CN114005190B - Face recognition method for class attendance system - Google Patents


Info

Publication number
CN114005190B
Authority
CN
China
Prior art keywords
terminal
user
attendance system
service
authentication server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111418164.2A
Other languages
Chinese (zh)
Other versions
CN114005190A (en)
Inventor
魏泽宇
陈东
王波
林杨
徐金鑫
刘馨霖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Investment Information Industry Group Co ltd
Original Assignee
Sichuan Investment Information Industry Group Co ltd

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C1/00 Registering, indicating or recording the time of events or elapsed time, e.g. time-recorders for work people
    • G07C1/10 Registering, indicating or recording the time of events or elapsed time, e.g. time-recorders for work people together with the recording, indicating or registering of other data, e.g. of signs of identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a face recognition method for a class attendance system comprising the following steps: registering the user with the biometric authentication server; receiving a request from a user of a class attendance system terminal to register that terminal with the biometric authentication server; registering a plurality of services with the biometric authentication server; authorizing the user to access services at the class attendance system terminal; receiving a terminal watermark from the user terminal, generating a user token request at the class attendance system terminal, generating a one-time (disposable) user token and sending it to the class attendance system terminal; and decrypting the encrypted password using the terminal watermark. Because the terminal watermark used for identity recognition is not stored on the terminal, an attacker is prevented from using a leaked password, and the security of identity recognition is improved.

Description

Face recognition method for class attendance system
Technical Field
The invention relates to system security, in particular to a face recognition method for a class attendance system.
Background
An authentication mechanism is the credential that identifies a legitimate user. In a networked campus attendance system, student users must enter a user name and password to log in to the attendance platform, but disclosure of the password can lead to intrusion and data leakage. Moreover, increasingly stringent password strength requirements leave users unable to remember their passwords. Password-centric authentication has failed to keep pace with the users of modern networked attendance platforms.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a face recognition method for a class attendance system, which comprises the following steps:
registering the user with the biometric authentication server to create a password and a user identification code for the user, the password and the user identification code being linked to an account associated with the user group;
receiving a request from a user of the class attendance system terminal and registering the user's terminal with the biometric authentication server to create a terminal profile comprising the received unique terminal identifier required for generating a terminal watermark and a terminal pre-shared key, and creating a terminal asset identification number for the class attendance system terminal;
registering a plurality of services with the biometric authentication server according to a service profile used by the user, wherein the service profile comprises a service principal name, a user name associated with the service principal name, a password and a terminal asset identification number, and a password encrypted at the class attendance system terminal using the terminal watermark;
storing the registered user, the class attendance system terminal and the service profile in a repository of the biometric authentication server; authorizing the user to access a service at the class attendance system terminal, wherein the biometric authentication server runs on the accessed campus cloud service;
receiving the user terminal watermark from the user, generating a user token request at the class attendance system terminal, and sending the generated user token request from the class attendance system terminal to the biometric authentication server;
processing the received user token request to generate a one-time (disposable) user token linked to the accessed campus cloud service;
wherein the terminal watermark is dynamically generated in memory by a hash function from a terminal pre-shared key, which the biometric authentication server shares with the class attendance system terminal over a secure channel, and a terminal identifier associated with the registered class attendance system terminal; the terminal watermark is generated automatically by the class attendance system terminal and generated automatically at the biometric authentication server using the terminal asset identification number, and it is stored neither on the user's class attendance system terminal nor on the biometric authentication server;
wherein verification comprises sending the received one-time user token to the biometric authentication server to verify the one-time user token and the campus cloud service based on the server certificate and the service principal name linked to the accessed campus cloud service;
and wherein the user token request is generated by a plug-in loaded by the client application on the class attendance system terminal, without requiring the biometric authentication server.
Compared with the prior art, the invention has the following advantages:
The invention provides a face recognition method for a class attendance system in which the terminal watermark used for identity recognition is not stored on the terminal, so that an attacker is prevented from using a leaked password and the security of identity recognition is improved.
Drawings
Fig. 1 is a flowchart of a face recognition method for a class attendance system according to an embodiment of the present invention.
Detailed Description
The following provides a detailed description of one or more embodiments of the invention along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a face recognition method for a class attendance system. Fig. 1 is a flowchart of a face recognition method for a class attendance system according to an embodiment of the present invention.
The invention provides authoritative certification of the identities associated with an attendance system terminal. It provides identification of users and attendance system terminals in service sessions, watermarking of the user's attendance system terminal as the source, scoring of users based on legitimate social relationships, and modelling of attribute-based relationships as directed graphs for dynamic data fusion. User authentication relies on a user token issued by the cloud and a service ID issued by the accessed campus cloud service, the terminal watermarks associated with the user's attendance system terminals, and the user's social relationships in the service session; the affiliation information is transmitted as a user token comprising dynamically calculated affiliated weights, component weights and affiliated attributes.
The terminal watermark of the invention is stored neither on the user's attendance system terminal nor on the biometric authentication server, is never transmitted over the network, and is generated automatically and dynamically on both the user's attendance system terminal and the biometric authentication server using a hash function. It is derived from a plurality of terminal identifiers that are tightly coupled and bound to the user's attendance system terminal. The terminal watermark therefore requires no external physical device, such as a hardware key fob, to receive a one-time password.
The service ID issued by the accessed campus cloud service is digitally signed with the server's private key and transmitted over a secure encrypted channel with extended server authentication. User tokens for social relationships are generated only after the service ID has been verified, and are transmitted over a secure encrypted channel.
The method comprises authenticating the service ID of the accessed campus cloud service before the authentication process based on the terminal watermark associated with the user's attendance system terminal; verifying that service ID before the user's attendance system terminal transmits the encrypted password for decryption; and decrypting the encrypted password on the user's attendance system terminal using the terminal watermark and the user's personal identification code. For an accessed campus cloud service requiring user authentication, the personal identification code is held only by the user and is linked to that service; for an accessed campus cloud service not requiring user authentication, the user identification code is pre-shared by the attendance system terminal. The personal identification code covers two kinds: the service authentication code and the user identification code.
The social relationship is the mechanism that generates and issues a user token containing the affiliated weights, component weights and affiliated attributes of the user that the accessed campus cloud service requests and the user agrees to during an authenticated service session. Generating the user token request requires the terminal watermark, the attendance system terminal pre-shared key and the user identification code. A user's affiliation is a relationship with other users and an organization. The service authentication code and the user identification code let multiple users securely share a single terminal and its associated terminal watermark by using different personal identification codes.
For access to services requiring authentication, the user's terminal watermark, created by the user and known only to the user, is denoted PIC. The terminal watermark is generated dynamically and automatically by the attendance system terminal and the biometric authentication server to establish proof that the user is present at the attendance system terminal during the service session. The terminal watermark is used to encrypt the password associated with the accessed service for use during the authentication process. The user terminal watermark is not registered with the identity provider; it is used only to encrypt the user's original authentication password. This facilitates the use of stronger passwords and periodic password changes without the user having to recall hard-to-remember passwords, and prevents an attacker from using compromised passwords.
For access to services that do not require authentication, the attendance system terminal encrypts the user identification code with the terminal pre-shared key for transmission to the biometric authentication server over the secure channel. Requiring the user's terminal watermark to be kept private, and to match, protects a compromised terminal watermark from being used maliciously from an attacker's attendance system terminal. In addition, disclosure of the terminal watermark would require disclosure of both the terminal pre-shared key and the plurality of terminal identifiers associated with the user's registered attendance system terminal.
Unlike a traditional biometric authentication server process, the invention provides authoritative identification of users at the attendance system terminal rather than a user authentication mechanism based on biometric features or terminal attributes. The user presents authentication credentials to the accessed campus cloud service without manually entering a hard-to-remember service login password. The method does not store the user's passwords in a vault protected by a single password for automatic form filling. Instead, the user encrypts the password on the attendance system terminal using the private user terminal watermark and the dynamically generated terminal watermark, and registers the encrypted password with the biometric authentication server, which includes it in the user token on subsequent access to the service. The encrypted password can only be decrypted on the attendance system terminal using the dynamically generated terminal watermark and the private user terminal watermark. The user may use the same terminal watermark for all accessed campus cloud services from one terminal, a different terminal watermark for each accessed campus cloud service on one terminal, or a different terminal watermark on a different terminal for the same accessed campus cloud service. If a terminal identifier changes, the registered attendance system terminal need only be resynchronized once; if the user's terminal watermark is compromised on the attendance system terminal, all passwords protected by that user terminal watermark need only be re-encrypted once, without changing any of the passwords.
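The password-protection scheme just described, as an added example that is not code from the patent or its assignee: the terminal regenerates its watermark in memory as a keyed hash of the pre-shared key (PSK) and its bound identifiers, combines it with the user's private PIC to derive an encryption key, and stores only the encrypted service password. The PSK, the identifier names and values, HMAC-SHA256 as the hash, PBKDF2 as the key derivation and the encrypt-then-MAC stream construction (a standard-library stand-in for an AEAD such as AES-GCM) are all assumptions, since the patent names none of them. The last function shows the one-time re-encryption after a terminal identifier changes.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent): the PSK the biometric
# authentication server shares with the registered terminal over a secure
# channel, and the terminal identifiers bound to that terminal.
PSK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TERMINAL_IDS = {
    "hardware_id": "HW-EXAMPLE-0001",
    "tpm_id": "TPM-EXAMPLE-0001",
    "processor_id": "CPU-EXAMPLE-0001",
    "asset_id": "ASSET-EXAMPLE-0001",
}


def terminal_watermark(psk: bytes, identifiers: dict) -> bytes:
    """Regenerate the terminal watermark in memory: HMAC-SHA256 over the
    canonically ordered identifiers, keyed with the PSK.  Nothing is persisted;
    terminal and server recompute it whenever it is needed (assumed hash)."""
    material = b"".join(
        k.encode() + b"=" + v.encode() + b"\x00" for k, v in sorted(identifiers.items())
    )
    return hmac.new(psk, material, hashlib.sha256).digest()


def password_key(watermark: bytes, user_pic: str) -> bytes:
    """Key for the stored service password: the user's private PIC stretched with
    PBKDF2 and salted by the terminal watermark, so neither alone suffices."""
    return hashlib.pbkdf2_hmac("sha256", user_pic.encode(), watermark, 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; deterministic for a given key and nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> bytes:
    """Encrypt-then-MAC.  Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_password(key: bytes, blob: bytes):
    """Return the password, or None if the key (watermark + PIC) is wrong or the
    blob was tampered with.  The tag is checked before anything is decrypted."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def register_service_password(identifiers: dict, user_pic: str, password: str) -> bytes:
    """Service registration on the terminal: only the encrypted password is kept
    in the service profile.  The watermark lives in this frame and is dropped."""
    wm = terminal_watermark(PSK, identifiers)
    return encrypt_password(password_key(wm, user_pic), password)


def recover_service_password(identifiers: dict, user_pic: str, blob: bytes):
    """Later session: regenerate the watermark from the live identifiers and the
    PIC the user types, then decrypt.  Fails if either has changed."""
    wm = terminal_watermark(PSK, identifiers)
    return decrypt_password(password_key(wm, user_pic), blob)


def resync_after_identifier_change(old_ids: dict, new_ids: dict, user_pic: str, blob: bytes):
    """One-time re-encryption when a terminal identifier changes: decrypt under
    the old watermark, re-encrypt under the new one; the password itself stays."""
    password = recover_service_password(old_ids, user_pic, blob)
    if password is None:
        return None
    return register_service_password(new_ids, user_pic, password)
```

A wrong PIC or a changed identifier yields a different key, so the tag check fails and `decrypt_password` returns None without ever producing plaintext; no watermark appears in any stored artifact.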
The invention constructs a directed graph comprising entity vertices and relational links, processes attributes as dependent or independent variables, maps the attributes to components, and evaluates the relative impact of component weights and attributes in the user's affiliated weight calculation.
The social relationships of the present invention are not based on attribute-based access control, but on weights assigned to entity relationships in a directed graph for post-access rights management, where the entities include users, organizations and profiles, and the relationships include the dependent and independent attributes of those entities.
The invention uses a plurality of local terminal identifiers and a terminal pre-shared key, which the biometric authentication server shares with the class attendance system terminals over a secure channel, and dynamically generates terminal watermarks for identifying class attendance system terminals through a hash function. User identification may be based on the user name associated with the service principal name, and the user terminal watermark may be associated with a plurality of passwords on a plurality of user class attendance system terminals and a plurality of accessed campus cloud services.
The identity recognition method is based on the server's confirmation of the registered class attendance system terminal, serving as proof that the user is present at the recognized class attendance system terminal, and on verification of the user based on the manually entered user terminal watermark. During the authentication handshake or management session, the user terminal watermark is not transmitted over the network.
The class attendance system terminal registers and dynamically verifies multiple attributes and components based on the group account and the terminal. The attributes include the hardware identifier, trusted platform module chip identifier, processor identifier, terminal asset identification number and so on. These attributes of the registered class attendance system terminal are used to dynamically generate the globally unique terminal watermark and the related terminal asset identification number, and they remain unchanged within a session.
The globally unique terminal watermark is dynamically generated by a hash function from the terminal pre-shared key PSK and the terminal identifier associated with the registered class attendance system terminal; the terminal pre-shared key is shared with the class attendance system terminal over a secure channel, and the terminal identifier is generated automatically at the class attendance system terminal. Consequently the terminal watermark is stored neither on the class attendance system terminal nor on the biometric authentication server.
The user's identity is based on the account, the class attendance system terminal registration and the service profile. The service profile includes a service principal name (e.g. a URL) by which the client uniquely identifies the instance of the service, the user name, the password and the terminal asset identification number; the password it contains is encrypted using the terminal watermark and the user's terminal watermark. The user terminal watermark is entered locally at the class attendance system terminal to decrypt the password in the service profile.
During a user session that registers a service for a class attendance system terminal, the user token request sent to the biometric authentication server includes the terminal asset identification number, the account, a time stamp, a digital signature generated using the terminal watermark and the time stamp, the service principal name, either the user name (when the accessed service requires authentication) or the user identification code encrypted with the terminal pre-shared key (when it does not), the digitally signed service ID received via the biometric authentication server, and the IP address of the accessed service. The user token response may include the encrypted password from the service profile, which was originally encrypted using the terminal watermark during service registration; that encrypted password can only be decrypted using the user's terminal watermark. By using standard time stamps and message integrity signatures on the secure channel between the class attendance system terminal and the biometric authentication server, the user token request is protected against replay attacks.
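The user token request described above, as an added example that is not code from the patent or its assignee: the terminal signs the request fields plus a time stamp with a MAC keyed by its in-memory watermark, and the server looks up the registered identifiers by terminal asset identification number, regenerates the same watermark, and then checks signature, freshness and replay in that order. The PSK, identifier names, field names, the HMAC-SHA256 signature, the 60-second skew window and the seen-request cache are assumptions; the patent specifies only that a time stamp and a watermark-based signature are present.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the patent).
PSK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ASSET_ID = "ASSET-EXAMPLE-0001"
TERMINAL_IDS = {"hardware_id": "HW-EXAMPLE-0001", "tpm_id": "TPM-EXAMPLE-0001"}


def terminal_watermark(psk: bytes, identifiers: dict) -> bytes:
    # Keyed hash over the canonically ordered identifiers; regenerated on
    # demand by both sides, never stored (assumed construction).
    material = b"".join(k.encode() + b"=" + v.encode() + b"\x00" for k, v in sorted(identifiers.items()))
    return hmac.new(psk, material, hashlib.sha256).digest()


def _canonical(body: dict) -> bytes:
    # Stable serialisation so terminal and server sign identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_user_token_request(watermark: bytes, asset_id: str, account: str, spn: str,
                             user_name: str, service_id: str, service_ip: str, now: int) -> dict:
    """Terminal side: the listed fields plus a time stamp, MAC-signed with the watermark."""
    body = {
        "asset_id": asset_id, "account": account, "timestamp": now,
        "spn": spn, "user_name": user_name, "service_id": service_id,
        "service_ip": service_ip,
    }
    return {"body": body, "signature": hmac.new(watermark, _canonical(body), hashlib.sha256).hexdigest()}


class BiometricAuthServer:
    """Server side: regenerate the watermark from the registered identifiers,
    then verify signature, time stamp freshness and replay, in that order."""

    def __init__(self, psk: bytes, max_skew: int = 60):
        self.psk = psk
        self.max_skew = max_skew
        self.terminals = {}   # asset_id -> registered identifiers
        self.seen = set()     # (asset_id, timestamp, signature) already accepted

    def register_terminal(self, asset_id: str, identifiers: dict) -> None:
        self.terminals[asset_id] = dict(identifiers)

    def verify_user_token_request(self, request: dict, now: int) -> str:
        body = request.get("body", {})
        identifiers = self.terminals.get(body.get("asset_id"))
        if identifiers is None:
            return "unknown terminal"
        wm = terminal_watermark(self.psk, identifiers)
        expected = hmac.new(wm, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return "bad signature"          # any edited field, time stamp included
        if abs(now - int(body["timestamp"])) > self.max_skew:
            return "stale timestamp"
        key = (body["asset_id"], body["timestamp"], request["signature"])
        if key in self.seen:
            return "replay"                 # identical bytes presented twice
        self.seen.add(key)
        return "ok"


def demo() -> list:
    """One valid request followed by the failure cases a defender should expect."""
    server = BiometricAuthServer(PSK)
    server.register_terminal(ASSET_ID, TERMINAL_IDS)
    wm = terminal_watermark(PSK, TERMINAL_IDS)    # terminal recomputes, never stores
    req = build_user_token_request(wm, ASSET_ID, "class-2021-a", "https://attendance.example/svc",
                                   "student01", "SVC-ID-EXAMPLE", "192.0.2.10", now=1_700_000_000)
    results = [server.verify_user_token_request(req, 1_700_000_005)]       # fresh, first use
    results.append(server.verify_user_token_request(req, 1_700_000_010))   # same bytes again
    tampered = {"body": dict(req["body"], user_name="student02"), "signature": req["signature"]}
    results.append(server.verify_user_token_request(tampered, 1_700_000_010))
    late = build_user_token_request(wm, ASSET_ID, "class-2021-a", "https://attendance.example/svc",
                                    "student01", "SVC-ID-EXAMPLE", "192.0.2.10", now=1_700_000_000)
    results.append(server.verify_user_token_request(late, 1_700_000_500))  # outside skew window
    unknown = {"body": dict(req["body"], asset_id="ASSET-X"), "signature": req["signature"]}
    results.append(server.verify_user_token_request(unknown, 1_700_000_005))
    return results
```

The signature is checked before the time stamp so that an attacker cannot learn anything from the order of rejections, and the replay cache is keyed on the accepted signature, which is what a detection rule on the server log would also key on.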
Identification in a real-time session requires a one-time user token, linked to the service profile, to be issued by the biometric authentication server on verification of the terminal watermark in order to authenticate the identified user to the service; the optional affiliation context includes the affiliated weight, the component weights and the classified affiliated attributes. The one-time user token may comprise the user's encrypted password or a pre-authentication token.
Identification-based social relationships are established by treating large datasets collected from multiple third-party data sources as directed graphs and querying them by user name, address, telephone number and so on. The returned data set includes user profile information. The query also returns a data set for organizations with which the user may be associated, including organization profile information. Social relationships serve to define the user's association with a plurality of independent, trusted nodes sufficiently to establish integrity based on the user profile.
The user's affiliated weight is a measure of legitimate attributes and relationships, determined from the information about the user that is available to the cloud. Social relationship weights are derived from a plurality of component weights, each of which is in turn determined from the relative weights and classifications of the related attributes received about the user from multiple data sources. The privacy of the user profile is protected by first encrypting the data with the user's private terminal watermark on the user's class attendance system terminal, and then encrypting it again on the remote server with a server platform identification number generated dynamically from the user profile information and the server hardware. This gives the user's static data two layers of protection.
The computation of the affiliated weights uses a directed graph in which a set of objects (nodes) are connected such that every edge (link) points from one node to another, and homomorphic encryption is used for obfuscation. The biometric server obtains the user's attributes from multiple data sources through directed queries about the user. User attributes that may be cached in the repository include information in the personal, social, professional and organizational fields. The user's static and associated attributes are used to construct a dynamic directed graph with entities as nodes and relationships as links. Entities include user communities, social networks, organizations and roles; a relationship represents a type of association, such as relative, colleague or friend. A plurality of component weights is calculated by a scoring function that traverses the directed graph and computes a weighted score for each entity and relationship matching the weighting criteria.
Social relationship weight calculation is based on the interdependencies between entities. Each node is an entity and may be assigned attributes; each link represents a relationship with a specified attribute of static or dynamic absolute weight. The affiliated weight of a user entity is computed from conditional weights derived from the weighted absolute weights of the other entities and relationships in the directed graph.
For distribution of the pre-shared key, the RSA parameter D must first be generated:
$D = (E, p, \Omega_{xy})$
where E is an elliptic curve over the integer field GF(p) modulo a prime, p being a large prime of a predetermined length, and $\Omega_{xy}$ is the (x, y) coordinate of the base point $\Omega$ on the elliptic curve E. The RSA parameter D is generated by a single accessed server. For each management domain A (comprising a number of management terminals $R_n$, each of which manages an ID set $\Sigma_n$ comprising a number of attendance system terminals):
$A = \{R_1, R_2, \ldots, R_n, \Sigma_1, \Sigma_2, \ldots, \Sigma_n\}$
the same group of parameters D is used, and registration with the biometric authentication server is performed according to the identifiers of the management terminals belonging to A and of the attendance system terminals.
For each attendance system terminal $T_n$ of each pair consisting of a management terminal $R_n$ and its subordinate ID set $\Sigma_n$ within the same management domain, the server must generate a positive integer P and a public/private key pair for identity authentication between the attendance system terminal ID and the reader. The authentication private keys $d_r$ and $d_t$ of the management terminal and the attendance system terminal respectively are kept private; the public key $K_r$ of the management terminal is shared with all attendance system terminals in the ID set it manages, and the public key $K_t$ of the attendance system terminal is stored in the biometric authentication server under the attendance system terminal ID, TID. The generation and distribution steps of the pre-shared key for one management terminal $R_n$ and its subordinate ID set $\Sigma_n$ are as follows:
The server selects a random number $d_r$ of sufficient length, retrieves from the biometric authentication server the RSA parameter D of the management domain A to which the target management terminal $R_n$ belongs, and computes $K_r = E_D(d_r \cdot \Omega)$ on the curve $E_D$ described by D;
the server selects a positive integer $P_n$ as the parameter of the target attendance system terminal $T_n$ for exchanging the pre-shared key, selects a random number $d_t$ of sufficient length, retrieves from the biometric authentication server the RSA parameter D of the management domain A to which the target attendance system terminal $T_n$ belongs, and computes $K_t = E_D(d_t \cdot \Omega)$ on the curve $E_D$ described by D;
the server distributes the generated $d_t$, $K_r$ and $P_n$ to the target attendance system terminal $T_n$ over a reliable channel, and stores the generated $K_t$ and $P_n$ in the biometric authentication server using the target attendance system terminal ID, $TID_n$, as the lookup key.
These steps are repeated, selecting in turn each target attendance system terminal $T_n$ in the ID set $\Sigma_n$ subordinate to $R_n$ for pre-shared key distribution, until every attendance system terminal in $\Sigma_n$ has been processed; $d_r$ is then distributed to the target management terminal $R_n$ over a reliable channel as the management terminal authentication private key, which ends the pre-shared key distribution process.
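The distribution steps above, and the same steps as restated in the claim below, as an added worked example that is not the patent's own code: the biometric authentication server generates $d_r$ and $K_r$, then per attendance terminal $d_t$, $K_t$ and $P_n$, hands each terminal its material, and stores only $(K_t, P_n)$ under the TID. The toy curve, all names, and the ECDH-style use of the keys in shared_point are assumptions; the patent does not say how $P_n$ is combined with the keys.

```python
import secrets

# Toy curve E: y^2 = x^3 + a*x + b over GF(p), constructed for illustration only
# (p = 17, base point Omega = (5, 1) of order 19). A real deployment would use a
# standard curve such as P-256 through a vetted library, never a hand-rolled one.
P_MOD, A_COEF, B_COEF = 17, 2, 2
OMEGA = (5, 1)          # base point Omega, given by its (x, y) coordinates
ORDER = 19              # order of Omega; private scalars lie in [1, ORDER - 1]
DOMAIN_PARAMS = {"E": (A_COEF, B_COEF), "p": P_MOD, "Omega_xy": OMEGA}  # the set D


def ec_add(p1, p2):
    """Point addition on E; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """Scalar multiplication k * point by double-and-add (not constant time)."""
    result, addend = None, point
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def random_scalar():
    """A private scalar in [1, ORDER - 1] ('sufficient length' on a toy curve)."""
    return secrets.randbelow(ORDER - 1) + 1


class BiometricAuthServer:
    """Repository keyed by attendance terminal ID (TID) -> (K_t, P_n)."""

    def __init__(self):
        self.repo = {}

    def distribute_domain_keys(self, terminal_ids):
        """Distribution for one management terminal R_n and its ID set. Returns
        d_r (for R_n, over the reliable channel) and TID -> (d_t, K_r, P_n)."""
        d_r = random_scalar()
        K_r = ec_mul(d_r, OMEGA)                  # K_r = E_D(d_r * Omega)
        to_terminals = {}
        for tid in terminal_ids:
            P_n = secrets.randbelow(2**32 - 1) + 1  # positive integer for key exchange
            d_t = random_scalar()
            K_t = ec_mul(d_t, OMEGA)              # K_t = E_D(d_t * Omega)
            to_terminals[tid] = (d_t, K_r, P_n)   # sent to T_n over the reliable channel
            self.repo[tid] = (K_t, P_n)           # server stores public material only
        return d_r, to_terminals


def shared_point(own_private, peer_public):
    """Assumed use of the material: ECDH-style agreement, d_t * K_r == d_r * K_t,
    so terminal and management terminal reach the same point without either
    private key leaving its owner (how P_n is mixed in is not specified)."""
    return ec_mul(own_private, peer_public)
```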
In summary, the invention provides a face recognition method for a class attendance system in which the terminal watermark used for identity recognition is not stored in the terminal, so that an attacker cannot make use of a leaked password and the security of identity recognition is improved.
It will be apparent to those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing system, they may be centralized in a single computing system, or distributed over a network of computing systems, and they may alternatively be implemented in program code executable by a computing system, where they may be stored in a storage system for execution by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explanation of the principles of the present invention and are in no way limiting of the invention. Accordingly, any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the present invention should be included in the scope of the present invention. Furthermore, the appended claims are intended to cover all such changes and modifications that fall within the scope and boundary of the appended claims, or equivalents of such scope and boundary.

Claims (1)

1. The face recognition method for the classroom attendance system is characterized by comprising the steps of:
registering the user with the biometric authentication server to create a password and a user identification code for the user, the password and the user identification code being linked to an account associated with the user group;
receiving a request from a user of the classroom attendance system terminal and registering the user's terminal with the biometric authentication server to create a terminal profile comprising the received unique terminal identifier required to generate the terminal watermark and the terminal pre-shared key, and creating a terminal asset identification number for the classroom attendance system terminal;
registering a plurality of services with the biometric authentication server according to the service profile used by the user, wherein the service profile comprises a service principal name, a user name associated with the service principal name, a password and a terminal asset identification number, the password being encrypted at the classroom attendance system terminal using the terminal watermark;
storing the registered user, classroom attendance system terminal and service profiles in a repository of the biometric authentication server; and authorizing the user to access a service at the classroom attendance system terminal, wherein the biometric authentication server executes on the accessed campus cloud service;
receiving the user's terminal watermark from the user, generating a user token request at the classroom attendance system terminal, and sending the generated user token request from the classroom attendance system terminal to the biometric authentication server;
processing the received user token request to generate a disposable user token linked to the accessed campus cloud service;
wherein the terminal watermark is generated dynamically in memory by a HASH function from the terminal pre-shared key, shared by the biometric authentication server with the classroom attendance system terminal over a secure channel, and the terminal identifier associated with the registered classroom attendance system terminal; the terminal watermark is generated automatically by the classroom attendance system terminal and generated automatically at the biometric authentication server using the terminal asset identification number; and the terminal watermark is stored neither in the user's classroom attendance system terminal nor in the biometric authentication server;
wherein, during a user session with a registered service of the classroom attendance system terminal, the user token request to the biometric authentication server includes the terminal asset identification number, the account, a timestamp, a digital signature generated using the terminal watermark and the timestamp, the service principal name, either the user name (where the accessed service requires authentication) or the user identification code encrypted using the terminal pre-shared key (where the accessed service does not require authentication), the service ID of the digital signature received via the biometric authentication server, and the IP address of the accessed service; the user token response includes the encrypted password from the service profile, which was originally encrypted using the terminal watermark during service registration, and the encrypted password in the service profile can be decrypted only with the user's terminal watermark; and the user token request is protected by a standard timestamp and a message integrity signature on a secure channel between the classroom attendance system terminal and the biometric authentication server;
linking the identity in the real-time session to the disposable user token for the service profile, issued by the biometric authentication server on the basis of verifying the terminal watermark, so as to authenticate the identified user to the service, the affiliation context comprising an affiliation weight, component weights and classified affiliation attributes; the disposable user token comprises the user's encrypted password or a pre-authentication token;
establishing identification-based social relationships by processing the various large datasets collected from a plurality of third-party data sources as directed graphs and querying them by user name, address and telephone number, wherein the received datasets include user profile information, and receiving datasets related to an organization associated with the user, the datasets including the organization's profile information;
wherein the affiliation weight measures legitimate attributes and relationships, which are determined from the information about the user obtained by the cloud; and the social relationship weights are derived from a plurality of component weights, each of which is determined from the relative weights and classifications of the related attributes received about the user from the plurality of data sources;
encrypting the data with the user's private terminal watermark on the user's classroom attendance system terminal, and then encrypting the data again on the remote server with a server platform identification number generated dynamically from the user profile information and the server hardware, thereby protecting the user's static data;
calculating the affiliation weight using a directed graph, wherein a set of objects (nodes) are connected together, every edge (link) points from one node to another, and homomorphic encryption is used for obfuscation; the biometric authentication server service obtains the various user attributes from the plurality of data sources through a directed query about the user; the user's static and associated attributes are used to construct a dynamic directed graph in which entities are represented as nodes and relationships as links; the entities comprise user communities, social networks, organizations and roles; a plurality of component weights are calculated by a scoring function traversing the directed graph; and the weighting function calculates a weighted value for each entity and relationship matching the weighting criteria;
wherein the pre-shared key distribution process further comprises first generating the RSA parameter D:
$D = (E, p, \Omega_{xy})$
where E is an elliptic curve over the integer field GF(p) modulo a prime, p being a large prime of a predetermined length; $\Omega_{xy}$ is the (x, y) coordinate of the base point $\Omega$ on the elliptic curve E; the RSA parameter D is generated by a single accessed server; and for each management domain A, wherein the management domain A comprises a plurality of management terminals $R_n$, each of which manages an ID set $\Sigma_n$ comprising a plurality of attendance system terminals:
$A = \{R_1, R_2, \ldots, R_n, \Sigma_1, \Sigma_2, \ldots, \Sigma_n\}$
the same group of parameters D is used, and registration with the biometric authentication server is performed according to the identifiers of the management terminals belonging to A and of the attendance system terminals;
for each attendance system terminal $T_n$ in each pair consisting of a management terminal $R_n$ and its subordinate ID set $\Sigma_n$ within the same management domain, the server must generate a positive integer P and a public/private key pair for identity authentication between the attendance system terminal ID and the reader; the authentication private keys $d_r$ and $d_t$ of the management terminal and the attendance system terminal respectively are kept private, and the public key $K_r$ of the management terminal is shared with all attendance system terminals in the ID set it manages; the public key $K_t$ of the attendance system terminal is stored in the biometric authentication server under the attendance system terminal ID, TID; and the generation and distribution process of the pre-shared key for the management terminal $R_n$ and its subordinate ID set $\Sigma_n$ comprises:
the server selects a random number $d_r$, retrieves from the biometric authentication server the RSA parameter D of the management domain A to which the target management terminal $R_n$ belongs, and computes $K_r = E_D(d_r \cdot \Omega)$ on the curve $E_D$ described by D;
the server selects a positive integer $P_n$ as the parameter of the target attendance system terminal $T_n$ for exchanging the pre-shared key, selects a random number $d_t$, retrieves from the biometric authentication server the RSA parameter D of the management domain A to which the target attendance system terminal $T_n$ belongs, and computes $K_t = E_D(d_t \cdot \Omega)$ on the curve $E_D$ described by D;
the server distributes the generated $d_t$, $K_r$ and $P_n$ to the target attendance system terminal $T_n$ over a reliable channel, and stores the generated $K_t$ and $P_n$ in the biometric authentication server using the target attendance system terminal ID, $TID_n$, as the lookup key;
these steps are repeated, selecting in turn each target attendance system terminal $T_n$ in the ID set $\Sigma_n$ subordinate to $R_n$ for pre-shared key distribution, until every attendance system terminal in $\Sigma_n$ has been processed; $d_r$ is then distributed to the target management terminal $R_n$ over a reliable channel as the management terminal authentication private key, which ends the pre-shared key distribution process.
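The watermark derivation and the timestamped, signed user token request described in the claim, as an added example that is not part of the patent: HMAC-SHA256 stands in for the unspecified HASH function and signature, the field names, the 30-second window and the replay set are assumptions, and the watermark is recomputed on each side from the pre-shared key and terminal identifier and never stored.

```python
import hashlib
import hmac
import json
import secrets


def terminal_watermark(psk: bytes, terminal_id: str) -> bytes:
    """Derive the terminal watermark in memory from the terminal pre-shared key
    and the terminal identifier. HMAC-SHA256 is an assumed instantiation of the
    claim's HASH function; the value is used and dropped, never persisted."""
    return hmac.new(psk, terminal_id.encode(), hashlib.sha256).digest()


def sign_request(watermark: bytes, fields: dict) -> str:
    """Message integrity signature over the canonical request body (assumed:
    HMAC keyed with the watermark; the timestamp is one of the signed fields)."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(watermark, body, hashlib.sha256).hexdigest()


class AttendanceTerminal:
    def __init__(self, asset_id: str, terminal_id: str, psk: bytes):
        self.asset_id, self.terminal_id, self.psk = asset_id, terminal_id, psk

    def user_token_request(self, account, spn, user_name, service_ip, now: int):
        fields = {"asset_id": self.asset_id, "account": account, "timestamp": now,
                  "spn": spn, "user_name": user_name, "service_ip": service_ip}
        watermark = terminal_watermark(self.psk, self.terminal_id)  # in memory only
        return {**fields, "signature": sign_request(watermark, fields)}


class BiometricAuthServer:
    def __init__(self, window_seconds: int = 30):
        self.terminals = {}       # asset_id -> (terminal_id, psk): terminal profiles
        self.seen = set()         # (asset_id, timestamp, signature) already accepted
        self.window = window_seconds

    def register_terminal(self, asset_id, terminal_id, psk):
        self.terminals[asset_id] = (terminal_id, psk)

    def issue_token(self, request: dict, now: int):
        """Verify the request and return a disposable token, or None on rejection."""
        profile = self.terminals.get(request.get("asset_id"))
        if profile is None:
            return None                                   # unknown asset number
        ts = request.get("timestamp")
        if not isinstance(ts, int) or abs(now - ts) > self.window:
            return None                                   # outside the timestamp window
        fields = {k: v for k, v in request.items() if k != "signature"}
        expected = sign_request(terminal_watermark(profile[1], profile[0]), fields)
        if not hmac.compare_digest(expected, str(request.get("signature", ""))):
            return None                                   # forged or modified request
        key = (request["asset_id"], ts, expected)
        if key in self.seen:
            return None                                   # replay inside the window
        self.seen.add(key)          # a real server prunes entries older than the window
        return secrets.token_hex(16)                      # one-time user token
```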
CN202111418164.2A 2021-11-26 2021-11-26 Face recognition method for class attendance system Active CN114005190B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111418164.2A CN114005190B (en) 2021-11-26 2021-11-26 Face recognition method for class attendance system


Publications (2)

Publication Number Publication Date
CN114005190A CN114005190A (en) 2022-02-01
CN114005190B true CN114005190B (en) 2024-07-02

Family

ID=79930436


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant