
CN109753779B - A network-wide unified identity authentication method and system based on biometric identification - Google Patents


Info

Publication number: CN109753779B
Authority: CN (China)
Application number: CN201910027728.6A
Other languages: Chinese (zh)
Other versions: CN109753779A
Legal status: Active
Inventors: 蒋文保, 史博轩
Current assignee: Beijing Information Science and Technology University
Original assignee: Beijing Information Science and Technology University
Prior art keywords: user, trust server, identification information, information, authenticated

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The present invention provides a network-wide unified identity authentication method and system based on biometric identification. The method includes: the authenticated end collects the user's biometric feature and sends an authentication request to the authenticating end; the authenticated end sends first collected information to the authenticated end's local trust server; if the local trust server finds the user ID identification information, it compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends it to the authenticating end; if the local trust server does not find the user ID identification information, it queries the trust anchor subsystem for the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, and the local trust server obtains the comparison result and sends it to the authenticating end; the authenticating end decides, based on the authentication request and the comparison result, whether authentication passes.

Description

A network-wide unified identity authentication method and system based on biometric identification

Technical field

The present invention relates to the field of communications, and in particular to a network-wide unified identity authentication method and system based on biometric identification.

Background

Biometric features are unique and permanent: each person's biometric features are largely fixed and hard to change, so a person can be associated with his or her biometric features, and by comparing a captured biometric feature with a pre-stored one, the person's true identity can be verified. Biometric identification is therefore currently the most convenient and reliable identification solution and has great potential for large-scale application. In a broad sense, any system or product that needs identity authentication can use a biometric identification device, and such devices are already widely used in finance, access control, household registration and many other fields.

Under a public-key cryptosystem, public-key digital signature technology relies on CA certificates issued by a public key infrastructure (PKI) to bind an entity's identity to its public key, so as to guarantee the authenticity of the entity's public key. Binding a user's public key to the user's identity in the form of a public-key certificate has become a mature solution to network security problems. However, by introducing a trusted third-party CA, PKI incurs costs in certificate management, storage and computation: first, the processes of certificate issuance, publication, retrieval, verification and revocation are relatively complex; second, an online certificate directory must provide certificate download and status query services to users at all times, which increases maintenance overhead; third, if a user communicates with many parties, the user must store and manage all of those certificates locally, which increases client-side overhead; fourth, large-scale key management is generally handled by physically adding more CAs, and cross-certification and trust management problems then arise between the users of different CAs.

Summary of the invention

The present invention aims to overcome at least one of the above defects by providing a network-wide unified identity authentication method and system based on biometric identification.

To achieve the above object, the technical solution of the present invention is specifically realized as follows:

One aspect of the present invention provides a network-wide unified identity authentication method based on biometric identification, including: the authenticated end collects the user's biometric feature through a biometric collector to obtain the biometric information of the user to be authenticated, and sends an authentication request to the authenticating end; the authenticated end sends first collected information to the authenticated end's local trust server, where the first collected information includes the user ID identification information, the authenticated end's identification address information and the biometric information of the user to be authenticated; if the authenticated end's local trust server finds the user ID identification information, it compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end through the trust anchor subsystem, where the user authentication biometric information is the genuine biometric information of the user corresponding to the user ID identification information; if the authenticated end's local trust server does not find the user ID identification information, it queries the trust anchor subsystem for the user ID identification information, and if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; the authenticating end decides, based on the authentication request and the comparison result, whether authentication passes.

The method further includes: the authenticated end collects the user's biometric feature through the biometric collector to obtain the user authentication biometric information; the authenticated end sends second collected information to the authenticated end's local trust server, where the second collected information includes the user ID identification information, the authenticated end's identification address information and the user authentication biometric information; the authenticated end's local trust server sends the second collected information to the trust anchor subsystem; the authority trust server in the trust anchor subsystem obtains the second collected information and stores it.

Here, the step in which the authenticated end's local trust server sends the second collected information to the trust anchor subsystem and the authority trust server in the trust anchor subsystem obtains and stores it includes: the authenticated end's local trust server checks, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which it is connected is that of the authority trust server corresponding to the user ID identification information; if so, the authenticated end's local trust server sends the second collected information to the authority trust server to which it is connected; the authority trust server connected to the authenticated end's local trust server obtains the second collected information and stores it.

Here, the step in which the authenticated end's local trust server sends the second collected information to the trust anchor subsystem and the authority trust server in the trust anchor subsystem obtains and stores it includes: the authenticated end's local trust server checks, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which it is connected is that of the authority trust server corresponding to the user ID identification information; if not, the authenticated end checks whether the address of the top-level trust server to which that authority trust server is connected is that of the top-level trust server corresponding to the user ID identification information; if not, it accesses the root trust server connected to the top-level authority server, the root trust server finds, according to the user ID identification information, the top-level trust server corresponding to it, access proceeds from that top-level trust server to find the authority trust server corresponding to the user ID identification information, and the second collected information is sent to the authority trust server corresponding to the user ID identification information; the authority trust server corresponding to the user ID identification information obtains the second collected information and stores it.

Here, the step in which the authenticated end's local trust server, if it does not find the user ID identification information, queries the trust anchor subsystem for it, and, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends it to the authenticating end, includes: if the authenticated end's local trust server does not find the user ID identification information, it queries the authority trust server in the trust anchor subsystem that is connected to the authenticating end's local trust server for the user ID identification information; if the user ID identification information is found on that authority trust server, the local trust server connected to that authority trust server and corresponding to the user ID identification information compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; if the user ID identification information is not found on that authority trust server, the top-level trust server connected to the authority trust server is queried for the user ID identification information; if the user ID identification information is found on an authority trust server under that top-level trust server, the local trust server that is connected to that authority trust server and holds the user ID identification information compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; if the user ID identification information is not found on any authority trust server under that top-level trust server, the root trust server connected to the top-level trust server is queried for the user ID identification information; if an authority trust server under the root trust server holds the user ID identification information, the query is passed through the root trust server to the top-level trust server connected to the root trust server that stores the user ID identification information, and on to the authority trust server that stores the user ID identification information; when the authority trust server storing the user ID identification information finds the user authentication biometric information, the local trust server connected to that authority trust server compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end.

Here, the step in which the authenticated end's local trust server, if it does not find the user ID identification information, queries the trust anchor subsystem for it, and, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends it to the authenticating end, includes: if the authenticated end's local trust server does not find the user ID identification information, it performs an iterative query, first requesting the root trust server above the authenticated end's local trust server to look up the user ID identification information; if the user ID identification information is found on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server requests that top-level trust server to look up the user ID identification information; if the user ID identification information is found on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server requests that authority trust server to look up the user ID identification information; if the user ID identification information is found on the authority trust server, the user authentication biometric information corresponding to the user ID identification information is returned to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end.

Another aspect of the present invention provides a network-wide unified identity authentication system based on biometric identification, including an authenticated end, an authenticating end and a trust anchor subsystem, where: the trust anchor subsystem includes at least the authenticated end's local trust server; the authenticated end is configured to collect the user's biometric feature through a biometric collector, obtain the biometric information of the user to be authenticated, and send an authentication request to the authenticating end; the authenticated end is further configured to send first collected information to the authenticated end's local trust server, where the first collected information includes the user ID identification information, the authenticated end's identification address information and the biometric information of the user to be authenticated; the authenticated end's local trust server is configured to, if it finds the user ID identification information, compare whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtain the comparison result and send the comparison result to the authenticating end through the trust anchor subsystem, where the user authentication biometric information is the genuine biometric information of the user corresponding to the user ID identification information; the authenticated end's local trust server is further configured to, if it does not find the user ID identification information, query the trust anchor subsystem for the user ID identification information, and if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; the authenticating end is configured to decide, based on the authentication request and the comparison result, whether authentication passes.

Here, the trust anchor subsystem further includes an authority trust server; the authenticated end is further configured to collect the user's biometric feature through the biometric collector to obtain the user authentication biometric information; the authenticated end is further configured to send second collected information to the authenticated end's local trust server, where the second collected information includes the user ID identification information, the authenticated end's identification address information and the user authentication biometric information; the authenticated end's local trust server is further configured to send the second collected information to the trust anchor subsystem; the authority trust server in the trust anchor subsystem is configured to obtain the second collected information and store it.

Here, the authenticated end's local trust server is specifically configured to check, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which it is connected is that of the authority trust server corresponding to the user ID identification information, and if so, to send the second collected information to the authority trust server to which it is connected; the authority trust server connected to the authenticated end's local trust server is specifically configured to obtain the second collected information and store it.

Here, the authenticated end's local trust server is specifically configured to check, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which it is connected is that of the authority trust server corresponding to the user ID identification information; if not, to check whether the address of the top-level trust server to which that authority trust server is connected is that of the top-level trust server corresponding to the user ID identification information; and if not, to access the root trust server connected to the top-level authority server, where the root trust server finds, according to the user ID identification information, the top-level trust server corresponding to it, access proceeds from that top-level trust server to find the authority trust server corresponding to the user ID identification information, and the second collected information is sent to the authority trust server corresponding to the user ID identification information; the authority trust server corresponding to the user ID identification information is specifically configured to obtain the second collected information and store it.

Here, the authenticated end's local trust server is specifically configured to, if it does not find the user ID identification information, query the authority trust server in the trust anchor subsystem that is connected to the authenticating end's local trust server for the user ID identification information; if the user ID identification information is found on that authority trust server, the local trust server connected to that authority trust server and corresponding to the user ID identification information compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; if the user ID identification information is not found on that authority trust server, the top-level trust server connected to the authority trust server is queried for the user ID identification information; if the user ID identification information is found on an authority trust server under that top-level trust server, the local trust server that is connected to that authority trust server and holds the user ID identification information compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end; if the user ID identification information is not found on any authority trust server under that top-level trust server, the root trust server connected to the top-level trust server is queried for the user ID identification information; if an authority trust server under the root trust server holds the user ID identification information, the query is passed through the root trust server to the top-level trust server connected to the root trust server that stores the user ID identification information, and on to the authority trust server that stores the user ID identification information; when the authority trust server storing the user ID identification information finds the user authentication biometric information, the local trust server connected to that authority trust server compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end.

Here, the authenticated end's local trust server is specifically configured to, if it does not find the user ID identification information, perform an iterative query, first requesting the root trust server above the authenticated end's local trust server to look up the user ID identification information; if the user ID identification information is found on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server requests that top-level trust server to look up the user ID identification information; if the user ID identification information is found on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server requests that authority trust server to look up the user ID identification information; if the user ID identification information is found on the authority trust server, the user authentication biometric information corresponding to the user ID identification information is returned to the authenticated end's local trust server, which compares whether the biometric information of the user to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends the comparison result to the authenticating end.

It can be seen from the technical solution described above that the network-wide unified identity authentication method and system based on biometric identification provided by the embodiments of the present invention can perform unified identity authentication across the whole network on the basis of biometric features, thereby effectively avoiding cross-certification and many other problems, and that authentication by means of the user's biometric information is more convenient and reliable. At the same time, during authentication the authenticating end cannot obtain the user's biometric information; it obtains only the result of whether the comparison is consistent, because the comparison is performed in the local trust server within the trust anchor subsystem, which protects the security of the private information (the user's biometric information).
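As an added example (not code from the patent or its inventors), the following Python model walks through the three flows described above: the registration path (own authority trust server first, then the top-level trust server above it, otherwise via the root), the iterative lookup path (the root returns the top-level address, the top level returns the authority address, the authority returns the enrolled template), and the comparison performed by the local trust server, with the authenticating end receiving only the boolean result. Everything in it is an assumption: the `user@authority.top` ID format, the 8-byte template with a Hamming-distance tolerance, the server names, and the dictionary that stands in for the network; the patent fixes none of these, and a top-level and a root trust server are modelled by one `DirectoryServer` class parameterised by which part of the ID it resolves.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

def split_id(user_id: str) -> Tuple[str, str]:
    """Assumed ID format 'user@authority.top': 'alice@bank1.cn' -> ('bank1.cn', 'cn')."""
    authority_addr = user_id.partition("@")[2]
    return authority_addr, authority_addr.rpartition(".")[2]

def templates_match(probe: bytes, reference: bytes, max_bits: int = 8) -> bool:
    """Fuzzy comparison: two captures of one person differ in a few bits (constructed metric)."""
    return len(probe) == len(reference) and \
        sum(bin(a ^ b).count("1") for a, b in zip(probe, reference)) <= max_bits

@dataclass
class AuthorityTrustServer:
    """Holds the 'second collected information': user ID, client address, enrolled template."""
    address: str  # e.g. "bank1.cn" (hypothetical)
    parent: str   # address of the top-level trust server above it
    store: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)
    def enroll(self, user_id: str, client_addr: str, template: bytes) -> None:
        self.store[user_id] = (client_addr, template)

    def lookup(self, user_id: str) -> Optional[bytes]:
        entry = self.store.get(user_id)
        return entry[1] if entry else None

@dataclass
class DirectoryServer:
    """Top-level (level 0: which authority) or root (level 1: which top level); returns addresses only."""
    address: str
    children: set   # addresses of the servers directly below it
    level: int
    def next_hop(self, user_id: str) -> Optional[str]:
        addr = split_id(user_id)[self.level]
        return addr if addr in self.children else None

@dataclass
class LocalTrustServer:
    """Local trust server of the authenticated end: routes enrolments and performs every comparison."""
    authority: AuthorityTrustServer  # the authority trust server it is connected to
    root_addr: str
    network: Dict[str, Any]          # address -> server object; stands in for the network
    def _walk(self, start: Optional[str], user_id: str) -> Optional[AuthorityTrustServer]:
        """Iterative query: each directory server returns the next address until an authority is reached."""
        addr = start
        while addr in self.network and isinstance(self.network[addr], DirectoryServer):
            addr = self.network[addr].next_hop(user_id)
        return self.network.get(addr) if addr else None

    def register(self, user_id: str, client_addr: str, template: bytes) -> bool:
        """Registration routing: own authority first, then the top level above it, otherwise via the root."""
        auth_addr, top_addr = split_id(user_id)
        if auth_addr == self.authority.address:
            target: Optional[AuthorityTrustServer] = self.authority
        else:
            start = top_addr if self.authority.parent == top_addr else self.root_addr
            target = self._walk(start, user_id)
        if target is None:
            return False
        target.enroll(user_id, client_addr, template)
        return True

    def compare(self, user_id: str, probe: bytes) -> Optional[bool]:
        """Handle the 'first collected information'; None means the ID is unknown anywhere in the hierarchy."""
        reference = self.authority.lookup(user_id)
        if reference is None:  # not under the local authority: resolve from the root downwards
            authority = self._walk(self.root_addr, user_id)
            reference = authority.lookup(user_id) if authority else None
        return None if reference is None else templates_match(probe, reference)

@dataclass
class AuthenticatingEnd:
    received: list = field(default_factory=list)  # everything the verifier ever gets to see
    def decide(self, request: dict, result: Optional[bool]) -> bool:
        self.received.append((request, result))
        return result is True

def authenticate(local: LocalTrustServer, verifier: AuthenticatingEnd, user_id: str, client_addr: str, probe: bytes) -> bool:
    """Request goes to the verifier, probe goes to the local trust server, verdict is a boolean."""
    return verifier.decide({"user_id": user_id, "from": client_addr}, local.compare(user_id, probe))

def demo() -> dict:
    """Constructed hierarchy root -> {cn, org} -> {bank1.cn, univ.org}; the local server hangs under bank1.cn."""
    net: Dict[str, Any] = {
        "root": DirectoryServer("root", {"cn", "org"}, 1),
        "cn": DirectoryServer("cn", {"bank1.cn"}, 0), "org": DirectoryServer("org", {"univ.org"}, 0),
        "bank1.cn": AuthorityTrustServer("bank1.cn", "cn"), "univ.org": AuthorityTrustServer("univ.org", "org")}
    local, verifier = LocalTrustServer(net["bank1.cn"], "root", net), AuthenticatingEnd()
    ok = local.register("alice@bank1.cn", "10.0.0.5", bytes([0b10101010] * 8))   # own authority
    ok &= local.register("carol@univ.org", "10.0.1.7", bytes([0b11110000] * 8))  # routed via the root
    attempt = lambda uid, addr, bits: authenticate(local, verifier, uid, addr, bytes([bits] * 8))
    return {"enrolled": ok,
            "alice_ok": attempt("alice@bank1.cn", "10.0.0.5", 0b10101011),    # 8 bits off: accepted
            "carol_ok": attempt("carol@univ.org", "10.0.1.7", 0b11110001),    # resolved via root lookup
            "alice_wrong": attempt("alice@bank1.cn", "10.0.0.5", 0),          # 32 bits off: rejected
            "unknown": attempt("mallory@nowhere.xyz", "10.0.9.9", 0b10101010),
            "verifier_saw_template": any(isinstance(r, bytes) for _, r in verifier.received)}
```

The `verifier_saw_template` entry is the check worth keeping in a real deployment: the authenticating end's transcript contains only requests and booleans, never a template, which is the privacy property the paragraph above claims for the comparison being done inside the trust anchor subsystem. Transport protection between the servers is outside the model.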

Description of the drawings

In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic structural diagram of the biometric-identification-based network-wide unified identity authentication system provided by an embodiment of the present invention;

FIG. 2 is a flowchart of the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention;

FIG. 3 is a schematic diagram of one form of biometric collection in the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of another form of biometric collection in the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention;

FIG. 5 is a schematic diagram of one form of authentication in the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention;

FIG. 6 is a schematic diagram of another form of authentication in the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention.

Detailed description of the embodiments

The embodiments of the present invention are described in detail below with reference to the drawings.

FIG. 1 is a schematic structural diagram of the biometric-identification-based network-wide unified identity authentication system provided by an embodiment of the present invention. Referring to FIG. 1, the biometric-identification-based network-wide unified identity authentication system provided by the embodiment of the present invention includes:

Trust anchor subsystem: used to manage the biometric collection information of each terminal and of other network devices, to generate the user ID identification information and the identification address information of each terminal, and at the same time to provide functions such as query services for network devices.

Authenticating end: the authenticating party logs in to a device at the authenticating end and performs the authentication of the authenticated end; the authenticated end is only permitted to operate after it has passed identity authentication at the authenticating end.

Authenticated end: includes network element devices equipped with a biometric collector; for example, the biometric collector may be a fingerprint collector. It collects the user's biometric information and sends it, through the local trust server, to the authority server in the trust anchor subsystem for storage.

In the present invention, the biometric feature may be one of fingerprint, face, iris and voice features, or any combination thereof.

Under the architecture of the biometric-identification-based network-wide unified identity authentication system shown in FIG. 1, FIG. 2 shows a flowchart of the biometric-identification-based network-wide unified identity authentication method provided by an embodiment of the present invention. Referring to FIG. 2, the method provided by the embodiment of the present invention includes:

S201: the authenticated end collects the user's biometric feature through the biometric collector, obtains the user biometric information to be authenticated, and sends an authentication request to the authenticating end.

Specifically, in the process in which the authenticated end requests authentication, as shown in FIG. 1, user A may collect the biometric feature through the biometric collector, and the collected biometric information is converted into digital form. For example, user A may collect the user's fingerprint through a fingerprint collector.

As an optional implementation of the embodiment of the present invention, before authentication is performed, the real user biometric information corresponding to the user ID identification information also needs to be obtained. The biometric-identification-based network-wide unified identity authentication method provided by the embodiment of the present invention therefore further includes: the authenticated end collects the user's biometric feature through the biometric collector and obtains the user authentication biometric information; the authenticated end sends second collection information to the local trust server of the authenticated end, where the second collection information includes the user ID identification information, the identification address information of the authenticated end and the user authentication biometric information; the local trust server of the authenticated end sends the second collection information to the trust anchor subsystem; and the authority trust server in the trust anchor subsystem obtains the second collection information and stores it. In this way, the real user biometric information is stored in the authority trust server of the trust anchor subsystem, protecting the security of the real user biometric information. An example of the data stored on the authority trust server is given in Table 1.

Number | User ID identification information | Authenticated end identification address information | User's biometric information
1      | D1                                 | addr1                                                | Fingerprint1
2      | D2                                 | addr2                                                | Fingerprint2
3      | ...                                | ...                                                  | ...

Table 1 Example of data stored on the authority trust server

If the user ID identification information of the authenticated end and the authority trust server that needs to store the user's biometric information are in a superior-subordinate relationship, then, as an optional implementation of the embodiment of the present invention, the steps in which the local trust server of the authenticated end sends the second collection information to the trust anchor subsystem and the authority trust server in the trust anchor subsystem obtains and stores the second collection information include: the local trust server of the authenticated end checks, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which the local trust server of the authenticated end is connected is that of the authority trust server corresponding to the user ID identification information; if so, the local trust server of the authenticated end sends the second collection information to the authority trust server to which it is connected; and the authority trust server connected to the local trust server of the authenticated end obtains the second collection information and stores it. It can thus be seen that, when the authority trust server connected to the local trust server of the authenticated end is the superior authority trust server of that local trust server, the local trust server of the authenticated end, after obtaining the real user biometric information corresponding to the user ID identification information, can store that information directly on the superior authority trust server.

Specifically, a concrete biometric collection flow is provided below. Referring to FIG. 3, if the ID identification information generated for the authenticated end and the authority trust server that needs to store the user's information are in a superior-subordinate relationship, the following flow is performed:

1. User A collects the biometric feature through the biometric collector, for example collects the user's fingerprint through a fingerprint collector. The collected biometric information is converted into digital form and is sent to the local trust server together with the user ID identification information generated by the trust anchor subsystem and the identification address information of the authenticated end.

2. The local trust server sends the user ID identification information, the identification address information of the authenticated end and the corresponding user authentication biometric information to the superior authority trust server, which saves them.

3. After the save succeeds, a success message is returned level by level, and a "collection passed" message is returned to the authenticated end.

If the user ID identification information of the authenticated end and the authority trust server that needs to store the user's biometric information are not in a superior-subordinate relationship, then, as an optional implementation of the embodiment of the present invention, the steps in which the local trust server of the authenticated end sends the second collection information to the trust anchor subsystem and the authority trust server in the trust anchor subsystem obtains and stores the second collection information include: the local trust server of the authenticated end checks, according to the user ID identification information, whether the address of the authority trust server in the trust anchor subsystem to which it is connected is that of the authority trust server corresponding to the user ID identification information; if not, the authenticated end checks whether the address of the top-level trust server to which that authority trust server is connected is that of the top-level trust server corresponding to the user ID identification information; if not, the root trust server connected to that top-level server is accessed; the root trust server finds, according to the user ID identification information, the top-level trust server corresponding to the user ID identification information, and that top-level trust server is accessed to find the authority trust server corresponding to the user ID identification information; the second collection information is sent to the authority trust server corresponding to the user ID identification information; and that authority trust server obtains the second collection information and stores it. It can thus be seen that, when the authority trust server connected to the local trust server of the authenticated end is not the superior authority trust server of that local trust server, the local trust server of the authenticated end, after obtaining the real user biometric information corresponding to the user ID identification information, queries the top-level trust server above the authority trust server to which it is connected and then the root trust server above that, until the authority trust server corresponding to the user ID identification information is found, and the real user biometric information corresponding to the user ID identification information is then stored on that authority trust server.

Specifically, another concrete biometric collection flow is provided below. Referring to FIG. 4, if the ID identification information generated for the authenticated end and the authority trust server that needs to store the user's information are not in a superior-subordinate relationship, the following flow is performed:

1. User A collects the biometric feature through the biometric collector, for example collects the user's fingerprint through a fingerprint collector. The collected biometric information is converted into digital form and is sent to the local trust server together with the user ID identification information generated by the trust anchor subsystem and the identification address information of the authenticated end.

2. The local trust server accesses the superior authority trust server and, according to the user ID identification information, compares the address of the superior authority trust server; if they do not match, it continues to the top-level trust server.

3. The authority trust server accesses the top-level trust server above it and, according to the user ID identification information, compares the address of the superior authority trust server; if they do not match, it accesses the root trust server.

4. The root trust server is accessed, and the top-level trust server corresponding to the user ID identification information is found according to the user ID identification information.

5. The corresponding top-level trust server is accessed from the root trust server.

6. According to the user ID identification information, the authority server corresponding to the user ID identification information is found. The user ID identification information, the identification address information of the authenticated end and the corresponding user authentication biometric information are sent to that authority trust server and saved there.

7. After the save succeeds, a success message is returned level by level, and a "collection passed" message is returned to the authenticated end.

S202: the authenticated end sends first collection information to the local trust server of the authenticated end, where the first collection information includes the user ID identification information, the identification address information of the authenticated end and the user biometric information to be authenticated.

Specifically, the authenticated end may send the user ID identification information generated for it by the trust anchor subsystem and the identification address information of the authenticated end to the local trust server, and at the same time send the collected user biometric information to be authenticated to the local trust server, so that the local trust server can compare the biometric information. Because the user's biometric information cannot be obtained by the authenticating end during authentication, and the comparison is carried out in the local trust server of the trust anchor subsystem, the security of the private information (the user's biometric feature) is guaranteed.

S203: if the local trust server of the authenticated end finds the user ID identification information, it compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end through the trust anchor subsystem, where the user authentication biometric information is the real user biometric information corresponding to the user ID identification information.

Specifically, if the local trust server can find the user ID identification information, this indicates that the authority trust server to which it is connected stores the user authentication biometric information, that is, the real user biometric information. The local trust server can therefore obtain the user authentication biometric information directly in order to compare whether the user biometric information to be authenticated is consistent with it.

S204: if the local trust server of the authenticated end does not find the user ID identification information, it queries the trust anchor subsystem for the user ID identification information; if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the local trust server of the authenticated end, which compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end.

Specifically, if the local trust server of the authenticated end does not find the user ID identification information, this indicates that the local trust server of the authenticated end has never stored the user authentication biometric information. It then needs to request the user authentication biometric information from the trust anchor subsystem and perform the comparison with the user authentication biometric information so obtained.

As an optional implementation of the embodiment of the present invention, the step in which the local trust server of the authenticated end, if it does not find the user ID identification information, queries the trust anchor subsystem for the user ID identification information, the authority trust server in the trust anchor subsystem, if the trust anchor subsystem finds the user ID identification information, sends the user authentication biometric information to the local trust server of the authenticated end, and the local trust server of the authenticated end compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends the comparison result to the authenticating end, includes: if the local trust server of the authenticated end does not find the user ID identification information, it queries the authority trust server in the trust anchor subsystem that is connected to the local trust server of the authenticated end for the user ID identification information; if the user ID identification information is found on that authority trust server, the local trust server connected to that authority trust server and corresponding to the user ID identification information compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end; if the user ID identification information is not found on that authority trust server, the top-level trust server connected to that authority trust server is queried for the user ID identification information; if the user ID identification information is found on an authority trust server under the top-level trust server, the local trust server that holds the user ID identification information and is connected to that authority trust server under the top-level trust server compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end; if the user ID identification information is not found on the authority trust servers under the top-level trust server, the root trust server connected to the top-level trust server is queried for the user ID identification information; if the user ID identification information is stored on an authority trust server under the root trust server, the query is passed through the root trust server to the top-level trust server connected to the root trust server that holds the user ID identification information, and on to the authority trust server that stores the user ID identification information; when the authority trust server that stores the user ID identification information finds the user authentication biometric information, the local trust server connected to that authority trust server compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end. Authentication can thus be performed in a hierarchical tree manner.

Specifically, another concrete authentication flow is provided below. Referring to FIG. 5, authentication in the hierarchical tree manner performs the following flow:

1. At the authenticated end, user A collects the biometric feature through the biometric collector, for example collects the user's fingerprint through a fingerprint collector, and an authentication request is sent to the authenticating end.

2. The user ID identification information of the authenticated end, the identification address information of the authenticated end and the user biometric information to be authenticated are sent to the local trust server. If the user ID identification information is found on the local trust server, the biometric information is compared and the comparison result is returned to the authenticating end. If the user ID identification information is not found on the local trust server, the query for the user ID identification information continues to the authority trust server.

3. The local server requests the superior authority trust server to query the user ID identification information. If the user ID identification information is found on the authority trust server, the local trust server at the lower level corresponding to it compares the biometric information and returns the comparison result to the authenticating end. If the user ID identification information is not found on the authority trust server, the query for the user ID identification information continues to the top-level trust server.

4. The authority trust server then requests the top-level trust server to query the user ID identification information. If the user ID identification information is found on the top-level trust server, the local trust server at the lower level that holds the user ID identification information compares the biometric information and returns the comparison result to the authenticating end. If the user ID identification information is not found on the top-level trust server, the query for the user ID identification information continues to the root trust server.

5. The top-level trust server then requests the root trust server to query the user ID identification information.

6. The root trust server queries the top-level trust server and the authority trust server where the user ID identification information is stored, and finds user A's biometric information.

7. The local trust server at the lower level corresponding to the user ID identification information compares the biometric information.

8. The comparison result (consistent or not) is returned to the authenticating end.

9. The authenticating end makes a judgment according to the comparison result returned by the authority trust server: if consistent, authentication passes; otherwise it is rejected.

As an optional implementation of the embodiment of the present invention, the step in which the local trust server of the authenticated end, if it does not find the user ID identification information, queries the trust anchor subsystem for the user ID identification information, the authority trust server in the trust anchor subsystem, if the trust anchor subsystem finds the user ID identification information, sends the user authentication biometric information to the local trust server of the authenticated end, and the local trust server of the authenticated end compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends the comparison result to the authenticating end, includes: if the local trust server of the authenticated end does not find the user ID identification information, it requests, by iterative query, the root trust server above the local trust server of the authenticated end to query the user ID identification information; if the user ID identification information is found on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned; the local trust server of the authenticated end then requests that top-level trust server to query the user ID identification information; if the user ID identification information is found on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned; the local trust server of the authenticated end then requests that authority trust server to query the user ID identification information; if the user ID identification information is found on the authority trust server, the user authentication biometric information corresponding to the user ID identification information is returned to the local trust server of the authenticated end, which compares whether the user biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result, and sends the comparison result to the authenticating end. Authentication can thus be performed in an iterative-recursive manner.

Specifically, another concrete authentication flow is provided below. Referring to FIG. 6, authentication in the iterative-recursive manner performs the following flow:

1. At the authenticated end, user A collects the biometric feature through the biometric collector, for example collects the user's fingerprint through a fingerprint collector, and an authentication request is sent to the authenticating end.

2. The authenticated end's user ID identification information, the authenticated end's identification address information and the user's biometric information to be authenticated are sent to the local trust server. If the user ID identification information is found on the local trust server, the biometric information is compared there and the comparison result is returned to the authenticating end.

3. If the user ID identification information is not found on the local trust server, an iterative query begins: the local server asks the root trust server to look up the user ID identification information.

4. If the user ID identification information is not found on the root trust server, the query terminates and a not-found response is returned to the local trust server. If it is found on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned.

5. The local server then asks the top-level trust server to which the user ID belongs to look up the user ID identification information.

6. If the user ID identification information is not found on the top-level trust server, the query terminates and a not-found response is returned to the local trust server. If it is found on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned.

7. Finally, the local server asks the authority trust server to which the user ID belongs to look up the user ID identification information.

8. If the user ID identification information is not found on the authority trust server, the query terminates and a not-found response is returned to the local trust server. If it is found on the authority trust server, user A's biometric information corresponding to the user ID is returned to the local trust server.

9. The local trust server compares the biometric information and returns the comparison result (consistent or not) to the authenticating end.

10. The authenticating end makes its decision from the comparison result returned by the authority trust server: if consistent, authentication passes; otherwise it is rejected.

S205: the authenticating end decides whether authentication passes based on the authentication request and the comparison result.

Specifically, the comparison result may indicate either a successful or an unsuccessful comparison. It is sent to the authenticating end, which determines from it whether authentication passes: if the comparison succeeded, authentication passes; if it did not, authentication fails.

It can thus be seen that the biometric-based network-wide unified identity authentication method of this embodiment performs unified identity authentication across the whole network on the basis of biometrics, which effectively avoids cross-authentication and many other problems, and that authenticating with a user's biometric information is more convenient and reliable. At the same time, during authentication the authenticating end cannot obtain the biometric information itself; it only learns whether the comparison was consistent, because the comparison is performed on the local trust server within the trust anchor subsystem, which protects the private information (the user's biometrics).

The following describes the biometric-based network-wide unified identity authentication system provided by this embodiment. The system uses the architecture shown in FIG. 1 and applies the method described above; only its functions are outlined here, and for anything not covered refer to the description of the method. Specifically, the system comprises an authenticated end, an authenticating end and a trust anchor subsystem, where: the trust anchor subsystem comprises at least the authenticated end's local trust server; the authenticated end is configured to capture the user's biometric with a biometric collector to obtain the user's biometric information to be authenticated, and to send an authentication request to the authenticating end; the authenticated end is further configured to send first collection information to the authenticated end's local trust server, the first collection information comprising the user ID identification information, the authenticated end's identification address information and the user's biometric information to be authenticated; the authenticated end's local trust server is configured, if it finds the user ID identification information, to compare whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtain a comparison result and send it to the authenticating end through the trust anchor subsystem, the user authentication biometric information being the genuine user's biometric information corresponding to the user ID identification information; the authenticated end's local trust server is further configured, if it does not find the user ID identification information, to query the trust anchor subsystem for it, whereupon, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends it to the authenticating end; and the authenticating end is configured to decide whether authentication passes based on the authentication request and the comparison result.

It can thus be seen that the biometric-based network-wide unified identity authentication system of this embodiment performs unified identity authentication across the whole network on the basis of biometrics, which effectively avoids cross-authentication and many other problems, and that authenticating with a user's biometric information is more convenient and reliable. At the same time, during authentication the authenticating end cannot obtain the biometric information itself; it only learns whether the comparison was consistent, because the comparison is performed on the local trust server within the trust anchor subsystem, which protects the private information (the user's biometrics).

As an optional implementation of this embodiment, the trust anchor subsystem further comprises an authority trust server; the authenticated end is further configured to capture the user's biometric with the biometric collector to obtain the user authentication biometric information; the authenticated end is further configured to send second collection information to the authenticated end's local trust server, the second collection information comprising the user ID identification information, the authenticated end's identification address information and the user authentication biometric information; the authenticated end's local trust server is further configured to send the second collection information to the trust anchor subsystem; and the authority trust server in the trust anchor subsystem is configured to obtain and store the second collection information. In this way the genuine user's biometric information is stored on the authority trust server within the trust anchor subsystem, which protects its security.

As an optional implementation of this embodiment, the authenticated end's local trust server is specifically configured to check, according to the user ID identification information, whether the address of the authority trust server it is connected to in the trust anchor subsystem is that of the authority trust server corresponding to the user ID identification information; if so, it sends the second collection information to that connected authority trust server, which is specifically configured to obtain and store the second collection information. Thus, when the authority trust server connected to the authenticated end's local trust server is that local trust server's superior authority trust server, the local trust server, having obtained the genuine user's biometric information corresponding to the user ID identification information, stores it directly on that superior authority trust server.

As an optional implementation of this embodiment, the authenticated end's local trust server is specifically configured to check, according to the user ID identification information, whether the address of the authority trust server it is connected to in the trust anchor subsystem is that of the authority trust server corresponding to the user ID identification information; if not, to check whether the address of the top-level trust server connected to that authority trust server is that of the top-level trust server corresponding to the user ID identification information; and if not, to access the root trust server connected to that top-level authority server, whereupon the root trust server uses the user ID identification information to find the corresponding top-level trust server, the corresponding authority trust server is found from that top-level trust server, and the second collection information is sent to the authority trust server corresponding to the user ID identification information, which is specifically configured to obtain and store the second collection information. Thus, when the authority trust server connected to the authenticated end's local trust server is not that local trust server's superior authority trust server, the local trust server, having obtained the genuine user's biometric information corresponding to the user ID identification information, queries the top-level trust server above its connected authority trust server and then the root trust server above that, until it reaches the authority trust server corresponding to the user ID identification information, and stores the genuine user's biometric information there.
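The iterative recursive flow of steps 1 to 10 above and the routing of the second collection information at enrollment described in the preceding paragraphs, as an added simulation that is not code from the patent: the `user@authority.top` ID layout, the byte-string templates, the Hamming-distance threshold and all server and function names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: templates are fixed-length bit strings and a probe within
# MAX_HAMMING bits of the enrolled template counts as "consistent".
MAX_HAMMING = 3

def hamming(a: bytes, b: bytes) -> int:
    """Bit-level Hamming distance; a length mismatch counts as a total mismatch."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def split_user_id(user_id: str):
    """Assumed ID layout 'user@authority.top': the root routes on 'top', the
    top-level server on 'authority', and the authority keys on the full ID."""
    authority_label, _, top_label = user_id.partition("@")[2].partition(".")
    return authority_label, top_label

@dataclass
class TrustServer:
    """One node of the trust anchor subsystem: root, top-level or authority.
    Returning a child object stands in for the patent's 'return the address'."""
    name: str
    children: Dict[str, "TrustServer"] = field(default_factory=dict)  # next hop by label
    templates: Dict[str, bytes] = field(default_factory=dict)         # authority servers only

@dataclass
class LocalTrustServer:
    root: TrustServer
    connected_authority: TrustServer                       # the authority server it hangs off
    local_templates: Dict[str, bytes] = field(default_factory=dict)

    def resolve_authority(self, user_id: str) -> Optional[TrustServer]:
        """Iterative query root -> top-level -> authority, stopping at the first miss."""
        authority_label, top_label = split_user_id(user_id)
        top = self.root.children.get(top_label)            # steps 3-4
        return top.children.get(authority_label) if top else None  # steps 5-6

    def enroll(self, user_id: str, device_addr: str, enrolled: bytes) -> bool:
        """Second collection info: store the template on the user's own authority server."""
        authority_label, top_label = split_user_id(user_id)
        if self.connected_authority.name == f"{authority_label}.{top_label}":
            target = self.connected_authority              # connected authority is the right one
        else:
            target = self.resolve_authority(user_id)       # otherwise route via root/top-level
        if target is None:
            return False
        target.templates[user_id] = enrolled
        return True

    def authenticate(self, user_id: str, device_addr: str, probe: bytes) -> Optional[bool]:
        """First collection info. The comparison happens here; the authenticating end
        receives only None (ID not found), True (consistent) or False (inconsistent)."""
        enrolled = self.local_templates.get(user_id)       # step 2: known locally?
        if enrolled is None:
            authority = self.resolve_authority(user_id)
            enrolled = authority.templates.get(user_id) if authority else None  # steps 7-8
        if enrolled is None:
            return None                                    # query terminated: not found
        return hamming(probe, enrolled) <= MAX_HAMMING     # step 9

def authenticator_decision(result: Optional[bool]) -> str:
    """Step 10: pass only on a consistent comparison; reject otherwise."""
    return "pass" if result is True else "reject"

def build_demo() -> LocalTrustServer:
    """Constructed hierarchy: one root, two top-level servers, one authority under each."""
    dept1 = TrustServer("dept1.org1")
    dept2 = TrustServer("dept2.org2")
    root = TrustServer("root", {"org1": TrustServer("org1", {"dept1": dept1}),
                                "org2": TrustServer("org2", {"dept2": dept2})})
    return LocalTrustServer(root, connected_authority=dept1)

ALICE_TEMPLATE = bytes.fromhex("a5a5a5a5a5a5a5a5")   # constructed 64-bit enrolled template
ALICE_PROBE_OK = bytes.fromhex("a5a5a5a5a5a5a5a4")   # one bit of capture noise: consistent
ALICE_PROBE_BAD = bytes.fromhex("5a5a5a5a5a5a5a5a")  # every bit differs: inconsistent

def demo() -> List[str]:
    local = build_demo()
    local.enroll("alice@dept1.org1", "dev-1", ALICE_TEMPLATE)  # stored on the connected authority
    local.enroll("bob@dept2.org2", "dev-2", bytes(8))          # routed to dept2 via root -> org2
    probes = [
        ("alice@dept1.org1", ALICE_PROBE_OK),   # root -> org1 -> dept1, template matches
        ("alice@dept1.org1", ALICE_PROBE_BAD),  # found, but the probe does not match
        ("carol@dept9.org1", ALICE_PROBE_OK),   # org1 has no dept9: query terminates
        ("dan@dept1.org3", ALICE_PROBE_OK),     # root has no org3: query terminates
    ]
    return [authenticator_decision(local.authenticate(uid, "dev", p)) for uid, p in probes]

if __name__ == "__main__":
    print(demo())  # ['pass', 'reject', 'reject', 'reject']
```

Note that `authenticate` never returns the enrolled template, so the authenticating end sees only the verdict, which is the privacy property the text claims for the local-server comparison.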

As an optional implementation of this embodiment, the authenticated end's local trust server is specifically configured, if it does not find the user ID identification information, to query the authority trust server in the trust anchor subsystem that is connected to the authenticating end's local trust server for the user ID identification information; if the user ID identification information is found on that authority trust server, the local trust server connected to it and corresponding to the user ID identification information compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends it to the authenticating end; if the user ID identification information is not found on that authority trust server, the top-level trust server connected to it is queried for the user ID identification information; if the user ID identification information is found on an authority trust server under that top-level trust server, the local trust server connected to that authority trust server and holding the user ID identification information performs the comparison, obtains the comparison result and sends it to the authenticating end; if the user ID identification information is not found on any authority trust server under that top-level trust server, the root trust server connected to the top-level trust server is queried for the user ID identification information; and if the user ID identification information is held on an authority trust server under the root trust server, the query is passed by the root trust server to the top-level trust server connected to it that holds the user ID identification information and on to the authority trust server that holds the user ID identification information; when that authority trust server finds the user authentication biometric information, the local trust server connected to it compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends it to the authenticating end. Authentication can thus be performed in the hierarchical tree mode.

As an optional implementation of this embodiment, the authenticated end's local trust server is specifically configured, if it does not find the user ID identification information, to perform an iterative query, first asking the root trust server above it to look up the user ID identification information; if the user ID identification information is found on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server asks that top-level trust server to look up the user ID identification information; if the user ID identification information is found on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned, and the authenticated end's local trust server asks that authority trust server to look up the user ID identification information; if the user ID identification information is found on the authority trust server, the user authentication biometric information corresponding to the user ID identification information is returned to the authenticated end's local trust server, which compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains the comparison result and sends it to the authenticating end. Authentication can thus be performed in the iterative recursive mode.

Any process or method description in the flowcharts or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes alternative implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.

Those of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.

In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

The above embodiments only describe preferred implementations of the present invention and do not limit its scope; without departing from the design spirit of the present invention, any variations and improvements made to its technical solution by ordinary engineers in the art shall fall within the protection scope determined by the claims of the present invention.

Claims (8)

1. A network-wide unified identity authentication method based on biometric identification, characterized by comprising:

the authenticated end capturing a user's biometric with a biometric collector to obtain the user's biometric information to be authenticated, and sending an authentication request to the authenticating end;

the authenticated end sending first collection information to the authenticated end's local trust server, wherein the first collection information comprises user ID identification information, the authenticated end's identification address information and the user's biometric information to be authenticated;

if the authenticated end's local trust server finds the user ID identification information, comparing whether the user's biometric information to be authenticated is consistent with user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end through a trust anchor subsystem, wherein the user authentication biometric information is the genuine user's biometric information corresponding to the user ID identification information;

if the authenticated end's local trust server does not find the user ID identification information, querying the trust anchor subsystem for the user ID identification information, and, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sending the user authentication biometric information to the authenticated end's local trust server, the authenticated end's local trust server comparing whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end;

the authenticating end deciding whether authentication passes based on the authentication request and the comparison result;

wherein:

the step in which the authenticated end's local trust server, if it does not find the user ID identification information, queries the trust anchor subsystem for the user ID identification information, and, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends the comparison result to the authenticating end, comprises:

if the authenticated end's local trust server does not find the user ID identification information, querying the authority trust server in the trust anchor subsystem that is connected to the authenticating end's local trust server for the user ID identification information; if the user ID identification information is found on that authority trust server, the local trust server connected to that authority trust server and corresponding to the user ID identification information comparing whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end; if the user ID identification information is not found on that authority trust server, querying the top-level trust server connected to that authority trust server for the user ID identification information; if the user ID identification information is found on an authority trust server under that top-level trust server, the local trust server connected to that authority trust server and holding the user ID identification information comparing whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end; if the user ID identification information is not found on the authority trust servers under that top-level trust server, querying the root trust server connected to that top-level trust server for the user ID identification information; and if the user ID identification information is held on an authority trust server under the root trust server, querying through the root trust server the top-level trust server connected to it that holds the user ID identification information and then the authority trust server that holds the user ID identification information, and, when the authority trust server holding the user ID identification information finds the user authentication biometric information, the local trust server connected to that authority trust server comparing whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end;

the step in which the authenticated end's local trust server, if it does not find the user ID identification information, queries the trust anchor subsystem for the user ID identification information, and, if the trust anchor subsystem finds the user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated end's local trust server, which compares whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtains a comparison result and sends the comparison result to the authenticating end, comprises:

if the authenticated end's local trust server does not find the user ID identification information, requesting, through an iterative query, that the root trust server above the authenticated end's local trust server look up the user ID identification information; if the user ID identification information is found on the root trust server, returning the address of the top-level trust server to which the user ID identification information belongs, and the authenticated end's local trust server requesting that top-level trust server to look up the user ID identification information; if the user ID identification information is found on the top-level trust server, returning the address of the authority trust server to which the user ID identification information belongs, and the authenticated end's local trust server requesting that authority trust server to look up the user ID identification information; and if the user ID identification information is found on the authority trust server, returning to the authenticated end's local trust server the user authentication biometric information corresponding to the user ID identification information, the authenticated end's local trust server comparing whether the user's biometric information to be authenticated is consistent with the user authentication biometric information, obtaining a comparison result and sending the comparison result to the authenticating end.

2. The method according to claim 1, characterized by further comprising:

the authenticated end capturing the user's biometric with the biometric collector to obtain the user authentication biometric information;

the authenticated end sending second collection information to the authenticated end's local trust server, wherein the second collection information comprises the user ID identification information, the authenticated end's identification address information and the user authentication biometric information;

the authenticated end's local trust server sending the second collection information to the trust anchor subsystem;

the authority trust server in the trust anchor subsystem obtaining the second collection information and storing the second collection information.

3. The method according to claim 2, characterized in that the authenticated end's local trust server sending the second collection information to the trust anchor subsystem, and the authority trust server in the trust anchor subsystem obtaining the second collection information and storing the second collection information, comprises:

the authenticated end's local trust server checking, according to the user ID identification information, whether the address of the authority trust server connected to the authenticated end's local trust server in the trust anchor subsystem is that of the authority trust server corresponding to the user ID identification information;

if so, the authenticated end's local trust server sending the second collection information to the authority trust server connected to the authenticated end's local trust server;

the authority trust server connected to the authenticated end's local trust server obtaining the second collection information and storing the second collection information.

4. The method according to claim 2, characterized in that the authenticated end's local trust server sending the second collection information to the trust anchor subsystem, and the authority trust server in the trust anchor subsystem obtaining the second collection information and storing the second collection information, comprises:

the authenticated end's local trust server checking, according to the user ID identification information, whether the address of the authority trust server connected to the authenticated end's local trust server in the trust anchor subsystem is that of the authority trust server corresponding to the user ID identification information;

if not, the authenticated end checking whether the address of the top-level trust server connected to the authority trust server is that of the top-level trust server corresponding to the user ID identification information; if not, accessing the root trust server connected to the top-level authority server, the root trust server finding, according to the user ID identification information, the top-level trust server corresponding to the user ID identification information, accessing from the top-level trust server corresponding to the user ID identification information to find the authority trust server corresponding to the user ID identification information, and sending the second collection information to the authority trust server corresponding to the user ID identification information;

the authority trust server corresponding to the user ID identification information obtaining the second collection information and storing the second collection information.
5.一种基于生物特征识别的全网统一身份认证系统,其特征在于,包括:被认证端、认证端以及信任锚子系统;其中:所述信任锚子系统至少包括被认证端本地信任服务器;5. A network-wide unified identity authentication system based on biometric identification, comprising: an authenticated end, an authenticating end and a trust anchor subsystem; wherein: the trust anchor subsystem at least includes a local trust server of the authenticated end ; 被认证端,用于通过生物特征采集器采集用户的生物特征,得到用户待认证生物特征信息,并向认证端发送认证请求;The authenticated end is used to collect the user's biometrics through the biometrics collector, obtain the user's biometrics information to be authenticated, and send an authentication request to the authenticating end; 被认证端,还用于将第一采集信息发送至被认证端本地信任服务器,其中,所述第一采集信息包括用户ID标识信息、被认证端标识地址信息和所述用户待认证生物特征信息;The authenticated terminal is also used to send the first collection information to the local trust server of the authenticated terminal, wherein the first collection information includes user ID identification information, the identification address information of the authenticated terminal, and the biometric feature information of the user to be authenticated ; 所述被认证端本地信任服务器,用于如果查询到所述用户ID标识信息,则比对所述用户待认证生物特征信息与用户认证生物特征信息是否一致,得到比对结果,将所述比对结果通过信任锚子系统发送至认证端,其中,所述用户认证生物特征信息为与所述用户ID标识信息对应的真实的用户的生物特征信息;The local trust server of the authenticated end is used to compare whether the biometric information of the user to be authenticated is consistent with the biometric information of the user authentication if the user ID identification information is queried, obtain a comparison result, and compare the biometric information of the user to be authenticated. 
Sending the result to the authentication terminal through the trust anchor subsystem, wherein the user authentication biometric information is the biometric information of the real user corresponding to the user ID identification information; 所述被认证端本地信任服务器,还用于如果没有查询到所述用户ID标识信息,则向所述信任锚子系统查询所述用户ID标识信息,如果所述信任锚子系统查询到所述用户ID标识信息,则所述信任锚子系统中的权限信任服务器将所述用户认证生物特征信息发送至所述被认证端本地信任服务器,所述被认证端本地信任服务器比对所述用户待认证生物特征信息与所述用户认证生物特征信息是否一致,得到比对结果,将所述比对结果发送至认证端;The authenticated end local trust server is further configured to query the trust anchor subsystem for the user ID identification information if the user ID identification information is not queried, and if the trust anchor subsystem queries the user ID identification information, user ID identification information, the authority trust server in the trust anchor subsystem sends the user authentication biometric information to the authenticated local trust server, and the authenticated local trust server compares the user Whether the authentication biometric information is consistent with the user authentication biometric information, a comparison result is obtained, and the comparison result is sent to the authentication terminal; 所述认证端,用于根据所述认证请求以及所述比对结果进行是否认证通过的判断;the authentication terminal, configured to judge whether the authentication is passed according to the authentication request and the comparison result; 其中:in: 
所述被认证端本地信任服务器,具体用于如果没有查询到所述用户ID标识信息,则向所述信任锚子系统中的与所述认证端本地信任服务器连接的权限信任服务器查询所述用户ID标识信息,如果在所述权限信任服务器上查询到所述用户ID标识信息,则由与所述权限信任服务器连接的与所述用户ID标识信息对应的本地信任服务器对比所述用户待认证生物特征信息与所述用户认证生物特征信息是否一致,得到比对结果,将所述比对结果发送至认证端;如果在所述权限信任服务器上没有查询到所述用户ID标识信息,则向与所述权限信任服务器连接的顶级信任服务器查询所述用户ID标识信息,如果在所述顶级信任服务器下的权限信任服务器上查询到所述用户ID标识信息,则由与所述顶级信任服务器下的权限信任服务器连接的存有所述用户ID标识信息的本地信任服务器对比所述用户待认证生物特征信息与所述用户认证生物特征信息是否一致,得到比对结果,将所述比对结果发送至认证端;如果在所述顶级信任服务器下的权限信任服务器上没有查询到所述用户ID标识信息,则向与所述顶级信任服务器连接的根信任服务器查询所述用户ID标识信息,如果所述根信任服务器下的权限信任服务器上存有所述用户ID标识信息,则通过所述根信任服务器向与所述根信任服务器连接的存储有所述用户ID标识信息的顶级信任服务器向存储有所述用户ID标识信息的权限信任服务器进行查询,在存储有所述用户ID标识信息的权限信任服务器查询到所述用户认证生物特征信息时,由与存储有所述用户ID标识信息的权限信任服务器连接的本地信任服务器对比所述用户待认证生物特征信息与所述用户认证生物特征信息是否一致,得到比对结果,将所述比对结果发送至认证端;The authenticated-end local trust server is specifically configured to query the user for the authority trust server in the trust anchor subsystem connected to the authenticating-end local trust server if the user ID identification information is not queried ID identification information, if the user ID identification information is queried on the authority trust server, the local trust server connected to the authority trust server and corresponding to the user ID identification information compares the user's biological creature to be authenticated Whether the feature information is consistent with the user authentication biometric information, obtain a comparison result, and send the comparison result to the authentication terminal; if the user ID identification information is not queried on the authority trust server, send the comparison result to the The top-level trust server connected to the authority trust server queries the user ID identification information, and if the user ID identification information is queried on the authority trust server under the top-level trust server, the user ID identification information will be queried by the user ID identification information under the top-level trust server. 
The local trust server that is connected to the authority trust server and stores the user ID identification information compares whether the biometric information to be authenticated of the user is consistent with the biometric information for authentication of the user, obtains a comparison result, and sends the comparison result to Authentication end; if the user ID identification information is not queried on the authority trust server under the top-level trust server, query the user ID identification information from the root trust server connected to the top-level trust server, if the The user ID identification information is stored on the authority trust server under the root trust server, then the top-level trust server that stores the user ID identification information connected to the root trust server sends the user ID identification information to the storage device through the root trust server. The authority trust server that stores the user ID identification information queries the authority trust server that stores the user ID identification information, and when the authority trust server that stores the user ID identification information queries the user authentication biometric information, the authority trust server that stores the user ID identification information The connected local trust server compares whether the biometric information of the user to be authenticated is consistent with the biometric information for authentication of the user, obtains a comparison result, and sends the comparison result to the authentication terminal; 
所述被认证端本地信任服务器,具体用于如果没有查询到所述用户ID标识信息,则通过迭代查询,向所述被认证端本地信任服务器上级的根信任服务器请求查询所述用户ID标识信息,如果在所述根信任服务器上查询到所述用户ID标识信息,则返回所述用户ID标识信息所属的顶级信任服务器的地址,被认证端本地信任服务器向所述用户ID标识信息所属的顶级信任服务器请求查询所述用户ID标识信息,如果在顶级信任服务器上查询到所述用户ID标识信息,则返回所述用户ID标识信息所属的权限信任服务器的地址,所述被认证端本地信任服务器向所述用户ID标识信息所属的权限信任服务器请求查询所述用户ID标识信息,如果在所述权限信任服务器上查询到所述用户ID标识信息,则返回给所述被认证端本地信任服务器与所述用户ID标识信息对应的所述用户认证生物特征信息,所述被认证端本地信任服务器对比所述用户待认证生物特征信息与所述用户认证生物特征信息是否一致,得到比对结果,将所述比对结果发送至认证端。The local trust server of the authenticated end is specifically used to request the root trust server of the upper level of the local trust server of the authenticated end to query the user ID identification information through an iterative query if the user ID identification information is not queried. , if the user ID identification information is queried on the root trust server, the address of the top-level trust server to which the user ID identification information belongs is returned, and the local trust server of the authenticated end reports to the top-level trust server to which the user ID identification information belongs. 
The trust server requests to query the user ID identification information, and if the user ID identification information is queried on the top-level trust server, the address of the authority trust server to which the user ID identification information belongs is returned, and the authenticated end local trust server Request to query the user ID identification information from the authority trust server to which the user ID identification information belongs, if the user ID identification information is queried on the authority trust server, then return to the authenticated end local trust server and The user authentication biometric information corresponding to the user ID identification information, the authenticated end local trust server compares the user biometric information to be authenticated and the user authentication biometric information whether the biometric information is consistent, obtains a comparison result, and sets the The comparison result is sent to the authentication terminal. 6.根据权利要求5所述的系统,其特征在于,所述信任锚子系统还包括:权限信任服务器;6. 
The system according to claim 5, wherein the trust anchor subsystem further comprises: an authority trust server; 所述被认证端,还用于通过生物特征采集器采集所述用户的生物特征,得到所述用户认证生物特征信息;The authenticated end is further configured to collect the biometrics of the user through a biometrics collector to obtain the user authentication biometrics information; 所述被认证端,还用于将第二采集信息发送至所述被认证端本地信任服务器,其中,所述第二采集信息包括所述用户ID标识信息、所述被认证端标识地址信息和所述用户认证生物特征信息;The authenticated end is further configured to send second collection information to the authenticated end local trust server, wherein the second collection information includes the user ID identification information, the authenticated end identification address information and the user authentication biometric information; 所述被认证端本地信任服务器,还用于将所述第二采集信息发送至所述信任锚子系统;The authenticated end local trust server is further configured to send the second collection information to the trust anchor subsystem; 所述信任锚子系统中的权限信任服务器,用于获取所述第二采集信息,并存储所述第二采集信息。The authority trust server in the trust anchor subsystem is configured to acquire the second collection information and store the second collection information. 7.根据权利要求6所述的系统,其特征在于,7. The system of claim 6, wherein: 所述被认证端本地信任服务器,具体用于根据所述用户ID标识信息比对所述信任锚子系统中的所述被认证端本地信任服务器连接的权限信任服务器的地址是否为与所述用户ID标识信息对应的权限信任服务器;如果是,则将所述第二采集信息发送至所述被认证端本地信任服务器连接的权限信任服务器;The authenticated end local trust server is specifically configured to compare, according to the user ID identification information, whether the address of the authority trust server connected to the authenticated end local trust server in the trust anchor subsystem is the same as that of the user. 
The authority trust server corresponding to the ID identification information; if so, send the second collection information to the authority trust server connected to the local trust server of the authenticated terminal; 所述被认证端本地信任服务器连接的权限信任服务器,具体用于获取所述第二采集信息,并存储所述第二采集信息。The authority trust server connected to the local trust server of the authenticated end is specifically configured to acquire the second collection information and store the second collection information. 8.根据权利要求6所述的系统,其特征在于,8. The system of claim 6, wherein: 所述被认证端本地信任服务器,具体用于根据所述用户ID标识信息比对所述信任锚子系统中的所述被认证端本地信任服务器连接的权限信任服务器的地址是否为与所述用户ID标识信息对应的权限信任服务器;如果不是,则比对所述权限信任服务器连接的顶级信任服务器的地址是否为与所述用户ID标识信息对应的顶级信任服务器;如果不是,则向与所述顶级权限服务器连接的根信任服务器进行访问,所述根信任服务器根据所述用户ID标识信息找到与所述用户ID标识信息对应的顶级信任服务器,并从所述与所述用户ID标识信息对应的顶级信任服务器进行访问,找到与所述用户ID标识信息对应的权限信任服务器,将所述第二采集信息发送至所述与所述用户ID标识信息对应的权限信任服务器;The authenticated end local trust server is specifically configured to compare, according to the user ID identification information, whether the address of the authority trust server connected to the authenticated end local trust server in the trust anchor subsystem is the same as that of the user. The authority trust server corresponding to the ID identification information; if not, compare whether the address of the top-level trust server connected to the authority trust server is the top-level trust server corresponding to the user ID identification information; The top-level authority server is connected to the root trust server for access, and the root trust server finds the top-level trust server corresponding to the user ID identification information according to the user ID identification information, and obtains the top-level trust server corresponding to the user ID identification information from the user ID identification information. 
The top-level trust server accesses, finds the authority trust server corresponding to the user ID identification information, and sends the second collection information to the authority trust server corresponding to the user ID identification information; 与所述用户ID标识信息对应的权限信任服务器,具体用于获取所述第二采集信息,并存储所述第二采集信息。The authority trust server corresponding to the user ID identification information is specifically configured to acquire the second collection information and store the second collection information.
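The registration flow of claims 2 to 4 and the lookup-then-compare flow of claims 1 and 5, written out as an added simulation. This is example code, not code from the patent or from Beijing Information Science and Technology University, and it assumes things the claims do not specify: user IDs laid out as `<user>.<authority>.<top>` (so that each hop can route on the ID alone), biometric templates modelled as 64-bit strings compared by Hamming distance against a threshold (the claims say only "consistent"), and every class, function and sample value below. The hop order follows claims 4, 5 and 8 (connected authority trust server, then its top-level trust server, then the root trust server); the last paragraph of claim 1 goes to the root directly, which is the same resolution with the first two checks skipped.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 6  # assumption: 64-bit templates are "consistent" if at most 6 bits differ


def split_user_id(user_id: str) -> Tuple[str, str, str]:
    """Assumed ID layout "<user>.<authority>.<top>", e.g. "alice.a1.cn" -> ("alice", "a1", "cn")."""
    parts = user_id.rsplit(".", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed user ID: {user_id!r}")
    return parts[0], parts[1], parts[2]


def templates_consistent(probe: int, enrolled: int) -> bool:
    """Stand-in for the biometric matcher: Hamming distance between two bit-string templates."""
    return bin(probe ^ enrolled).count("1") <= MATCH_THRESHOLD


@dataclass
class AuthorityTrustServer:
    name: str
    records: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # user_id -> (device addr, template)

    def store(self, user_id: str, device_addr: str, template: int) -> None:
        self.records[user_id] = (device_addr, template)

    def lookup(self, user_id: str) -> Optional[int]:
        rec = self.records.get(user_id)
        return None if rec is None else rec[1]


@dataclass
class TopLevelTrustServer:
    name: str
    authorities: Dict[str, AuthorityTrustServer] = field(default_factory=dict)

    def authority_for(self, user_id: str) -> Optional[AuthorityTrustServer]:
        _, auth, top = split_user_id(user_id)
        return self.authorities.get(auth) if top == self.name else None


@dataclass
class RootTrustServer:
    tops: Dict[str, TopLevelTrustServer] = field(default_factory=dict)

    def top_for(self, user_id: str) -> Optional[TopLevelTrustServer]:
        return self.tops.get(split_user_id(user_id)[2])


@dataclass
class LocalTrustServer:
    authority: AuthorityTrustServer  # the authority trust server this local server is connected to
    top: TopLevelTrustServer         # the top-level trust server above that authority
    root: RootTrustServer
    cache: Dict[str, int] = field(default_factory=dict)  # user_id -> enrolled template held locally

    def resolve_authority(self, user_id: str, trace: List[str]) -> Optional[AuthorityTrustServer]:
        """Hop order of claims 4 and 8: connected authority, then its top-level server, then the root."""
        _, auth, top = split_user_id(user_id)
        if top == self.top.name and auth == self.authority.name:
            trace.append(f"authority:{auth}")
            return self.authority
        if top == self.top.name:
            trace.append(f"top:{top}")
            return self.top.authority_for(user_id)
        trace.append("root")
        owner_top = self.root.top_for(user_id)
        if owner_top is None:
            return None
        trace.append(f"top:{owner_top.name}")
        return owner_top.authority_for(user_id)

    def register(self, user_id: str, device_addr: str, template: int,
                 trace: Optional[List[str]] = None) -> bool:
        """Second collection information (claim 2): store the enrolled template at the owning authority."""
        trace = [] if trace is None else trace
        auth = self.resolve_authority(user_id, trace)
        if auth is None:
            return False
        auth.store(user_id, device_addr, template)
        return True

    def authenticate(self, user_id: str, device_addr: str, probe: int,
                     trace: Optional[List[str]] = None) -> Optional[bool]:
        """First collection information (claim 1). Returns the comparison result, or None if the ID is unknown.
        device_addr is carried as in the claims but not used by the lookup itself."""
        trace = [] if trace is None else trace
        enrolled = self.cache.get(user_id)
        if enrolled is None:
            auth = self.resolve_authority(user_id, trace)
            if auth is None:
                return None
            enrolled = auth.lookup(user_id)  # as claimed, the enrolled template itself comes back here
            if enrolled is None:
                return None
        return templates_consistent(probe, enrolled)


def authenticating_end_decides(requested_user_id: str, result_user_id: str, result: Optional[bool]) -> bool:
    """The authenticating end passes only a positive result that belongs to the ID in its own request."""
    return result is True and requested_user_id == result_user_id


def build_demo() -> LocalTrustServer:
    """Constructed hierarchy and sample templates (made-up values, not real biometric data)."""
    a1, a2, b1 = AuthorityTrustServer("a1"), AuthorityTrustServer("a2"), AuthorityTrustServer("b1")
    cn = TopLevelTrustServer("cn", {"a1": a1, "a2": a2})
    us = TopLevelTrustServer("us", {"b1": b1})
    local = LocalTrustServer(authority=a1, top=cn, root=RootTrustServer({"cn": cn, "us": us}))
    local.register("alice.a1.cn", "10.0.0.5", 0x0123456789ABCDEF)   # stored on connected authority a1
    local.register("bob.a2.cn", "10.0.0.6", 0x00FF00FF00FF00FF)     # routed via top-level cn
    local.register("carol.b1.us", "10.0.1.7", 0xF0F0F0F0F0F0F0F0)   # routed via the root
    return local
```

Calling `build_demo().authenticate("carol.b1.us", "10.0.1.7", 0xF0F0F0F0F0F0F0F7, hops)` fills `hops` with `["root", "top:us"]` and returns `True`; a probe differing in more than `MATCH_THRESHOLD` bits returns `False`, and an ID no server holds returns `None`, which the authenticating end treats as a failed authentication. One property of the claimed flow is visible in `authenticate`: the authority trust server hands the enrolled template back to whichever local trust server asked, so every local trust server able to issue an iterative query receives raw templates; the claims do not say how that transfer or the stored templates are protected, so that is the first thing to pin down in any deployment built on this design.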
CN201910027728.6A 2019-01-11 2019-01-11 A network-wide unified identity authentication method and system based on biometric identification Active CN109753779B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910027728.6A CN109753779B (en) 2019-01-11 2019-01-11 A network-wide unified identity authentication method and system based on biometric identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910027728.6A CN109753779B (en) 2019-01-11 2019-01-11 A network-wide unified identity authentication method and system based on biometric identification

Publications (2)

Publication Number Publication Date
CN109753779A CN109753779A (en) 2019-05-14
CN109753779B true CN109753779B (en) 2020-10-30

Family

ID=66404650

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910027728.6A Active CN109753779B (en) 2019-01-11 2019-01-11 A network-wide unified identity authentication method and system based on biometric identification

Country Status (1)

Country Link
CN (1) CN109753779B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110189136A (en) * 2019-05-20 2019-08-30 中国银联股份有限公司 Transaction processing method, device, equipment, medium and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881471A (en) * 2018-07-09 2018-11-23 北京信息科技大学 Alliance-based network-wide unified trust anchor system and construction method
CN109145540A (en) * 2018-08-24 2019-01-04 广州大学 Blockchain-based identity authentication method and device for intelligent terminals

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080021866A1 (en) * 2006-07-20 2008-01-24 Heather M Hinton Method and system for implementing a floating identity provider model across data centers
US8196177B2 (en) * 2008-10-16 2012-06-05 International Business Machines Corporation Digital rights management (DRM)-enabled policy management for a service provider in a federated environment


Also Published As

Publication number Publication date
CN109753779A (en) 2019-05-14

Similar Documents

Publication Publication Date Title
US10659236B2 (en) Method for superseding log-in of user through PKI-based authentication by using blockchain database of UTXO-based protocol, and server employing same
US10554421B2 (en) Method for superseding log-in of user through PKI-based authentication by using smart contact and blockchain database, and server employing same
CN111031074B (en) Authentication method, server and client
EP4002758A1 (en) Security token validation
CN108777684B (en) Identity authentication method, system and computer readable storage medium
WO2020134942A1 (en) Identity verification method and system therefor
CN1859096B (en) Safety verifying system and method
RU2434340C2 (en) Infrastructure for verifying biometric account data
JP2010501103A (en) Method and system for authentication
CN1274105C (en) Dynamic password authentication method based on digital certificate implement
CN109474437B (en) A method for applying digital certificate based on biometric information
CN108259438A (en) Authentication method and apparatus based on blockchain technology
WO2022016842A1 (en) Method for concealing user information in decentralized identity system, and computer-readable medium
US20070234054A1 (en) System and method of network equipment remote access authentication in a communications network
CN112231366B (en) A blockchain-based enterprise credit report query method, device and system
WO2025001468A1 (en) Decentralized identity authentication method and related device
CN113259311A (en) Decentralized identity authentication system based on block chain
CN114499876A (en) IoT data storage method based on blockchain and NB-IoT chip
CN109753779B (en) A network-wide unified identity authentication method and system based on biometric identification
CN110647553B (en) A method and system for managing electricity transaction contracts based on blockchain
CN111383110A (en) Cross-block-chain evidence transfer method and device and hardware equipment
CN112115442B (en) Power terminal digital identity management method and system
CN115841330B (en) System and method for managing and controlling block chain cross-domain identity
CN112000937A (en) Unified login platform based on enterprise multi-application system
CN114268445A (en) Authentication method, device and system for cloud mobile phone application, authentication module and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
OL01 Intention to license declared