CN104065487A

CN104065487A - A method of IBC identity authentication based on digital fingerprint random secret value

Info

Publication number: CN104065487A
Application number: CN201410322752.XA
Authority: CN
Inventors: 刘桂雄; 余长庚; 徐静; 洪晓斌
Original assignee: South China University of Technology SCUT
Current assignee: South China University of Technology SCUT
Priority date: 2014-07-08
Filing date: 2014-07-08
Publication date: 2014-09-24

Abstract

The invention discloses a random secret value IBC identity authentication method based on a digital fingerprint. The random secret value IBC identity authentication method based on the digital fingerprint comprises the steps that (1) a user private key is jointly generated according to a user ID, a password PW and a system main secret key generated by a PKG server, digital fingerprint information of the user is encrypted, and user identity mark information is generated; (2) the PKG server generates a user identity credential according to the user ID, the password PW, a fingerprint feature ciphertext and a user identity credential time limit and sends and stores the user identity credential to a user authentication server; (3) the user authentication server deduces the authenticity of the user identity mark information according to stored user identity credential information and a fingerprint feature threshold value. The random secret value IBC identity authentication method based on the digital fingerprint has good authentication, privacy and non-repudiation performance, and is suitable for identity authentication among entities in a monitoring system.

Description

A method of IBC identity authentication based on digital fingerprint random secret value

技术领域technical field

本发明涉及一种认证方法，特别涉及一种基于数字指纹随机密值IBC身份认证的方法，属于信息系统安全和数字指纹识别技术领域。The invention relates to an authentication method, in particular to an IBC identity authentication method based on a digital fingerprint random secret value, and belongs to the technical fields of information system security and digital fingerprint identification.

背景技术Background technique

随着计算机技术、网络通信技术在监控系统的应用，使得对不同地域设备或环境监控变得非常方便，用户可以随时随地登录系统方便查看各类信息。信息化、网络化给用户带来便利的同时，网络攻击、信息篡改、病毒木马等威胁也给系统可信度造成了严重影响。With the application of computer technology and network communication technology in the monitoring system, it is very convenient to monitor equipment or environments in different regions. Users can log in to the system anytime and anywhere to view various information. While informatization and networking bring convenience to users, threats such as cyber attacks, information tampering, and viruses and Trojan horses have also seriously affected the credibility of the system.

网络非法入侵及身份冒充行为影响到系统平台内的主体身份可信，身份认证就是通过对被验证方其身份属性产生相关身份标识的鉴别服务，以确定其身份合法性。Illegal network intrusion and identity impersonation affect the trustworthiness of the subject's identity in the system platform. Identity authentication is an identification service that generates a relevant identity mark for the identity attribute of the authenticated party to determine the legitimacy of its identity.

现有身份认证技术依赖许多因素，如用户所知道的信息集合A₁＝{密码A₁₁，口令A₁₂，…}，用户所拥有的东西集合A₂＝{令牌A₂₁，智能卡A₂₂，…}，用户的生物特征集合A₃＝{指纹A₃₁，虹膜A₃₂，…}等，这些被认证方的安全要素集合AS＝{A₁，A₂，A₃}产生其身份证据，与认证方身份证据期望值比较得到认证结果。从身份认证安全性和特点来看：(1)基于信息集合A₁身份验证方法简便易用，但口令有公认的薄弱环节，容易有泄露、被窃取危险；(2)用户所知道的信息集合A₁和用户所拥有的东西集合A₂组成基于双因素认证方法，该方法可以从根本上改善信息秘密认证方式由于口令泄露而引起的安全隐患，以及口令(或其摘要值)在网络传输中被窃听而引起的重放攻击；(3)基于生物特征身份认证技术，由于生物特征具有普遍性、独特性和不能复制、丢失及忘记；具有可靠性高，应用方便特点。除此之外，现有基于生物特征身份认证技术存在一个缺点，存储生物特征模板信息容易造成泄露，特征模板安全是安全生物特征系统关键问题。Existing identity authentication technology relies on many factors, such as information set A ₁ known by the user = {password A ₁₁ , password A ₁₂ , ...}, set of things owned by the user A ₂ = {token A ₂₁ , smart card A ₂₂ , ...}, user's biometric feature set A ₃ = {fingerprint A ₃₁ , iris A ₃₂ , ...}, etc., these authenticated parties' security element sets AS = {A ₁ , A ₂ , A ₃ } produce their identity evidence, and The authentication result is obtained by comparing the expected value of the authentication party's identity evidence. From the perspective of identity authentication security and characteristics: (1) The identity authentication method based on information set _A1 is simple and easy to use, but the password has a recognized weak link, which is easy to be leaked and stolen; (2) The information set known to the user The composition of A ₁ and the collection of things owned by the user A ₂ is based on the two-factor authentication method, which can fundamentally improve the security risks caused by the leakage of passwords in information secret authentication methods, and the transmission of passwords (or their abstract values) in the network Replay attacks caused by eavesdropping; (3) Based on biometric identity authentication technology, because biometrics are universal, unique, and cannot be copied, lost and forgotten; they have the characteristics of high reliability and convenient application. In addition, there is a shortcoming in the existing biometric-based identity authentication technology. Storing biometric template information is easy to cause leakage, and the security of biometric templates is a key issue in a secure biometric system.

