CN114091094B - Fingerprint authentication and key negotiation method supporting updating - Google Patents
Fingerprint authentication and key negotiation method supporting updating Download PDFInfo
- Publication number
- CN114091094B CN114091094B CN202111353820.5A CN202111353820A CN114091094B CN 114091094 B CN114091094 B CN 114091094B CN 202111353820 A CN202111353820 A CN 202111353820A CN 114091094 B CN114091094 B CN 114091094B
- Authority
- CN
- China
- Prior art keywords
- fingerprint
- information
- authentication
- server
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/33—User authentication using certificates
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Collating Specific Patterns (AREA)
Abstract
Description
技术领域Technical Field
本发明涉及认证和密钥协商领域,特别涉及一种支持更新的指纹认证和密钥协商方法。The present invention relates to the field of authentication and key negotiation, and in particular to a fingerprint authentication and key negotiation method supporting update.
背景技术Background Art
现有认证和密钥协商方法通常使用传统公私钥对或预共享口令实现,这些方法需要设备存储私钥或用户记忆口令,给个人用户带来不便。生物特征作为一种便捷的身份识别技术,在认证和密钥协商领域具有独特优势。然而,现有基于生物特征的认证和密钥协商方案需要存储用户生物特征,由于用户生物特征属于敏感个人数据,因此对生物特征的安全存储技术提出了极高的要求。Existing authentication and key negotiation methods are usually implemented using traditional public-private key pairs or pre-shared passwords. These methods require devices to store private keys or users to remember passwords, which brings inconvenience to individual users. As a convenient identity recognition technology, biometrics has unique advantages in the field of authentication and key negotiation. However, existing biometric-based authentication and key negotiation schemes require the storage of user biometrics. Since user biometrics are sensitive personal data, extremely high requirements are placed on the secure storage technology of biometrics.
发明内容Summary of the invention
针对现有技术中存在的问题,提供了一种支持更新的指纹认证和密钥协商方法,使得用户无须记忆信息或持有专门设备即可实现认证及密钥协商功能,并且用户生物特征的隐私性不依赖于安全存储技术。In view of the problems existing in the prior art, a fingerprint authentication and key negotiation method that supports updates is provided, so that users can realize authentication and key negotiation functions without memorizing information or holding special equipment, and the privacy of user biometrics does not rely on secure storage technology.
本发明采用的技术方案如下:The technical solution adopted by the present invention is as follows:
一种支持更新的指纹认证和密钥协商方法,应用于客户端与服务器之间,包括:A fingerprint authentication and key negotiation method supporting updates, applied between a client and a server, comprising:
系统全局初始化;System global initialization;
注册阶段:客户端根据输入的指纹信息构造盲化证书,并基于盲化证书向服务器发起注册请求,服务器保存盲化证书并返回注册结果;Registration phase: The client constructs a blind certificate based on the input fingerprint information, and initiates a registration request to the server based on the blind certificate. The server saves the blind certificate and returns the registration result.
认证与密钥协商阶段:客户端基于指纹向服务器发起认证,服务器生成密钥并返回认证回复信息,客户端输入正确指纹进行认证获取认证回复信息中的密钥,在密钥的基础上建立与服务器的通信通道。Authentication and key negotiation phase: The client initiates authentication to the server based on the fingerprint. The server generates a key and returns an authentication reply message. The client enters the correct fingerprint for authentication to obtain the key in the authentication reply message, and establishes a communication channel with the server based on the key.
进一步的,所述构造盲化证书过程为:Furthermore, the process of constructing the blinded certificate is:
步骤21、通过指纹分片算法对输入的指纹信息进行分片处理,得到指纹模板信息集合;Step 21: Slice the input fingerprint information using a fingerprint slicing algorithm to obtain a fingerprint template information set;
步骤22、通过指纹模板信息集合进行指纹信息隐藏处理,得到盲化证书。Step 22: Perform fingerprint information hiding processing through the fingerprint template information set to obtain a blinded certificate.
进一步的,所述步骤22中,隐藏处理方法为:采用离散对数难题将指纹模板的字符串隐藏在指数上。Furthermore, in step 22, the hiding processing method is: using the discrete logarithm problem to hide the character string of the fingerprint template on the exponent.
