Embodiment
For the ease of understanding the present invention, below with reference to relevant drawings, the present invention is described more fully.Preferred embodiment of the present invention is given in accompanying drawing.But the present invention can realize in many different forms, is not limited to embodiment described herein.On the contrary, provide the object of these embodiments be make the understanding of disclosure of the present invention more comprehensively thorough.
Unless otherwise defined, all technology used herein and scientific terminology are identical with belonging to the implication that those skilled in the art of the present invention understand usually.The object of term used in the description of the invention just in order to describe specific embodiment, is not intended to be restriction the present invention.Term as used herein " or/and " comprise arbitrary and all combinations of one or more relevant Listed Items.
Access control method based on biometric feature of the present invention and system relate to smart card and certification end.Smart card can memory device sequence number, biometric feature; The all right information such as storing initial key, authentication key of smart card; Smart card can also carry out biological characteristic validation; Smart card can also be encrypted according to authentication double secret key random number and user name.Certification end is provided with expense control key management system.The server of certification end stores the equipment Serial Number of all smart cards and corresponding access control right.The server of certification end can also store the username and password of the user corresponding with equipment Serial Number.Certification end can gather and receive the biometric feature of human body.Certification end can also receive user name and the password of user's typing.
As shown in Figure 1, the access control method based on biometric feature of one embodiment of the present invention, comprises step:
S140: receive the biometric feature of human body, and the biometric feature of described human body is sent to smart card carries out biological characteristic validation.
Certification end gathers the biometric feature of human body, and receives this biometric feature, but does not store this biometric feature in certification end, but this biometric feature is sent to smart card.So, the biometric feature revealing user in certification end is avoided.Smart card is preserved by user oneself, and biological characteristic validation carries out within a smart card, therefore does not need to preserve in certification end or transmit in grid, ensure that the security of the biometric feature of user.Described biological characteristic validation is specially, by described smart card, the biometric feature received and the biometric feature stored within a smart card is carried out contrast verification.
Wherein in an embodiment, biometric feature is fingerprint.Understandably, also can be the features such as hand shape, the shape of face, iris, retina, pulse, auricle.
S145: receive the biological characteristic validation result that smart card sends.
If biological characteristic validation result is for passing through, then perform step S190.If biological characteristic validation result is not for pass through, then show biological characteristic validation failure, return and continue to perform step S140.
S190: authorize corresponding access control right.
In the present embodiment, according to equipment Serial Number and the biological characteristic validation result of smart card, the access control right corresponding with equipment Serial Number is authorized.
The above-mentioned access control method based on biometric feature, receives the biometric feature of human body, and the biometric feature of described human body is sent to smart card carries out biological characteristic validation; Receive the biological characteristic validation result that smart card sends; If biological characteristic validation is for passing through, authorize corresponding access control right.Carry out biological characteristic validation because the biometric feature received is sent to smart card, therefore, do not need preserve in certification end or transmit biometric feature in grid, the security of the biometric feature of user can be ensured to a certain extent.
For strengthening the security of access control, avoiding carrying out personal injury to certified people, as organ cutting etc., causing the non-subjectivity of licensee to agree to license and authorized situation about conducting interviews.Wherein in an embodiment, as shown in Figure 2, after step S140 or S145, step S190 comprises step S170 and S180.
S170: the username and password receiving typing.
Wherein in an embodiment, only have biological characteristic validation result for by time, the username and password of typing could be received.If because biological characteristic validation result is not for pass through, do not need to carry out subsequent authentication and just directly can judge that not there are any access rights, do not allow access, so, the burden that system is unnecessary can be reduced.
In another embodiment, if described biological characteristic validation result is for passing through, perform step S180.
S180: according to the username and password received, and the equipment Serial Number of described smart card carries out authentication.
According to the user name received and the equipment Serial Number of described smart card whether corresponding, and whether username and password accurately and correspondence carries out authentication.
In the present embodiment, if the step of authentication, namely the result of step S180 is for passing through, and just authorizes corresponding access control right, performs former step S190; If the result of the step of authentication is not for pass through, then show authentication failure, return and continue to perform step S170 or S140.
Be by afterwards in biological characteristic validation result, carry out authentication again, access control is only determined by the biological characteristic validation single factor test based on smart card, and the dual factors being promoted to the authentication of the username and password remembered by biological characteristic validation and the knowledge based based on smart card determine.So, the security of access control can be strengthened, the security risk that smart card is falsely used or password is stolen can be avoided.
Please continue to refer to Fig. 2, for strengthening the security of access control further, wherein in an embodiment, if described biological characteristic validation result is for passing through, after step S145, before step S180, also comprise step:
S150: generate random number, sends described random number to described smart card, and receives described smart card and adopt random number and user name described in authentication double secret key to be encrypted the ciphering sequence of rear generation.