发明内容Contents of the invention

本发明针对生物特征模板安全问题，结合生物特征认证技术和传统密码学技术，提出一种具有良好认证性、隐私性及不可抵赖性的基于数字指纹随机密值IBC身份认证方法。Aiming at the problem of biometric template security, the present invention combines biometric authentication technology and traditional cryptography technology, and proposes an IBC identity authentication method based on digital fingerprint random encryption value with good authentication, privacy and non-repudiation.

本发明所基于数字指纹随机密值IBC身份认证方法是通过以下技术方案来实现的：The digital fingerprint random secret value IBC identity authentication method based on the present invention is realized through the following technical solutions:

一种基于数字指纹随机密值IBC身份认证方法，具体步骤包括：1)、以用户ID、密码PW、PKG服务器产生的系统主密钥共同生成用户私钥，同时，PKG服务器对用户私钥进行数字签名；2)、采集用户数字指纹信息并进行加密，产生用户身份标识信息；3)、PKG服务器根据用户ID、密码PW、用户身份标识信息、用户身份凭证时间期限及数字签名生成用户身份凭证，发送并保存到用户认证服务器，同时，用户认证服务器将注册参数写入到用户USBKey中，注册完成；4)采集需认证用户数字指纹特征向量，加密后形成密文发送到用户认证服务器，用户认证服务器根据随机数发生器进行随机融合密值计算，并发送到需认证用户；5)、需认证用户使用用户私钥对随机融合密值解密，解密结果回送至用户认证服务器，进而推断出用户身份标识信息真实性，身份认证过程完成。A kind of IBC identity authentication method based on digital fingerprint random secret value, concrete steps comprise: 1), generate user's private key jointly with the system master key that user ID, password PW, PKG server produce, meanwhile, PKG server carries out user's private key Digital signature; 2), collect user digital fingerprint information and encrypt it to generate user identity information; 3), PKG server generates user identity certificate according to user ID, password PW, user identity information, user identity certificate time limit and digital signature , send and save to the user authentication server, at the same time, the user authentication server writes the registration parameters into the user’s USBKey, and the registration is completed; 4) collect the digital fingerprint feature vector of the user to be authenticated, encrypt and send it to the user authentication server as ciphertext, and the user The authentication server calculates the random fusion encryption value according to the random number generator, and sends it to the user who needs to be authenticated; 5), the user who needs to be authenticated uses the user's private key to decrypt the random fusion encryption value, and the decryption result is sent back to the user authentication server, and then infers that the user The identity identification information is authentic, and the identity authentication process is completed.

所述步骤1)具体包括：Described step 1) specifically comprises:

1.1)、PKG服务器初始化，构造满足Diffie-Hellman假设椭圆曲线E_p，选取椭圆曲线E_p上阶为n的基点G，使得用户ID满足映射函数：F_ID:{0，1}^m→E_p，产生大素数k_m作为PKG系统主密钥，再得PKG公钥P_m＝k_m·G。1.1), the PKG server is initialized, the construction satisfies the Diffie-Hellman assumption of the elliptic curve E _p , and the base point G of the upper order of the elliptic curve E _p is n, so that the user ID satisfies the mapping function: F _ID : {0, 1} ^m → E _p , generate a large prime number k _m as the PKG system master key, and then obtain the PKG public key P _m =k _m ·G.