进一步的,所述全局初始化过程为:由服务器进行执行,根据输入的安全参数,输出公开参数以及主密钥,公开参数发送至客户端,主密钥保存在服务器。Furthermore, the global initialization process is: executed by the server, outputting public parameters and a master key according to the input security parameters, the public parameters are sent to the client, and the master key is stored in the server.
进一步的,在客户端发起注册请求时,发送包含盲化证书与身份标识的注册请求信息至服务器;服务器接收注册请求信息并根据身份标识返回注册结果,同时将客户端身份标识、更新因子、辅助信息、盲化证书保存在数据库中。Furthermore, when the client initiates a registration request, it sends a registration request message including a blinded certificate and an identity identifier to the server; the server receives the registration request message and returns a registration result based on the identity identifier, and at the same time saves the client identity identifier, update factor, auxiliary information, and blinded certificate in a database.
进一步的,所述认证与密钥协商阶段的具体过程还包括:Furthermore, the specific process of the authentication and key agreement phase also includes:
客户端输入公开参数、指纹图片信息以及基础指纹模板信息,对指纹图片信息进行处理生成指纹模板信息;采用指纹匹配算法进行处理获得新的指纹模板信息;在新的指纹模板信息中选取随机指纹信息计算得到盲化证书,将盲化证书与客户端身份标识结合生成认证请求信息发送至服务器;以及将状态信息保存在客户端本地;The client inputs public parameters, fingerprint image information and basic fingerprint template information, processes the fingerprint image information to generate fingerprint template information; uses fingerprint matching algorithm to process to obtain new fingerprint template information; selects random fingerprint information from the new fingerprint template information to calculate a blind certificate, combines the blind certificate with the client identity to generate authentication request information and sends it to the server; and saves the status information locally on the client;
服务器计算辅助信息,协助客户端生成共享密钥;选择秘密token∈{0,1}λ并将其分割为n个小块;服务器基于服务器身份标识、客户端身份标识、秘密以及盲化证书生成密钥,并将密钥加密为认证数据;服务器输出认证回复信息以及密钥。The server calculates auxiliary information to assist the client in generating a shared key; selects a secret token∈{0,1} λ and divides it into n small pieces; the server generates a secret key based on the server identity, client identity, secret, and blinded certificate. Generate a key and encrypt the key into authentication data; the server outputs authentication reply information and the key.
客户端接收到认证回复信息后结合公开参数以及状态信息;采用自身正确的指纹进行认证,如果认证成功则从认证回复信息中恢复出秘密凭证信息,结合状态信息计算得到公共会话密钥。After receiving the authentication reply information, the client combines the public parameters and state information; uses its own correct fingerprint for authentication. If the authentication is successful, the secret credential information is recovered from the authentication reply information and combined with the state information to calculate the public session key.
进一步的,所述服务器接收注册请求信息并根据身份标识返回注册结果具体过程为:判断接收的注册请求信息中的身份标识是否注册过,若没有则输出1,并初始化更新因子,并发送给客户端,同时将更新因子、身份标识、盲化证书、辅助信息保存在数据库中;反之则输出0,拒绝注册请求。Furthermore, the server receives the registration request information and returns the registration result according to the identity identifier. The specific process is: determine whether the identity identifier in the received registration request information has been registered. If not, output 1, initialize the update factor, and send it to the client. At the same time, save the update factor, identity identifier, blinding certificate, and auxiliary information in the database; otherwise, output 0 and reject the registration request.
进一步的,所述指纹图片信息进行处理生成指纹模板信息具体过程为:从指纹图片信息中提取n个细节点,并将其进行分片化处理,生成指纹模板信息。Furthermore, the specific process of processing the fingerprint image information to generate the fingerprint template information is as follows: extracting n detail points from the fingerprint image information, and processing them into pieces to generate the fingerprint template information.
进一步的,所述指纹匹配算法为:判断是否成立,成立则将指纹增加到基础指纹模板信息中,生成新的指纹模板信息;其中为指纹模板信息中指纹,ri为基础指纹模板中的指纹信息,τ为距离门槛值。Furthermore, the fingerprint matching algorithm is: Is it true? If it is true, the fingerprint Add to the basic fingerprint template information to generate new fingerprint template information; is the fingerprint in the fingerprint template information, ri is the fingerprint information in the basic fingerprint template, and τ is the distance threshold.