Authentication key is that certification end generates for dispersion factor with the equipment Serial Number of smart card, and smart card be distributed to user carry out personal settings time, be sent to smart card, therefore, the authentication key of each smart card is not identical.User name can for be stored in smart card together with equipment Serial Number; Also can be received by certification end to be sent to smart card again.
S160: described in use certificate double secret key, ciphering sequence is decrypted, and judge that whether the random number after deciphering is consistent with the user name of the random number generated and storage with user name.
When authentication key is for verifying, the server of certification end is using the expectation that the equipment Serial Number of smart card generates as the dispersion factor key identical with authentication key.
If the random number after deciphering is consistent with the random number of production and the user name of storage with user name, then devices illustrated sequence number, random number, user name are all accurate.Now, can subsequent authentication or operation be carried out, in the present embodiment, perform step S180.
If deciphering after random number and the random number of user name and production and the user name of storage inconsistent, then devices illustrated sequence number, random number, user name have existing problems at least.Now, display authentication failed, returns S140 or S150.
So, carried out the checking of random number, user name and key by challenge response pattern, the security of access control can be strengthened further.Authentication key is identical with the dispersion factor of authentication secret generating, and both are identical key in theory, and therefore above-mentioned challenge response pattern is specially the challenge response pattern based on symmetric key.Challenge response pattern based on symmetric key does not need additionally to increase Public Key Infrastructure in certification end, and its structure is simple, and simultaneous verification process is simple.
Please continue to refer to Fig. 2, wherein in an embodiment, before step S140, also comprise step:
S130: the biometric feature receiving human body, and be stored in described smart card.
Smart card is carried by user oneself, so, can ensure the security of biometric feature.
Please continue to refer to Fig. 2, wherein in an embodiment, before step S130, also comprise step:
S110: the initial key receiving described smart card, and described initial secret key is verified.
Initial key is the key that smart card used before carrying out personal settings, can be used for the true and false verifying smart card.If be verified, then perform step S120; Otherwise, continue to perform step S110.
S120: the equipment Serial Number according to described smart card generates authentication key, and send described authentication key to described smart card.
After carrying out personal settings to smart card, initial key lost efficacy, and subsequent operation adopts the authentication key of personal settings to be encrypted.So, the difference that personal settings can increase different intelligent card is carried out to smart card.
As shown in Figure 3, the access control system based on biometric feature of one embodiment of the present invention, comprising:
Feature receives sending module 140, for receiving the biometric feature of human body, and the biometric feature of described human body is sent to smart card carries out biological characteristic validation.
The feature of certification end receives the biometric feature that sending module 140 gathers human body, and receives this biometric feature, but does not store this biometric feature in certification end, but this biometric feature is sent to smart card.So, the biometric feature revealing user in certification end is avoided.Smart card is preserved by user oneself, and biological characteristic validation carries out within a smart card, therefore does not need to preserve in certification end or transmit in grid, ensure that the security of the biometric feature of user.Described biological characteristic validation is specially, by described smart card, the biometric feature received and the biometric feature stored within a smart card is carried out contrast verification.
Wherein in an embodiment, biometric feature is fingerprint.Understandably, also can be the features such as hand shape, the shape of face, iris, retina, pulse, auricle.
Characteristic results receiver module 145, for receiving the biological characteristic validation result that smart card sends.
If biological characteristic validation result is for passing through, then performs access rights and authorize module 190.If biological characteristic validation result is not for pass through, then show biological characteristic validation failure, return and continue to perform feature reception sending module 140.
Access rights authorize module 190, for authorizing corresponding access control right.
In the present embodiment, according to equipment Serial Number and the biological characteristic validation result of smart card, the access control right corresponding with equipment Serial Number is authorized.
The above-mentioned access control system based on biometric feature, feature receives sending module 140 and receives the biometric feature of human body, and the biometric feature of described human body is sent to smart card carries out biological characteristic validation; Characteristic results receiver module 145 receives the biological characteristic validation result that smart card sends; If the biological characteristic validation that described characteristic results receiver module receives is for passing through, access rights are authorized module 190 and are authorized corresponding access control right.Carry out biological characteristic validation because the biometric feature received is sent to smart card, therefore, do not need preserve in certification end or transmit biometric feature in grid, the security of the biometric feature of user can be ensured to a certain extent.
For strengthening the security of access control, avoiding carrying out personal injury to certified people, as organ cutting etc., causing the non-subjectivity of licensee to agree to license and authorized situation about conducting interviews.Wherein in an embodiment, as shown in Figure 4, user name password acceptance module 170 and authentication module 180 is also comprised.
User name password acceptance module 170, for receiving the username and password of typing.