1.2)、PKG服务器利用系统主密钥k_m、PKG公钥P_m，用户提供ID、密码值PW，产生用户私钥k_u，k_u满足ID||PW＝U_ID＝k_u·G。1.2), the PKG server uses the system master key k _m , PKG public key P _m , and the user provides ID and password value PW to generate user private key k _u , k _u satisfies ID||PW=U _ID =k _u ·G.

1.3)、PKG服务器使用数字签名函数Sig(k_m,k_u)对用户私钥ku数字签名S_u＝{k_u,Sig(k_m,k_u)}，用户接收用户私钥数字签名S_u后，使用数字签名验证函数Ver(P_m,S_u)验证用户私钥与数字签名是否匹配，确定用户私钥k_u合法性。1.3), the PKG server uses the digital signature function Sig(k _m ,k _u ) to digitally sign the user's private key ku S _u ={k _u ,Sig(k _m ,k _u )}, and the user receives the digital signature S _u of the user's private key Finally, use the digital signature verification function Ver(P _m ,S _u ) to verify whether the user's private key matches the digital signature, and determine the legitimacy of the user's private key k _u .

所述步骤2)具体包括：Described step 2) specifically comprises:

2.1)、采集用户指纹，提取用户指纹特征向量组W_i:{W₁，W₂，W₃，…}，根据用户指纹特征向量生成指纹特征阈值τ。2.1) Collect user fingerprints, extract user fingerprint feature vector group W _i : {W ₁ , W ₂ , W ₃ ,...}, generate fingerprint feature threshold τ according to user fingerprint feature vectors.

2.2)、用户使用RSA加密算法对指纹向量组向量W_i加密得到作为模板的指纹特征密文E(W_i)＝E(U_ID,W_i)，指纹特征密文E(W_i)和指纹特征阈值τ构成身份认证用户身份标识信息。2.2), the user uses the RSA encryption algorithm to encrypt the fingerprint vector group vector W _i to obtain the fingerprint feature ciphertext E(W _i )=E(U _ID ,W _i ) as a template, the fingerprint feature ciphertext E(W _i ) and the fingerprint The feature threshold τ constitutes the identification information of the identity authentication user.

所述步骤3)具体包括：PKG服务器利用用户ID、密码PW、指纹特征密文E(W_i)、指纹特征阈值τ、用户身份凭证时间期限T及数字签名Sig(k_m,τ||T||E(W_i))生成用户身份凭证C_u:The step 3) specifically includes: the PKG server uses the user ID, password PW, fingerprint feature ciphertext E(W _i ), fingerprint feature threshold τ, user identity credential time limit T and digital signature Sig(k _m ,τ||T ||E(W _i )) Generate user identity credential C _u :

C_u＝{U_ID,PW,E(W_i),τ,Sig(k_m,τ||T||E(W_i))}C _u ＝{U _ID ,PW,E(W _i ),τ,Sig(k _m ,τ||T||E(W _i ))}

同时，用户认证服务器使用数字签名验证函数Ver(P_m,C_u)，验证用户身份凭证C_u合法性，并将用户ID、密码PW、用户指纹特征密文E(W_i)、指纹特征阈值τ及身份凭证时间期限T保存于身份凭证数据库，PKG服务器通知用户注册成功，并将注册参数{k_u,G,Ver(P_m,C_u)}写入用户USBKey。At the same time, the user authentication server uses the digital signature verification function Ver(P _m ,C _u ) to verify the legitimacy of the user identity credential C _u , and sends the user ID, password PW, user fingerprint feature ciphertext E(W _i ), fingerprint feature threshold τ and the time limit T of the identity certificate are stored in the identity certificate database, and the PKG server notifies the user of successful registration, and writes the registration parameters {k _u ,G,Ver(P _m ,C _u )} into the user's USBKey.

所述步骤4)具体包括：Described step 4) specifically comprises:

4.1)、利用指纹采集仪采集需认证用户指纹，并提取数字指纹特征向量X_u:{x₁,x₂,…,x_n}，使用用户公钥U_ID对X_u使用RSA算法加密，指纹特征向量密文E(x_i)＝E(U_ID,x_i)，将指纹特征向量密文E(x_i)发送至用户认证服务器。4.1), use the fingerprint collector to collect the fingerprint of the user who needs to be authenticated, and extract the digital fingerprint feature vector X _u :{x ₁ ,x ₂ ,…,x _n }, use the user public key U _ID to encrypt X _u using the RSA algorithm, and the fingerprint Feature vector ciphertext E( _xi )=E(U _ID ,xi ₎ , and the fingerprint feature vector ciphertext E( _xi ) is sent to the user authentication server.

4.2)、用户认证服务器随机数发生器产生k个随机数ρ_j、kn个随机数r_ji，且ρ_j、r_ji满足约束条件： 4.2), the random number generator of the user authentication server generates k random numbers ρ _j and kn random numbers r _ji , and ρ _j and r _ji meet the constraints:

4.3)、使用RSA算法对随机数r_ji加密得到随机数密值E(r_ji)＝E(U_ID,r_ji)。4.3) Use the RSA algorithm to encrypt the random number r _ji to obtain the encrypted value of the random number E(r _ji )=E(U _ID ,r _ji ).

4.4)、用户认证服务器将用户作为模板的指纹特征密值E(W_i)、指纹特征向量密文E(x_i)及随机数密值E(r_ji)计算随机融合密值E(W_ix_ir_ji)＝E(W_i)E(x_i)E(r_ji)，并将随机融合密值E(W_ix_ir_ji)发送给需认证用户。4.4), the user authentication server uses the fingerprint feature encryption value E(W _i ) of the user as a template, the fingerprint feature vector ciphertext E(xi ₎ and the random number encryption value E(r _ji ) to calculate the random fusion encryption value E(W _i x _i r _ji )=E(W _i )E(xi ₎ E(r _ji ), and send the random fusion encryption value E(W _i x _i r _ji ) to the user requiring authentication.

所述步骤5)具体包括：Described step 5) specifically comprises:

5.1)、需认证用户使用用户私钥k_u对随机融合密值E(W_ix_ir_ji)解密，获得随机化指纹特征W_ix_ir_ji；计算随机化指纹特征向量和并将R_j发送至用户认证服务器。5.1), the user who needs to be authenticated uses the user's private key k _u to decrypt the random fusion encryption value E(W _i x _i r _ji ) to obtain the randomized fingerprint feature W _i x _i r _ji ; calculate the randomized fingerprint feature vector and And send R _j to the user authentication server.

5.2)、用户认证服务器根据R_j计算出需认证用户指纹特征验证值R为：5.2), the user authentication server calculates the fingerprint feature verification value R of the user to be authenticated according to R _j as:

$R R = = {Σ Σ}_{j j = = 11}^{k k} {ρ ρ}_{j j} \cdot &Center Dot; {R R}_{j j} = = {Σ Σ}_{j j = = 11}^{k k} {ρ ρ}_{j j} {Σ Σ}_{i i = = 11}^{n no} {W W}_{i i} {x x}_{i i} {r r}_{ji the ji} = = {Σ Σ}_{i i = = 11}^{n no} {Σ Σ}_{j j = = 11}^{k k} {ρ ρ}_{j j} {W W}_{i i} {r r}_{ji the ji} = = {Σ Σ}_{i i = = 11}^{n no} {W W}_{i i} {x x}_{i i} {Σ Σ}_{j j = = 11}^{k k} {ρ ρ}_{j j} {r r}_{ji the ji} = = {Σ Σ}_{i i = = 11}^{n no} {W W}_{i i} {x x}_{i i}$

若R＞τ，则用户身份认证通过；若R＜τ，则用户身份认证失败，并将认证结果返回需认证用户。If R>τ, the user identity authentication is passed; if R<τ, the user identity authentication fails, and the authentication result is returned to the user to be authenticated.

与现有技术相比，本发明的有益效果包括：Compared with the prior art, the beneficial effects of the present invention include:

1、基于数字指纹随机密值IBC身份认证方法将传统密码学和生物特征识别技术相结合，为认证过程提供了良好的认证性、隐私性及不可抵赖性，广泛适用于监控系统中各实体间的身份认证。1. The IBC identity authentication method based on the digital fingerprint random secret value combines traditional cryptography and biometric identification technology, which provides good authentication, privacy and non-repudiation for the authentication process, and is widely used among entities in the monitoring system authentication.

2、通过用户身份标识信息生成身份凭证及随机密值判定方法，使系统不必直接存储用户指纹特征信息，即使攻击者能够进入数据库也不能获得用户指纹特征信息，实现数字指纹模板高度保密性。2. Generate identity certificates and random secret value judgment methods through user identity information, so that the system does not need to directly store user fingerprint feature information, even if an attacker can enter the database, he cannot obtain user fingerprint feature information, and realizes high confidentiality of digital fingerprint templates.

3、不直接利用指纹作为唯一认证信息，用户无需向服务器提供指纹模板。3. The fingerprint is not directly used as the only authentication information, and the user does not need to provide the server with a fingerprint template.

4、认证服务器的认证方法信息对用户透明，使得系统在享受生物特征良好认证性的同时，保障了用户指纹模板及认证服务器资源隐私性。4. The authentication method information of the authentication server is transparent to the user, so that the system can enjoy the good authentication of biometric features while ensuring the privacy of the user's fingerprint template and the resource of the authentication server.

附图说明Description of drawings

附图用来提供对本发明的进一步理解，并且构成说明书的一部分，与本发明的实施例共同用于解释本发明，不构成对本发明限制。其中：The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the description, and are used together with the embodiments of the present invention to explain the present invention, and do not limit the present invention. in:

图1是本发明所述方法中基于数字指纹随机密值IBC身份认证用户注册过程的结构示意框图；Fig. 1 is the schematic block diagram of the structure based on digital fingerprint random secret value IBC identity authentication user registration process in the method of the present invention;

图2是本发明所述方法中基于数字指纹随机密值IBC身份认证用户身份验证示过程的结构示意框图。Fig. 2 is a schematic structural block diagram of the user identity verification demonstration process based on the digital fingerprint random secret value IBC identity authentication in the method of the present invention.

具体实施方式Detailed ways

本发明所述的基于数字指纹随机密值IBC身份认证方法是基于指纹特征向量和随机密值解析方法进行身份认证，其过程分为两部分：用户注册与用户身份验证。The IBC identity authentication method based on digital fingerprint random cipher value of the present invention is based on fingerprint feature vector and random cipher value analysis method for identity authentication, and its process is divided into two parts: user registration and user identity verification.

基于数字指纹随机密值IBC身份认证用户注册过程包括：1、以用户ID、密码PW、PKG服务器产生的系统主密钥共同生成用户私钥，同时，PKG服务器对用户私钥进行数字签名；2)、采集用户数字指纹信息并进行加密，产生用户身份标识信息；3)、PKG服务器根据用户ID、密码PW、用户身份标识信息、用户身份凭证时间期限及数字签名生成用户身份凭证，发送并保存到用户认证服务器，同时，用户认证服务器将注册参数写入到用户USBKey中，注册完成。The user registration process based on digital fingerprint random secret value IBC identity authentication includes: 1. The user's private key is jointly generated with the user ID, password PW, and the system master key generated by the PKG server. At the same time, the PKG server digitally signs the user's private key; 2. ), collect user digital fingerprint information and encrypt to generate user identity information; 3), PKG server generates user identity certificate according to user ID, password PW, user identity information, user identity certificate time limit and digital signature, sends and saves At the same time, the user authentication server writes the registration parameters into the user USBKey, and the registration is completed.

基于数字指纹随机密值IBC身份认证用户身份验证过程具体包括：1)采集需认证用户数字指纹特征向量，加密后形成密文发送到用户认证服务器，用户认证服务器根据随机数发生器进行随机融合密值计算，并发送到需认证用户；2)、需认证用户使用用户私钥对随机融合密值解密，解密结果回送至用户认证服务器，进而推断出用户身份标识信息真实性，身份认证过程完成。Based on the digital fingerprint random secret value IBC identity authentication user identity verification process specifically includes: 1) Collect the digital fingerprint feature vector of the user to be authenticated, encrypt it to form a ciphertext and send it to the user authentication server, and the user authentication server performs random fusion encryption according to the random number generator. 2) The user who needs to be authenticated uses the user's private key to decrypt the random fusion encryption value, and the decryption result is sent back to the user authentication server, and then the authenticity of the user's identity information is deduced, and the identity authentication process is completed.

下面结合附图1对基于数字指纹随机密值IBC身份认证用户注册过程做进一步的详细描述：Below in conjunction with accompanying drawing 1, the IBC identity authentication user registration process based on digital fingerprint random secret value is described in further detail:

步骤一、PKG服务器初始化，构造满足Diffie-Hellman假设椭圆曲线E_p，选取椭圆曲线E_p上阶为n的基点G，使得用户ID满足映射函数：F_ID:{0，1}^m→E_p，产生大素数k_m作为PKG系统主密钥，再得PKG公钥P_m＝k_m·G。Step 1. Initialize the PKG server, construct the elliptic curve E _p that satisfies the Diffie-Hellman assumption, and select the base point G whose upper order is n on the elliptic curve E _p , so that the user ID satisfies the mapping function: F _ID : {0, 1} ^m → E _p , generate a large prime number k _m as the PKG system master key, and then obtain the PKG public key P _m =k _m ·G.

步骤二、PKG服务器利用系统主密钥k_m、PKG公钥P_m，用户提供ID、密码值PW，产生用户私钥k_u，k_u满足ID||PW＝U_ID＝k_u·G。Step 2: The PKG server uses the system master key k _m , the PKG public key P _m , and the user provides ID and password value PW to generate the user's private key k _u , and k _u satisfies ID||PW=U _ID =k _u ·G.

步骤三、PKG服务器使用数字签名函数Sig(k_m,k_u)对用户私钥ku数字签名S_u＝{k_u,Sig(k_m,k_u)}，以提高k_u传输安全性；当用户接收用户私钥数字签名S_u后，使用数字签名验证函数Ver(P_m,S_u)验证用户私钥与数字签名是否匹配，从而确定出用户私钥k_u的合法性。Step 3: The PKG server uses the digital signature function Sig(k _m ,k _u ) to digitally sign the user's private key ku S _u ={k _u ,Sig(k _m ,k _u )} to improve the security of k _u transmission; when After receiving the digital signature _Su of the user's private key, the user uses the digital signature verification function Ver(P _m , Su ₎ to verify whether the user's private key matches the digital signature, thereby determining the legitimacy of the user's private key k _u .

步骤四、采集用户指纹，提取用户指纹特征向量组W_i:{W₁，W₂，W₃，…}，根据用户指纹特征向量生成指纹特征阈值τ。Step 4: collect user fingerprints, extract user fingerprint feature vector group W _i : {W ₁ , W ₂ , W ₃ ,...}, and generate fingerprint feature threshold τ according to user fingerprint feature vectors.

步骤五、用户使用RSA加密算法对指纹向量组向量W_i加密得到作为模板的指纹特征密文E(W_i)＝E(U_ID,W_i)，指纹特征密文E(W_i)和指纹特征阈值τ构成身份认证用户身份标识信息。Step 5. The user uses the RSA encryption algorithm to encrypt the fingerprint vector group vector W _i to obtain the fingerprint feature ciphertext E(W _i )=E(U _ID ,W _i ) as a template, the fingerprint feature ciphertext E(W _i ) and the fingerprint The feature threshold τ constitutes the identification information of the identity authentication user.

步骤六、PKG服务器利用用户ID、密码PW、指纹特征密文E(W_i)、指纹特征阈值τ、用户身份凭证时间期限T及数字签名Sig(k_m,τ||T||E(W_i))生成用户身份凭证C_u:Step 6: The PKG server uses the user ID, password PW, fingerprint feature ciphertext E(W _i ), fingerprint feature threshold τ, user identity credential time limit T and digital signature Sig(k _m ,τ||T||E(W _i )) Generate user identity credential C _u :

下面结合附图2对基于数字指纹随机密值IBC身份认证用户身份验证过程做进一步的详细描述：Below in conjunction with accompanying drawing 2, do further detailed description based on digital fingerprint random secret value IBC identity authentication user authentication process:

步骤一、利用指纹采集仪采集需认证用户指纹，并提取数字指纹特征向量X_u:{x₁,x₂,…,x_n}，使用用户公钥U_ID对X_u使用RSA算法加密，指纹特征向量密文E(x_i)＝E(U_ID,x_i)，将指纹特征向量密文E(x_i)发送至用户认证服务器。Step 1. Use the fingerprint collector to collect the fingerprint of the user who needs to be authenticated, and extract the digital fingerprint feature vector X _u :{x ₁ ,x ₂ ,…,x _n }, use the user public key U _ID to encrypt X _u using the RSA algorithm, and the fingerprint Feature vector ciphertext E( _xi )=E(U _ID ,xi ₎ , and the fingerprint feature vector ciphertext E( _xi ) is sent to the user authentication server.