进一步的,还包括盲化证书更新:若主密钥发生泄漏,则服务器随机生成新的主密钥替换原主密钥,并对公开参数和数据库中的更新因子、辅助信息、盲化证书进行更新;若仅是盲化证书发生泄漏,则直接更新盲化证书。Furthermore, it also includes blind certificate update: if the master key is leaked, the server randomly generates a new master key to replace the original master key, and updates the public parameters and update factors, auxiliary information, and blind certificate in the database; if only the blind certificate is leaked, the blind certificate is directly updated.
与现有技术相比,采用上述技术方案的有益效果为:本发明不需要额外的加密设备来存储密钥或者记住密钥,采用指纹生物信息进行构造为用户身份认证提供了便捷的工具。考虑到证书基于指纹特征构造,如果没有得到妥善处理,可能泄露用户个人隐私信息,本发明将指纹进行分片化处理后用字符串表示,并进行盲化处理。考虑到攻击者可能通过入侵服务器或窃听信道来从认证和密钥协商过程中获取数据,证书可能会被窃取和盗用,本发明设计了盲化证书更新机制,该机制允许在证书遭到破坏的时候更新面向指纹的盲证书信息,以防止进一步的泄露,该方法可以在检测到攻击时更新证书数据库进行自我恢复。Compared with the prior art, the beneficial effects of adopting the above technical solution are as follows: the present invention does not require additional encryption equipment to store keys or remember keys, and the use of fingerprint biometric information for construction provides a convenient tool for user identity authentication. Considering that the certificate is constructed based on fingerprint features, if it is not properly handled, it may leak the user's personal privacy information. The present invention fragments the fingerprint and represents it with a string, and performs blind processing. Considering that attackers may obtain data from the authentication and key negotiation process by invading the server or eavesdropping on the channel, the certificate may be stolen and misused. The present invention designs a blind certificate update mechanism, which allows the fingerprint-oriented blind certificate information to be updated when the certificate is damaged to prevent further leakage. The method can update the certificate database for self-recovery when an attack is detected.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1为本发明提出的指纹认证和密钥协商过程示意图。FIG1 is a schematic diagram of the fingerprint authentication and key negotiation process proposed by the present invention.
图2为本发明提出的指纹表示示意图。FIG. 2 is a schematic diagram of fingerprint representation proposed by the present invention.
具体实施方式DETAILED DESCRIPTION
下面结合附图对本发明做进一步描述。The present invention will be further described below in conjunction with the accompanying drawings.
针对用户认证和密钥协商过程的可用性和跨设备便捷性、指纹特征涉及用户个人隐私的问题,提出一种支持更新的指纹认证和密钥协商方法,使得用户无须记忆信息或持有专门设备即可实现认证及密钥协商功能,并且用户生物特征的隐私性不依赖于安全存储技术。具体方案如下:In view of the availability and cross-device convenience of user authentication and key negotiation processes, and the problem that fingerprint features involve user personal privacy, a fingerprint authentication and key negotiation method that supports updates is proposed, so that users can achieve authentication and key negotiation functions without having to remember information or hold special equipment, and the privacy of user biometrics does not rely on secure storage technology. The specific solution is as follows:
如图1所示,系统全局初始化;As shown in Figure 1, the system is globally initialized;
注册阶段:客户端根据输入的指纹信息构造盲化证书,并基于盲化证书向服务器发起注册请求,服务器保存盲化证书并返回注册结果;Registration phase: The client constructs a blind certificate based on the input fingerprint information, and initiates a registration request to the server based on the blind certificate. The server saves the blind certificate and returns the registration result.
认证与密钥协商阶段:客户端基于指纹向服务器发起认证,服务器生成密钥并返回认证回复信息,客户端输入正确指纹进行认证获取认证回复信息中的密钥,在密钥的基础上建立与服务器的通信通道。Authentication and key negotiation phase: The client initiates authentication to the server based on the fingerprint. The server generates a key and returns an authentication reply message. The client enters the correct fingerprint for authentication to obtain the key in the authentication reply message, and establishes a communication channel with the server based on the key.
