CN114666059A - Identity authentication method and device for protecting privacy - Google Patents

Info

Publication number: CN114666059A
Authority: CN (China)
Prior art keywords: mapping, result, round, target, information
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202210225660.4A
Other languages: Chinese (zh)
Inventors: 吴茜, 田益腾
Current Assignee: Alipay Hangzhou Information Technology Co Ltd
Original Assignee: Alipay Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/043 Masking or blinding of tables, e.g. lookup, substitution or mapping

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Collating Specific Patterns (AREA)

Abstract

Embodiments of this specification provide an identity authentication method and device for protecting privacy. A first mapping value corresponding to the target category is queried from the biometric mapping set corresponding to the target account identifier, and a second mapping value corresponding to the target account identifier and related to the account information is queried. A mapping operation is performed with the biometric information of the target category and the account identity information respectively as target information, yielding a first mapping result and a second mapping result; the mapping operation comprises dividing the code corresponding to the target information into a plurality of data blocks and compressing the data blocks sequentially and iteratively. The user to be authenticated is determined to pass identity authentication when the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.

Description

Identity authentication method and device for protecting privacy
Technical Field
One or more embodiments of the present disclosure relate to the field of identity authentication technologies, and in particular, to an identity authentication method and apparatus for protecting privacy.
Background
Identity authentication is a necessary security check in many applications, and the currently popular mode of identity authentication is biometric verification. However, the biometric information involved in biometric verification is vulnerable to hacking and, once breached, is susceptible to malicious exploitation. Therefore, it is desirable to provide an identity authentication method that protects privacy.
Disclosure of Invention
One or more embodiments of the present specification describe an identity authentication method and apparatus for protecting privacy, which can perform identity authentication on a user more accurately under the condition of protecting the privacy of the user.
In a first aspect, an identity authentication method for protecting privacy is provided, including:
acquiring biological characteristic information and account identity information of a target category of a user to be authenticated; wherein the account identity information at least comprises a target account identification;
inquiring a first mapping value corresponding to the target category from a biological characteristic mapping set corresponding to the target account identification, and inquiring a second mapping value corresponding to the target account identification and related to account information; the biological characteristic mapping set is stored with mapping values corresponding to various types of biological characteristic information which are input in advance;
respectively carrying out mapping operation by taking the biological characteristic information of the target category and the account identity information as target information to obtain a first mapping result and a second mapping result, wherein the mapping operation comprises dividing a code corresponding to the target information into a plurality of data blocks, and sequentially and iteratively compressing the data blocks;
and determining that the user to be authenticated passes identity authentication under the condition that the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
In a second aspect, an identity authentication apparatus for protecting privacy is provided, including:
an acquisition unit, configured to acquire the biometric information of a target category and the account identity information of a user to be authenticated; wherein the account identity information at least comprises a target account identifier;
the inquiry unit is used for inquiring a first mapping value corresponding to the target category from a biological characteristic mapping set corresponding to the target account identification and inquiring a second mapping value corresponding to the target account identification and related to account information; the biological characteristic mapping set stores mapping values corresponding to various types of biological characteristic information which are input in advance;
the operation unit is used for respectively carrying out mapping operation by taking the biological characteristic information of the target category and the account identity information as target information to obtain a first mapping result and a second mapping result, wherein the mapping operation comprises the steps of dividing a code corresponding to the target information into a plurality of data blocks and sequentially and iteratively compressing the data blocks;
and the determining unit is used for determining that the user to be authenticated passes the identity authentication under the condition that the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
In a third aspect, there is provided a computer storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
In a fourth aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of the first aspect.
In the identity authentication method and apparatus for protecting privacy according to one or more embodiments of the present disclosure, first, only the mapping values corresponding to a user's biometric information are stored, so the security of the biometric information may be improved. Second, the mapping values corresponding to the various categories of biometric information stored in the biometric mapping set can support multiple kinds of biometric verification for the user, which improves general applicability. Finally, the user passes identity authentication only when both the biometric information and the account identity information are verified successfully, so the accuracy of the identity authentication can be improved.
Drawings
To illustrate the technical solutions of the embodiments of this specification more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of this specification, and those skilled in the art may obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an implementation scenario disclosed in one embodiment of the present disclosure;
FIG. 2 illustrates a flowchart of a privacy preserving identity authentication method according to one embodiment;
FIG. 3 illustrates a diagram of a mapping operation for target information in one embodiment;
FIG. 4 is a diagram illustrating a compression process for a block of data in one embodiment;
FIG. 5 is a schematic diagram of a method of the t-th iteration in the compression process;
FIG. 6 illustrates a schematic diagram of an identity authentication device with privacy protection according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
As described above, the conventional biometric authentication method has a risk of privacy disclosure, and for this reason, the inventors of the present disclosure propose to store only the mapping value corresponding to the biometric information in the client or the cloud server. In addition, in order to support the multi-type biometric verification method, the scheme stores mapping values corresponding to the multi-type biometric information of the user in advance, and then can perform biometric verification of a certain type based on the currently acquired biometric information of the target type, so that the general applicability can be improved. Finally, the scheme not only checks the biological characteristic information, but also checks the account identity information, namely under the condition that both the biological characteristic information and the account identity information pass the check, the identity authentication of the user is determined to pass, and therefore the accuracy of the identity authentication method can be improved.
FIG. 1 is a schematic diagram of an implementation scenario of one embodiment disclosed in this specification. In FIG. 1, biometric information of multiple categories may be collected from the user, and a mapping operation may then be performed on the biometric information of each category to obtain the mapping values corresponding to the multiple categories of biometric information: $H_2, H_3, \ldots, H_{cou+1}$, where cou is the number of categories of biometric information; these mapping values together form the user's biometric mapping set. In addition, a mapping operation can be performed on the user's account identity information to obtain a corresponding second mapping value: $H_1$.
Then, when performing identity authentication for a user, the biometric information of a target category (e.g., fingerprint features) and the account identity information of the user to be authenticated may be obtained, where the account identity information at least includes a target account identification ID. Next, a first mapping value $H_i$ corresponding to the target category, where i is a positive integer greater than 1, is queried from the biometric mapping set corresponding to the target account identification ID, and a second mapping value $H_1$ corresponding to the target account identification ID and related to the account information is queried.
A mapping operation is performed with the biometric information of the target category and the account identity information respectively as target information to obtain a first mapping result $H'_i$ and a second mapping result $H'_1$. When the first mapping value $H_i$ is consistent with the first mapping result $H'_i$ and the second mapping value $H_1$ is consistent with the second mapping result $H'_1$, the user to be authenticated is determined to pass the identity authentication.
It should be understood that fig. 1 is only an exemplary illustration, and in practical applications, the database may also store a biometric mapping set corresponding to other account identifications and mapping values related to account information. In addition, the biometric mapping set corresponding to each account identifier and the mapping value related to the account information may be stored separately, which is not limited in this specification.
FIG. 2 illustrates a flow diagram of a privacy preserving identity authentication method according to one embodiment. The method may be performed by any apparatus, device, platform, cluster of devices having computing, processing capabilities. For example, it may be a client or a cloud server. As shown in fig. 2, the method may include at least the following steps.
Step 202, obtaining the biological characteristic information and the account identity information of the target category of the user to be authenticated.
The biometric information of the target category may be any one of the following: human face features, eye features, voiceprint features, fingerprint features, palm print features, heartbeat features, pulse features, vein features, human tooth bite mark features and the like.
The account identity information at least comprises a target account identification. In addition, at least one of an identification number, a password, a mobile phone number and the like can be included.
Specifically, the client may directly collect biometric information of a target category of the user to be authenticated. For the account identity information, when the account identity information only comprises the target account identifier, the account identifier of the current login of the user to be authenticated can be directly used as the account identity information. When the account identity information further includes information such as a mobile phone number, the information such as the mobile phone number of the user to be authenticated can be inquired from the pre-recorded user basic information based on the current login account identifier. And then, the information such as the currently logged-in account identification, the mobile phone number and the like is jointly used as account identity information.
It should be understood that when the method for identity recognition is executed by the cloud server, the client may encrypt the two pieces of information (i.e., the biometric information and the account identity information of the target category of the user to be authenticated) and send the encrypted information to the cloud server.
Step 204, a first mapping value corresponding to the target category is inquired from the biological characteristic mapping set corresponding to the target account identification, and a second mapping value corresponding to the target account identification and related to the account information is inquired.
The biometric mapping set stores the mapping values corresponding to the various categories of biometric information that were entered in advance. Here, each category of biometric information is collected separately. The mapping value corresponding to each category of biometric information may be obtained by a mapping operation; for details, see the method of calculating the mapping result described below.
In addition, the second mapping value related to the account information is obtained by performing the mapping calculation on the account identity information of the user to be authenticated, acquired in advance; for details, see the method of calculating the mapping result described below.
The set of biometric mappings corresponding to the target account identifier and the second mapping value associated with the account information may be stored together or separately, for example, the biometric mapping may be stored in one data table, and the second mapping value associated with the account information may be stored in another data table, and the two may be associated with the target account identifier.
It should be understood that in practical applications, the corresponding set of biometric mappings and the second mapping value related to the account information may be stored in advance for a plurality of users. Thereafter, a biometric mapping set for the current user and a second mapping value related to the account information may be determined based on the current account identification.
Step 206, performing a mapping operation with the biometric information of the target category and the account identity information respectively as target information to obtain a first mapping result and a second mapping result.
The first mapping result is obtained by performing mapping operation on the biometric information of the target category, and the second mapping result is obtained by performing mapping operation on the account identity information. The mapping operation may be a hash operation, for example.
In one example, the mapping operation may include dividing the code corresponding to the target information into several data blocks, and performing compression processing on the several data blocks sequentially and iteratively.
Of course, in practical applications, before the dividing operation is performed, the code corresponding to the target information (for example, its binary code) may be padded so that its final length is an integer multiple of 512 or 1024.
In one example, assuming the binary code of the target information has a length of l bits, the padding process may be as follows: first, a bit "1" is appended after the last bit, and then k "0" bits are appended, where k is the smallest non-negative integer satisfying $l + 1 + k \equiv 448 \pmod{512}$. Finally, the 64-bit binary representation of the target information is appended. It should be understood that the length of the code after padding in this way is a multiple of 512.
Of course, k can also be the smallest non-negative integer satisfying $l + 1 + k \equiv 689 \pmod{1024}$, in which case the 128-bit binary representation of the target information is appended so that the length of the padded code is an integer multiple of 1024.
It should be appreciated that when the code of the target information has been padded, it is the padded code that is divided into data blocks. For example, if the length of the padded code is a multiple of 512, the length of each data block obtained by the division may be 512. As another example, if the length of the padded code is a multiple of 1024, the length of each data block obtained by the division may be 1024. The following description uses a data block length of 512 as the example.
In one example, the mapping operation for the target information may be as shown in FIG. 3. In FIG. 3, $M^{(1)}, M^{(2)}, \ldots, M^{(N)}$ are the N data blocks into which the binary code of the target information is divided. The mapping operation may proceed as follows: starting from a predetermined constant $H^{(0)}$ (described later), the compression process is performed on the N data blocks sequentially and iteratively. For any data block $M^{(i)}$, the compression process may include: determining an intermediate operation result based at least on the compression result $H^{(i-1)}$ of the previous data block $M^{(i-1)}$ and on the data block $M^{(i)}$; and fusing the intermediate operation result with the compression result $H^{(i-1)}$ of the previous data block to obtain the compression result $H^{(i)}$ of data block $M^{(i)}$. The compression result $H^{(N)}$ of the last data block $M^{(N)}$ is then taken as the mapping result of the target information.
It should be understood that the first mapping result and the second mapping result can be obtained after the mapping operation shown in fig. 3 is performed with the biometric information and the account identification information of the target category as the target information, respectively.
Furthermore, the processing procedure of the mapping operation can also be expressed as the following formula:
Figure BDA0003535565460000051
where $H^{(i)}$, $H^{(i-1)}$ and $M^{(i)}$ are as described above, and C() is the compression function. It should be understood that when $M^{(i)}$ is the first data block, $H^{(i-1)}$ is the predetermined constant $H^{(0)}$ mentioned above.
In one example, the predetermined constant $H^{(0)}$ may be taken from the fractional parts of the square roots of the first N prime numbers (2, 3, 5, 7, 11, 13, 17, 19) among the natural numbers. In one example, the first 32 bits of the fractional part of the square root of each of the first 8 prime numbers may be taken, so $H^{(0)}$ has a length of 8 × 32 = 256 bits.
When the predetermined constant has a length of 256, the resulting mapping result (including the first and second mapping results) also has a length of 256. It can be seen that, in this scheme, the length of the mapping result is much smaller than the length of the code corresponding to the target information (for example, an integer multiple of 512); that is, a large amount of information may be discarded during the operation, so an attacker cannot compute the input information in reverse, which effectively protects the user's biometric information or account identity information.
Taking data block $M^{(i)}$ as an example, the compression process (i.e., the specific implementation of the compression function) may be as shown in FIG. 4. In FIG. 4, the compression result $H^{(i-1)}$ of the previous data block is used as the iteration initial value, and m rounds of iterative operation are performed. In one example, m may be 64.
Specifically, after the iteration starts, the iteration initial value may be split into 8 word constants: a, b, c, d, e, f, g, and h, where 1 word constant may correspond to 1 prime number, i.e., 32 bits. Then, in any round t, the 8 word constants are updated using the round constant $K_t$ and the round extension block $W_t$ of round t, which completes the t-th iteration; this continues until the m-th iteration is reached. The operation result of the m-th iteration is taken as the intermediate operation result and fused with the compression result $H^{(i-1)}$ of the previous data block to obtain the compression result $H^{(i)}$ of data block $M^{(i)}$.
The round constants differ from round to round, so the calculation in each round is different. These round constants are obtained as follows: the first 80 prime numbers are cubed and the first bits (e.g., 32 bits) of the fractional part are taken. These constants provide a set of 32-bit random strings that can initially eliminate statistical regularity in the input data.
In addition, the round extension block of each round can be different; the round extension blocks are obtained by performing message expansion on data block $M^{(i)}$.
In one example, the message expansion may include: dividing the data bits of data block $M^{(i)}$ into groups, each of which may comprise, for example, 32 bits; then selecting the first n (n < m) groups in order as the round extension blocks of the first n rounds; and finally shifting different target groups and determining the round extension blocks of the remaining m-n rounds based on the shift results.
In one example, the iterative operation of the t-th round may be as shown in FIG. 5. In FIG. 5, N-2 word constants in the operation result of round t-1 are used as N-2 word constants in the operation result of round t. It should be understood that when the t-th iteration is the 1st iteration, the operation result of round t-1 is the iteration initial value. In one example, the 6 word constants a, b, c, e, f, and g of round t-1 are taken as the 6 word constants b, c, d, f, g, and h of round t, respectively.
Next, using logic functions, the remaining two word constants in the operation result of round t are calculated based on at least part of the word constants in the operation result of round t-1 and on the round constant and round extension block of round t. For example, e of round t is calculated using a first logic function based on the word constants d, e, f, g, and h of round t-1 and the round constant and round extension block of round t, and a of round t is calculated using a second logic function based on a, b, c, e, f, g, and h of round t-1 and the round constant and round extension block of round t.
Note that in FIG. 5, Σ, Maj() and Ch() each represent a different logic function. A logic function as described in this specification is a function comprising several logic operations, where the logic operations include at least one of an AND operation, an inversion operation, an exclusive-OR operation, and a shift operation.
Step 208, determining that the user to be authenticated passes the identity authentication when the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
The first mapping value is consistent with the first mapping result, which indicates that the biometric identification of the user to be authenticated passes. In addition, the second mapping value is consistent with the second mapping result, which indicates that the account identity of the user to be authenticated passes the identification. That is to say, the scheme is that the user to be authenticated is determined to pass the identity authentication only when the biological characteristic identification and the account identity identification of the user to be authenticated both pass, so that the accuracy of the user identity authentication can be improved.
It should be understood that the client may encrypt the two pieces of acquired information (i.e., the biometric information of the target category and the account identity information of the user to be authenticated) and send them to the cloud server; steps 204-208 are then performed by the cloud server, which can return to the client a notification message that the user to be authenticated passes the identity authentication.
In summary, since the length of the mapping result calculated by the scheme is much smaller than the length of the target information, the scheme can ensure that the probability of two different inputs producing the same result is extremely small and negligible given the computing power of current computers, so the input information and the output result can be regarded as being in one-to-one correspondence, and any change in the input information changes the final output result. This uniqueness ensures that the input information can still be used for identity authentication even after the mapping operation.
In addition, the scheme stores only the mapping values corresponding to the user's biometric information, so the security of the biometric information can be improved. Second, the mapping values corresponding to the various categories of biometric information stored in the biometric mapping set can support multiple kinds of biometric verification for the user, which improves general applicability.
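The method of steps 202 to 208, including the mapping operation of FIG. 3 to FIG. 5, as an added Python example that is not code from the patent. The description never names a hash function; the rotation amounts, the Ch/Maj/Σ definitions, the 16 initial groups, round constants taken from cube roots of the first 64 primes, the additive fusion and the 64-bit length field are assumptions borrowed from SHA-256, whose structure the text mirrors, and the account encoding, store layout and sample data are hypothetical.

```python
import hashlib
import hmac

MASK = 0xFFFFFFFF

def primes(count):
    """First `count` primes by trial division."""
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found):
            found.append(n)
        n += 1
    return found

def iroot(x, k):
    """Largest integer r with r**k <= x (exact, integer-only binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

# H(0): first 32 bits of the fractional part of sqrt(p), first 8 primes (256 bits).
H0 = [iroot(p << 64, 2) & MASK for p in primes(8)]
# K_t, one per round; assumption: cube roots of the first 64 primes, as in SHA-256.
K = [iroot(p << 96, 3) & MASK for p in primes(64)]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def pad(code: bytes) -> bytes:
    """Append bit 1, k zero bits, then l as 64 bits (length field is an assumption)."""
    l = len(code) * 8
    k = (448 - (l + 1)) % 512  # smallest k >= 0 with l + 1 + k = 448 (mod 512)
    return code + b"\x80" + b"\x00" * ((k - 7) // 8) + l.to_bytes(8, "big")

def expand(block: bytes):
    """Message expansion: 16 groups of 32 bits, then 48 words from shifted groups."""
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    return w

def compress(h_prev, block: bytes):
    """C(): 64 rounds over a..h, then fuse (add mod 2^32) with H(i-1)."""
    w = expand(block)
    a, b, c, d, e, f, g, h = h_prev
    for t in range(64):
        ch = (e & f) ^ (~e & g)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ch + K[t] + w[t]
        t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + maj
        # six words shift down unchanged; only a and e are newly computed
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h_prev, (a, b, c, d, e, f, g, h))]

def mapping(target: bytes) -> bytes:
    """Mapping operation: pad, split into 512-bit blocks, compress iteratively."""
    data, h = pad(target), H0
    for i in range(0, len(data), 64):
        h = compress(h, data[i:i + 64])
    return b"".join(x.to_bytes(4, "big") for x in h)

def agrees_with_sha256(target: bytes) -> bool:
    return mapping(target) == hashlib.sha256(target).digest()

def account_code(info: dict) -> bytes:
    """Hypothetical canonical encoding of the account identity information."""
    return "\x1f".join(f"{k}={info[k]}" for k in sorted(info)).encode()

def enroll(store: dict, info: dict, templates: dict) -> None:
    """Store only mapping values: H_1 for the account, H_2.. per biometric category."""
    store[info["account_id"]] = {
        "H1": mapping(account_code(info)),
        "bio": {cat: mapping(tpl) for cat, tpl in templates.items()},
    }

def authenticate(store: dict, info: dict, category: str, template: bytes) -> bool:
    """Steps 204-208: look up H_i and H_1, recompute, require both to match."""
    record = store.get(info.get("account_id"))
    if record is None or category not in record["bio"]:
        return False
    bio_ok = hmac.compare_digest(record["bio"][category], mapping(template))
    acct_ok = hmac.compare_digest(record["H1"], mapping(account_code(info)))
    return bio_ok and acct_ok

# Constructed sample data (not from the patent).
STORE = {}
ALICE = {"account_id": "acct-1001", "phone": "555-0100"}
TEMPLATES = {"fingerprint": bytes(range(64)), "face": b"\x5a" * 200}
enroll(STORE, ALICE, TEMPLATES)
```

Because any change in the input changes the mapping result, `authenticate` succeeds only when the submitted template is bit-for-bit identical to the enrolled one.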
In correspondence to the above identity authentication method for protecting privacy, an embodiment of the present specification further provides an identity authentication apparatus for protecting privacy, as shown in fig. 6, the apparatus may include:
the obtaining unit 602 is configured to obtain biometric information of a target category of a user to be authenticated and account identity information, where the account identity information at least includes a target account identifier.
In addition, the account identity information further comprises at least one item of identification card number, password and mobile phone number.
The querying unit 604 is configured to query a first mapping value corresponding to a target category from a biometric mapping set corresponding to a target account identifier, and query a second mapping value corresponding to the target account identifier and related to account information. The biological characteristic mapping set stores mapping values corresponding to various types of biological characteristic information which are input in advance.
Here, the various categories of biometric information include several items among a face feature, an eye feature, a voiceprint feature, a fingerprint feature, a palm print feature, a heartbeat feature, a pulse feature, a vein feature, and a human tooth bite mark feature.
The operation unit 606 is configured to perform mapping operation with the biometric information of the target category and the account identity information as target information, respectively, to obtain a first mapping result and a second mapping result, where the mapping operation includes dividing a code corresponding to the target information into a plurality of data blocks, and sequentially and iteratively compressing the data blocks.
The data blocks include a target data block, and the operation unit 606 may specifically include:
a determining module 6062 for determining an intermediate operation result based on at least a compression result of a previous data block of the target data block and the target data block;
and a fusion module 6064, configured to fuse the intermediate operation result and the compression result of the previous data block to obtain a compression result of the target data block.
When the target data block is the first data block, the compression result of the previous data block is a preset constant.
The determining module 6062 is specifically configured to:
performing a preset number of rounds of iterative operation, taking the compression result of the previous data block as the iteration initial value, wherein any t-th round of iterative operation is performed based on a t-th round constant and a round expansion block, and the round expansion block is obtained by performing message expansion on the target data block;
and taking the operation result of the last iteration as an intermediate operation result.
Wherein the iteration initial value includes N word constants, and the determining module 6062 is further specifically configured to:
taking N-2 word constants in the operation result of the (t-1)-th round as N-2 word constants in the operation result of the t-th round;
and calculating, by using a logic function, the remaining two word constants in the operation result of the t-th round based on at least part of the word constants in the operation result of the (t-1)-th round, together with the round constant and the round expansion block of the t-th round.
When the t-th round is the 1st round, the operation result of the (t-1)-th round is the iteration initial value.
The logic function is a function including a plurality of logic operations, and the logic operations include at least one of an AND operation, an inversion operation, an XOR operation, and a shift operation.
The determining unit 608 is configured to determine that the user to be authenticated passes the identity authentication when the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
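The mapping operation described above (block splitting, message expansion, rounds that carry N-2 words forward and recompute two, then fusion with the previous compression result) has the same shape as SHA-256, so the following added example, which is not code from the patent, uses SHA-256 as an assumed instantiation with N = 8 and 64 rounds and cross-checks itself against `hashlib`. The function names, the `STORE` layout and the sample byte strings are constructed for illustration.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF

def _icbrt(n):  # exact floor of the integer cube root, by binary search
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

_PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, math.isqrt(p) + 1))]
# Preset constant for the first block and 64 round constants (SHA-256's, an assumption).
IV = [math.isqrt(p << 64) & MASK for p in _PRIMES[:8]]
K = [_icbrt(p << 96) & MASK for p in _PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def expand(block):
    """Message expansion: 16 block words -> 64 round expansion words."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    return w

def compress(prev, block):
    """Compress one 64-byte data block given the previous compression result."""
    w = expand(block)
    a, b, c, d, e, f, g, h = prev  # iteration initial value, N = 8 words
    for t in range(64):
        ch = (e & f) ^ (~e & g)  # logic functions built from AND, NOT, XOR, shifts
        maj = (a & b) ^ (a & c) ^ (b & c)
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ch + K[t] + w[t]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + maj) & MASK
        # N-2 = 6 words are carried over from round t-1; two words are recomputed.
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    # Fusion: add the intermediate result to the previous compression result.
    return [(x + y) & MASK for x, y in zip(prev, (a, b, c, d, e, f, g, h))]

def mapping(target: bytes) -> bytes:
    """Pad, split into 64-byte data blocks, and compress them in sequence."""
    data = target + b"\x80" + bytes((55 - len(target)) % 64) + struct.pack(">Q", 8 * len(target))
    state = IV
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return struct.pack(">8I", *state)

def matches_reference(data):  # cross-check against the standard library
    return mapping(data) == hashlib.sha256(data).digest()

def authenticate(store, account_id, category, biometric, account_info):
    """Pass only if both recomputed mapping results equal the stored mapping values."""
    record = store.get(account_id)
    if record is None or category not in record["biometric"]:
        return False
    first_ok = hmac.compare_digest(record["biometric"][category], mapping(biometric))
    second_ok = hmac.compare_digest(record["account"], mapping(account_info))
    return first_ok and second_ok

# Constructed enrolment record; byte strings stand in for encoded templates.
STORE = {"acct-001": {
    "biometric": {"fingerprint": mapping(b"constructed-fingerprint-code")},
    "account": mapping(b"acct-001|constructed-password")}}
```

Because any change to the input changes the mapping result, `authenticate` succeeds only when the submitted encoding is byte-for-byte identical to the enrolled one.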
The functions of each functional module of the device in the above embodiments of the present description may be implemented through each step of the above method embodiments, and therefore, a specific working process of the device provided in one embodiment of the present description is not repeated herein.
The identity authentication device for protecting privacy provided by one embodiment of the present specification can perform identity authentication on a user more accurately under the condition of protecting the privacy of the user.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with Fig. 2.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory and a processor, the memory having stored therein executable code, the processor, when executing the executable code, implementing the method described in connection with Fig. 2.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or may be embodied in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a server. Of course, the processor and the storage medium may reside as discrete components in a server.
Those skilled in the art will recognize that the functionality described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof, in one or more of the examples described above. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The specific embodiments above further describe in detail the objects, technical solutions and advantages of this specification. It should be understood that they are only specific embodiments of this specification and are not intended to limit its scope; any modification, equivalent substitution, improvement and the like made on the basis of the technical solutions of this specification shall fall within the scope of this specification.

Claims (20)

1. An identity authentication method for protecting privacy, comprising:
acquiring biological characteristic information and account identity information of a target category of a user to be authenticated; wherein the account identity information at least comprises a target account identification;
inquiring a first mapping value corresponding to the target category from a biological characteristic mapping set corresponding to the target account identification, and inquiring a second mapping value corresponding to the target account identification and related to account information; the biological characteristic mapping set is stored with mapping values corresponding to various types of biological characteristic information which are input in advance;
respectively carrying out mapping operation by taking the biological characteristic information of the target category and the account identity information as target information to obtain a first mapping result and a second mapping result, wherein the mapping operation comprises dividing a code corresponding to the target information into a plurality of data blocks, and sequentially and iteratively compressing the data blocks;
and determining that the user to be authenticated passes identity authentication under the condition that the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
2. The method of claim 1, wherein the plurality of data blocks includes a target data block;
the sequentially and iteratively compressing the data blocks comprises:
determining an intermediate operation result at least based on a compression result of a previous data block of the target data block and the target data block; and fusing the intermediate operation result and the compression result of the previous data block to obtain the compression result of the target data block.
3. The method of claim 2, wherein the target data block is a first data block; the compression result of the previous data block is a predetermined constant.
4. The method of claim 2, wherein the determining an intermediate operation result comprises:
taking the compression result of the previous data block as an iteration initial value to perform multiple rounds of iteration operation for a preset number of times; the iterative operation of any tth round is carried out based on a round constant of the tth round and a round expansion block, wherein the round expansion block is obtained by carrying out message expansion on a target data block;
and taking the operation result of the last iteration as the intermediate operation result.
5. The method of claim 4, wherein the iteration initial value comprises N word constants; the t-th round of iterative operation comprises the following steps:
taking N-2 word constants in the operation result of the (t-1)-th round as N-2 word constants in the operation result of the t-th round;
and calculating the remaining two word constants in the operation result of the t-th round based on at least part of the word constants in the operation result of the t-1-th round and the round constants and the round expansion block of the t-th round by using a logic function.
6. The method of claim 5, wherein the t-th iteration is the 1st iteration, and the operation result of the (t-1)-th iteration is the iteration initial value.
7. The method of claim 5, wherein the logical function refers to a function comprising a number of logical operations including at least one of an AND operation, an inversion operation, an XOR operation, and a shift operation.
8. The method of claim 1, wherein the plurality of categories of biometric information include several of facial features, eye features, voice print features, fingerprint features, palm print features, heart beat features, pulse features, vein features, and human tooth bite trace features.
9. The method of claim 1, wherein the account identity information further comprises at least one of an identification number, a password, and a mobile phone number.
10. An identity authentication apparatus that protects privacy, comprising:
an acquisition unit, configured to acquire the biometric information and the account identity information of a target category of a user to be authenticated; wherein the account identity information at least comprises a target account identification;
the inquiry unit is used for inquiring a first mapping value corresponding to the target category from a biological characteristic mapping set corresponding to the target account identification and inquiring a second mapping value corresponding to the target account identification and related to account information; the biological characteristic mapping set stores mapping values corresponding to various types of biological characteristic information which are input in advance;
the operation unit is used for respectively carrying out mapping operation by taking the biological characteristic information of the target category and the account identity information as target information to obtain a first mapping result and a second mapping result, wherein the mapping operation comprises the steps of dividing a code corresponding to the target information into a plurality of data blocks and sequentially and iteratively compressing the data blocks;
and the determining unit is used for determining that the user to be authenticated passes the identity authentication under the condition that the first mapping value is consistent with the first mapping result and the second mapping value is consistent with the second mapping result.
11. The apparatus of claim 10, wherein the plurality of data blocks comprises a target data block; the operation unit includes:
a determining module, configured to determine an intermediate operation result based on at least a compression result of a previous data block of the target data block and the target data block;
and the fusion module is used for fusing the intermediate operation result and the compression result of the previous data block to obtain the compression result of the target data block.
12. The apparatus of claim 11, wherein the target data block is a first data block; the compression result of the previous data block is a predetermined constant.
13. The apparatus of claim 11, wherein the determining module is specifically configured to:
taking the compression result of the previous data block as an iteration initial value to perform multiple rounds of iteration operation for a preset number of times; the iterative operation of any tth round is carried out based on a round constant of the tth round and a round expansion block, wherein the round expansion block is obtained by carrying out message expansion on a target data block;
and taking the operation result of the last iteration as the intermediate operation result.
14. The apparatus of claim 13, wherein the iteration initial value comprises N word constants; the determining module is further specifically configured to:
taking N-2 word constants in the operation result of the (t-1)-th round as N-2 word constants in the operation result of the t-th round;
and calculating the remaining two word constants in the operation result of the t-th round based on at least part of the word constants in the operation result of the t-1 th round and the round constants and the round expansion blocks of the t-th round by using a logic function.
15. The apparatus of claim 14, wherein the t-th iteration is the 1st iteration, and the operation result of the (t-1)-th iteration is the iteration initial value.
16. The apparatus of claim 14, wherein the logic function refers to a function comprising a number of logic operations including at least one of an AND operation, an inversion operation, an XOR operation, and a shift operation.
17. The apparatus of claim 10, wherein the plurality of categories of biometric information include several of facial features, eye features, voice print features, fingerprint features, palm print features, heart beat features, pulse features, vein features, and human tooth bite trace features.
18. The apparatus of claim 10, wherein the account identity information further comprises at least one of an identification number, a password, and a phone number.
19. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed in a computer, causes the computer to carry out the method of any one of claims 1-9.
20. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that when executed by the processor implements the method of any of claims 1-9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210225660.4A CN114666059A (en) 2022-03-07 2022-03-07 Identity authentication method and device for protecting privacy

Publications (1)

Publication Number Publication Date
CN114666059A true CN114666059A (en) 2022-06-24

Family

ID=82028890

Country Status (1)

Country Link
CN (1) CN114666059A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination