey.
When the first subkey and the second subkey are generated in this way, the authentication request sending module 41 organizes the user's biometric feature together with the identification information of the identity authentication device into the biometric authentication request message. After the authentication request receiving module 21 receives the biometric authentication request message and before the authentication request response module 22 generates the challenge number CN, the authentication server first authenticates the biometric feature: if authentication succeeds, the authentication request response module 22 generates the challenge number CN and the dynamic password generation module 24 obtains the second subkey SK2 according to the identification information of the identity authentication device; otherwise the authentication request response module 22 returns biometric authentication failure information to the client. Alternatively, the dynamic verification password sending module 44 sends the identification information of the identity authentication device when sending the dynamic verification password OTP1, and the dynamic password generation module 24 obtains the second subkey SK2 according to that identification information.
The first subkey SK1 and the second subkey SK2 can also be set up in other ways, for example set to fixed values or associated through other identification information.
Preferably, to prevent replay attacks in the authentication process, the authentication server stores the user biometric feature received at each authentication and also comprises an attack detection module. Before each user biometric feature is stored, the attack detection module compares it with the user biometric features the authentication request receiving module has received historically to determine whether a first preset condition is met; this first preset condition is that the current user biometric feature is identical to a historical user biometric feature. When the first preset condition is met an attack warning is generated and returned to the client, and the identity authentication device arranged at the client also comprises an attack warning receiving module for receiving the returned attack warning, which can warn the user.
Because every collection of a human biometric feature differs from the others, the probability that two collected user biometric features are identical is extremely small, and the authentication server uses this property to defeat replay attacks: after each user biometric feature is received it first checks whether an identical record exists in the history, and if so the request is refused. When this situation occurs frequently for a certain user ID or client ID and the count reaches a certain number of times, the authentication server puts that user ID or client ID on a blacklist.
Further preferably, the authentication server converts the user biometric feature received at each authentication into a hash value for storage, and the attack detection module then detects replay attacks by comparing whether the hash value corresponding to the current user biometric feature is identical to a stored hash value, which reduces the authentication server's storage space.
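As an added illustration of the replay detection just described (not code from the patent), the following Python stores only a SHA-256 hash of each received feature, treats an exact repeat as a replay, and blacklists an ID once its repeats reach a threshold. The class name ReplayDetector, the threshold of three repeats and the constructed iris samples are assumptions of the example; the patent does not state the count that triggers the blacklist.

```python
import hashlib
from collections import defaultdict

BLACKLIST_THRESHOLD = 3   # assumed: repeats of a user/client ID before it is blacklisted


class ReplayDetector:
    """Attack detection module: keeps a hash of every biometric feature received,
    flags an exact repeat as a replay, and blacklists IDs that repeat too often."""

    def __init__(self, threshold: int = BLACKLIST_THRESHOLD):
        self.seen = set()                       # SHA-256 digests, not raw features
        self.repeat_counts = defaultdict(int)   # user or client ID -> replay count
        self.blacklist = set()
        self.threshold = threshold

    def check(self, subject_id: str, feature: bytes) -> str:
        if subject_id in self.blacklist:
            return "blacklisted"
        digest = hashlib.sha256(feature).digest()
        if digest in self.seen:
            # Identical to a historical feature: first preset condition met.
            self.repeat_counts[subject_id] += 1
            if self.repeat_counts[subject_id] >= self.threshold:
                self.blacklist.add(subject_id)
                return "blacklisted"
            return "replay"
        self.seen.add(digest)
        return "fresh"


def demo() -> list:
    """Two live captures, then the first capture replayed three times."""
    det = ReplayDetector()
    live1 = b"iris-sample-001-noise-a"   # constructed: live captures differ slightly
    live2 = b"iris-sample-001-noise-b"
    results = [det.check("user-42", live1), det.check("user-42", live2)]
    results += [det.check("user-42", live1) for _ in range(3)]
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing before storage is exactly the storage-saving variant the passage proposes; it also means a compromise of the history table does not expose the raw biometric features.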
Further preferably, when the attack detection module finds that the user biometric feature is not identical to any historical user biometric feature, the authentication server further comprises a feature comparison module and a template library modification module. The feature comparison module compares the user biometric feature with the biometric templates pre-stored in the biometric template library; when the comparison result between the user biometric feature and a biometric template meets a preset comparison requirement, that biometric template is taken to match the user biometric feature. The template library modification module modifies the biometric template library according to the user biometric feature once the feature comparison module has obtained a matching biometric template. The matching requirement here is looser than in replay attack detection: the feature and the template need not be identical.
The feature comparison module may adopt a "one-to-one" comparison method. This method requires the authentication server to receive identification information together with the user biometric feature, and the biometric template library to store the biometric templates together with their correspondence to identification information. The feature comparison module first looks up the biometric template corresponding to the received identification information in the biometric template library, and then compares the received user biometric feature with the template found. The identification information may be, for example, user ID information.
The feature comparison module may also adopt a "one-to-many" comparison method, in which the received user biometric feature is compared one by one with the biometric templates in the biometric template library until a matching biometric template is obtained. This method only needs to receive the user biometric feature and does not need identification information. Further, if the biometric template library stores the biometric templates together with their correspondence to identification information, the corresponding identification information, such as user ID information, is obtained at the same time as the matching biometric template.
Modifying the biometric template library according to the user biometric feature comprises the following cases: when the user biometric feature is a user face feature and the user face feature meets a preset face modification requirement, the authentication server adds the user face feature to the biometric template library; when the user biometric feature is a user iris feature and the user iris feature meets a preset iris modification requirement, the authentication server adds the user iris feature to the biometric template library; when the user biometric feature is a user fingerprint feature, the authentication server increases the matching weight coefficients of the feature points in the matching biometric template that match the user fingerprint feature, and decreases the matching weight coefficients of the feature points in the matching biometric template that do not match the user fingerprint feature; and when the user biometric feature is a user palm print feature, the authentication server increases the matching weight coefficients of the feature points in the matching biometric template that match the user palm print feature, and decreases the matching weight coefficients of the feature points in the matching biometric template that do not match the user palm print feature.
Adding the user face feature data to the biometric template library comprises: when the face state corresponding to the user face feature does not exist among the face states corresponding to the matching biometric template (the face state here may be state information such as face angle, face orientation or expression), the authentication server adds the user face feature data to the matching biometric template library; and, taking into account that faces change over time, when the difference between the time at which the authentication server receives the user face feature and the creation time of the matching biometric template exceeds a preset time interval, the authentication server adds the user face feature data to the biometric template library.
Adding the user iris feature data to the biometric template library comprises: when the difference between the pupil radius corresponding to the user iris feature and the pupil radius corresponding to the matching biometric template exceeds a preset radius difference, the authentication server adds the user iris feature data to the biometric template library, where the radius difference can be set to 10 pixels or more; when the difference between the distance from the eyelid parabola corresponding to the user iris feature to the pupil centre and the pupil radius exceeds a preset interval difference, the authentication server adds the user iris feature data to the biometric template library, where the preset interval difference can be set to -5 to 0 pixels; when the eyelash noise proportion in the iris noise template corresponding to the user iris feature exceeds a preset noise proportion, the authentication server adds the user iris feature data to the biometric template library; and when there is no light spot in the pupil corresponding to the user iris feature, the authentication server adds the user iris feature data to the biometric template library.
Still further preferably, when the user has not performed biometric registration, or the user biometric feature matches none of the templates in the biometric template library, the feature comparison module obtains no matching biometric template. When no matching biometric template is obtained, the authentication request response module returns biometric authentication failure information to the client; when a matching biometric template is obtained, it returns the randomly generated challenge number to the client.
Preferably, when the authentication request response module 22 returns the challenge number CN to the identity authentication device 40, it also returns the time TM0 at which the authentication server generated the challenge number. When generating OTP1, the dynamic authentication password generation module 43 corrects TM1 according to TM0: if TM1 and TM0 differ by more than a preset time difference range, TM1 is set to TM0.
Preferably, when sending OTP1, the dynamic authentication password sending module 44 also sends TM1 to the authentication server 20. Before generating OTP2, the dynamic password generation module 24 first judges whether |TM-TM1| exceeds a preset difference range, where TM is the time of the authentication server when it receives OTP1. If |TM-TM1| exceeds the preset difference range, the authentication server 20 returns timeout information to the client; if |TM-TM1| does not exceed the preset difference range, the dynamic password generation module 24 generates the dynamic password OTP2. In this way an authentication that has timed out is detected instead of being verified.
Further preferably, when |TM-TM1| does not exceed the preset difference range, the dynamic password generation module 24 generates a group of dynamic passwords from the times between TM and TM1. Specifically, with a preset number of minutes as the step length, a time TMi is selected between TM and TM1. Each time an OTP2 is computed, the password verification module 25 performs one verification and produces an authentication-success result when OTP1 and OTP2 are consistent; if they are inconsistent, the dynamic password generation module 24 selects a new TMi and computes a new dynamic password, until OTP1 equals OTP2.
Fig. 2 is a block diagram of an identity authentication system according to a second embodiment of the present invention. As shown in Fig. 2, the system comprises an authentication server, an application server, various clients (including desktop computer clients, notebook clients, PAD clients, mobile phone clients, etc.) and an identity authentication device.
The application server and the various clients belong to a computer network application system, referred to collectively as the application system. Identity authentication of application system users is an important part of security management. In general, the transactions that require user identity authentication include system login, service authorization, authority transfer, account confirmation and the like, and each user's authentication process needs to be guaranteed by secure technical means. Because computer network applications are diverse, many different application systems have been formed, and security management is necessary for each of them, so all of them need sound identity authentication technology. This embodiment therefore provides a unified, open biometric identity authentication system that serves multiple application systems at once and can implement secure authentication of user identity for enterprise networks, the Internet, the Internet of Things and the like.
In this embodiment, the biometric authentication server (referred to as the authentication server) acts as an independent third party for identity authentication, with biometric recognition technology as its core. It provides functions such as user biometric feature registration and biometric authentication, and can provide unified, multi-modal biometric recognition modes and means for each application system. The authentication server may also be integrated with the application server, so that an application system can complete secure authentication of user identity without a third party.
As shown in Fig. 3, the biometric authentication server, acting as a third party, communicates with each application system. The authentication server comprises the following parts: an operating system, a biometric database, a system management function unit, a biometric authentication service unit, a dynamic password generation and verification unit, a system interface component unit, etc., described as follows:
The biometric database stores the user biometric features sent by clients, the authentication log data of the authentication server during authentication, and the biometric template library generated during user registration and authentication. The user biometric features include biometric types such as fingerprint, palm print, face, iris and vein, and the database may be a mainstream relational database such as Oracle, DB2, Sybase, Informix, SQL Server or MySQL;
The system management function unit comprises biometric recognition algorithm management, application server ID registration, identity authentication device ID registration, user ID and biometric feature registration and modification, blacklist management, etc.;
The biometric authentication service unit provides various biometric verification functions, including "one-to-one" feature comparison and "one-to-many" feature identification, and at the same time provides functions such as legitimacy verification of the feature data to be verified (that is, the user biometric feature sent by the client) and dynamic biometric template fusion (that is, modification of the biometric template library);
After user biometric feature verification passes, the dynamic password generation and verification unit uses dynamic elements such as the user biometric feature, a timestamp and a random challenge number to generate a dynamic password with a hash algorithm, and is responsible for verifying whether the dynamic authentication password generated by the client is consistent with the dynamic password generated by the authentication server. From the verification result it judges the integrity and reliability of the biometric feature and related information, and sends the identity authentication result to the user side;
The system interface component unit provides open, extensible and consistent communication interfaces that make it easy to connect each application system; it supports modes such as WebService and Socket, and protocols such as SOAP, HTTPS and TCP/IP.
The identity authentication device arranged at the client may be integrated into the client, or may be a separate device connected to and communicating with the client. As shown in Fig. 4, it comprises the following parts: a biometric acquisition sensor unit, a processor unit (security chip), a display unit, a clock unit, a memory unit, a keyboard unit, a communication unit, etc. Each device has a unique biometric device ID (referred to as the device ID, which is also the identification information of the acquisition device that collects the user biometric feature). The role of each unit is as follows:
The biometric acquisition sensor unit collects user biometric images and is the functional unit that reads the biometric feature; biometric types include but are not limited to fingerprint, palm print, face, iris, vein, etc. The processor unit performs functions such as processing of the biometric image, feature extraction and calculation of the dynamic authentication password; it is equivalent to the CPU of the device, and a security chip can be used to strengthen the security and confidentiality of the device. The display unit displays information such as the device time, the dynamic authentication password and the received dynamic password, and may be an LCD, OLED or similar. The memory unit is the memory that holds the seed key, session key, user biometric feature and device parameters. The clock unit provides the clock and can be adjusted as required. The keyboard unit is used to input information, for example to enter the challenge number or for the user to confirm an operation. The communication unit communicates with a host such as the client; the communication interface may be USB, Ethernet, RS232, etc.
Since the authentication server acts as an independent third party for identity authentication, before the identity authentication system performs authentication, the application server is preferably registered with the authentication server using the following registration flow:
First, determine the application server ID, which must be unique within the system. Second, the application server sends an ID registration request to the authentication server; the data sent includes the application server ID. Finally, the authentication server receives the request and checks whether the application server ID is duplicated; if it is not, the authentication server randomly generates a 16-32 byte seed key SK1 (each application server has its own unique SK1), returns SK1 to the application server for safekeeping, and the registration of the application server is complete.
Preferably, the identity authentication device at the client side can also be registered with the authentication server to ensure the legitimacy of the identity authentication device. Its registration flow can be as follows:
First, the client determines the ID of the identity authentication device, which must be unique within the system. Second, the client sends an ID registration request to the authentication server; the data sent includes the identity authentication device ID. Finally, the authentication server receives the request and checks whether the identity authentication device ID is duplicated; if it is not, the authentication server randomly generates a 16-32 byte seed key SK1 (each identity authentication device has its own unique SK1), returns SK1 to the identity authentication device for safekeeping, and the registration of the identity authentication device is complete.
The flow by which this identity authentication system completes one identity authentication is as follows:
Step S102: the client receives the biometric recognition type input by the user. The recognition type includes but is not limited to fingerprint, face, iris, etc.; the user can select the recognition type that suits him or her according to personal characteristics or habits;
Step S104: according to the recognition type, the client drives the identity authentication device to collect the corresponding human biometric feature, such as a fingerprint, face or iris, and performs steps such as detection, localization, image processing and feature extraction on the collected image. The identity authentication device here integrates acquisition of fingerprint, face, iris and other biometrics, and the client controls which acquisition function is started;
Step S106: after acquisition of the user biometric feature is complete, the biometric feature (denoted BIO) is temporarily stored in the memory unit of the identity authentication device for the later calculation of the dynamic authentication password;
Step S108: after collecting and storing the user biometric feature, the client uses the user biometric feature BIO to form a biometric authentication request and sends it to the authentication server;
Step S110: after the authentication server receives the authentication request sent by the client, it decrypts the biometric data and randomly generates a challenge number CN (a numeric code of at least 6 to 8 digits). At the same time it records an authentication log whose content includes the biometric feature BIO of this authentication request and the challenge number CN, and returns the challenge number CN to the client;
Step S112: after receiving the challenge number returned by the authentication server, the client passes the challenge number to the identity authentication device;
Step S114: the identity authentication device receives the challenge number CN, obtains the current time TM1 of the identity authentication device, and generates the dynamic authentication password OTP1 from the time TM1, the pre-stored first sub-key SK1, the challenge number CN and the user biometric feature BIO temporarily stored in the identity authentication device: OTP1 = H(TM1, SK1, CN, BIO). If the identity authentication device has completed registration with the authentication server, the key SK1 is the seed key received on completing registration; if the identity authentication device is not registered but the application server has completed registration, the key SK1 is the seed key the client obtains by communicating with the application server. After the dynamic authentication password is generated, BIO can be cleared;
The dynamic authentication password is calculated as follows. The calculation uses a hash algorithm (also called a hashing or digest algorithm); there are many hash algorithms, including but not limited to SHA-1, SHA-256, SM3 and MD5. The specific steps are:
TM1 is the timestamp; if the current time is 15:01 on 20 September 2012, the corresponding TM1 is expressed as the 12 bytes "0x32,0x30,0x31,0x32,0x30,0x39,0x32,0x30,0x31,0x35,0x30,0x31". SK1 is the 16-32 byte seed key; the key length can be adjusted as required. CN is the challenge number, a numeric code of at least 6 to 8 digits, for example "59713131", which is represented in the calculation as "0x35,0x39,0x37,0x31,0x33,0x31,0x33,0x31". BIO is the biometric data, a variable-length field: for example, fingerprint feature data is between 128 and 512 bytes, face feature data is about 3K to 5K bytes, and iris feature data is 512 bytes. The dynamic password can be generated from the above elements in either of the following ways: the fields are concatenated into one variable-length data block, TM1+SK1+CN+BIO, which is used as the plaintext input and hashed to produce a fixed-length digest, which is the dynamic password; or TM1+CN+BIO is taken as the plaintext, encrypted with SK1, and the encrypted data is used as the input and hashed to produce a fixed-length digest, which is the dynamic password.
The digest generated with the SM3 algorithm is 32 bytes; with the SHA-1 algorithm, 20 bytes; with the SHA-256 algorithm, 32 bytes; and with the MD5 algorithm, 16 bytes.
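The following is an added example, not code from the patent, showing the two composition modes described above with the timestamp and challenge-number encodings from the text. The seed key SK1 and the BIO bytes are constructed sample values. The description does not name the cipher for the "encrypt with SK1, then hash" mode, so this example substitutes HMAC keyed by SK1, the standard keyed-hash construction, and labels it as such. SM3 is not in Python's hashlib, so the digest-length check covers SHA-1, SHA-256 and MD5 only.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed sample inputs (not the patent's data). SK1 is a 16-byte seed key,
# CN is the challenge number quoted in the description, BIO stands in for a
# 256-byte fingerprint feature record.
SK1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CN = b"59713131"
BIO = bytes(range(256))


def encode_timestamp(t: datetime) -> bytes:
    """TM1 as the 12 ASCII digits YYYYMMDDhhmm, e.g. 2012-09-20 15:01 -> b'201209201501'."""
    return t.strftime("%Y%m%d%H%M").encode("ascii")


def sample_timestamp() -> bytes:
    """The timestamp used in the description's worked example."""
    return encode_timestamp(datetime(2012, 9, 20, 15, 1))


def otp_concat(tm: bytes, sk: bytes, cn: bytes, bio: bytes, algo: str = "sha256") -> bytes:
    """Mode 1 from the description: hash the concatenation TM1+SK1+CN+BIO."""
    return hashlib.new(algo, tm + sk + cn + bio).digest()


def otp_keyed(tm: bytes, sk: bytes, cn: bytes, bio: bytes, algo: str = "sha256") -> bytes:
    """Mode 2 keys the hash with SK1 instead of concatenating it. The description
    says 'encrypt TM1+CN+BIO with SK1, then hash' without naming a cipher; this
    stand-in (an assumption of the example) uses HMAC keyed by SK1."""
    return hmac.new(sk, tm + cn + bio, algo).digest()


def digest_length(algo: str) -> int:
    """Digest size in bytes for the hash algorithms hashlib provides."""
    return hashlib.new(algo).digest_size


def tamper_changes_otp(bio: bytes) -> bool:
    """Flip one bit of BIO and confirm the password no longer matches: the
    tamper-evidence property the description claims for including BIO."""
    tm = sample_timestamp()
    good = otp_concat(tm, SK1, CN, bio)
    tampered = bio[:-1] + bytes([bio[-1] ^ 0x01])
    return not hmac.compare_digest(good, otp_concat(tm, SK1, CN, tampered))


if __name__ == "__main__":
    tm = sample_timestamp()
    print("TM1 bytes:", ", ".join(f"0x{b:02x}" for b in tm))
    for algo in ("sha1", "sha256", "md5"):
        print(algo, digest_length(algo), otp_concat(tm, SK1, CN, BIO, algo).hex())
    print("one-bit tamper of BIO changes OTP:", tamper_changes_otp(BIO))
```

Comparing the two modes is instructive: in mode 1 the secret SK1 is simply part of the hashed string, so any length-extension-resistant hash and a fixed field layout matter; in the keyed mode the secret is mixed in by the construction itself. Either way, the server must hold the same field encoding, since a single byte of difference in TM1, CN or BIO produces an unrelated digest.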
Step S116: the client uploads the dynamic authentication password OTP1 generated by the identity authentication device to the application server, which assembles a message and sends information such as the dynamic authentication password OTP1 and the application server ID to the authentication server;
Step S118: after the authentication server receives the message, it first checks whether the application server ID is registered. After this check passes, the authentication server retrieves the authentication log record and obtains BIO and CN from that record, obtains the time TM at which the authentication server received the message, and obtains the second sub-key SK2 used to generate the dynamic password. The second sub-key SK2 corresponds to the first sub-key SK1 and can be looked up by the ID of the identity authentication device or by other keys. The authentication server then generates the dynamic password OTP2 from BIO, CN, TM and SK2;
The method of generating the dynamic password OTP2 is the same as the method of generating the dynamic authentication password OTP1, and its specific operation is not repeated here.
Step S120: the authentication server verifies whether the dynamic password OTP2 is consistent with the dynamic authentication password OTP1. If OTP1 and OTP2 are consistent, this authentication is judged successful; otherwise it is judged failed. The authentication result is returned to the application server and then fed back to the client, completing one identity authentication.
This embodiment provides an identity authentication system in which biometric recognition technology is combined with dynamic passwords to achieve tamper resistance of the biometric data and secure, reliable user identity authentication. In the generation of the dynamic password, the biometric feature participates in the dynamic password calculation, so the elements that generate the dynamic password are tied to the user's own human biometric feature. The dynamic password generated for each user is thus closely related to that user, and if the biometric feature is illegally tampered with, the dynamic password verification will fail. In this way the biometric feature guarantees the security of the dynamic password, and the authenticity and reliability of user identity authentication are ensured.
Preferably, in step S110, after the authentication server receives the authentication request and decrypts the biometric data, it judges whether the received user biometric feature, or its hash value, already exists in the history records. If it exists, this indicates that the biometric feature may have been stolen or copied, so an attack warning is returned to the client and this authentication fails. Preferably, the number of abnormal events can be accumulated for the ID of the client that sent the biometric data, or for the user ID corresponding to the biometric data; if the number of abnormal events reaches a preset value, that client or user is put on the blacklist.
Biometric recognition belongs to pattern recognition, and every acquired human biometric feature differs somewhat, so the probability that two acquisitions yield identical user biometric feature data is extremely small; the authentication server uses this property to prevent replay attacks. Each time a user biometric feature is received and attack detection is complete, the biometric data is recorded in the history log; alternatively a compressed value of the biometric data, that is, its hash value, may be kept. Thus after each user biometric feature is received, the server first checks whether the feature or its hash value already has an identical record in the history; if it does, the request is rejected. When this situation occurs frequently for a particular user ID or client ID and the accumulated count reaches a certain number, the authentication server puts that user ID or client ID on the blacklist.
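The replay check described above, as an added example that is not part of the patent: the server keeps only the SHA-256 hash of each received feature, rejects a feature whose hash is already in the history, and blacklists a user ID or client ID once its count of such events reaches a threshold. The threshold value, the identifiers and the feature bytes are constructed for the example; the text leaves the count unspecified.

```python
import hashlib
from collections import defaultdict


class ReplayDetector:
    """Server-side replay check: hash history plus per-identifier abnormal-event
    counters that feed a blacklist. The threshold is an assumed value."""

    def __init__(self, blacklist_threshold: int = 3):
        self.history = set()                     # SHA-256 of features, not the features
        self.abnormal_count = defaultdict(int)   # user or client id -> replay events
        self.blacklist = set()
        self.threshold = blacklist_threshold

    def check(self, bio: bytes, user_id: str, client_id: str) -> str:
        """Return 'accept', 'replay' or 'blacklisted' for one authentication request."""
        if user_id in self.blacklist or client_id in self.blacklist:
            return "blacklisted"
        digest = hashlib.sha256(bio).digest()
        if digest in self.history:
            # An identical capture: a live sensor essentially never repeats exactly,
            # so count the event against both the user and the sending client.
            for ident in (user_id, client_id):
                self.abnormal_count[ident] += 1
                if self.abnormal_count[ident] >= self.threshold:
                    self.blacklist.add(ident)
            return "replay"
        self.history.add(digest)   # store the compressed value only
        return "accept"


def simulate() -> list:
    """Constructed scenario: two genuine captures that differ in one byte, then the
    first capture replayed four times from the same client."""
    det = ReplayDetector(blacklist_threshold=3)
    capture1 = bytes(range(128))
    capture2 = capture1[:10] + b"\xff" + capture1[11:]   # a live re-capture differs slightly
    results = [det.check(capture1, "user-42", "client-7"),
               det.check(capture2, "user-42", "client-7")]
    for _ in range(4):
        results.append(det.check(capture1, "user-42", "client-7"))
    return results


if __name__ == "__main__":
    for i, outcome in enumerate(simulate(), 1):
        print(f"request {i}: {outcome}")
```

The hash is computed over the decrypted feature bytes the server receives, so the check costs one digest and one set lookup per request regardless of how large the feature is; the second genuine capture passes because even a one-byte difference yields a different digest.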
Preferably, before the identity authentication system performs authentication, a user who is about to use biometric identity authentication registers a biometric template, or a user ID together with a biometric template, with the authentication server through the client. During registration, a biometric of a fixed type may be registered directly, or different biometric types may be registered, including fingerprint, palm print, face, iris, vein, etc. Before the user ID and biometric template are registered, the user ID already exists at the application server; after registration, the user ID in the authentication server corresponds to the user ID entered by the client user and to the user ID in the application server. The biometric template refers to a biometric reference template constructed from one or more biometric samples collected from the user; this template can be used to identify or verify the individual's identity, and is usually also called an enrollment.
Further preferably, when the authentication server judges that the received user biometric feature or its hash value does not exist in the history records, the authentication server compares the user biometric feature with the biometric templates pre-stored in the biometric template library to obtain the biometric template matching the user biometric feature. When both the user ID and the biometric template have been registered with the authentication server and the client sends the user ID to the authentication server, the authentication server adopts the "one-to-one" biometric comparison method: it automatically looks up the biometric template corresponding to the user ID in the biometric template library and compares the user biometric feature with that template. When only the biometric feature is sent to the authentication server, the authentication server adopts the "one-to-many" method: it compares the user biometric feature directly with each biometric template in the library to find the enrollment that matches the user biometric feature. When the authentication server obtains no matching biometric template, it returns biometric authentication failure information to the client. When the authentication server obtains a matching biometric template, that is, after biometric authentication passes, it judges the quality of this biometric feature; if the quality or state of the biometric feature satisfies the conditions, it performs dynamic biometric template fusion, that is, it modifies the biometric template library according to the user biometric feature.
In the dynamic biometric template fusion process, as the number of authentications increases, the biometric data that has passed authentication is integrated, revised and supplemented, so the biometric template information is continuously improved as the application changes; this progressively strengthens the adaptability of biometric recognition and improves the accuracy of feature identification. The dynamic biometric template fusion process differs according to the biometric type, and is carried out only when the biometric quality or state meets certain conditions, so that the template is not fused with low-quality user biometric features.
Fingerprint recognition and palm print recognition are feature-point based computations, and their template fusion adopts an "integration system" (points) method. In the "integration system", after feature comparison passes, the feature points that matched are awarded points (with a maximum cap) and the feature points that did not match are deducted points. A higher score indicates higher confidence in that feature point, and a lower score lower confidence. The confidence of a feature point is tied to the weight coefficient of the matching algorithm used in feature comparison: the higher the confidence, the larger the weight, which improves comparison accuracy. Meanwhile, during feature comparison, a feature point that does not match loses points and its confidence decreases; when its negative score reaches a predetermined value the feature point is deleted. In practice the fingerprint or palm print may change, so new feature points can appear; new feature points and original feature points are treated in the same way by the "integration system" method.
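The "integration system" update, as an added example that is not the patent's code. Feature points are identified by plain string ids, an abstraction for the example; which query point corresponds to which template point is assumed to come from the comparison algorithm, which is out of scope here. The score cap, the deletion threshold and the starting score of a new point are assumed values, since the text names them but gives no figures.

```python
from dataclasses import dataclass, field

# Assumed parameters: the description mentions a maximum cap and a negative
# deletion threshold but gives no values.
MAX_SCORE = 10      # cap on the score of a feature point
DELETE_AT = -3      # negative score at which a feature point is deleted
NEW_SCORE = 1       # score given to a feature point seen for the first time


@dataclass
class PointTemplate:
    """Fingerprint or palm print template as a map from feature point id to score."""
    scores: dict = field(default_factory=dict)

    def weight(self, pid: str) -> float:
        """Matching weight coefficient derived from confidence: proportional to the
        score, never negative, 1.0 at the cap."""
        return max(self.scores.get(pid, 0), 0) / MAX_SCORE

    def fuse(self, matched: set, new_points: set) -> None:
        """One 'integration system' update after a comparison has passed: matched
        points gain a point (capped), template points that did not match lose a
        point and are dropped at DELETE_AT, points not yet in the template are added."""
        for pid in list(self.scores):
            if pid in matched:
                self.scores[pid] = min(self.scores[pid] + 1, MAX_SCORE)
            else:
                self.scores[pid] -= 1
                if self.scores[pid] <= DELETE_AT:
                    del self.scores[pid]
        for pid in new_points:
            self.scores.setdefault(pid, NEW_SCORE)

    def weighted_similarity(self, matched: set) -> float:
        """Comparison score in which each matched template point counts by its weight,
        so long-confirmed points dominate and doubtful ones barely count."""
        total = sum(self.weight(p) for p in self.scores)
        if total == 0:
            return 0.0
        return sum(self.weight(p) for p in matched if p in self.scores) / total


def simulate() -> dict:
    """Constructed history: enrolment with points a, b, c; then four passed
    authentications in which a and b match, c never matches, and a new point d
    appears from the second authentication on."""
    tpl = PointTemplate({"a": NEW_SCORE, "b": NEW_SCORE, "c": NEW_SCORE})
    tpl.fuse(matched={"a", "b"}, new_points=set())
    for _ in range(3):
        tpl.fuse(matched={"a", "b", "d"}, new_points={"d"})
    return {"scores": dict(tpl.scores),
            "c_deleted": "c" not in tpl.scores,
            "sim_ab": tpl.weighted_similarity({"a", "b"})}


if __name__ == "__main__":
    print(simulate())
```

After the four updates the scores are a=5, b=5, d=3 and c has been deleted on reaching -3, so a later comparison that matches only a and b still scores 10/13 of the template's total weight.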
Dynamic template fusion for face recognition adopts a "multi-face" method, in which several face images represent different expressions, face orientations and so on, raising the face comparison pass rate. After face comparison passes, the server judges whether the expression or orientation of this face fills a gap among the face states currently stored; if so, the new face feature is added to the template library. At the same time, the change of the face over time is considered, and historical face features are replaced with recent face features (the original face feature template is not replaced). A typical face image should be a frontal, eye-level shot, but head orientation sometimes varies; here the allowed range is defined as a pitch angle (up/down) not exceeding ±20°, a yaw angle (left/right) not exceeding ±20°, and a roll angle not exceeding ±10°.
Iris recognition has a high accuracy rate, but it is affected by factors such as the nonlinear iris deformation caused by pupil dilation and contraction, eyelid occlusion of the iris, and the left-right rotation angle of the eyeball. Iris recognition therefore also needs dynamic template fusion, namely replacing historical iris features with new iris features (the original iris feature template is not replaced). After iris comparison passes, the server judges whether this iris feature meets the preset fusion conditions; if so, the new iris feature template is added to the database. The precondition for iris fusion is that the authentication server has found an iris feature template matching the user iris feature, but the match score between the user iris feature and the template is low, indicating that the user iris feature in this authentication differs considerably from the feature in the template library. The specific fusion conditions are as follows:
(1) judge that the size of the pupil radium that client iris feature the is corresponding pupil difference corresponding with iris feature template is more than 10 pixel separation, when also namely changing obvious with historical record;
(2) for the impact of the covering of eyelid, judge on the eyelid that client iris feature is corresponding, whether parabola exceedes predetermined interval difference to the pixel separation (Interval) in the pupil center of circle and the difference of pupil radium, predetermined interval difference can be set as-5<=Interval<=0;
(3) for the impact that eyelash blocks, eyelashes noise proportion Ratio1, Ratio2 in two pieces (getting 64*32 size) is obtained about pupil respectively in the iris noise template that client iris feature is corresponding, calculate (Ratio1+Ratio2)-(Ratio1 '+Ratio2 '), wherein, Ratio1 ' and Ratio2 ' to be respectively about the pupil obtained in the iris feature template matched eyelashes noise proportion in two pieces, and whether the difference judging to calculate gained is within-0.05 ~ 0.05; Or, utilize value min(Ratio1 less in two ratios, Ratio2) judge, if min(Ratio1, Ratio2)=Ratio1, then judge that the difference of Ratio1 and Ratio1 ' is whether within-0.02 ~ 0.02, if min(Ratio1, Ratio2)=Ratio2, then judge that the difference of Ratio2 and Ratio2 ' is whether within-0.02 ~ 0.02;
(4) when in the pupil that client iris feature is corresponding without hot spot, also i.e. eyeball deflection, during fusion, eyeball left rotation and right rotation angle is within ± 35 degree.
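The face and iris fusion policies above, written out as an added example (not code from the patent). The face part adds a template when it fills an unoccupied pose/expression state within the quoted limits and otherwise replaces only the most recent historical template; the iris part checks the low-score precondition and conditions (1) to (4). The thresholds are the ones quoted in the text; the record fields, the coarse pose buckets, the library size and the use of the four iris conditions as a conjunction are assumptions.

```python
"""Dynamic biometric template fusion (added example, not the patent's code).
Face: add a template that fills a blank pose/expression state, else replace the
most recent historical template, never the enrolled original.
Iris: allow fusion only for a matched-but-low-score sample meeting conditions (1)-(4).
Record fields, pose buckets, library size and the conjunction of (1)-(4) are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_PITCH, MAX_YAW, MAX_ROLL = 20.0, 20.0, 10.0   # head pose limits from the text (degrees)


@dataclass
class FaceFeature:
    pitch: float
    yaw: float
    roll: float
    expression: str          # e.g. "neutral" or "smile" (labels assumed)


def pose_in_range(f: FaceFeature) -> bool:
    return abs(f.pitch) <= MAX_PITCH and abs(f.yaw) <= MAX_YAW and abs(f.roll) <= MAX_ROLL


def pose_bucket(f: FaceFeature) -> Tuple[str, str, str]:
    """Coarse face state; a new template 'fills a blank' if its bucket is unoccupied."""
    def side(v: float, limit: float) -> str:
        return "center" if abs(v) < limit / 2 else ("pos" if v > 0 else "neg")
    return (side(f.pitch, MAX_PITCH), side(f.yaw, MAX_YAW), f.expression)


@dataclass
class FaceTemplateSet:
    original: FaceFeature                    # enrolled template, never replaced
    history: List[FaceFeature] = field(default_factory=list)
    max_history: int = 4                     # assumed library size

    def fuse(self, f: FaceFeature) -> str:
        """Call only after the comparison with f has passed."""
        if not pose_in_range(f):
            return "rejected: pose outside limits"
        occupied = {pose_bucket(self.original)} | {pose_bucket(h) for h in self.history}
        if pose_bucket(f) not in occupied and len(self.history) < self.max_history:
            self.history.append(f)
            return "added: fills blank state"
        if self.history:
            self.history[-1] = f             # ageing: replace the most recent history entry
        else:
            self.history.append(f)
        return "replaced: most recent history template"


@dataclass
class IrisFeature:
    pupil_radius: float      # pixels
    eyelid_interval: float   # (eyelid parabola to pupil centre) - pupil radius, pixels
    ratio_left: float        # eyelash noise ratio in the 64*32 block left of the pupil
    ratio_right: float       # same for the block right of the pupil
    has_glint: bool          # specular spot present inside the pupil
    rotation_deg: float      # eyeball left/right rotation


def iris_fusion_allowed(new: IrisFeature, tmpl: IrisFeature, score: float,
                        match_threshold: float, low_score: float) -> bool:
    """Precondition: a template matched (score >= match_threshold) but the score is
    low (score < low_score), i.e. the sample differs noticeably from the template."""
    if not (match_threshold <= score < low_score):
        return False
    c1 = abs(new.pupil_radius - tmpl.pupil_radius) > 10          # (1) obvious pupil change
    c2 = -5 <= new.eyelid_interval <= 0                          # (2) eyelid interval range
    total = (new.ratio_left + new.ratio_right) - (tmpl.ratio_left + tmpl.ratio_right)
    if new.ratio_left <= new.ratio_right:                        # (3) min-block variant
        single = new.ratio_left - tmpl.ratio_left
    else:
        single = new.ratio_right - tmpl.ratio_right
    c3 = abs(total) <= 0.05 or abs(single) <= 0.02
    c4 = new.has_glint or abs(new.rotation_deg) <= 35            # (4) deflected eye: rotation bound
    return c1 and c2 and c3 and c4
```

The point a practitioner should take from the face part is that `FaceTemplateSet.original` is never written after enrolment: template drift from repeated fusion can otherwise let an impostor who passes once gradually move the stored identity towards their own face.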
Preferably, in step S110 the certificate server returns the challenge number CN together with its current time TM0 to the client. When OTP1 is generated in step S114, if the difference between TM1 and TM0 exceeds a preset value, the clock of the identification authentication device is corrected by setting TM1 = TM0. In step S116 the client uploads OTP1 and TM1 to the application server, which assembles a message and sends it to the certificate server. In step S118, after obtaining the certificate server time TM at which the message was received, the server checks whether |TM - TM1| exceeds a preset time range; if it does, the authentication has taken too long, it is judged to have failed and the certificate server returns a timeout message to the client. If it does not, the server generates a group of dynamic passwords over the interval between TM1 and TM, namely OTP2 = H(TMi, SK2, CN, BIO), where TMi steps through the interval between TM1 and TM with a preset step of one or more minutes. Each OTP2 is compared with OTP1 in step S120: if they match, authentication succeeds; if not, the next TMi is selected and a new dynamic password is computed, until a value of OTP2 equal to OTP1 is found or the interval is exhausted, in which case authentication fails.
Preferably, when matching a biometric template against the user biometric feature, a single biometric sometimes has limitations, for example a feature defect that makes it unusable, or imitation of the biometric. The system therefore proposes a step-by-step identification filtering and combination decision method based on the characteristics of each biometric identification type.
First, the biometric technologies are ranked by their characteristics: face recognition is the most readily accepted and is ranked first; fingerprint recognition is the most widespread and is ranked second; iris recognition is the most secure and is ranked third. When security or accuracy is the goal, authentication proceeds step by step, or in combination, in that order, for example face recognition followed by fingerprint recognition, or face recognition followed by iris recognition.
The "step-by-step identification filtering and combination decision method" means "easy first, complex later, combined judgement": if the similarity of the earlier biometric match reaches the preset requirement, authentication succeeds; if it does not reach the preset value but meets the condition for further verification, the biometric type of the next lower priority is selected for further verification, and if its similarity reaches the preset requirement, authentication succeeds. If the similarity of the subsequent biometric identification still does not reach the preset requirement, the similarities of the individual identifications are combined into a new similarity value according to a set of weights, aX + bY, where a and b are the weight coefficients (the more accurate the identification type, the larger its coefficient) and X and Y are the similarities of the single identifications, and the combined similarity is checked against the requirement.
In addition, the characteristics of each biometric technology can be exploited through combined strategies to suit particular settings, for example using the convenience of face recognition to locate the user's identity and then the accuracy of fingerprint or iris recognition to verify it further, thereby achieving both convenience and accuracy.
Compared with single-modality authentication, multi-modal authentication has better technical properties, as follows. Security: with multi-modal biometrics it is practically impossible for an intruder to fool several biometric features at once with artificial or imitated samples, so the system is safer and more reliable. Accuracy: fusing and jointly evaluating several biometric features effectively overcomes the defects that a single biometric often has, greatly improving the accuracy of identity authentication. Convenience: when one biometric is inconvenient for a person, another can be used flexibly, so that the user can still be identified when a particular biometric is distorted.
To guarantee the security of communication data, encrypted transmission can be used between the client and the certificate server and between the application server and the certificate server. The encryption key can be a temporary session key dispersed from the seed key SK, protecting messages such as biometric data in transit; if the reserved session time is exceeded, the session key is regenerated.
The certificate server in this embodiment supports several types of biometric identification and the biometric algorithms of different vendors by adopting the API/SPI model of the ISO/IEC BioAPI specification (ISO/IEC 19784-1). It is implemented as follows: the BioAPI framework presents a uniform service to the upper layer, while the SPI (the service provider interface for algorithm or device providers) hides the differences between vendors' algorithms and device drivers, so the framework acts as standard middleware. As long as an algorithm or device provider supplies its algorithm library and device driver according to the SPI interface standard, the upper-layer application can call it transparently through the API/SPI, with the differences between vendor algorithm libraries and device drivers shielded.
This embodiment also provides embodiments of the identity authentication method.
Fig. 5 is a flow chart of the identity authentication method according to the first embodiment of the invention. As shown in Fig. 5, the method comprises the following steps S202 to S210.
Step S202: the certificate server receives a biometric authentication request sent by the client, the request containing the user biometric feature.
After the user has completed biometric capture, the client assembles the user biometric feature into a biometric authentication request message and sends it to the certificate server, which parses the received message and obtains the user biometric feature.
Step S204: the certificate server returns a randomly generated challenge number to the client. After obtaining the user biometric feature, the certificate server randomly generates a challenge number CN and returns it to the client.
Step S206: the certificate server receives the dynamic authentication password sent by the client, where the dynamic authentication password is generated from the time TM1 at which the client received the challenge number, the challenge number, the user biometric feature and a first sub-key pre-stored in the client.
The client generates the dynamic authentication password OTP1 from the time TM1 at which it received the challenge number CN, the challenge number CN, the user biometric feature and the pre-stored first sub-key SK1, and sends the newly generated OTP1 to the certificate server. The dynamic authentication password is computed with a hash algorithm (also called a hashing or digest algorithm), including but not limited to SHA-1, SHA-256, SM3 and MD5; of these, MD5 and SHA-1 are deprecated for new designs, and a keyed construction such as HMAC is the usual way to bind the secret sub-key into the computation.
Step S208: the certificate server generates a dynamic password.
The certificate server generates the dynamic password OTP2 from the certificate server time TM at which it received the dynamic authentication password OTP1, the challenge number CN, the user biometric feature and a second sub-key SK2, where SK2 is the key corresponding to SK1; SK2, SK1 and their correspondence can be pre-stored in the certificate server. The algorithm used to compute OTP2 is the same as the one used to generate OTP1; the client and the certificate server can use a predetermined fixed algorithm or negotiate the password algorithm during communication.
Step S210: the certificate server verifies whether the dynamic password is consistent with the dynamic authentication password and returns an identity authentication result to the client according to the verification result.
When OTP2 and OTP1 are consistent, an authentication-success result is generated; when they are not, an authentication-failure result is generated; the certificate server returns the identity authentication result to the client.
In this embodiment biometric recognition is combined with dynamic passwords, realising tamper resistance of the biometric data and security and reliability of user identity authentication. The biometric feature takes part in the computation of the dynamic password, so the elements that generate the dynamic password are bound to the user's own biometric: the dynamic passwords generated for different users are closely tied to the users themselves, and any illegal tampering with the biometric feature causes the dynamic password verification to fail. The biometric feature thus guarantees the security of the dynamic password, and the authenticity and reliability of user identity authentication are ensured.
Preferably, the first sub-key SK1 and the second sub-key SK2 can be set by pre-registration. In that case, before receiving the biometric authentication request sent by the client, the method further comprises: the certificate server receives a registration request sent by the client, the registration request containing the identification information of the acquisition device used to capture the user biometric feature, for example the identification information of the identification authentication device in the embodiment of Fig. 2; on receiving the registration request, the certificate server randomly generates a seed key and stores it in correspondence with the identification information; and the certificate server returns the randomly generated seed key to the client. The first sub-key and the second sub-key are then this randomly generated seed key, the biometric authentication request also contains the identification information, and the certificate server obtains the second sub-key according to the identification information when generating the dynamic password.
When SK1 and SK2 are generated in this way, in step S202 the user biometric feature and the identification information of the identification authentication device are assembled together into the biometric authentication request message. Before step S204 the certificate server first judges from the request message whether the identification authentication device has completed registration: if it has, step S204 is performed and in step S208 the second sub-key SK2 is obtained from the identification information of the device; otherwise a biometric authentication failure message is returned to the client. Alternatively, the identification information of the device is sent together with the dynamic authentication password OTP1 in step S206, and SK2 is obtained from it in step S208. SK1 and SK2 can also be set in other ways, for example as fixed values, or associated through other identification information.
Preferably, to prevent replay attacks during authentication, the method further comprises an attack detection step, whose details correspond to the function of the attack detection module in the identity authentication system embodiment above and are not repeated here.
Preferably, before the randomly generated challenge number is returned to the client, the method further comprises comparing the user biometric feature with the biometric templates, obtaining the biometric template that matches the user biometric feature according to the comparison result, and modifying the biometric template library; the details correspond to the functions of the feature comparison module and the template library modification module and to the dynamic biometric template fusion process described above, and are not repeated here.
Preferably, before the certificate server generates the dynamic password, the method further comprises a step of correcting the client (identification authentication device) time, a step of detecting an authentication timeout and, when authentication has not timed out, a step of computing a group of dynamic passwords for verification; all have been described above and are not repeated here.
This embodiment also provides a second embodiment of the identity authentication method, in which the method comprises a user ID and biometric template registration flow, carried out before the first biometric authentication of a user; a biometric recognition flow; and a dynamic password verification flow.
A user who is about to use biometric identity authentication registers a user ID and a biometric template with the certificate server through the application system; the user ID in the certificate server corresponds to the user ID in the application server, and the user ID must already exist in the application system before registration. The user ID and biometric template registration process, shown in Fig. 6, comprises the following steps S4-1 to S4-14:
S4-1: The user ID is entered on the client and the biometric identification type is selected; types include fingerprint, palm print, face, iris and vein;
S4-2: The client program drives the biometric acquisition device (the identification authentication device) through the device API, captures the user biometric feature, processes it and forms a biometric template;
S4-3: The biometric template data is encrypted with a session key dispersed from the seed key SK;
S4-4: The device ID, user ID, identification type, biometric template and other information are assembled into a communication data message and sent to the application server;
S4-5: The application server receives the message uploaded by the client and parses it;
S4-6: The application system checks whether the user ID exists; if not, the operation fails and the result is returned to the client; if it exists, processing continues;
S4-7: The application server adds its application server ID to the message uploaded by the client and sends a registration request to the certificate server;
S4-8: The certificate server receives the registration request of the application system and parses the communication data message;
S4-9: The certificate server checks whether the application server ID and the device ID in the request message are registered with it; if not, this authentication fails and a result is returned; if they are, processing continues;
S4-10: The certificate server obtains the corresponding seed key SK by the device ID, derives the session key dispersed from SK and uses it to decrypt the biometric data ciphertext;
S4-11: The certificate server checks whether the user ID exists; if not, the user ID, biometric template and related information are added to the database; if it exists, its biometric template information is modified; the result is returned to the application server;
S4-12: The application server receives the user registration result and processes it further;
S4-13: If the user registration succeeded, the application server system modifies the database record corresponding to the user ID, including the biometric-enabled flag and type identifier fields, to indicate that biometric authentication is enabled for this user ID and which identification type is used;
S4-14: The user registration result is finally returned to the client and the transaction is complete.
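The certificate-server side of steps S4-7 to S4-11, together with the client's encryption step S4-3, as an added example (not the patent's code). It assumes that the seed key SK is generated when a device registers (the pre-registration variant described earlier), that the session key is "dispersed" from SK with HMAC-SHA-256 over a session nonce and issue time and expires after a reserved time, and that the template is protected by an HMAC-SHA-256 keystream with an encrypt-then-MAC tag standing in for a real authenticated cipher; the IDs and template bytes are constructed.

```python
"""Registration flow, certificate-server side (added example, not the patent's code).
Assumptions: SK is created at device registration; the session key is dispersed
from SK as HMAC-SHA-256(SK, "session" || nonce || issue time) and expires after
SESSION_TTL; the template is encrypted with an HMAC-derived keystream plus an
HMAC tag (encrypt-then-MAC), a stand-in for an authenticated cipher."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

SESSION_TTL = 300   # reserved session time in seconds (assumed)


def session_key(sk: bytes, nonce: bytes, issued_at: int, now: Optional[int] = None) -> bytes:
    """Disperse a temporary session key from the seed key; refuse expired sessions."""
    now = int(time.time()) if now is None else now
    if now - issued_at > SESSION_TTL:
        raise ValueError("session key expired; regenerate")
    return hmac.new(sk, b"session" + nonce + issued_at.to_bytes(8, "big"), hashlib.sha256).digest()


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys so one HMAC key is never used for two purposes."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> Tuple[bytes, bytes]:
    k_enc, k_mac = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(k_enc, nonce, len(data))))
    return ct, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    k_enc, k_mac = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("template ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def client_prepare(sk: bytes, template: bytes, now: Optional[int] = None):
    """S4-3 on the client: encrypt the template under a fresh session key."""
    nonce, ts = os.urandom(16), (int(time.time()) if now is None else now)
    ct, tag = encrypt(session_key(sk, nonce, ts, ts), nonce, template)
    return nonce, ts, ct, tag


class CertificateServer:
    def __init__(self) -> None:
        self.devices: Dict[str, bytes] = {}                  # device ID -> seed key SK
        self.app_servers = {"APP-01"}                        # registered application servers (constructed)
        self.templates: Dict[Tuple[str, str], bytes] = {}    # (user ID, type) -> template

    def register_device(self, device_id: str) -> bytes:
        sk = os.urandom(32)                                  # randomly generated seed key
        self.devices[device_id] = sk
        return sk                                            # returned to the client once

    def register_user(self, app_server_id: str, device_id: str, user_id: str, bio_type: str,
                      nonce: bytes, ts: int, ct: bytes, tag: bytes, now: Optional[int] = None) -> str:
        # S4-9: both the application server ID and the device ID must be registered
        if app_server_id not in self.app_servers or device_id not in self.devices:
            return "failure: unregistered application server or device"
        # S4-10: look up SK by device ID, disperse the session key, decrypt the template
        try:
            template = decrypt(session_key(self.devices[device_id], nonce, ts, now), nonce, ct, tag)
        except ValueError as err:
            return f"failure: {err}"
        # S4-11: add a new user ID or modify the existing template
        key = (user_id, bio_type)
        action = "modified" if key in self.templates else "added"
        self.templates[key] = template
        return f"success: template {action}"
```

Two checks matter in practice: the integrity tag is verified before any decryption so a modified ciphertext is rejected rather than stored as a corrupt template, and the session key carries its issue time so a message replayed after the reserved session time is refused without the server having to remember old nonces.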
The biometric recognition flow, shown in Fig. 7, comprises the following steps S6-1 to S6-11:
S6-1: When the user authenticates, the biometric comparison mode is determined first, i.e. "one-to-one" feature comparison or "one-to-many" feature comparison. In "one-to-one" mode the user ID is entered on the client; otherwise no input is needed;
S6-2: The identification type, i.e. the biometric type, is selected, including but not limited to fingerprint, face and iris;
S6-3: According to the identification type, the client drives the biometric acquisition device to capture a human biometric such as a fingerprint, face or iris; the recognition device's work includes image acquisition, detection, localisation, image processing and feature extraction;
S6-4: After capture, the biometric feature (denoted BIO) is stored temporarily in the recognition device for the later dynamic password computation;
S6-5: A biometric authentication request is sent to the certificate server in one of two forms. In "one-to-one" mode the device ID, user ID, identification type and biometric feature are sent to the certificate server; in "one-to-many" mode only the device ID, identification type and biometric feature are sent. In either mode, the user ID is returned once the biometric comparison or identification has passed;
S6-6: After the certificate server receives the authentication request from the client, it first verifies that the device ID is registered, then determines the identification type and looks up the corresponding biometric template library;
S6-7: The certificate server decrypts the biometric data and checks whether this biometric feature, or its hash value, already exists in the historical records. If it does, the biometric may have been stolen or copied: a warning is returned and this authentication fails. At the same time the count of abnormal events for this user ID is incremented, and when it reaches a preset value (for example 3) the user ID is put on a blacklist;
S6-8: The comparison mode is determined: in "one-to-one" mode the user information is looked up by user ID and the biometric comparison is carried out; in "one-to-many" mode the biometric template library is searched for the user information matching the biometric;
S6-9: After biometric authentication passes, the quality of the biometric is assessed; if it meets the condition, dynamic biometric template fusion is performed;
S6-10: The certificate server randomly generates a challenge number CN (a numeric code of at least 6 to 8 digits) and records an authentication log entry containing the user ID, device ID, the biometric feature BIO of this request, the challenge number CN and the current server time TM0; the user ID, challenge number CN and server time TM0 are returned to the application client;
S6-11: The user ID, challenge number CN and server time TM0 are returned to the client, and the client program passes them on to the biometric acquisition device.
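The certificate server's handling of steps S6-6 to S6-10, as an added example (not the patent's code). The replay check follows S6-7: a sample whose hash is already in the history is treated as stolen or copied, the request is refused with a warning, and after the preset number of abnormal events the user ID is blacklisted. The matcher is a constructed stand-in (fraction of equal bytes) for the vendor's comparison algorithm, and the device IDs, users, samples and pass threshold are constructed.

```python
"""Authentication request handling, S6-6 to S6-10 (added example, not the patent's code).
Replay check (S6-7): hash of every accepted sample is kept; a repeat is refused and
counted per user ID, and ABNORMAL_LIMIT repeats blacklist the user.
The similarity function and the stored data are constructed stand-ins."""
import hashlib
import secrets
import time
from collections import defaultdict
from typing import Dict, Optional

ABNORMAL_LIMIT = 3          # "for example 3 times" in S6-7
MATCH_THRESHOLD = 0.8       # assumed similarity needed to pass comparison


def similarity(a: bytes, b: bytes) -> float:
    """Constructed stand-in matcher, not a biometric algorithm."""
    n = max(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


class AuthServer:
    def __init__(self) -> None:
        self.devices = {"DEV-7"}                                         # registered device IDs
        self.templates: Dict[str, Dict[str, bytes]] = defaultdict(dict)  # type -> user -> template
        self.seen_hashes: set = set()                                    # history of BIO hashes
        self.abnormal: Dict[str, int] = defaultdict(int)
        self.blacklist: set = set()
        self.auth_log: Dict[str, dict] = {}                              # user -> {BIO, CN, TM0}

    def enroll(self, user_id: str, bio_type: str, template: bytes) -> None:
        self.templates[bio_type][user_id] = template

    def handle_request(self, device_id: str, bio_type: str, bio: bytes,
                       user_id: Optional[str] = None) -> dict:
        # S6-6: the device must be registered and the identification type known
        if device_id not in self.devices:
            return {"ok": False, "reason": "device not registered"}
        if bio_type not in self.templates:
            return {"ok": False, "reason": "unknown identification type"}
        # S6-7: an identical sample seen before means replay or copy
        h = hashlib.sha256(bio).digest()
        if h in self.seen_hashes:
            if user_id is not None:
                self.abnormal[user_id] += 1
                if self.abnormal[user_id] >= ABNORMAL_LIMIT:
                    self.blacklist.add(user_id)
            return {"ok": False, "reason": "warning: biometric sample replayed"}
        self.seen_hashes.add(h)
        # S6-8: one-to-one when a user ID is supplied, otherwise one-to-many search
        if user_id is not None:
            candidates = {user_id: self.templates[bio_type].get(user_id)}
        else:
            candidates = self.templates[bio_type]
        best_user, best = None, 0.0
        for uid, tmpl in candidates.items():
            if tmpl is not None:
                s = similarity(bio, tmpl)
                if s > best:
                    best_user, best = uid, s
        if best_user is None or best < MATCH_THRESHOLD:
            return {"ok": False, "reason": "no matching template"}
        if best_user in self.blacklist:
            return {"ok": False, "reason": "user blacklisted"}
        # S6-10: random challenge number (8 digits), authentication log entry, reply
        cn = f"{secrets.randbelow(10**8):08d}"
        tm0 = int(time.time())
        self.auth_log[best_user] = {"BIO": bio, "CN": cn, "TM0": tm0, "device": device_id}
        return {"ok": True, "user_id": best_user, "CN": cn, "TM0": tm0}
```

The history check only catches bit-identical samples: two live captures of the same iris never hash equal, so a genuine user is not blocked, while a captured feature message replayed verbatim is. It does not detect a presentation attack with a forged iris, which produces a new sample each time; that is what the fusion quality checks and the multi-modal combination are for.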
The dynamic password verification flow, shown in Fig. 8, comprises the following steps S7-1 to S7-9:
S7-1: The biometric acquisition device receives the user ID, challenge number CN and server time TM0;
S7-2: The device obtains its own time TM1; if the difference between TM1 and TM0 exceeds a preset value (set here to ±1 minute), the device clock is corrected, i.e. TM1 = TM0;
S7-3: From the time, seed key, challenge number and biometric feature, the device generates the dynamic password OTP1 = H(TM1, SK, CN, BIO), where TM1 is the current time of the recognition device, SK the seed key of the recognition device, CN the challenge number sent by the server and BIO the biometric data temporarily stored in the device. Once the dynamic password has been generated, BIO can be erased;
S7-4: The client uploads the user ID, OTP1, ΔT (= TM1 - TM0), the hash algorithm type and other information to the application server;
S7-5: The application server sends the user ID, OTP1, ΔT, hash algorithm type, application server ID and other information to the certificate server;
S7-6: After the certificate server receives the message, it first checks whether the application server ID is registered; only if this check passes does processing continue;
S7-7: The system retrieves the authentication log record corresponding to the user ID and obtains the BIO, TM0 and CN stored in that record;
S7-8: The certificate server obtains its current time TM and checks whether TM - (TM0 + ΔT) exceeds a preset time range (set here to ±2 minutes); if it does, the authentication has taken too long and is judged to have failed;
If it does not, the dynamic password is computed with the same hash algorithm, OTP2 = H(TMi, SK, CN, BIO), where TMi starts at the smaller of TM0 + ΔT and TM and steps through the interval between them in units of one minute. OTP1 and OTP2 are compared; if they are identical, authentication succeeds; if not, TMi takes the next value between TM0 + ΔT and TM and H(TMi, SK, CN, BIO) is recomputed, until OTP1 equals OTP2 or the interval is exhausted;
S7-9: If OTP1 equals OTP2, this biometric authentication succeeds; otherwise it is judged to have failed. The authentication result is returned to the application server and then fed back to the client.
In this second embodiment the computation of the dynamic password includes the biometric feature, a timestamp, the challenge number and the seed key SK; apart from SK, these are all dynamic factors. During authentication the timestamp controls the timeliness of identity authentication and the challenge number controls the randomness of this authentication; the biometric data BIO produced in each authentication also varies, as determined by the nature of biometric technology, so to a certain extent BIO can serve as a random number (BIO is not a secret, however, so the freshness of each exchange rests on the challenge number and the timestamp, and it is the history check of step S6-7 that rejects a replayed sample). If BIO is tampered with or replaced, the dynamic passwords will not agree. In short, the combination of biometric recognition and dynamic passwords in the invention guarantees the timeliness, randomness, tamper resistance and non-reproducibility of identity authentication.
Fig. 9 is a flow chart of the identity authentication method according to the third embodiment of the invention, covering face-based location of a VIP user (a visiting customer) followed by fingerprint or iris authentication. As shown in Fig. 9, the identity authentication flow of biometric recognition is implemented as follows.
First the client locates the user by face recognition, in steps S5-1 to S5-5:
S5-1: After the user enters the lobby or another place within the imaging area, the application system client drives the face imaging and recognition device to capture a face image and performs image acquisition, detection, localisation, processing and feature extraction;
S5-2: The client assembles the device ID, face feature data and identification type into a communication message and sends a face feature identification request to the certificate server;
S5-3: After receiving the request, the certificate server searches the face template library by the face feature, i.e. "one-to-many" identification;
S5-4: After the face feature search and comparison, the server determines whether a matching user has been found. If not, a failure result is returned to the client and this face recognition fails; if matching user information is found, the system randomly generates a challenge number and returns the user ID and the challenge number to the client;
S5-5: The client generates a dynamic password and has it verified by the certificate server via the application server; the result is returned to the application system, which judges from the dynamic password check result whether this identity authentication succeeded.
Second, the user identity is verified further with fingerprint technology. If the VIP user has other services to transact, the face location result of the previous process can be reused, i.e. the user ID is used for "one-to-one" fingerprint authentication, in steps S5-6 to S5-11:
S5-6: The client drives the fingerprint identification device, captures a fingerprint and extracts its features;
S5-7: A fingerprint authentication request is sent to the certificate server and the user's fingerprint is verified by user ID, i.e. in "one-to-one" mode;
S5-8: If the fingerprint comparison similarity reaches the preset value, fingerprint authentication passes. If it does not, the fingerprint comparison similarity and the earlier face similarity are combined and judged together: if the combined value reaches the preset requirement, combined authentication passes; otherwise a verification failure result is returned;
S5-9: After fingerprint authentication or combined authentication passes, the system randomly generates a challenge number and returns the user ID, challenge number and related information to the client;
S5-10: The client generates a dynamic password and has it verified by the certificate server via the application server; the result is returned to the application system;
S5-11: Whether this identity authentication succeeded is judged from the dynamic password check result.
From the above description it can be seen that the invention achieves the following technical effect: biometric recognition is combined with dynamic passwords, realising tamper resistance of the biometric data and security and reliability of user identity authentication. The biometric feature takes part in the computation of the dynamic password, so the elements that generate it are bound to the user's own biometric; the dynamic passwords generated for different users are closely tied to the users themselves, and any illegal tampering with the biometric feature causes the dynamic password verification to fail. The biometric feature thus guarantees the security of the dynamic password, and the authenticity and reliability of user identity authentication are ensured.
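The step-by-step identification filtering and combination decision method described earlier ("easy first, complex later, combined judgement") and its use in step S5-8 above (face location followed by one-to-one fingerprint verification), as an added example (not the patent's code). Modalities are tried in the stated priority order; one passes on its own threshold, otherwise a lower "further verification" bound admits the next modality, and when the last modality collected also falls short the weighted sum aX + bY (larger weight for the more accurate type), normalised by the weights used, is compared with a combined threshold. All thresholds and weights are assumed values.

```python
"""Step-by-step identification filtering with combination decision
(added example, not the patent's code; thresholds and weights are assumed)."""
from typing import Dict, List, Tuple

PRIORITY: List[str] = ["face", "fingerprint", "iris"]        # easiest first, most secure last
ACCEPT = {"face": 0.90, "fingerprint": 0.85, "iris": 0.80}   # pass on a single modality
FURTHER = {"face": 0.60, "fingerprint": 0.60, "iris": 0.60}  # minimum to allow the next step
WEIGHT = {"face": 0.20, "fingerprint": 0.35, "iris": 0.45}   # accuracy-ranked coefficients a, b, ...
COMBINED = 0.80


def stepwise_decision(scores: Dict[str, float]) -> Tuple[bool, str]:
    """scores maps each collected modality to its similarity; returns (accepted, reason)."""
    used: List[str] = []
    for modality in PRIORITY:
        if modality not in scores:
            continue
        s = scores[modality]
        used.append(modality)
        if s >= ACCEPT[modality]:
            return True, f"{modality} passed alone ({s:.2f})"
        if s < FURTHER[modality]:
            return False, f"{modality} below further-verification bound ({s:.2f})"
        # otherwise fall through to the next-priority modality, if one was collected
    if len(used) < 2:
        return False, "no further modality available"
    total_w = sum(WEIGHT[m] for m in used)
    combined = sum(WEIGHT[m] * scores[m] for m in used) / total_w   # aX + bY, normalised
    return combined >= COMBINED, f"combined {'+'.join(used)} = {combined:.2f}"
```

The further-verification bound is the security-relevant parameter: without it, a very poor face score could still be rescued by a single strong fingerprint in the weighted sum, which would let the combination step weaken the first modality instead of confirming it.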
It should be noted that the steps shown in the flow charts of the drawings can be performed in a computer system such as one executing a set of computer-executable instructions and, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from the one given here.
Obviously, those skilled in the art will understand that the modules and steps of the invention described above can be implemented with general-purpose computing devices; they can be concentrated in a single computing device or distributed over a network formed by several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or each can be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The invention is thus not limited to any particular combination of hardware and software.
The foregoing are only preferred embodiments of the invention and do not limit it; for those skilled in the art the invention may have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (12)

1. An identity authentication method, characterized in that it comprises:
an authentication server receiving a biometric authentication request sent by a client, wherein the biometric authentication request comprises a user biometric feature;
the authentication server returning a randomly generated challenge number to the client;
the authentication server receiving a dynamic authentication password sent by the client, wherein the dynamic authentication password is generated by the client from the time TM1 at which the client received the challenge number, the challenge number, the user biometric feature and a first sub-key pre-stored on the client;
the authentication server generating a dynamic password from the time TM at which the authentication server received the dynamic authentication password, the challenge number, the user biometric feature and a second sub-key, wherein the second sub-key is the key corresponding to the first sub-key; and
the authentication server verifying whether the dynamic password is consistent with the dynamic authentication password, and returning an identity authentication result to the client according to the verification result;
wherein, before the randomly generated challenge number is returned to the client, the method further comprises:
the authentication server comparing the user biometric feature with the user biometric features it has historically received to determine whether a first preset condition is met, and generating an attack warning when the first preset condition is met; and
the authentication server returning the attack warning to the client, wherein the first preset condition is that the present user biometric feature is identical to a historical user biometric feature.
2. The identity authentication method according to claim 1, characterized in that, before receiving the biometric authentication request sent by the client, the method further comprises:
the authentication server receiving a registration request sent by the client, wherein the registration request comprises identification information of the acquisition device used to acquire the user biometric feature;
the authentication server, upon receiving the registration request, randomly generating a seed key and storing the randomly generated seed key in correspondence with the identification information; and
the authentication server returning the randomly generated seed key to the client,
wherein the first sub-key and the second sub-key are the randomly generated seed key, the biometric authentication request further comprises the identification information, and the authentication server obtains the second sub-key according to the identification information when generating the dynamic password.
3. The identity authentication method according to claim 1, characterized in that, before the randomly generated challenge number is returned to the client, the method further comprises:
the authentication server comparing the user biometric feature with the biometric templates pre-stored in a biometric template library, so as to obtain a biometric template that matches the user biometric feature;
when the authentication server fails to obtain a matching biometric template, returning biometric authentication failure information to the client; and when the authentication server obtains a matching biometric template, modifying the biometric template library according to the user biometric feature,
wherein returning the randomly generated challenge number to the client comprises: when the authentication server obtains the matching biometric template, the authentication server returning the randomly generated challenge number to the client.
4. The identity authentication method according to claim 3, characterized in that the authentication server modifying the biometric template library according to the user biometric feature comprises:
when the user biometric feature is a user face feature and the user face feature satisfies a preset face modification requirement, the authentication server adding the user face feature to the biometric template library;
when the user biometric feature is a user iris feature and the user iris feature satisfies a preset iris modification requirement, the authentication server adding the user iris feature to the biometric template library;
when the user biometric feature is a user fingerprint feature, the authentication server increasing the matching weight coefficients of the feature points in the matching biometric template that match the user fingerprint feature, and decreasing the matching weight coefficients of the feature points in the matching biometric template that do not match the user fingerprint feature; and
when the user biometric feature is a user palm print feature, the authentication server increasing the matching weight coefficients of the feature points in the matching biometric template that match the user palm print feature, and decreasing the matching weight coefficients of the feature points in the matching biometric template that do not match the user palm print feature.
5. The identity authentication method according to claim 4, characterized in that,
when the user biometric feature is a user face feature and the user face feature satisfies the preset face modification requirement, the authentication server adding the user face feature data to the biometric template library comprises:
when the face state corresponding to the user face feature does not exist among the face states corresponding to the matching biometric template, the authentication server adding the user face feature data to the biometric template library; and
when the difference between the time at which the authentication server received the user face feature and the creation time of the matching biometric template exceeds a preset time interval, the authentication server adding the user face feature data to the biometric template library;
and when the user biometric feature is a user iris feature and the user iris feature satisfies the preset iris modification requirement, the authentication server adding the user iris feature data to the biometric template library comprises:
when the difference between the pupil radius corresponding to the user iris feature and the pupil radius corresponding to the matching biometric template exceeds a preset radius difference, the authentication server adding the user iris feature data to the biometric template library;
when the difference between the distance from the eyelid parabola corresponding to the user iris feature to the pupil centre and the pupil radius exceeds a preset distance difference, the authentication server adding the user iris feature data to the biometric template library;
when the eyelash noise proportion in the iris noise template corresponding to the user iris feature exceeds the eyelash noise proportion in the iris noise template corresponding to the matching biometric template, the authentication server adding the user iris feature data to the biometric template library; and
when there is no light spot in the pupil corresponding to the user iris feature, the authentication server adding the user iris feature data to the biometric template library.
6. The identity authentication method according to claim 1, characterized in that, before the authentication server generates the dynamic password, the method further comprises:
the authentication server receiving the TM1 sent by the client;
the authentication server judging whether |TM - TM1| exceeds a preset difference range; and
when |TM - TM1| exceeds the preset difference range, the authentication server returning timeout information to the client,
wherein the authentication server generating the dynamic password comprises: when |TM - TM1| does not exceed the preset difference range, the authentication server generating the dynamic password.
7. The identity authentication method according to claim 6, characterized in that,
the authentication server generating the dynamic password comprises: when |TM - TM1| does not exceed the preset difference range, generating a group of dynamic passwords according to the times between TM and TM1; and
the authentication server verifying whether the dynamic password is consistent with the dynamic authentication password comprises: the authentication server verifying whether the dynamic authentication password is consistent with any one dynamic password in the group of dynamic passwords.
8. An identity authentication server, characterized in that it comprises:
an authentication request receiving module, for receiving a biometric authentication request sent by a client, wherein the biometric authentication request comprises a user biometric feature;
an authentication request response module, for returning a randomly generated challenge number to the client;
a verification password receiving module, for receiving a dynamic authentication password sent by the client, wherein the dynamic authentication password is generated by the client from the time TM1 at which the client received the challenge number, the challenge number, the user biometric feature and a first sub-key pre-stored on the client;
a dynamic password generation module, for generating a dynamic password from the time TM at which the authentication server received the dynamic authentication password, the challenge number, the user biometric feature and a second sub-key, wherein the second sub-key is the key corresponding to the first sub-key;
a password verification module, for verifying whether the dynamic password is consistent with the dynamic authentication password; and
an authentication result sending module, for returning an identity authentication result to the client according to the verification result;
and further comprising:
an attack detection module, for comparing the user biometric feature with the user biometric features historically received by the authentication request receiving module to determine whether a first preset condition is met, and generating an attack warning when the first preset condition is met,
wherein the authentication request response module is further for returning the attack warning to the client, and the first preset condition is that the present user biometric feature is identical to a historical user biometric feature.
9. The identity authentication server according to claim 8, characterized in that it further comprises:
a registration request receiving module, for receiving a registration request sent by the client, wherein the registration request comprises identification information of the acquisition device that acquires the user biometric feature;
a seed key generation module, for randomly generating a seed key upon receipt of the registration request;
a seed key storage module, for storing the randomly generated seed key in correspondence with the identification information; and
a registration request response module, for returning the randomly generated seed key to the client,
wherein the first sub-key and the second sub-key are the randomly generated seed key, the biometric authentication request further comprises the identification information, and the dynamic password generation module is further for obtaining the second sub-key according to the identification information.
10. The identity authentication server according to claim 8, characterized in that it further comprises:
a feature comparison module, for comparing the user biometric feature with the biometric templates pre-stored in a biometric template library, so as to obtain a biometric template that matches the user biometric feature; and
a template library modification module, for modifying the biometric template library according to the user biometric feature when a matching biometric template is obtained,
wherein the authentication request response module is further for returning biometric authentication failure information to the client when no matching biometric template is obtained, and for returning the randomly generated challenge number to the client when the matching biometric template is obtained.
11. An identity authentication device, arranged at a client, characterized in that the identity authentication device comprises:
an authentication request sending module, for sending a biometric authentication request to an authentication server, wherein the biometric authentication request comprises a user biometric feature;
an authentication response receiving module, for receiving a challenge number randomly generated by the authentication server;
a dynamic authentication password generation module, for generating a dynamic authentication password from the time TM1 at which the client received the challenge number, the challenge number, the user biometric feature and a first sub-key pre-stored on the client;
a dynamic authentication password sending module, for sending the dynamic authentication password to the authentication server; and
an authentication result receiving module, for receiving an identity authentication result returned by the authentication server, wherein the identity authentication result is generated by the authentication server according to whether a dynamic password is verified to be consistent with the dynamic authentication password, and the dynamic password is generated from the time TM at which the authentication server received the dynamic authentication password, the challenge number, the user biometric feature and a second sub-key corresponding to the first sub-key;
and an attack warning receiving module, for receiving an attack warning returned by the authentication server, wherein the attack warning indicates that the user biometric feature and the user biometric features historically received by the authentication server meet a first preset condition, the first preset condition being that the present user biometric feature is identical to a historical user biometric feature.
12. The identity authentication device according to claim 11, characterized in that it further comprises:
a registration request sending module, for sending a registration request to the authentication server, wherein the registration request comprises identification information of the identity authentication device; and
a registration response receiving module, for receiving a randomly generated seed key returned by the authentication server,
wherein the first sub-key and the second sub-key are the randomly generated seed key, and the biometric authentication request further comprises the identification information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210421519.8A CN102916968B (en) 2012-10-29 2012-10-29 Identity identifying method, authentication server and identification authentication system

Publications (2)

Publication Number Publication Date
CN102916968A CN102916968A (en) 2013-02-06
CN102916968B true CN102916968B (en) 2016-01-27

Family

ID=47615202

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20220309
    Address after: 071800 Beijing Tianjin talent home (Xincheng community), West District, Xiongxian Economic Development Zone, Baoding City, Hebei Province
    Patentee after: BEIJING EYECOOL TECHNOLOGY Co.,Ltd.
    Patentee after: Beijing Eye Intelligent Technology Co., Ltd
    Address before: 100085, 1 floor 8, 1 Street, ten Street, Haidian District, Beijing.
    Patentee before: BEIJING TECHSHINO TECHNOLOGY Co.,Ltd.
PE01 Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: Identity authentication method, identity authentication server and identity authentication device
    Effective date of registration: 20220614
    Granted publication date: 20160127
    Pledgee: China Construction Bank Corporation Xiongxian sub branch
    Pledgor: BEIJING EYECOOL TECHNOLOGY Co.,Ltd.
    Registration number: Y2022990000332