具体的,在面向指纹的盲化证书构造过程中,先执行初始化过程,输入安全参数λ,生成公开参数par,包括指纹信息分片所需全局参数和证书生成所需代数结构,包括素数阶为q的群G,群G的生成元g,以及在计算汉明距离时设置的门槛值τ。Specifically, in the process of constructing a blind certificate for fingerprints, an initialization process is first performed to input a security parameter λ and generate a public parameter par, including global parameters required for fingerprint information segmentation and an algebraic structure required for certificate generation, including a group G with a prime order of q, a generator g of the group G, and a threshold value τ set when calculating the Hamming distance.
初始化完成后,在输入的指纹图像信息中提取n个细节点{pointi}n,对n个细节点{pointi}n执行指纹分片算法,输出指纹信息模板的字符串集合如图2所示,完成对指纹信息的分片化处理。After the initialization is completed, n detail points {point i } n are extracted from the input fingerprint image information, and the fingerprint segmentation algorithm is executed on the n detail points {point i } n . The character string set of the output fingerprint information template is shown in Figure 2, and the segmentation processing of the fingerprint information is completed.
在本实施例中,如图2所示,为了精确的表示指纹信息,首先需要在X-Y坐标空间中提取n个细节点{pointi}n。具体来说,每个细节点都被初始化为中心点,然后选择直线距离最近的γ个点。假设γ=4,其中pointi为中心点,我们用表示与中心点距离最近的γ个点。用表示pointi到两点之间的矢量关系,其中dj表示矢量的长度, 表示相互矢量之间的角度关系,因此将指纹信息表示成字符串由于指纹分片是基于细节点的相对位置,旋转指纹图像并不会影响指纹的表示。In this embodiment, as shown in FIG2 , in order to accurately represent the fingerprint information, it is first necessary to extract n minutiae points {point i } n in the XY coordinate space. Specifically, each minutiae point is initialized as a center point, and then the γ points with the closest straight-line distance are selected. Assuming γ = 4, where point i is the center point, we use Indicates the γ points closest to the center point. Indicates point i to The vector relationship between two points, where d j represents the vector Length, Represents the angular relationship between mutual vectors, so the fingerprint information is represented as a string Since fingerprint segmentation is based on the relative positions of minutiae points, rotating the fingerprint image does not affect the representation of the fingerprint.
在得到指纹信息模板的字符串集合{ri}n后,对其进行指纹信息隐藏处理,得到对应的盲化证书{bi}n。After obtaining the character string set {r i } n of the fingerprint information template, fingerprint information hiding processing is performed on it to obtain the corresponding blinded certificate {b i } n .
具体的,在本实施例中,采用离散对数难题将指纹模板的字符串隐藏在指数上,即对于指纹信息将ri隐藏在中,其中h:{0,1}*→Zq为哈希函数,即生成了盲化的证书bi;Zq为模q的剩余类环。Specifically, in this embodiment, the discrete logarithm problem is used to hide the character string of the fingerprint template on the exponent, that is, for the fingerprint information Hide ri in In which h:{0,1} * →Z q is a hash function, that is, a blinded certificate bi is generated; Z q is a residual class ring modulo q.
在本实施例中,还提出基于指纹的认证和密钥协商的具体方法,包括全局初始化、用户注册、认证和密钥协商三部分。In this embodiment, a specific method of fingerprint-based authentication and key negotiation is also proposed, including three parts: global initialization, user registration, authentication and key negotiation.
具体的,全局初始化由服务器执行,通过输入安全参数λ,输出整个系统所需的公开参数pp,以及主密钥信息mk=(sk,sek),选择sk∈Zq进行保密,并计算gsk进行公开,sek为选择的对称加密的密钥。Specifically, the global initialization is performed by the server, which inputs the security parameter λ, outputs the public parameter pp required by the entire system, and the master key information mk=(sk,sek), selects sk∈Zq for confidentiality, and calculates gsk for public disclosure, where sek is the selected symmetric encryption key.
其中,公开参数pp还包括了素数阶q的群G,群中的生成元g,服务器的身份标识IDs,以及混淆布隆过滤器中所需要的哈希函数H=(h0,h1,...,hm-1)等信息。公开参数pp被客户端接收,主密钥信息mk被服务器端进行秘密保存。The public parameter pp also includes the group G of prime order q, the generator g in the group, the server's IDs, and the hash function H = (h 0 ,h 1 ,...,h m-1 ) required in the obfuscated Bloom filter. The public parameter pp is received by the client, and the master key information mk is secretly stored by the server.