步骤二、用户认证服务器随机数发生器产生k个随机数ρ_j、kn个随机数r_ji，且ρ_j、r_ji满足约束条件： Step 2. The random number generator of the user authentication server generates k random numbers ρ _j and kn random numbers r _ji , and ρ _j and r _ji satisfy the constraints:

步骤三、使用RSA算法对随机数r_ji加密得到随机数密值E(r_ji)＝E(U_ID,r_ji)。Step 3: Use the RSA algorithm to encrypt the random number r _ji to obtain the random number encrypted value E(r _ji )=E(U _ID ,r _ji ).

步骤四、用户认证服务器将用户作为模板的指纹特征密值E(W_i)、指纹特征向量密文E(x_i)及随机数密值E(r_ji)计算随机融合密值E(W_ix_ir_ji)＝E(W_i)E(x_i)E(r_ji)，并将随机融合密值E(W_ix_ir_ji)发送给需认证用户。Step 4: The user authentication server uses the fingerprint feature encryption value E(W _i ), fingerprint feature vector ciphertext E(xi ₎ and random number encryption value E(r _ji ) of the user as a template to calculate the random fusion encryption value E(W _i x _i r _ji )=E(W _i )E(xi ₎ E(r _ji ), and send the random fusion encryption value E(W _i x _i r _ji ) to the user requiring authentication.

步骤五、需认证用户使用用户私钥ku对随机融合密值E(W_ix_ir_ji)解密，获得随机化指纹特征W_ix_ir_ji；计算随机化指纹特征向量和并将R_j发送至用户认证服务器。Step 5. The user who needs to be authenticated uses the user private key ku to decrypt the random fusion encryption value E(W _i x _i r _ji ) to obtain the randomized fingerprint feature W _i x _i r _ji ; calculate the randomized fingerprint feature vector and And send R _j to the user authentication server.

步骤六、用户认证服务器根据R_j计算出需认证用户指纹特征验证值R为：Step 6. The user authentication server calculates the fingerprint feature verification value R of the user to be authenticated according to R _j as:

本发明所述的基于数字指纹随机密值IBC身份认证方法并不仅限于说明书和实施例中的描述。凡在本发明的精神和原则之内，所做的任何修改、同等替换、改进等，均包含在本发明的权利要求范围之内。The IBC identity authentication method based on the digital fingerprint random encryption value described in the present invention is not limited to the description in the instructions and embodiments. All modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present invention are included within the scope of the claims of the present invention.

Claims

Based on digital finger-print with a secret value IBC identity identifying method, it is characterized in that, concrete steps comprise:

One, register with secret value IBC authentication user based on digital finger-print

1), the system master key that produces with user ID, password PW, PKG server generates private key for user jointly, meanwhile, PKG server carries out digital signature to private key for user;

2), gather number finger print information and be encrypted, generation User Identity information;

3), PKG server generates user identity voucher according to user ID, password PW, User Identity information, user identity voucher time limit and digital signature, send and be saved in subscriber authentication server, simultaneously, subscriber authentication server will be registered parameter read-in in user USBKey, and registration completes;

Two, based on digital finger-print with secret value IBC authentication subscriber authentication

4) gather and need authenticated user digital finger-print characteristic vector, form ciphertext and send to subscriber authentication server after encrypting, subscriber authentication server carries out merging close value and calculating at random according to randomizer, and sends to and need authenticated user;

5), need authenticated user user private key to the deciphering of the close value of random fusion, decrypted result is recycled to subscriber authentication server, and then infers User Identity information authenticity, authentication process completes.
According to claim 1 based on digital finger-print with secret value IBC identity identifying method, it is characterized in that described step 1) specifically comprise:

1.1), the initialization of PKG server, structure meets Diffie-Hellman hypothesis elliptic curve E _p, choose elliptic curve E _pupper rank are the basic point G of n, make user ID meet mapping function: F _iD: { 0,1} ^m→ E _p, produce large prime number k _mas PKG system master key, then obtain PKG PKI P _m=k _mg;

1.2), PKG server by utilizing system master key k _m, PKG PKI P _m, user provides ID, password value PW, produces private key for user k _u, k _umeet ID||PW=U _iD=k _ug;

