
HK1246035B - Identity registration method and device based on biological features - Google Patents

Identity registration method and device based on biological features

Info

Publication number: HK1246035B
Authority: HK (Hong Kong)
Prior art keywords: authentication, registration, biometric, request message, user
Application number: HK18105213.0A
Other languages: Chinese (zh)
Other versions: HK1246035A1, HK1246035A
Inventor: 孙元博
Original Assignee: 创新先进技术有限公司

Description

Biometric-based identity registration method and apparatus

Technical Field

The present application relates to the field of network communication technology, and in particular to a biometric-based identity registration method and apparatus.

Background Art

With the development of biometric technology, combining computers with optics, acoustics, biosensors, biostatistics and other techniques has made it possible to verify a person's identity from inherent physiological characteristics such as fingerprints, face, iris and voice.

The rapid growth of the mobile internet has given biometric technology a new application platform: fingerprints or faces can be used on a user device to log in to an account or make a payment without remembering and typing a password. The image or video data needed for biometric identification is captured by the user device, and the identification itself can run either on the user device or on a server. Because uploading that image or video data to a server usually consumes a large amount of traffic, biometric identification is usually performed on the user device. Once the biometric data supplied by the user passes verification on the device, the device uploads the verification result to the server and the user passes identity authentication.

In this process, then, whether identity authentication succeeds depends mainly on the user device's biometric verification result, and that result is a single pass-or-fail value that is easy to forge; how trustworthy the user device is therefore has a large effect on the security of the user's account. In the prior art, a device identifier of the user device is used in the registration and authentication flows to represent the device that a given account uses for local biometric verification, but a device identifier is easily spoofed (on some virtual machines, for example, it can simply be set), which leaves the account exposed.

Summary of the Invention

In view of this, the present application provides a biometric-based identity registration method applied on a user device that stores a user-side device authentication parameter. The method includes:

obtaining the device identifier of the user device;

obtaining biometric data of the user and using the biometric data to perform biometric verification of the user's identity;

after the biometric verification passes, sending a registration request message to the service server, where the registration request message includes the device identifier and an account identifier and is encrypted or signed with the user-side device authentication parameter; so that the authentication server, after receiving the registration request message forwarded by the service server, decrypts the message or verifies its signature with a network-side device authentication parameter that is identical to or corresponds to the user-side device authentication parameter and, if the decryption succeeds or the signature verifies, stores the correspondence between the device identifier and the account identifier for use in authenticating that account.

The present application also provides a biometric-based identity registration method applied on an authentication server, including:

receiving from the service server a registration request message originating from a user device, where the registration request message includes the device identifier and account identifier of the user device and is encrypted or signed with the user-side device authentication parameter of that user device;

obtaining, according to the device identifier, the network-side device authentication parameter that is identical to or corresponds to the user-side device authentication parameter;

decrypting the registration request message or verifying its signature with the network-side device authentication parameter and, if the decryption succeeds or the signature verifies, storing the correspondence between the device identifier and the account identifier for use in authenticating that account.

The present application further provides a biometric-based identity registration apparatus applied on a user device that stores a user-side device authentication parameter. The apparatus includes:

a device identifier obtaining unit, configured to obtain the device identifier of the user device;

a biometric verification unit, configured to obtain biometric data of the user and use it to perform biometric verification of the user's identity;

a registration request sending unit, configured to send, after the biometric verification passes, a registration request message to the service server, where the registration request message includes the device identifier and an account identifier and is encrypted or signed with the user-side device authentication parameter; so that the authentication server, after receiving the registration request message forwarded by the service server, decrypts the message or verifies its signature with a network-side device authentication parameter that is identical to or corresponds to the user-side device authentication parameter and, if the decryption succeeds or the signature verifies, stores the correspondence between the device identifier and the account identifier for use in authenticating that account.

The present application also provides a biometric-based identity registration apparatus applied on an authentication server, including:

a registration request receiving unit, configured to receive from the service server a registration request message originating from a user device, where the registration request message includes the device identifier and account identifier of the user device and is encrypted or signed with the user-side device authentication parameter of that user device;

a device authentication parameter obtaining unit, configured to obtain, according to the device identifier, the network-side device authentication parameter that is identical to or corresponds to the user-side device authentication parameter;

a registration request processing unit, configured to decrypt the registration request message or verify its signature with the network-side device authentication parameter and, if the decryption succeeds or the signature verifies, store the correspondence between the device identifier and the account identifier for use in authenticating that account.

As the above technical solution shows, in the embodiments of the present application the user device encrypts or signs the registration request message it sends with the user-side device authentication parameter, and the authentication server obtains that device's network-side device authentication parameter from the device identifier and uses it to decrypt the message or verify its signature. Checking the user device against a user-side parameter pre-stored on the device and a network-side parameter pre-stored on the server establishes whether the device is trustworthy, so that identity authentication based on local biometric verification is carried out on a trusted user device, which improves the security of the user account and the reliability of identity authentication.

Brief Description of the Drawings

Figure 1 is a network structure diagram of an application scenario of an embodiment of the present application;

Figure 2 is a flowchart of a biometric-based identity registration method applied on a user device, in an embodiment of the present application;

Figure 3 is a flowchart of a biometric-based identity registration method applied on an authentication server, in an embodiment of the present application;

Figure 4 is an interaction flowchart of identity registration between a user device, a service server and an authentication server, in an application example of the present application;

Figure 5 is an interaction flowchart of identity authentication between a user device, a service server and an authentication server, in an application example of the present application;

Figure 6 is a hardware structure diagram of a user device or an authentication server;

Figure 7 is a logical structure diagram of a biometric-based identity registration apparatus applied on a user device, in an embodiment of the present application;

Figure 8 is a logical structure diagram of a biometric-based identity registration apparatus applied on an authentication server, in an embodiment of the present application.

Detailed Description

The embodiments of the present application propose a new biometric-based identity registration method: a user-side device authentication parameter is pre-stored on the user device, a network-side device authentication parameter that is identical to or corresponds to it is pre-stored on the server side, the user device encrypts or signs the registration request message with the user-side parameter, and the authentication server verifies the user device by decrypting the message or checking its signature with that device's network-side parameter. This ensures that identity registration, and the identity authentication that follows, take place on a trusted user device, improving both the security of the device used for authentication and the reliability of the authentication, and so addresses the problems of the prior art.

One network structure for the application scenario of the embodiments is shown in Figure 1: the user device and the service server, and the service server and the authentication server, can reach each other over a communication network. The user device is a terminal with a biometric recognition function, such as a mobile phone, tablet, PC (Personal Computer) or notebook. The service server receives the service requests (including registration and authentication requests) that the user initiates from the user device and returns responses to them. The authentication server performs identity authentication of user accounts. The service server and the authentication server may each be a single physical or logical server, or two or more physical or logical servers that divide the responsibilities and cooperate to provide the functions of the service server or the authentication server described in these embodiments. The embodiments place no restriction on the kinds of user device, service server and authentication server, nor on the type or protocol of the communication networks between the user device and the service server or between the service server and the authentication server.

In the embodiments, the flow of the biometric-based identity registration method on the user device is shown in Figure 2 and the flow on the authentication server in Figure 3.

In the embodiments, the user device stores a user-side device authentication parameter, and the authentication server can obtain, from local storage or another reachable network storage location, the correspondence between a user device's device identifier and that device's network-side device authentication parameter. For the same user device, the user-side and network-side device authentication parameters are either identical or correspond to each other.

The user-side device authentication parameter may be pre-stored on the user device before it leaves the factory; alternatively, the user device, the authentication server or some other network node may generate the corresponding user-side and network-side device authentication parameters, which are then handed to the user device and the authentication server respectively for storage. The embodiments do not restrict this. The user-side device authentication parameter can be kept in a secure storage area of the user device, and the software or processes allowed to access that area can be restricted, for better security.

The user-side and network-side device authentication parameters may be keys, passwords or the like generated by any of the algorithms known in the art. For example, an asymmetric algorithm may be used to generate a private key (the user-side device authentication parameter) and a public key (the network-side device authentication parameter); or a symmetric algorithm may be used to generate a single key that serves as both the user-side and the network-side device authentication parameter. The embodiments do not restrict this.

On the user device, step 210: obtain the device identifier of the user device.

A hardware identifier that is unique to the user device can usually serve as its device identifier, for example its UUID (Universally Unique Identifier), MAC (Media Access Control) address or Bluetooth address.

On the user device, step 220: obtain the user's biometric data and use it to perform biometric verification of the user's identity.

When the user starts, on the user device, the registration flow for biometric identity verification, the device asks the user to supply the biometric data to be used for identity registration. The biometric data can be of any biometric authentication type the device supports (that is, any biometric recognition function the device has), such as fingerprint, voice, iris or face; and within one type it can be any particular object the device is able to recognise, for example the print of any finger, or the iris of either eye.

A user may register for identity authentication with a particular service or service system. In that case the client of that service system running on the user device (either client software installed on the device or the service system's page in a browser) can determine which biometric authentication type is used for authentication in that service system and ask the user for biometric data of that type.

Once the user device has the biometric data supplied by the user (or biometric data of the determined type), it uses that data to perform biometric verification of the user's identity. The verification itself can follow any biometric recognition technique already used on user devices, for example comparing the data against sample data stored locally on the device beforehand; if the degree of match satisfies predetermined conditions, the biometric verification succeeds.

Note that there is no ordering between step 210 and step 220; either may be performed first.

On the user device, step 230: after the biometric verification passes, send a registration request message to the service server. The registration request message includes the device identifier and the account identifier and is encrypted or signed with the user-side device authentication parameter, so that the authentication server, after receiving the message forwarded by the service server, can decrypt it or verify its signature with the network-side device authentication parameter that is identical to or corresponds to the user-side one and, if that succeeds, store the correspondence between the device identifier and the account identifier for use in authenticating the account.

On the authentication server, step 310: receive from the service server a registration request message originating from a user device; the message includes the device identifier and account identifier of that user device and is encrypted or signed with its user-side device authentication parameter.

After the biometric verification passes, the user device packs the device identifier and the account identifier into a registration request message, encrypts or signs the message with the locally stored user-side device authentication parameter, and sends it to the service server. The service server forwards the registration request message to the authentication server.

The account identifier can be any information that uniquely identifies, on the authentication server, the user account being registered, such as an account name or account number.

On the authentication server, step 320: using the device identifier in the registration request message, obtain the network-side device authentication parameter that is identical to or corresponds to the user-side device authentication parameter.

After receiving the registration request message forwarded by the service server, the authentication server extracts the user device's device identifier and looks up that device's network-side device authentication parameter in the table of correspondences between device identifiers and network-side device authentication parameters. If no network-side device authentication parameter is found for the device identifier, the user device is not a trusted device and the registration flow ends in failure.

On the authentication server, step 330: decrypt the registration request message, or verify its signature, with the network-side device authentication parameter just obtained; if the decryption succeeds or the signature verifies, store the correspondence between the device identifier and the account identifier for use in authenticating the account.

Having obtained the user device's network-side device authentication parameter, the authentication server uses it to decrypt the registration request message or verify its signature. If the decryption fails or the signature does not verify, the device identifier in the request has most likely been spoofed by some other device, and the registration flow ends in failure. If it succeeds, the authentication server stores the correspondence between the device identifier and the account identifier, and the device identifier can then be used to authenticate that account in the subsequent identity authentication flow.

The user device may also carry information about the local biometric verification in the registration request message; for example, it may use the registration request message to notify the service server and the authentication server that the user passed local biometric verification.
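The registration exchange of steps 210 to 330, as an added example that is not part of the patent: both sides of the protocol in Python, using the symmetric variant the text allows (one key held as both the user-side and the network-side device authentication parameter, so "signing" the request is an HMAC-SHA256 over its fields). The device identifiers, keys, biometric templates and the field layout of the request are constructed for the example, and the byte-for-byte template comparison stands in for a real matcher that scores similarity.

```python
"""Registration exchange of Figs. 2-4 (steps 210-330), added example.

Symmetric variant from the text: the user-side and network-side device
authentication parameters are the same key, so sign/verify is an HMAC.
All identifiers, keys and biometric templates below are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(fields: dict) -> bytes:
    """Stable byte encoding of the message fields that the MAC covers."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuthenticationServer:
    def __init__(self):
        # device identifier -> network-side device authentication parameter
        # (stand-in for the table the server reads from local/network storage)
        self.device_params = {}
        # account identifier -> device identifier, written in step 330
        self.registrations = {}

    def provision(self, device_id: str) -> bytes:
        """Factory-time provisioning: create the device key, keep the
        network-side copy and hand back the user-side copy."""
        key = secrets.token_bytes(32)
        self.device_params[device_id] = key
        return key

    def handle_registration(self, msg: dict) -> str:
        body = msg["body"]
        # step 320: look the device up by the identifier it claims
        key = self.device_params.get(body["device_id"])
        if key is None:
            return "rejected: unknown device"
        # step 330: the MAC must verify under that device's key
        expected = hmac.new(key, canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["mac"])):
            return "rejected: device identifier spoofed"
        self.registrations[body["account_id"]] = body["device_id"]
        return "registered"


class ServiceServer:
    """Service server of Fig. 1: relays the request without inspecting it."""

    def __init__(self, auth: AuthenticationServer):
        self.auth = auth

    def forward_registration(self, msg: dict) -> str:
        return self.auth.handle_registration(msg)


class UserDevice:
    def __init__(self, device_id: str, user_side_param: bytes, template: bytes):
        self.device_id = device_id
        self.user_side_param = user_side_param  # kept in secure storage
        self.template = template  # constructed stand-in for enrolled sample data

    def local_biometric_check(self, probe: bytes) -> bool:
        """Step 220 stand-in: a real matcher scores similarity; an exact
        comparison keeps the example deterministic."""
        return hmac.compare_digest(probe, self.template)

    def registration_request(self, account_id: str, probe: bytes):
        if not self.local_biometric_check(probe):
            return None  # step 230 runs only after step 220 passes
        body = {
            "device_id": self.device_id,  # step 210
            "account_id": account_id,
            "local_bio_result": "pass",  # optional field mentioned in the text
        }
        mac = hmac.new(self.user_side_param, canonical(body), hashlib.sha256)
        return {"body": body, "mac": mac.hexdigest()}


def demo():
    auth = AuthenticationServer()
    svc = ServiceServer(auth)
    key = auth.provision("uuid-0a1b2c3d")  # constructed device identifier

    genuine = UserDevice("uuid-0a1b2c3d", key, b"thumb-template")
    ok = svc.forward_registration(genuine.registration_request("alice", b"thumb-template"))

    # A VM that sets the same device identifier but has no provisioned key:
    # its local biometric check "passes" (the attacker controls it), yet the
    # MAC does not verify under the key the server holds for that identifier.
    clone = UserDevice("uuid-0a1b2c3d", secrets.token_bytes(32), b"x")
    spoofed = svc.forward_registration(clone.registration_request("alice", b"x"))

    # An identifier the server never provisioned fails already at step 320.
    stray = UserDevice("vm-no-such-device", key, b"x")
    unknown = svc.forward_registration(stray.registration_request("bob", b"x"))
    return ok, spoofed, unknown, auth.registrations


if __name__ == "__main__":
    print(demo())
```

The two rejection paths are the ones the text describes: an identifier the server has never provisioned fails at step 320, and a device such as a virtual machine that sets a known identifier but lacks the provisioned key fails at step 330, even though its own local biometric check reports a pass. In the asymmetric variant the HMAC becomes a signature over the same canonical bytes, which additionally prevents a compromised authentication server from forging device requests. One caveat the text does not address: the request carries nothing that ties it to a moment in time, so a captured registration request verifies again if it is re-sent; in practice the authentication server would issue a challenge that the device includes under the MAC.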

In one implementation, after the biometric verification passes, the user device obtains a biometric token corresponding to the biometric data the user supplied for the local verification and carries that token in the registration request message sent to the service server. After the authentication server receives the message forwarded by the service server and successfully decrypts it or verifies its signature with the network-side device authentication parameter, it stores the correspondence between the device identifier, the account identifier and the biometric token found in the message, so that the account can be authenticated in the subsequent authentication flow using the device identifier and the biometric token.

The biometric token is a feature value or index value that, on this user device, uniquely corresponds to the sample data against which the biometric data was verified. In other words, the print of each of the user's fingers corresponds to a different biometric token, and the user's face corresponds to yet another; every time the user verifies with a thumb, the thumbprint data captured by the device is checked against the thumbprint sample data, so all of those thumbprint captures map to the same biometric token.

The present application does not restrict the form of the biometric token or how it is generated: it may, for example, be a digest obtained by applying a digest algorithm to the sample data or part of it, or a random number associated with the sample data. The user device may keep the sample data used for verification together with its biometric token in the device's secure storage area.

In this implementation the biometric token is part of the registration information, and the user device must present the same biometric token to pass identity authentication. Compared with merely reporting that local biometric verification succeeded, this makes forging a local verification result considerably harder and so makes the user account more secure.

For a user device that supports two or more biometric authentication types, the device can select one of them as the type used for this user's registration and authentication and obtain biometric data of that type for the local verification. The device can carry the selected biometric authentication type in the registration request message; after successfully decrypting the message or verifying its signature, the authentication server stores the correspondence between the device identifier, account identifier, biometric token and biometric authentication type from the message, so that the device identifier, biometric token and biometric authentication type together can be used to authenticate the account in the subsequent flow.

After the biometric data supplied by the user passes verification, the user device may also generate, with a preset algorithm, identical or corresponding user-side and network-side service authentication parameters. The user device keeps the user-side service authentication parameter locally and carries the network-side service authentication parameter in the registration request message, which is uploaded to the service server and forwarded by it to the authentication server. After successfully decrypting the message or verifying its signature, the authentication server stores the correspondence between the device identifier, account identifier, biometric token, biometric authentication type and network-side service authentication parameter. In subsequent identity authentication, the user device and the authentication server can use the user-side and network-side service authentication parameters to encrypt and decrypt, or sign and verify, the messages of the authentication flow, improving its reliability.

The user-side and network-side service authentication parameters may likewise be keys, passwords or the like generated by any algorithm known in the art, for example a private key (user-side service authentication parameter) and public key (network-side service authentication parameter) from an asymmetric algorithm, or a single symmetric key that serves as both.

Note that if the user device may store together user-side service authentication parameters generated for the clients of two or more service systems, and/or user-side service authentication parameters for two or more different biometric authentication types generated for the client of one service system, it should also record which service system, and/or which biometric authentication type, each user-side service authentication parameter belongs to.

In some application scenarios the authentication server provides authentication services for multiple different service systems, each of which has its own user accounts, hereinafter called the user's service accounts; a service account identifier is the information that uniquely corresponds to a service account within a given service system.

If the service account identifiers of these service systems may collide, then before sending the registration request message to the service server, the user device can send a registration information request message to the service server that includes the user's service account identifier. The service server forwards the registration information request message to the authentication server. On receiving it, the authentication server generates a virtual account identifier corresponding to that service account (that is, to that service account in that service system), encapsulates the virtual account identifier in a registration information response message and sends it to the service server, which forwards it to the user device. The user device extracts the virtual account identifier from the registration information response message and uses it as the account identifier in the registration request message.

A virtual account identifier uniquely corresponds, on the authentication server, to one service account in one service system. The embodiments of this application do not limit how it is generated. For example, the service system identifier combined with the user's service account identifier in that service system may serve as the virtual account identifier; as another example, the index of that user account of that service system in the authentication server's database of registered accounts may serve as the virtual account identifier.

It should be noted that if the generation method cannot guarantee that the same virtual account identifier is generated for the same service account of the same service system, the authentication server must store the correspondence between the generated virtual account identifier and the service account of the service system, so that in subsequent identity authentication the same virtual account identifier as in registration can be assigned to the same user account of the same service system.

If the service account identifiers of these service systems are all distinct, the authentication server can use the service account identifier directly as the account identifier, or it can still generate a virtual account identifier corresponding to the service account and send it to the user device through the service server in the registration information response message, so that the user device uses the virtual account identifier as its account identifier in the registration request message.

Various security measures can be applied to the identity registration flow to increase its security; two implementations are given below as examples.

First example: in the implementation where the user device sends a registration information request message to the service server to obtain the registration information needed for the registration request message (such as the virtual account identifier), the authentication server, after receiving the registration information request message, generates the virtual account identifier together with a registration challenge code for that virtual account. The registration challenge code can be generated by any one-time password generation algorithm; this example does not limit it. The authentication server encapsulates the virtual account identifier and the generated registration challenge code in the registration information response message, sends it to the service server and starts timing. After receiving the registration information response message forwarded by the service server, the user device generates the registration request message with the virtual account identifier as its account identifier, encapsulates the registration challenge code from the registration information response message in the registration request message, and sends it to the service server. After the registration request message is successfully decrypted or its signature verified, the authentication server stores the correspondence between the device identifier and the virtual account identifier in the registration request message only if the registration challenge code in the message equals the one it generated for that virtual account and the interval between sending that virtual account's registration information response message and receiving the registration request message is within a first predetermined duration; otherwise the registration flow fails and the authentication server rejects the registration request. In practice the stored challenge code should also be discarded once it has been checked, so that a captured registration request cannot be replayed within the time window.

Second example: a corresponding server private key and server public key can be generated in advance on the authentication server. In the implementation where the user device sends a registration information request message to the service server to obtain the registration information needed for the registration request message (such as the virtual account identifier, or the virtual account identifier and the registration challenge code), the authentication server can encapsulate the server public key in the registration information response message, sign the registration information response message with the server private key, and then send it to the service server. After receiving the registration information response message forwarded by the service server, the user device extracts the server public key from it and verifies the signature of the message; if the signature verifies, the flow of generating and sending the registration request message continues; if it fails, the registration information response message most likely did not come from a trusted authentication server, and the registration flow ends in failure. Note that a signature checked only against a public key carried in the same message proves just that the message is self-consistent; to rule out a substituted server key, the user device should also compare the received server public key with a copy pinned in the authentication client or provisioned at the factory.

It should be noted that the implementations in the two examples above can be used separately or in combination, and can likewise be combined with the implementations of the virtual account identifier, the user-side and network-side service authentication parameters, the biometric authentication type and the biometric token described above.
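The following Go program is an added example, not part of this application or of any product it describes, showing the two measures above combined: the authentication server derives the virtual account identifier (the first derivation offered above, system identifier plus account identifier), issues a one-time registration challenge code, starts timing, and signs the response with its server private key; the authentication client checks the carried server public key against a pinned copy before verifying the signature; the server later consumes the challenge, enforcing the first predetermined duration. Ed25519 signatures, the JSON field names, the challenge format and the window length are all assumptions; the application does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// RegistrationInfoResponse is the signed body the authentication server returns (field names assumed).
type RegistrationInfoResponse struct {
	VirtualAccountID string `json:"vaid"`
	Challenge        string `json:"challenge"`
	ServerPublicKey  []byte `json:"server_pub"`
}

type pendingChallenge struct {
	code     string
	issuedAt time.Time // when the response was sent: the "timer" the text starts
}

// AuthServer: server key pair, acceptance window ("first predetermined duration")
// and one pending challenge per virtual account (single-goroutine demo, no locking).
type AuthServer struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	window  time.Duration
	pending map[string]pendingChallenge
}

func NewAuthServer(window time.Duration) (*AuthServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{priv: priv, pub: pub, window: window, pending: map[string]pendingChallenge{}}, nil
}

// VirtualAccountID is the first derivation the text offers: system identifier plus account identifier.
func VirtualAccountID(systemID, accountID string) string { return systemID + ":" + accountID }

// SignResponse signs the JSON encoding of the response with a server private key.
func SignResponse(priv ed25519.PrivateKey, resp RegistrationInfoResponse) ([]byte, error) {
	body, err := json.Marshal(resp)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, body), nil
}

// IssueRegistrationInfo generates a fresh one-time challenge for the virtual
// account, records when it was issued, and returns the response with its signature.
func (s *AuthServer) IssueRegistrationInfo(systemID, accountID string, now time.Time) (RegistrationInfoResponse, []byte, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return RegistrationInfoResponse{}, nil, err
	}
	resp := RegistrationInfoResponse{VirtualAccountID: VirtualAccountID(systemID, accountID),
		Challenge: hex.EncodeToString(nonce[:]), ServerPublicKey: s.pub}
	sig, err := SignResponse(s.priv, resp)
	if err != nil {
		return RegistrationInfoResponse{}, nil, err
	}
	s.pending[resp.VirtualAccountID] = pendingChallenge{code: resp.Challenge, issuedAt: now}
	return resp, sig, nil
}

// VerifyChallenge is the server-side check on the later registration request: the code
// must match the pending one and arrive within the window. The pending entry is
// consumed whatever the outcome, so a captured request cannot be replayed.
func (s *AuthServer) VerifyChallenge(vaid, code string, now time.Time) error {
	p, ok := s.pending[vaid]
	delete(s.pending, vaid)
	if !ok {
		return errors.New("no pending registration challenge for this virtual account")
	}
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return errors.New("registration challenge code mismatch")
	}
	if now.Before(p.issuedAt) || now.Sub(p.issuedAt) > s.window {
		return errors.New("registration challenge code expired")
	}
	return nil
}

// ClientVerifyResponse is the authentication client's check: the key carried in the
// response must equal the pinned server key before it is used, otherwise a forged
// response signed with the forger's own key would verify.
func ClientVerifyResponse(pinned ed25519.PublicKey, resp RegistrationInfoResponse, sig []byte) error {
	if !pinned.Equal(ed25519.PublicKey(resp.ServerPublicKey)) {
		return errors.New("server public key in response does not match the pinned key")
	}
	body, err := json.Marshal(resp)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, body, sig) {
		return errors.New("registration information response signature invalid")
	}
	return nil
}
```

The pinned key would normally ship inside the authentication client; here the test simply reads it from the server object. Deleting the pending entry before any comparison is deliberate: a failed check must not leave a usable challenge behind.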

It can be seen that in the embodiments of this application, user-side device authentication parameters are pre-stored on the user device and identical or corresponding network-side device authentication parameters are pre-stored on the server side; the user device encrypts or signs the registration request message it sends with the user-side device authentication parameters, and the authentication server retrieves the network-side device authentication parameters of that user device by its device identifier and decrypts or verifies the registration request message. By verifying the trustworthiness of the user device through the user-side and network-side device authentication parameters, the embodiments improve the security of the user device used for identity authentication and increase the reliability of identity authentication.

After the registration flow above is completed, the server has stored the correspondence between the account identifier and the device identifier, together with any other information; the device identifier and that other stored information become the registered information of the account. When the user initiates biometric-based identity authentication from the user device, the user device presents this registered information of its account to the authentication server, and the account can thereby be authenticated.

Specifically, after the user initiates a biometric-based identity authentication flow on the user device, the user device obtains its device identifier, obtains the user's biometric data and uses it to perform biometric verification of the user's identity; after biometric verification passes, the user device sends an authentication request message containing the device identifier and the account identifier to the service server, which forwards it to the authentication server; based on the account identifier in the authentication request message, the authentication server compares the device identifier in the message with the registered device identifier of that account, and if they match, identity authentication passes.

If the authentication server has stored other registered information for the account, the user device can obtain the corresponding information during the authentication flow in a manner similar to the registration flow and present it to the authentication server: for example, obtaining the virtual account identifier and an authentication challenge code through an authentication information request message and an authentication information response message, or obtaining the biometric authentication type and the biometric token. See the authentication flow in the application example of this application for details. It should be noted that these items of registered information can be used separately or in combination; the embodiments of this application are not limited in this respect.

In one application example of this application, a service client and an authentication client are installed on the user device. The service client and the service server complete, through requests and responses, the functions offered by their service system, including biometric-based identity authentication. On the user device, the service client implements the functions related to biometric-based identity authentication by calling the authentication client, while the service server implements them by accessing the authentication server. The device private key of the user device (that is, the user-side device authentication parameter) is pre-stored on the user device before it leaves the factory, and the corresponding device public key (the network-side device authentication parameter) is stored in a network storage location accessible to the authentication server.

In the identity registration flow, the interaction between the service client and the authentication client on the user device, and between the user device, the service server and the authentication server, is shown in Figure 4.

After the user initiates the identity registration flow through the service client, the service client calls the authentication client to request the device data of the user device. The authentication client obtains the device identifier, device model, biometric authentication types supported by the device and other device information, and returns this device data to the service client.

The service client sends a registration information request message to the service server, carrying the device identifier of the user device and the user's service account identifier in that service system. The service server forwards the registration information request message to the authentication server.

The authentication server holds a corresponding server private key and server public key. On receiving the registration information request message, it takes the service system identifier and the service account identifier as the virtual account identifier corresponding to that service account, generates a registration challenge code for that virtual account, encapsulates the virtual account identifier, registration challenge code and server public key in a registration information response message, signs the registration information response message with the server private key, then sends it to the service server and starts timing. The service server forwards the registration information response message to the service client on the user device.

From the biometric authentication types supported by the device, as reported in the device data returned by the authentication client, the service client selects one as the biometric authentication type to be used for the user's registration and authentication, and requests and obtains from the user biometric data of that type.

The service client calls the authentication client with the biometric data of that type provided by the user; the authentication client performs local biometric verification with that data and notifies the service client of the result.

If biometric verification fails, the service client ends the registration flow and informs the user that local biometric verification did not pass. After biometric verification passes, the service client calls the authentication client with the registration information response message it received.

The authentication client extracts the server public key from the registration information response message and verifies the message's signature; if verification fails it notifies the service client, which ends the registration flow as a failure. After verification passes, the authentication client obtains the biometric token corresponding to the biometric data used in the most recent successful local biometric verification (that is, the data the service client submitted for local biometric verification), and generates a service private key (the user-side service authentication parameter) and a service public key (the network-side service authentication parameter) with a preset algorithm. It stores the correspondence between the virtual account identifier extracted from the registration information response message, the biometric authentication type used in the most recent successful local biometric verification, the biometric token and the service private key. The authentication client then assembles a registration request message carrying the device identifier, virtual account identifier, biometric authentication type, biometric token, service public key and the registration challenge code extracted from the registration information response message; it reads the device private key stored on the user device, signs the registration request message with it, and returns the message to the service client.

The service client sends the registration request message to the service server, which forwards it to the authentication server.

The authentication server extracts the device identifier from the received registration request message, looks up the device public key corresponding to that device identifier in the accessible network storage location, and verifies the signature of the registration request message with the device public key. If verification fails, it rejects the registration request and notifies the service server, which notifies the service client of the registration failure. After verification passes, the authentication server compares the registration challenge code in the registration request message with the registration challenge code it generated for the virtual account named in the message, and obtains the time difference between sending the registration information response message and receiving the registration request message. If the two registration challenge codes differ or the time difference exceeds the first predetermined duration, the authentication server rejects the registration request and notifies the service server, which notifies the service client of the registration failure; otherwise the authentication server stores the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and service public key from the registration request message, and returns to the service server a registration response message indicating success, carrying the virtual account identifier and biometric authentication type from that correspondence together with the service account identifier corresponding to that virtual account identifier.

The service server stores the correspondence between the service account identifier, virtual account identifier and biometric authentication type from the successful registration response message, and notifies the service client of the successful registration.
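The following Go program is an added example, not code from this application or from any product it describes, and is self-contained (it re-declares its own types). It covers the registration request step of the flow above and the service authentication parameters described earlier: the authentication client generates the service key pair, keeps the private half per (virtual account, biometric type), places the public half in the registration request, and signs the whole request with the factory-provisioned device private key; the authentication server looks the device public key up by device identifier, verifies the signature, checks the registration challenge code and the time since the response was sent, and only then stores the binding. Ed25519 keys, the JSON field names and the way the challenge is handed to the handler are assumptions; the server's challenge bookkeeping itself is not repeated here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"time"
)

// RegistrationRequest carries the fields the registration request message lists (names assumed).
type RegistrationRequest struct {
	DeviceID         string `json:"device_id"`
	VirtualAccountID string `json:"vaid"`
	BioType          string `json:"bio_type"`
	BioToken         string `json:"bio_token"`
	ServicePublicKey []byte `json:"service_pub"`
	Challenge        string `json:"challenge"`
}

// SignedMessage is the wire form: the JSON body plus a signature over it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// AuthClient is the device side: the factory-provisioned device private key and the
// service private keys it generates, kept per (virtual account, biometric type).
type AuthClient struct {
	DeviceID    string
	devicePriv  ed25519.PrivateKey
	ServicePriv map[[2]string]ed25519.PrivateKey
}

// ProvisionDevice stands in for factory provisioning: the private key stays on the
// device; the public key goes to the store the authentication server can read.
func ProvisionDevice(deviceID string) (*AuthClient, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &AuthClient{DeviceID: deviceID, devicePriv: priv, ServicePriv: map[[2]string]ed25519.PrivateKey{}}, pub, nil
}

// BuildRegistrationRequest generates the service key pair, keeps the private half
// locally, and signs the request (public half inside) with the device private key.
func (c *AuthClient) BuildRegistrationRequest(vaid, bioType, bioToken, challenge string) (SignedMessage, error) {
	servicePub, servicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SignedMessage{}, err
	}
	c.ServicePriv[[2]string{vaid, bioType}] = servicePriv
	body, err := json.Marshal(RegistrationRequest{DeviceID: c.DeviceID, VirtualAccountID: vaid,
		BioType: bioType, BioToken: bioToken, ServicePublicKey: servicePub, Challenge: challenge})
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: ed25519.Sign(c.devicePriv, body)}, nil
}

// RegKey is what the server later looks registrations up by; Registration is the stored binding.
type RegKey struct{ VAID, DeviceID, BioType string }

type Registration struct {
	BioToken         string
	ServicePublicKey ed25519.PublicKey
}

// AuthServer holds the device public keys (network-side device authentication
// parameters, keyed by device identifier) and the completed registrations.
type AuthServer struct {
	DevicePubKeys map[string]ed25519.PublicKey
	Registrations map[RegKey]Registration
	Window        time.Duration // the "first predetermined duration"
}

func NewAuthServer(window time.Duration) *AuthServer {
	return &AuthServer{DevicePubKeys: map[string]ed25519.PublicKey{}, Registrations: map[RegKey]Registration{}, Window: window}
}

// HandleRegistration checks the device signature first, then the challenge code and
// elapsed time (expected and issuedAt are the server's own record of the challenge
// it issued for this virtual account), and only then stores the binding.
func (s *AuthServer) HandleRegistration(msg SignedMessage, expected string, issuedAt, now time.Time) error {
	var req RegistrationRequest
	if err := json.Unmarshal(msg.Body, &req); err != nil {
		return err
	}
	devPub, ok := s.DevicePubKeys[req.DeviceID]
	if !ok {
		return errors.New("unknown device identifier")
	}
	if !ed25519.Verify(devPub, msg.Body, msg.Signature) {
		return errors.New("device signature invalid")
	}
	if subtle.ConstantTimeCompare([]byte(req.Challenge), []byte(expected)) != 1 {
		return errors.New("registration challenge code mismatch")
	}
	if now.Sub(issuedAt) > s.Window {
		return errors.New("registration challenge code expired")
	}
	if len(req.ServicePublicKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a wrong-size key
		return errors.New("malformed service public key")
	}
	s.Registrations[RegKey{req.VirtualAccountID, req.DeviceID, req.BioType}] =
		Registration{BioToken: req.BioToken, ServicePublicKey: ed25519.PublicKey(req.ServicePublicKey)}
	return nil
}
```

The signature is checked before anything in the body is trusted, so a request that claims another device's identifier is rejected by that device's public key rather than by any later comparison; the length check on the submitted service public key matters because the server will pass it to the verifier on every later authentication.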

In the identity authentication flow, the interaction between the service client and the authentication client on the user device, and between the user device, the service server and the authentication server, is shown in Figure 5.

After the user initiates the identity authentication flow through the service client, the service client calls the authentication client to request the device data of the user device. The authentication client obtains the device identifier, device model, biometric authentication types supported by the device and other device information, and returns this device data to the service client.

The service client sends an authentication information request message to the service server, carrying the device identifier of the user device and the user's service account identifier in that service system. The service server extracts the service account identifier from the message and checks whether it has stored a virtual account identifier and biometric authentication type corresponding to that service account identifier. If it has, the service account has already registered biometric-based identity authentication with the authentication server, and the service server forwards the authentication information request message to the authentication server; if not, it replies to the service client that identity authentication has not been enabled.

On receiving the authentication information request message, the authentication server takes the service system identifier and the service account identifier in the message as the virtual account identifier, generates an authentication challenge code for that virtual account, encapsulates the virtual account identifier, authentication challenge code and server public key in an authentication information response message, signs it with the server private key, then sends it to the service server and starts timing. The service server forwards the authentication information response message to the service client on the user device.

The service client requests from the user, and obtains, biometric data of the biometric authentication type that was determined at registration.

The service client calls the authentication client with the biometric data of that type provided by the user; the authentication client performs local biometric verification with that data and notifies the service client of the result.

If biometric verification fails, the service client ends the authentication flow and informs the user that local biometric verification did not pass. After biometric verification passes, the service client calls the authentication client with the authentication information response message it received.

The authentication client extracts the server public key from the authentication information response message and verifies the message's signature; if verification fails it notifies the service client, which ends the authentication flow as a failure. After verification passes, the authentication client obtains the biometric token corresponding to the biometric data used in the most recent successful local biometric verification (that is, the data the service client submitted for the local biometric verification above), and encapsulates the device identifier, the virtual account identifier extracted from the authentication information response message, the biometric authentication type used in the most recent successful local biometric verification, the biometric token and the authentication challenge code extracted from the authentication information response message into an authentication request message. In the correspondence it stored at registration between virtual account identifier, biometric authentication type, biometric token and service private key, the authentication client looks up the service private key matching the biometric authentication type of the most recent successful local biometric verification, the virtual account identifier from the authentication information response message and the biometric token, signs the authentication request message with that service private key, and returns it to the service client. (The service private key never leaves the user device, so this lookup is performed by the authentication client, not by the authentication server.)

The service client sends the authentication request message to the service server, which forwards it to the authentication server.

The authentication server extracts the authentication challenge code from the received authentication request message, compares it with the authentication challenge code it generated for the virtual account named in the message, and obtains the time difference between sending the authentication information response message and receiving the authentication request message. If the two authentication challenge codes differ or the time difference exceeds the first predetermined duration, the authentication server rejects the authentication request and notifies the service server, which notifies the service client of the authentication failure.

The authentication server looks up the registered biometric token and registered service public key corresponding to the virtual account identifier, device identifier and biometric authentication type in the authentication request message, compares the biometric token in the message with the registered biometric token, and verifies the signature of the authentication request message with the registered service public key. If the two biometric tokens differ or signature verification fails, the authentication server rejects the authentication request and notifies the service server, which notifies the service client of the authentication failure.

After the authentication challenge code, biometric token and service public key checks above have all passed, the authentication server returns the result that identity authentication passed to the service server in an authentication response message. The service server can then carry out the corresponding service processing on the strength of that result, and notify the service client of the authentication result and/or the service processing result.
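The following Go program is an added example, not code from this application or from any product it describes, and is self-contained (it re-declares its own types). It covers the authentication request step above, including the point made earlier that a device serving several accounts or biometric types must keep each service private key together with its virtual account and biometric type: the authentication client selects the service private key for (virtual account, biometric type) and signs the request; the authentication server checks the challenge code and time window, then looks the registration up by virtual account, device identifier and biometric type, compares the biometric token, and verifies the signature with the registered service public key. Enroll is a stand-in for the registration flow so the example runs alone. Ed25519 keys and the JSON field names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"time"
)

// AuthRequest carries the fields the authentication request message lists (names assumed).
type AuthRequest struct {
	DeviceID         string `json:"device_id"`
	VirtualAccountID string `json:"vaid"`
	BioType          string `json:"bio_type"`
	BioToken         string `json:"bio_token"`
	Challenge        string `json:"challenge"`
}

// SignedMessage is the wire form: the JSON body plus a signature over it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// RegKey and Registration are the server's record from registration, looked up
// by virtual account, device identifier and biometric type.
type RegKey struct{ VAID, DeviceID, BioType string }

type Registration struct {
	BioToken         string
	ServicePublicKey ed25519.PublicKey
}

// AuthClient keeps the service private keys saved at registration, one per (virtual account, biometric type).
type AuthClient struct {
	DeviceID    string
	ServicePriv map[[2]string]ed25519.PrivateKey
}

func NewAuthClient(deviceID string) *AuthClient {
	return &AuthClient{DeviceID: deviceID, ServicePriv: map[[2]string]ed25519.PrivateKey{}}
}

// BuildAuthRequest selects the service private key for this account and biometric
// type and signs the request with it; without a matching key no request can be built.
func (c *AuthClient) BuildAuthRequest(vaid, bioType, bioToken, challenge string) (SignedMessage, error) {
	priv, ok := c.ServicePriv[[2]string{vaid, bioType}]
	if !ok {
		return SignedMessage{}, errors.New("no service private key for this account and biometric type")
	}
	body, err := json.Marshal(AuthRequest{DeviceID: c.DeviceID, VirtualAccountID: vaid,
		BioType: bioType, BioToken: bioToken, Challenge: challenge})
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

type AuthServer struct {
	Registrations map[RegKey]Registration
	Window        time.Duration // the "first predetermined duration"
}

// Enroll stands in for the registration flow: the service key pair is generated, the
// private half stays on the client, the public half and the token go to the server.
func Enroll(c *AuthClient, s *AuthServer, vaid, bioType, bioToken string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	c.ServicePriv[[2]string{vaid, bioType}] = priv
	s.Registrations[RegKey{vaid, c.DeviceID, bioType}] = Registration{BioToken: bioToken, ServicePublicKey: pub}
	return nil
}

// HandleAuthentication runs the server checks in the order the text gives: challenge
// code and window (expected and issuedAt are the server's record of the challenge it
// issued), then the registered biometric token, then the service signature.
func (s *AuthServer) HandleAuthentication(msg SignedMessage, expected string, issuedAt, now time.Time) error {
	var req AuthRequest
	if err := json.Unmarshal(msg.Body, &req); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(req.Challenge), []byte(expected)) != 1 {
		return errors.New("authentication challenge code mismatch")
	}
	if now.Sub(issuedAt) > s.Window {
		return errors.New("authentication challenge code expired")
	}
	reg, ok := s.Registrations[RegKey{req.VirtualAccountID, req.DeviceID, req.BioType}]
	if !ok {
		return errors.New("no registration for this account, device and biometric type")
	}
	if subtle.ConstantTimeCompare([]byte(req.BioToken), []byte(reg.BioToken)) != 1 {
		return errors.New("biometric token does not match the registered token")
	}
	if !ed25519.Verify(reg.ServicePublicKey, msg.Body, msg.Signature) {
		return errors.New("service signature invalid")
	}
	return nil
}
```

Because the registration is keyed by device identifier as well, a second device that enrolled its own service key for the same account cannot authenticate as the first one: claiming the first device's identifier selects the first device's registered public key, and the signature made with the second device's key fails under it.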

与上述流程实现对应,本申请的实施例还提供了一种应用在用户设备上的基于生物特征的身份注册装置和一种应用在认证服务器上的基于生物特征的身份注册装置。上述装置均可以通过软件实现,也可以通过硬件或者软硬件结合的方式实现。以软件实现为例,作为逻辑意义上的装置,是通过用户设备或认证服务器的CPU(Central Process Unit,中央处理器)将对应的计算机程序指令读取到内存中运行形成的。从硬件层面而言,除了图6所示的CPU、内存以及非易失性存储器之外,用户设备通常还包括用于进行无线信号收发的芯片等其他硬件,认证服务器通常还包括用于实现网络通信功能的板卡等其他硬件。Corresponding to the above-mentioned process implementation, the embodiment of the present application also provides a biometric identity registration device applied on a user device and a biometric identity registration device applied on an authentication server. The above-mentioned devices can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, as a device in the logical sense, it is formed by the CPU (Central Process Unit) of the user device or the authentication server reading the corresponding computer program instructions into the memory and running them. From the hardware level, in addition to the CPU, memory and non-volatile memory shown in Figure 6, the user device usually also includes other hardware such as chips for sending and receiving wireless signals, and the authentication server usually also includes other hardware such as boards for implementing network communication functions.

图7所示为本申请实施例提供的一种基于生物特征的身份注册装置,应用在用户设备上,所述用户设备保存有用户侧设备认证参数,所述装置包括设备标识获取单元、生物特征校验单元和注册请求发送单元,其中:设备标识获取单元用于获取用户设备的设备标识;生物特征校验单元用于获取用户的生物数据,利用所述生物数据对用户身份进行生物特征校验;注册请求发送单元用于在通过生物特征校验后,向业务服务器发送注册请求报文,所述注册请求报文中包括设备标识和账户标识,并采用所述用户侧设备认证参数进行加密或签名;供认证服务器在收到业务服务器转发的注册请求报文后,采用与用户侧设备认证参数相同或相对应的网络侧设备认证参数对注册请求报文进行解密或验签,并在解密成功或验签通过后保存所述设备标识和账户标识的对应关系,以用来对所述账户进行身份认证。Figure 7 shows a biometric-based identity registration device provided by an embodiment of the present application, which is applied to a user device, and the user device stores user-side device authentication parameters. The device includes a device identification acquisition unit, a biometric verification unit and a registration request sending unit, wherein: the device identification acquisition unit is used to obtain the device identification of the user device; the biometric verification unit is used to obtain the user's biometric data and use the biometric data to perform biometric verification on the user's identity; the registration request sending unit is used to send a registration request message to the business server after passing the biometric verification, the registration request message includes a device identification and an account identification, and is encrypted or signed using the user-side device authentication parameters; after receiving the registration request message forwarded by the business server, the authentication server uses the network-side device authentication parameters that are the same as or corresponding to the user-side device authentication parameters to decrypt or verify the registration request message, and saves the correspondence between the device identification and the account identification after successful decryption or verification, so as to perform identity authentication on the account.

Optionally, the user-side device authentication parameters are stored in a secure storage area of the user device.

Optionally, the apparatus further includes a biometric token unit, which obtains a biometric token corresponding to the biometric data after the biometric verification passes. The registration request message then also includes the biometric token, so that, after successful decryption or signature verification of the message, the authentication server stores the correspondence between the device identifier, the account identifier and the biometric token for use in authenticating the account.

Optionally, the apparatus further includes a biometric authentication type determination unit, which determines the user's biometric authentication type. The biometric verification unit is then specifically configured to obtain the user's biometric data according to the determined biometric authentication type and to use that data to perform biometric verification of the user's identity. The registration request message also includes the biometric authentication type, so that, after successful decryption or signature verification of the message, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

Optionally, the apparatus further includes a business authentication parameter generation unit, which, after the biometric verification passes, generates user-side and network-side business authentication parameters that are the same as, or correspond to, each other, and stores the user-side business authentication parameters. The registration request message also includes the network-side business authentication parameters, so that, after signature verification of the message passes, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token, the biometric authentication type and the network-side business authentication parameters for use in authenticating the account.

In one example, the apparatus further includes a registration information request sending unit and a registration information response receiving unit. The registration information request sending unit sends a registration information request message, which includes the business account identifier, to the business server, and the business server forwards it to the authentication server. The registration information response receiving unit receives the registration information response message returned by the business server; this message is sent by the authentication server to the business server and includes a virtual account identifier, generated by the authentication server, that corresponds to the business account. The account identifier in the registration request message then includes the virtual account identifier.

In the above example, the registration information response message may further include a registration challenge code generated by the authentication server for the virtual account. The registration request message then also includes the registration challenge code, so that, after receiving the registration request message forwarded by the business server, the authentication server can verify the message based on the registration challenge code and on the time interval between sending the registration information response message and receiving the registration request message.

In the above example, the registration information response message may further include a server public key, and the registration information response message is signed by the authentication server with the server private key corresponding to that public key. The apparatus then further includes a server public key verification unit, which, after the registration information response message is received, verifies the message's signature with the server public key; if verification fails, the registration procedure ends.

Figure 8 shows a biometric-based identity registration apparatus provided by an embodiment of the present application. It is applied on an authentication server and includes a registration request receiving unit, a device authentication parameter acquisition unit and a registration request processing unit. The registration request receiving unit receives, from the business server, a registration request message originating from a user device; the message includes the device identifier and the account identifier of the user device and is encrypted or signed with the user-side device authentication parameters of that device. The device authentication parameter acquisition unit obtains, based on the device identifier, the network-side device authentication parameters that are the same as, or correspond to, the user-side device authentication parameters. The registration request processing unit decrypts or verifies the registration request message with the network-side device authentication parameters and, once decryption succeeds or signature verification passes, stores the correspondence between the device identifier and the account identifier for use in authenticating the account.

Optionally, the registration request message further includes a biometric token corresponding to the user's biometric data. The registration request processing unit is then specifically configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier, the account identifier and the biometric token for use in authenticating the account.

Optionally, the registration request message further includes the biometric authentication type. The registration request processing unit is then specifically configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

Optionally, the registration request message further includes network-side business authentication parameters generated by the user device, which are the same as, or correspond to, the user-side business authentication parameters stored on the user device. The registration request processing unit is then specifically configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier, the account identifier, the biometric token, the biometric authentication type and the network-side business authentication parameters for use in authenticating the account.

In one example, the apparatus further includes a registration information request receiving unit and a virtual account identifier unit. The registration information request receiving unit receives, from the business server, a registration information request message originating from the user device; the message includes the business account identifier. The virtual account identifier unit generates a virtual account identifier corresponding to the business account and sends it to the business server in a registration information response message, for the business server to forward to the user device. The account identifier in the registration request message then includes the virtual account identifier.

In the above example, the apparatus may further include a registration challenge code generation unit, which generates a registration challenge code for the virtual account. The registration information response message then also includes the generated registration challenge code, and the registration request message also includes the registration challenge code. The registration request processing unit is specifically configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier and the virtual account identifier only if the registration challenge code in the registration request message is the same as the registration challenge code generated for the virtual account named in that message, and the time interval between sending the registration information response message and receiving the registration request message is within a first predetermined duration.

In the above example, the authentication server has access to a server private key. The apparatus further includes a server private key signing unit, which signs the registration information response message with the server private key, and the registration information response message also includes the server public key corresponding to that private key, for the user device to use in verifying the signature of the registration information response message.
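The registration exchange described in the two apparatus sections above (device side, Figure 7; server side, Figure 8), as an added simulation that is not part of the patent. It models the "same parameter" variant, in which both sides hold one shared device secret and the signature over the registration request is an HMAC-SHA256 of the message body (asymmetric signing of the registration information response with the server key pair is not modelled), uses JSON bodies, and assumes a 60-second window for the first predetermined duration; class and method names, identifiers and key values are all constructed.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical value of the "first predetermined duration" for the challenge window.
REG_WINDOW_SECONDS = 60


def canonical(fields):
    """Serialize a message body so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def mac(key, fields):
    """'Signature' in the shared-secret (same-parameter) variant: HMAC-SHA256."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


class UserDevice:
    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self.device_key = device_key   # user-side device authentication parameter
        self.business_key = None       # user-side business authentication parameter

    def biometric_check(self, biometric_type, sample_matches):
        """Stand-in for the local biometric match. On success it returns the
        biometric token: the device-local index of the enrolled template that
        matched (constructed value), never the biometric sample itself."""
        return f"tpl-{biometric_type}-01" if sample_matches else None

    def build_registration_request(self, account_id, challenge, biometric_type,
                                   sample_matches=True):
        token = self.biometric_check(biometric_type, sample_matches)
        if token is None:
            return None  # verification failed: no registration request is sent
        # Business authentication parameters are generated only after the
        # biometric check passes; in the same-parameter variant the network
        # side receives a copy of the secret the device keeps.
        self.business_key = secrets.token_hex(32)
        body = {
            "device_id": self.device_id,
            "account_id": account_id,          # the virtual account identifier
            "biometric_token": token,
            "biometric_type": biometric_type,
            "business_param": self.business_key,
            "challenge": challenge,
        }
        return {"body": body, "sig": mac(self.device_key, body)}


class AuthServer:
    def __init__(self):
        self.device_keys = {}    # device_id -> network-side device auth parameter
        self.pending = {}        # virtual_account_id -> (challenge, issue_time, business account)
        self.registrations = {}  # virtual_account_id -> stored correspondence

    def provision_device_key(self, device_id, key):
        self.device_keys[device_id] = key

    def registration_info_response(self, business_account_id, now):
        """Step 1: answer the registration information request with a virtual
        account identifier and a one-shot challenge, remembering when it was issued."""
        virtual_id = "vacct-" + secrets.token_hex(8)
        challenge = secrets.token_hex(16)
        self.pending[virtual_id] = (challenge, now, business_account_id)
        return {"virtual_account_id": virtual_id, "challenge": challenge}

    def handle_registration_request(self, request, now):
        """Step 2: look up the device key by device identifier, verify the MAC,
        then check challenge and time window before storing the correspondence."""
        body = request["body"]
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return "unknown_device"
        if not hmac.compare_digest(request["sig"], mac(key, body)):
            return "bad_signature"       # tampered body, or wrong device key
        pending = self.pending.get(body["account_id"])
        if pending is None or not hmac.compare_digest(pending[0], body["challenge"]):
            return "bad_challenge"       # unknown account, replay, or wrong challenge
        if now - pending[1] > REG_WINDOW_SECONDS:
            return "expired"             # outside the first predetermined duration
        del self.pending[body["account_id"]]  # the challenge is single-use
        self.registrations[body["account_id"]] = {
            "device_id": body["device_id"],
            "biometric_token": body["biometric_token"],
            "biometric_type": body["biometric_type"],
            "business_param": body["business_param"],
            "business_account_id": pending[2],
        }
        return "registered"
```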

The above are only preferred embodiments of the present application and are not intended to limit it. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within its scope of protection.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-persistent storage in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.

Computer-readable media include persistent and non-persistent, removable and non-removable media that can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.

It should also be noted that the terms "comprises", "includes" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. In the absence of further limitation, an element defined by the phrase "comprises a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that includes the element.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, CD-ROM and optical storage) containing computer-usable program code.

Claims (26)

1. A biometric-based identity registration method, applied on a user device, characterized in that the user device stores user-side device authentication parameters and the method includes: obtaining the device identifier of the user device; obtaining the user's biometric data and using the biometric data to perform biometric verification of the user's identity; after the biometric verification passes, obtaining a biometric token corresponding to the biometric data, the biometric token being an index value on the user device that uniquely corresponds to the sample data used to verify the biometric data; and sending a registration request message to the business server, the registration request message including the device identifier, the biometric token and the account identifier and being encrypted or signed with the user-side device authentication parameters, so that, after receiving the registration request message forwarded by the business server, the authentication server decrypts or verifies the message with network-side device authentication parameters that are the same as, or correspond to, the user-side device authentication parameters and, after successful decryption or signature verification, stores the correspondence between the device identifier, the biometric token and the account identifier for use in authenticating the account.

2. The method according to claim 1, characterized in that the user-side device authentication parameters are stored in a secure storage area of the user device.

3. The method according to claim 1, characterized in that the method further includes: determining the user's biometric authentication type; obtaining the user's biometric data includes obtaining the user's biometric data according to the determined biometric authentication type; and the registration request message further includes the biometric authentication type, so that, after successful decryption or signature verification of the registration request message, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

4. The method according to claim 3, characterized in that the method further includes: after the biometric verification passes, generating user-side and network-side business authentication parameters that are the same as, or correspond to, each other, and storing the user-side business authentication parameters; and the registration request message further includes the network-side business authentication parameters, so that, after signature verification of the registration request message passes, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token, the biometric authentication type and the network-side business authentication parameters for use in authenticating the account.

5. The method according to claim 1, characterized in that the method further includes: sending a registration information request message, which includes the business account identifier, to the business server, the business server forwarding it to the authentication server; receiving the registration information response message returned by the business server, the message being sent by the authentication server to the business server and including a virtual account identifier generated by the authentication server for the business account; and the account identifier in the registration request message includes the virtual account identifier.

6. The method according to claim 5, characterized in that the registration information response message further includes a registration challenge code generated by the authentication server for the virtual account; and the registration request message further includes the registration challenge code, so that, after receiving the registration request message forwarded by the business server, the authentication server verifies the registration request message based on the registration challenge code and on the time interval between sending the registration information response message and receiving the registration request message.

7. The method according to claim 5, characterized in that the registration information response message further includes a server public key, and the registration information response message is signed by the authentication server with the server private key corresponding to the server public key; and the method further includes: after receiving the registration information response message, verifying its signature with the server public key, and ending the registration procedure if verification fails.

8. A biometric-based identity registration method, applied on an authentication server, characterized in that it includes: receiving, from the business server, a registration request message originating from a user device, the registration request message including the device identifier, the biometric token and the account identifier of the user device and being encrypted or signed with the user-side device authentication parameters of the user device, the biometric token being an index value on the user device that uniquely corresponds to the sample data used to verify the biometric data; obtaining, based on the device identifier, network-side device authentication parameters that are the same as, or correspond to, the user-side device authentication parameters; and decrypting or verifying the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, storing the correspondence between the device identifier, the biometric token and the account identifier for use in authenticating the account.

9. The method according to claim 8, characterized in that the registration request message further includes the biometric authentication type; and storing the correspondence between the device identifier and the account identifier after successful decryption or signature verification includes: after successful decryption or signature verification, storing the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

10. The method according to claim 9, characterized in that the registration request message further includes network-side business authentication parameters generated by the user device, which are the same as, or correspond to, the user-side business authentication parameters stored on the user device; and storing the correspondence between the device identifier and the account identifier after successful decryption or signature verification includes: after successful decryption or signature verification, storing the correspondence between the device identifier, the account identifier, the biometric token, the biometric authentication type and the network-side business authentication parameters for use in authenticating the account.

11. The method according to claim 9, characterized in that the method further includes: receiving, from the business server, a registration information request message originating from the user device, the message including the business account identifier; generating a virtual account identifier corresponding to the business account and sending it to the business server in a registration information response message, for the business server to forward to the user device; and the account identifier in the registration request message includes the virtual account identifier.

12. The method according to claim 11, characterized in that the method further includes generating a registration challenge code for the virtual account; the registration information response message further includes the generated registration challenge code; the registration request message further includes the registration challenge code; and storing the correspondence between the device identifier and the account identifier after successful decryption or signature verification includes: after successful decryption or signature verification, if the registration challenge code in the registration request message is the same as the registration challenge code generated for the virtual account named in the registration request message, and the time interval between sending the registration information response message and receiving the registration request message is within a first predetermined duration, storing the correspondence between the device identifier and the virtual account identifier.

13. The method according to claim 11, characterized in that the authentication server has access to a server private key; the method further includes signing the registration information response message with the server private key; and the registration information response message further includes the server public key corresponding to the server private key, for the user device to use in verifying the signature of the registration information response message.

14. A biometric-based identity registration apparatus, applied on a user device, characterized in that the user device stores user-side device authentication parameters and the apparatus includes: a device identifier acquisition unit, configured to obtain the device identifier of the user device; a biometric verification unit, configured to obtain the user's biometric data and to use the biometric data to perform biometric verification of the user's identity; a biometric token unit, configured to obtain, after the biometric verification passes, a biometric token corresponding to the biometric data, the biometric token being an index value on the user device that uniquely corresponds to the sample data used to verify the biometric data; and a registration request sending unit, configured to send a registration request message to the business server, the registration request message including the device identifier, the biometric token and the account identifier and being encrypted or signed with the user-side device authentication parameters, so that, after receiving the registration request message forwarded by the business server, the authentication server decrypts or verifies the message with network-side device authentication parameters that are the same as, or correspond to, the user-side device authentication parameters and, after successful decryption or signature verification, stores the correspondence between the device identifier, the biometric token and the account identifier for use in authenticating the account.

15. The apparatus according to claim 14, characterized in that the user-side device authentication parameters are stored in a secure storage area of the user device.

16. The apparatus according to claim 14, characterized in that the apparatus further includes a biometric authentication type determination unit, configured to determine the user's biometric authentication type; the biometric verification unit is specifically configured to obtain the user's biometric data according to the determined biometric authentication type and to use the biometric data to perform biometric verification of the user's identity; and the registration request message further includes the biometric authentication type, so that, after successful decryption or signature verification of the registration request message, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

17. The apparatus according to claim 16, characterized in that the apparatus further includes a business authentication parameter generation unit, configured to generate, after the biometric verification passes, user-side and network-side business authentication parameters that are the same as, or correspond to, each other, and to store the user-side business authentication parameters; and the registration request message further includes the network-side business authentication parameters, so that, after signature verification of the registration request message passes, the authentication server stores the correspondence between the device identifier, the account identifier, the biometric token, the biometric authentication type and the network-side business authentication parameters for use in authenticating the account.

18. The apparatus according to claim 14, characterized in that the apparatus further includes: a registration information request sending unit, configured to send a registration information request message, which includes the business account identifier, to the business server, the business server forwarding it to the authentication server; and a registration information response receiving unit, configured to receive the registration information response message returned by the business server, the message being sent by the authentication server to the business server and including a virtual account identifier generated by the authentication server for the business account; and the account identifier in the registration request message includes the virtual account identifier.

19. The apparatus according to claim 18, characterized in that the registration information response message further includes a registration challenge code generated by the authentication server for the virtual account; and the registration request message further includes the registration challenge code, so that, after receiving the registration request message forwarded by the business server, the authentication server verifies the registration request message based on the registration challenge code and on the time interval between sending the registration information response message and receiving the registration request message.

20. The apparatus according to claim 18, characterized in that the registration information response message further includes a server public key, and the registration information response message is signed by the authentication server with the server private key corresponding to the server public key; and the apparatus further includes a server public key verification unit, configured to verify, after the registration information response message is received, the signature of the registration information response message with the server public key, the registration procedure ending if verification fails.

21. A biometric-based identity registration apparatus, applied on an authentication server, characterized in that it includes: a registration request receiving unit, configured to receive, from the business server, a registration request message originating from a user device, the registration request message including the device identifier, the biometric token and the account identifier of the user device and being encrypted or signed with the user-side device authentication parameters of the user device, the biometric token being an index value on the user device that uniquely corresponds to the sample data used to verify the biometric data; a device authentication parameter acquisition unit, configured to obtain, based on the device identifier, network-side device authentication parameters that are the same as, or correspond to, the user-side device authentication parameters; and a registration request processing unit, configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier, the biometric token and the account identifier for use in authenticating the account.

22. The apparatus according to claim 21, characterized in that the registration request message further includes the biometric authentication type; and the registration request processing unit is specifically configured to decrypt or verify the registration request message with the network-side device authentication parameters and, after successful decryption or signature verification, to store the correspondence between the device identifier, the account identifier, the biometric token and the biometric authentication type for use in authenticating the account.

23. The apparatus according to claim 22, characterized in that the registration request message further includes network-side business authentication parameters generated by the user device, which are the same as, or correspond to, the user-side business authentication parameters stored on the user device;
The apparatus according to claim 22, wherein the registration request message further includes: network-side service authentication parameters generated by the user equipment, which are the same as or correspond to the user-side service authentication parameters stored on the user equipment; 所述注册请求处理单元具体用于:采用所述网络侧设备认证参数对注册请求报文进行解密或验签,在解密成功或验签通过后,保存设备标识、账户标识、生物特征令牌、生物认证类型和网络侧业务认证参数的对应关系,以用来对所述账户进行身份认证。The registration request processing unit is specifically used to: decrypt or verify the registration request message using the network-side device authentication parameters; and after successful decryption or verification, save the correspondence between the device identifier, account identifier, biometric token, biometric authentication type, and network-side service authentication parameters for use in authenticating the account. 24.根据权利要求22所述的装置,其特征在于,所述装置还包括:24. The apparatus according to claim 22, wherein the apparatus further comprises: 注册信息请求接收单元,用于从业务服务器接收来自所述用户设备的注册信息请求报文,所述注册信息请求报文中包括业务账户标识;A registration information request receiving unit is configured to receive a registration information request message from the user equipment from the service server, wherein the registration information request message includes a service account identifier. 虚拟账户标识单元,用于生成对应于所述业务账户的虚拟账户标识,将虚拟账户标识携带在注册信息响应报文中发送给业务服务器,供业务服务器将其转发给所述用户设备;The virtual account identifier unit is used to generate a virtual account identifier corresponding to the business account, and send the virtual account identifier in the registration information response message to the business server, so that the business server can forward it to the user equipment; 所述注册请求报文中的账户标识包括:所述虚拟账户标识。The account identifier in the registration request message includes: the virtual account identifier. 25.根据权利要求24所述的装置,其特征在于,所述装置还包括:注册挑战码生成单元,用于生成所述虚拟账户的注册挑战码;25. 
The apparatus according to claim 24, wherein the apparatus further comprises: a registration challenge code generation unit, configured to generate a registration challenge code for the virtual account; 所述注册信息响应报文中还包括:所生成的注册挑战码;The registration information response message also includes: the generated registration challenge code; 所述注册请求报文中还包括:注册挑战码;The registration request message also includes: a registration challenge code; 所述注册请求处理单元具体用于:采用所述网络侧设备认证参数对注册请求报文进行解密或验签,在解密成功或验签通过后,如果注册请求报文中的注册挑战码与为注册请求报文中虚拟账户生成的注册挑战码相同、并且发送注册信息响应报文和收到注册请求报文的时间间隔在第一预定时长范围内,保存所述设备标识与虚拟账户标识的对应关系。The registration request processing unit is specifically used to: decrypt or verify the registration request message using the network-side device authentication parameters; and after successful decryption or verification, if the registration challenge code in the registration request message is the same as the registration challenge code generated for the virtual account in the registration request message, and the time interval between sending the registration information response message and receiving the registration request message is within a first predetermined time range, save the correspondence between the device identifier and the virtual account identifier. 26.根据权利要求24所述的装置,其特征在于,所述认证服务器可获取到服务器私钥;26. The apparatus according to claim 24, wherein the authentication server can obtain the server private key; 所述装置还包括:服务器私钥签名单元,用于采用所述服务器私钥对注册信息响应报文进行签名;The device further includes: a server private key signing unit, used to sign the registration information response message using the server private key; 所述注册信息响应报文中还包括:与服务器公钥相对应的服务器公钥,供用户设备用来对注册信息响应报文进行验签。The registration information response message also includes: a server public key corresponding to the server public key, which the user equipment can use to verify the signature of the registration information response message.
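The registration exchange of claims 18 to 25 (virtual account identifier and challenge code issued in the registration information response, then a registration request bound to the device authentication parameters, the challenge code and a time window), as an added Python example that is not part of the patent. It assumes the "identical parameters" variant, so the device-side signature and the network-side verification are modelled as an HMAC over the request body rather than an asymmetric signature; CHALLENGE_TTL, the message field names and all sample values are constructed.

```python
import hashlib, hmac, json, secrets

CHALLENGE_TTL = 60.0  # assumed value of the "first predetermined duration" (seconds)

def _mac(key, body):
    # Shared-key variant of the request signature ("identical" device parameters)
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self):
        self.device_keys = {}    # device id -> network-side device authentication key
        self.pending = {}        # virtual account -> (challenge code, time response sent)
        self.registrations = {}  # virtual account -> record later used to authenticate
    def handle_registration_info(self, business_account, now):
        # Claims 18/24: issue a virtual account id and a single-use registration challenge
        virtual = "va-" + hashlib.sha256(business_account.encode()).hexdigest()[:12]
        self.pending[virtual] = (secrets.token_hex(16), now)
        return {"virtual_account": virtual, "challenge": self.pending[virtual][0]}
    def handle_registration(self, msg, now):
        # Claims 21/25: key lookup by device id, MAC check, challenge and time-window check
        body, key = msg["body"], self.device_keys.get(msg["body"]["device_id"])
        if key is None or not hmac.compare_digest(_mac(key, body), msg["mac"]):
            return False
        challenge, sent_at = self.pending.get(body["account_id"], (None, 0.0))
        if challenge is None or not hmac.compare_digest(challenge, body["challenge"]) \
                or now - sent_at > CHALLENGE_TTL:  # unknown/wrong code or window expired
            return False
        del self.pending[body["account_id"]]  # a challenge cannot be replayed
        self.registrations[body["account_id"]] = body  # device id, biometric token, type
        return True

class UserDevice:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key  # key lives in secure storage (claim 15)
    def build_registration(self, virtual_account, challenge, bio_token, bio_type):
        body = {"device_id": self.device_id, "account_id": virtual_account,
                "bio_token": bio_token, "bio_type": bio_type, "challenge": challenge}
        return {"body": body, "mac": _mac(self.key, body)}

def run_registration(delay=0.0, tampered=False, replay=False):
    key, server = b"constructed-shared-device-key", AuthServer()
    server.device_keys["dev-01"] = key
    info = server.handle_registration_info("alice@example.test", now=1000.0)
    msg = UserDevice("dev-01", key).build_registration(
        info["virtual_account"], info["challenge"], "tok-7", "fingerprint")
    if tampered:
        msg["body"]["bio_token"] = "tok-other"  # MAC no longer covers this body
    accepted = server.handle_registration(msg, now=1000.0 + delay)
    return server.handle_registration(msg, now=1000.0 + delay) if replay else accepted
```

The business server is a pass-through in both directions, so it is not modelled; `run_registration` returns whether the authentication server accepted the request under the chosen fault (late delivery, modified body, or a replayed message).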
HK18105213.0A 2018-04-23 Identity registration method and device based on biological features HK1246035B (en)

Publications (3)

Publication Number   Publication Date
HK1246035A1 (en)     2018-08-31
HK1246035A (en)      2018-08-31
HK1246035B (en)      2021-04-30