用户注册包两个部分:创建注册和记录注册The user registration package has two parts: create registration and record registration
创建注册:Create a registration:
该部分在客户端执行,通过输入服务器发送的公开参数pp以及指纹图像信息finp,对指纹图像信息finp执行面向指纹的盲化证书构造过程,得到对应的盲化证书{bi}n,然后生成注册请求信息Reg={IDc,{bi}n},客户端将注册请求信息Reg发送给服务器进行注册,同时将构造盲化证书过程中生成的指纹模板信息{ri}n秘密保存。需要特别说明的是,在本实施例中,客户端必须使用身份标识IDc和基于指纹的盲化证书{bi}n向服务器进行注册。This part is executed on the client side. By inputting the public parameter pp and the fingerprint image information finp sent by the server, the fingerprint image information finp is subjected to the fingerprint-oriented blind certificate construction process to obtain the corresponding blind certificate { bi } n , and then the registration request information Reg = {IDc, { bi } n } is generated. The client side sends the registration request information Reg to the server for registration, and at the same time, the fingerprint template information { ri } n generated in the process of constructing the blind certificate is secretly saved. It should be noted that in this embodiment, the client side must register with the server using the identity IDc and the fingerprint-based blind certificate { bi } n .
记录注册:Record Registration:
该部分在服务器中执行,服务器接收到注册请求信息时,判断注册信息Reg中包含的身份标识IDc是否注册过(即是否已存在与数据库中),若没有注册过,则输出1,初始化一个更新因子Updc,并通过对称加密形式加密后发送给客户端。同时服务器将(IDc,Updc,ωc,{bi}n)记录于数据库DB中,完成注册;若注册过,则输出0,拒绝该注册请求。其中,ωc为更新凭证库时的辅助信息,通常ωc=gupdc。This part is executed in the server. When the server receives the registration request information, it determines whether the identity IDc contained in the registration information Reg has been registered (i.e., whether it already exists in the database). If it has not been registered, it outputs 1, initializes an update factor Updc, and sends it to the client after being encrypted in a symmetric encryption form. At the same time, the server records (IDc, Updc, ω c , {b i } n ) in the database DB to complete the registration; if it has been registered, it outputs 0 to reject the registration request. Among them, ω c is the auxiliary information when updating the credential library, usually ω c = g updc .
具体的,更新因子Updc初始化时设置为1,凭证数据库更新时将Updc乘以一个随机值进行更新。Specifically, the update factor Updc is set to 1 when initialized, and Updc is multiplied by a random value for updating when the credential database is updated.
优选的,对称加密采取AES方式进行。Preferably, the symmetric encryption is performed using AES.
认证和密钥协商包括创建请求、创建回复、获取凭证三个部分,具体的,Authentication and key negotiation include creating a request, creating a response, and obtaining credentials. Specifically,
创建请求:Create a request:
在客户端输入公开参数pp,指纹图片信息以及基础指纹模板信息{ri}n,从指纹图片信息中进行提取出n个细节点并将其进行分片化处理,生成对应的指纹模板信息 Enter the public parameter pp and fingerprint image information on the client And basic fingerprint template information { ri } n , from fingerprint image information Extract n detail points And it is processed into pieces to generate the corresponding fingerprint template information
调用指纹匹配算法进行匹配,为了实现多字符串模板的高精度指纹匹配,我们使用汉明距离(Hamming Distance)进行衡量,即计算两个字符串之间不同的位置数目。具体过程如下:对于指纹模板信息集合{ri}n和如果其中存在某个指纹信息ri∈{ri}n,那么计算汉明距离,如果其中τ为设置的距离门槛值,则把增加到集合{ri}n′中。Call the fingerprint matching algorithm for matching. In order to achieve high-precision fingerprint matching of multiple string templates, we use the Hamming distance to measure, that is, to calculate the number of different positions between two strings. The specific process is as follows: For the fingerprint template information set {r i } n and If there is a fingerprint information r i ∈ {r i } n , Then calculate the Hamming distance if Where τ is the set distance threshold value, then Add to the set { ri } n ′.