Wherein in an embodiment, the biological characteristic validation result only having characteristic results receiver module 145 to receive for by time, user name password acceptance module 170 could receive the username and password of typing.If because biological characteristic validation result is not for pass through, do not need to carry out subsequent authentication and just directly can judge that not there are any access rights, do not allow access, so, the burden that system is unnecessary can be reduced.
In another embodiment, if the described biological characteristic validation result that characteristic results receiver module 145 receives is for passing through, authentication module 180 is performed.
Described authentication module 180, for the username and password according to reception, and the equipment Serial Number of described smart card carries out authentication.
Authentication module 180 according to the user name received and the equipment Serial Number of described smart card whether corresponding, and whether username and password accurately and correspondence carries out authentication.
In the present embodiment, right-granting module 190, also for receiving the result of the described authentication of described authentication module before authorizing corresponding access control right, if the described authentication that described authentication module 180 is carried out is for passing through, namely authorize corresponding access control right; If the described authentication that authentication module 180 is carried out is not for pass through, then show authentication failure, return and continue to perform user name password acceptance module 170 or feature reception sending module 140.
The biological characteristic validation result received at characteristic results receiver module 145 is by afterwards, authentication is carried out again by authentication module 180, access control is only determined by the biological characteristic validation single factor test based on smart card, and the dual factors being promoted to the authentication of the username and password remembered by biological characteristic validation and the knowledge based based on smart card determine.So, the security of access control can be strengthened, the security risk that smart card is falsely used or password is stolen can be avoided.
Please continue to refer to Fig. 4, for strengthening the security of access control further, wherein in an embodiment, if the described biological characteristic validation result that characteristic results receiver module 145 receives is for passing through, also comprise random number generation module 150 and consistance judge module 160.
Random number generation module 150, for generating random number, sends described random number to described smart card, and receives described smart card and adopt random number and user name described in authentication double secret key to be encrypted the ciphering sequence of rear generation.
Authentication key is that certification end generates for dispersion factor with the equipment Serial Number of smart card, and smart card be distributed to user carry out personal settings time, be sent to smart card, therefore, the authentication key of each smart card is not identical.User name can for be stored in smart card together with equipment Serial Number; Also can be received by certification end to be sent to smart card again.
Consistance judge module 160, is decrypted for ciphering sequence described in use certificate double secret key, and judges that whether the random number after deciphering is consistent with the user name of the random number generated and storage with user name.
When authentication key is for verifying, the server of certification end is using the expectation that the equipment Serial Number of smart card generates as the dispersion factor key identical with authentication key.
If the random number after deciphering is consistent with the random number of production and the user name of storage with user name, then devices illustrated sequence number, random number, user name are all accurate.Now, subsequent authentication or operation can be carried out.In the present embodiment, described authentication module 180, also for receiving the judged result of described consistance judge module 160 before carrying out authentication, if described judged result is described consistance judge module 160 judge that the random number after deciphering is consistent with the random number of generation and the user name of storage with user name, then carry out described authentication.
If deciphering after random number and the random number of user name and production and the user name of storage inconsistent, then devices illustrated sequence number, random number, user name have existing problems at least.Now, display authentication failed, backout feature receives sending module 140 or random number generation module 150.
So, carried out the checking of random number, user name and key by challenge response pattern, the security of access control can be strengthened further.Authentication key is identical with the dispersion factor of authentication secret generating, and both are identical key in theory, and therefore above-mentioned challenge response pattern is specially the challenge response pattern based on symmetric key.Challenge response pattern based on symmetric key does not need additionally to increase Public Key Infrastructure in certification end, and its structure is simple, and simultaneous verification process is simple.
Please continue to refer to Fig. 4, wherein in an embodiment, also comprise:
First feature receiver module 130, for receiving the biometric feature of human body, and is stored in described smart card.
Smart card is carried by user oneself, so, can ensure the security of biometric feature.
Please continue to refer to Fig. 4, wherein in an embodiment, also comprise:
Initial key authentication module 110, for receiving the initial secret key of described smart card, and verifies described initial key.
Initial key is the key that smart card used before carrying out personal settings, can be used for the true and false verifying smart card.If be verified, then perform personal settings module 120; Otherwise, continue to perform initial key authentication module 110.
Personal settings module 120, generates authentication key for the equipment Serial Number according to described smart card, and sends described authentication key to described smart card.
After carrying out personal settings to smart card, initial key lost efficacy, and subsequent operation adopts the authentication key of personal settings to be encrypted.So, the difference that personal settings can increase different intelligent card is carried out to smart card.
Above embodiment only have expressed several embodiment of the present invention, and it describes comparatively concrete and detailed, but therefore can not be interpreted as the restriction to the scope of the claims of the present invention.It should be pointed out that for the person of ordinary skill of the art, without departing from the inventive concept of the premise, can also make multiple distortion and improvement, these all belong to protection scope of the present invention.Therefore, the protection domain of patent of the present invention should be as the criterion with claims.