1.3), PKG server uses digital signature function Sig (k _m, k _u) to private key for user ku digital signature S _u={ k _u, Sig (k _m, k _u), user receives private key for user digital signature S _uafter, use digital signature authentication function Ver (P _m, S _u) whether authentication of users private key mate with digital signature, determines private key for user k _ulegitimacy.
According to claim 1 based on digital finger-print with secret value IBC identity identifying method, it is characterized in that described step 2) specifically comprise:

2.1), gather user fingerprints, extraction user fingerprints characteristic vector group W _i: { W ₁, W ₂, W ₃..., generate fingerprint characteristic threshold tau according to user fingerprints characteristic vector;

2.2), user uses RSA cryptographic algorithms to fingerprint vector group vector W _iencryption obtains the fingerprint characteristic ciphertext E (W as template _i)=E (U _iD, W _i), fingerprint characteristic ciphertext E (W _i) and fingerprint characteristic threshold tau formation authentication User Identity information.
According to claim 1 based on digital finger-print with secret value IBC identity identifying method, it is characterized in that described step 3) specifically comprise:

PKG server by utilizing user ID, password PW, fingerprint characteristic ciphertext E (W _i), fingerprint characteristic threshold tau, user identity voucher time limit T and digital signature Sig (k _m, τ || T||E (W _i)) generation user identity voucher C _u:

C _u＝{U _ID,PW,E(W _i),τ,Sig(k _m,τ||T||E(W _i))}

Meanwhile, subscriber authentication server uses digital signature authentication function Ver (P _m, C _u), identifying user identity voucher C _ulegitimacy, and by user ID, password PW, user fingerprints feature ciphertext E (W _i), fingerprint characteristic threshold tau and identity documents time limit T be stored in identity documents database, PKG server notification user registration success, and will register parameter { k _u, G, Ver (P _m, C _u) write access customer USBKey.
According to claim 1 based on digital finger-print with secret value IBC identity identifying method, it is characterized in that described step 4) specifically comprise:

4.1), utilize fingerprint acquisition instrument collection to need authenticated user fingerprint, and extract digital finger-print feature vector, X _u: { x ₁, x ₂..., x _n, user's PKI U _iDto X _uuse RSA Algorithm is encrypted, fingerprint characteristic vector ciphertext E (x _i)=E (U _iD, x _i), by fingerprint characteristic vector ciphertext E (x _i) be sent to subscriber authentication server;

4.2), subscriber authentication server randomizer produces k random number ρ _j, a kn random number r _ji, and ρ _j, r _jimeet constraints:

4.3), use RSA Algorithm to random number r _jiencryption obtains the close value E (r of random number _ji)=E (U _iD, r _ji);

4.4), the close value of the fingerprint characteristic of subscriber authentication server using user as template E (W _i), fingerprint characteristic vector ciphertext E (x _i) and the close value of random number E (r _ji) calculate and merge at random close value E (W _ix _ir _ji)=E (W _i) E (x _i) E (r _ji), and will merge at random close value E (W _ix _ir _ji) send to and need authenticated user.
According to claim 1 based on digital finger-print with secret value IBC identity identifying method, it is characterized in that described step 5) specifically comprise:

5.1), need authenticated user user private key k _uto the close value of random fusion E (W _ix _ir _ji) deciphering, obtain randomization fingerprint characteristic W _ix _ir _ji; Calculate randomization fingerprint characteristic vector sum and by R _jbe sent to subscriber authentication server;

5.2), subscriber authentication server is according to R _jcalculate and need authenticated user fingerprint characteristic validation value R to be:

$R = Σ_{j = 1}^{k} ρ_{j} \cdot R_{j} = Σ_{j = 1}^{k} ρ_{j} Σ_{i = 1}^{n} W_{i} x_{i} r_{ji} = Σ_{i = 1}^{n} Σ_{j = 1}^{k} ρ_{j} W_{i} r_{ji} = Σ_{i = 1}^{n} W_{i} x_{i} Σ_{j = 1}^{k} ρ_{j} r_{ji} = Σ_{i = 1}^{n} W_{i} x_{i}$

If R > is τ, authenticating user identification passes through; If R < is τ, authenticating user identification failure, and authentication result is returned and needed authenticated user.