采用上述指纹匹配算法得到新的指纹模板信息{i}n′,在新的指纹模板信息中选择随机指纹信息rc∈Zq,计算盲化证书并且客户端临时在本地保存状态最终客户端生成认证请求信息发送给服务器。The above fingerprint matching algorithm is used to obtain new fingerprint template information { i } n ′, random fingerprint information r c ∈ Z q is selected from the new fingerprint template information, and the blinded certificate is calculated. And the client temporarily saves the state locally Finally, the client generates authentication request information Send to the server.
创建回复:Create a reply:
服务器将公开参数pp,数据库中存储的信息DB,认证请求信息以及主密钥信息mk作为输入。为了生成响应,服务器首先计算辅助信息(其中β∈Zq),去协助客户端生成共享密钥。随后,选择秘密token∈{0,1}λ,秘密token的长度为"λ",在系统全局初始化时确定,并且采用秘密分享技术分割成n个小块,为了隐藏这n个小块,我们采用混淆布隆过滤器(Garbled Bloom Filter,简称GBF)。重点是将进行随机分割,并通过对{i}n进行哈希定位填充到混淆布隆过滤器GBF中最后,服务器设置密钥其中rc,rs∈Zq,rs在密钥协商时由服务器随机生成,并生成认证加密数据c=AuthEnc(KIDc,IDs)。服务器为了向客户端证明自己的身份信息生成η=rs+l·sk(modq),其中sk为主密钥成份。最终,服务器输出认证回复信息以及密钥 The server will expose the parameters pp, the information stored in the database DB, and the authentication request information And the master key information mk as input. To generate a response, the server first calculates the auxiliary information (where β∈Z q ) to assist the client in generating a shared key. Then, a secret token∈{0,1} λ is selected. The length of the secret token is "λ", which is determined when the system is globally initialized, and is divided into n small blocks using secret sharing technology. In order to hide these n small blocks, we use a Garbled Bloom Filter (GBF). The key point is to Perform random segmentation and fill it into the confusion Bloom filter GBF by hashing { i } n . Finally, the server sets the key Where r c , r s ∈ Z q , r s is randomly generated by the server during key negotiation, and generates authentication encryption data c = AuthEnc (K IDc , IDs). In order to prove its identity information to the client, the server generates η = r s + l·sk (modq), where sk is the master key component. Finally, the server outputs the authentication reply information and the key
在本实施例中,将秘密分割为n小块与指纹图片中的n个细节点对应,并且分割成n小块可以利用秘密共享的方法容忍差错,即如果得到了n小块中的t块,就可以恢复出秘密token,t为秘密共享方案的阈值。In this embodiment, the secret is divided into n small blocks corresponding to the n detail points in the fingerprint image, and the division into n small blocks can tolerate errors using the secret sharing method, that is, if t blocks out of the n small blocks are obtained, the secret token can be recovered, and t is the threshold of the secret sharing scheme.
获取凭证:Get the credentials:
客户端从服务器接收到认证回复信息Res后,输入公开参数pp,本地保存的状态信息客户端使用自身正确的指纹进行认证,若认证成功,则可以回复出秘密凭证信息。也就是说,当客户端指纹认证成功时,客户端获得与服务器同步的凭证信息。同时根据本地保存的状态信息的c的值,计算得到的值,最后即可得到此时,客户端已经在会话密钥的基础上与服务器建立了一个安全的通信信道。After the client receives the authentication reply message Res from the server, it enters the public parameter pp and the status information saved locally The client uses its correct fingerprint for authentication. If the authentication is successful, it can reply with the secret That is, when the client fingerprint authentication succeeds, the client obtains the Credential information. At the same time, according to the value of c of the locally saved status information, we can calculate Finally, we can get the value of At this point, the client already has the session key A secure communication channel is established with the server based on the
最后,考虑到攻击者可能通过入侵服务器或窃听信道来从认证和密钥协商过程中获取数据,证书可能会被窃取和盗用,在本实施例中还提出了盲化证书更新机制,该机制允许在证书遭到破坏的时候更新面向指纹的盲证书信息,以防止进一步的泄露,该方法可以在检测到攻击时更新证书数据库进行自我恢复。Finally, considering that attackers may obtain data from the authentication and key negotiation process by invading the server or eavesdropping on the channel, the certificate may be stolen and misused. In this embodiment, a blind certificate update mechanism is also proposed, which allows the fingerprint-oriented blind certificate information to be updated when the certificate is compromised to prevent further leakage. This method can update the certificate database for self-recovery when an attack is detected.
一旦服务器被破坏,则盲化的证书{bi}n和主密钥mk都将被泄露,那么就会执行盲化证书更新操作。具体的,Once the server is compromised, the blinded certificate {b i } n and the master key mk will be leaked, and the blinded certificate update operation will be performed. Specifically,
在主密钥发生泄漏时,服务器随机生成一个新的主密钥mk′来排除被破坏的密钥,并且对公开参数pp和数据库DB中的信息进行更新。具体而言,创建新的密钥对(gsk′,sk′),其中sk′∈Zq,并且生成新的对称加密密钥sek′∈Zq。由此,服务器将数据DB中的信息Updc,ωc,{bi}n分别更新成Updc′,ω′c,{bi}′n,以及生成新的公开参数pp′和主密钥mk′=(sk′,sek′)。服务器可以决定定期更新数据库,或者由于数据库损坏而更新数据库。在此过程中,只需要服务器进行执行,并不需要客户端执行额外的操作步骤。When the master key is leaked, the server randomly generates a new master key mk′ to exclude the damaged key, and updates the public parameters pp and the information in the database DB. Specifically, a new key pair (g sk ′, sk′) is created, where sk′∈Z q , and a new symmetric encryption key sek′∈Z q is generated. As a result, the server updates the information Updc, ω c , {b i } n in the data DB to Updc′, ω′ c , {b i }′ n , respectively, and generates a new public parameter pp′ and master key mk′=(sk′, sek′). The server can decide to update the database regularly, or update the database due to database damage. In this process, only the server needs to execute, and the client does not need to perform additional operation steps.
其中,数据库具体更新算法为:选择α∈Zq对Updc进行更新,分别计算Updc′=Updc*α(mod q)和ω′c=gUpdc′的值,最终输出更新数据({b′i}n,Updc′,ω′c)。The specific database update algorithm is as follows: select α∈Z q to update Updc, and calculate Updc′=Updc*α(mod q) and ω′ c =g Updc ′, and finally output updated data ({b′ i } n , Updc′, ω′ c ).
如果只是盲化证书{i}n发生泄露,主密钥mk是安全的,那么继续维护原来的主密钥信息mk,只需要重新执行证书更新操作生成新的盲化证书即可。If only the blinded certificate { i } n is leaked and the master key mk is safe, then continue to maintain the original master key information mk and just re-execute the certificate update operation to generate a new blinded certificate.
本发明并不局限于前述的具体实施方式。本发明扩展到任何在本说明书中披露的新特征或任何新的组合,以及披露的任一新的方法或过程的步骤或任何新的组合。如果本领域技术人员,在不脱离本发明的精神所做的非实质性改变或改进,都应该属于本发明权利要求保护的范围。The present invention is not limited to the aforementioned specific embodiments. The present invention extends to any new features or any new combination disclosed in this specification, as well as any new method or process steps or any new combination disclosed. If non-substantial changes or improvements made by those skilled in the art without departing from the spirit of the present invention should fall within the scope of protection of the claims of the present invention.
本说明书中公开的所有特征,或公开的所有方法或过程中的步骤,除了互相排斥的特征和/或步骤以外,均可以以任何方式组合。All features disclosed in this specification, or steps in all methods or processes disclosed, except mutually exclusive features and/or steps, can be combined in any manner.
本说明书中公开的任一特征,除非特别叙述,均可被其他等效或具有类似目的的替代特征加以替换。即,除非特别叙述,每个特征只是一系列等效或类似特征中的一个例子而已。Any feature disclosed in this specification, unless otherwise stated, can be replaced by other equivalent or alternative features with similar purposes. That is, unless otherwise stated, each feature is only an example of a series of equivalent or similar features.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111353820.5A CN114091094B (en) | 2021-11-16 | 2021-11-16 | Fingerprint authentication and key negotiation method supporting updating |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111353820.5A CN114091094B (en) | 2021-11-16 | 2021-11-16 | Fingerprint authentication and key negotiation method supporting updating |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114091094A CN114091094A (en) | 2022-02-25 |
| CN114091094B true CN114091094B (en) | 2024-08-23 |
Family
ID=80300882
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111353820.5A Active CN114091094B (en) | 2021-11-16 | 2021-11-16 | Fingerprint authentication and key negotiation method supporting updating |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114091094B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115622693B (en) * | 2022-09-09 | 2023-05-30 | 重庆大学 | Body area network key negotiation method and system based on secret sharing |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007272352A (en) * | 2006-03-30 | 2007-10-18 | Toshiba Corp | IC card system, apparatus and program |
| CN111756533A (en) * | 2014-08-29 | 2020-10-09 | 维萨国际服务协会 | System, method and storage medium for secure password generation |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7124302B2 (en) * | 1995-02-13 | 2006-10-17 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
| EP3257227B1 (en) * | 2015-02-13 | 2021-03-31 | Visa International Service Association | Confidential communication management |
| AU2016287732A1 (en) * | 2015-06-30 | 2017-12-07 | Visa International Service Association | Mutual authentication of confidential communication |
| US11120436B2 (en) * | 2015-07-17 | 2021-09-14 | Mastercard International Incorporated | Authentication system and method for server-based payments |
| CN105871553A (en) * | 2016-06-28 | 2016-08-17 | 电子科技大学 | Identity-free three-factor remote user authentication method |
| US10771451B2 (en) * | 2016-09-13 | 2020-09-08 | Queralt, Inc. | Mobile authentication and registration for digital certificates |
| CN106936586A (en) * | 2016-12-07 | 2017-07-07 | 中国电子科技集团公司第三十研究所 | A kind of biological secret key extracting method based on fingerprint bit string and Error Correction of Coding |
| CN111682938B (en) * | 2020-05-12 | 2022-08-09 | 东南大学 | Three-party authenticatable key agreement method facing centralized mobile positioning system |
-
2021
- 2021-11-16 CN CN202111353820.5A patent/CN114091094B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007272352A (en) * | 2006-03-30 | 2007-10-18 | Toshiba Corp | IC card system, apparatus and program |
| CN111756533A (en) * | 2014-08-29 | 2020-10-09 | 维萨国际服务协会 | System, method and storage medium for secure password generation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114091094A (en) | 2022-02-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111818039B (en) | A three-factor anonymous user authentication protocol method based on PUF in the Internet of Things | |
| Yu et al. | An efficient generic framework for three-factor authentication with provably secure instantiation | |
| US11223478B2 (en) | Biometric authentication with template privacy and non-interactive re-enrollment | |
| JP7127543B2 (en) | Matching system, method, device and program | |
| US10425232B2 (en) | Encrypted biometric registration | |
| CN114065169B (en) | Privacy protection biometric authentication method and device and electronic equipment | |
| WO2020182151A1 (en) | Methods for splitting and recovering key, program product, storage medium, and system | |
| US20140006806A1 (en) | Effective data protection for mobile devices | |
| US20130010957A1 (en) | Cryptographic security using fuzzy credentials for device and server communications | |
| CN105871553A (en) | Identity-free three-factor remote user authentication method | |
| CN111355588B (en) | A wearable device two-factor authentication method and system based on PUF and fingerprint features | |
| JP7323004B2 (en) | Data extraction system, data extraction method, registration device and program | |
| US11251949B2 (en) | Biometric security for cryptographic system | |
| CN106789032B (en) | Single password three-party authentication method for secret sharing between server and mobile equipment | |
| CN110719172B (en) | Signature method, signature system and related equipment in block chain system | |
| CN119696800B (en) | Data signing method, device, computer equipment and medium based on biological characteristics | |
| CN109379176B (en) | Password leakage resistant authentication and key agreement method | |
| CN113507380B (en) | Privacy protection remote unified biometric authentication method and device and electronic equipment | |
| CN114996727A (en) | Biological feature privacy encryption method and system based on palm print and palm vein recognition | |
| CN114091094B (en) | Fingerprint authentication and key negotiation method supporting updating | |
| WO2024030559A1 (en) | Systems and methods for biometrics-based secure data encryption and data signature | |
| CN112287316B (en) | Biological authentication method and system based on elliptic curve and removable biological characteristics | |
| US12417273B2 (en) | Management system and method for user authentication on password based systems | |
| JP4763465B2 (en) | Personal authentication apparatus, server apparatus, authentication system, and authentication method | |
| KR100986980B1 (en) | Biometric Authentication Methods, Clients, and Servers |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |