HK1246038B - Methods and devices for identity registration and identity authentication based on biological features - Google Patents
Publication number: HK1246038B
Authority: HK (Hong Kong)
Prior art keywords: authentication, biometric, business, server, request message
Description
Technical Field
The present application relates to the field of network communication technology, and in particular to a method and device for identity registration based on biometric features and a method and device for identity authentication based on biometric features.
Background Art
With the development of biometric technology, it has become possible to verify personal identity by combining computers with optics, acoustics, biosensors, biostatistics and other technical means, using inherent physiological characteristics of the human body such as fingerprints, faces, irises and voices.
The rapid growth of the mobile internet has provided a new application platform for biometric technology. For example, a fingerprint or face can be used on a user device to log in to an account or make a payment without having to remember and enter a password. Because the applications most inclined to adopt biometric identity authentication are typically critical ones such as mobile payment, security is the factor that must be given the highest priority in the registration and authentication processes.
Summary of the Invention
In view of this, the present application provides a biometric identity registration method applied on a user device. The user device runs a business client, biometric authentication middleware, a biometric authentication client, an identity authentication verifier, and a token and key manager. The method includes:
The business client initiates a device information request to the biometric authentication middleware; the biometric authentication middleware forwards the device information request to the biometric authentication client; the biometric authentication client forwards the device information request to the identity authentication verifier; the identity authentication verifier obtains device information of the user device, including the device identifier, and returns it to the biometric authentication client in a device information response; the biometric authentication client returns the device information response to the biometric authentication middleware; and the biometric authentication middleware returns the device information response to the business client.
The business client sends a registration information request message including the business account identifier to the business server and receives the registration information response message returned by the business server. The registration information response message is signed by the authentication server with the server private key and sent to the business server; it includes the virtual account identifier that the authentication server generated for the business account identifier after receiving the registration information request message forwarded by the business server, and the server public key corresponding to the server private key.
The business client determines the user's biometric authentication type, obtains the user's biometric data of that type, and sends the biometric data to the biometric authentication middleware in a local biometric authentication request; the biometric authentication middleware forwards the local biometric authentication request to the biometric authentication client; the biometric authentication client uses the biometric data to perform biometric verification of the user's identity and returns the verification result to the biometric authentication middleware in a local biometric authentication response; and the biometric authentication middleware returns the local biometric authentication response to the business client.
When the local biometric verification result is a pass, the business client sends the registration information response message to the biometric authentication middleware, and the biometric authentication middleware forwards it to the biometric authentication client; the biometric authentication client forwards the registration information response message to the identity authentication verifier; the identity authentication verifier verifies the signature of the registration information response message with the server public key and, after the signature verification passes, obtains from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, generates a corresponding business public key and business private key, and saves the correspondence between the virtual account identifier, the biometric authentication type, the biometric token and the business private key. The identity authentication verifier then encapsulates the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in a registration request message, hands it to the token and key manager to be signed with the device private key of the user device, and returns the registration request message to the biometric authentication client; the biometric authentication client returns the registration request message to the biometric authentication middleware; and the biometric authentication middleware returns the registration request message to the business client.
The business client sends the registration request message to the business server, which forwards it to the authentication server. After the authentication server has the biometric authentication center server verify the signature with the device public key of the user device, it saves the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in identity authentication of the account.
The present application provides a biometric identity registration method applied on an authentication server, including:
receiving, from the business server, a registration information request message originating from a user device, the registration information request message including a business account identifier; generating a virtual account identifier corresponding to the business account identifier, encapsulating the virtual account identifier and the server public key in a registration information response message, signing the registration information response message with the server private key corresponding to the server public key, and sending it to the business server for forwarding to the user device;
receiving, from the business server, a registration request message originating from the user device, the registration request message including the device identifier of the user device, the virtual account identifier, the biometric authentication type, the biometric token and the business public key, and being signed with the device key of the user device; sending the registration request message to the biometric authentication center server, and receiving the signature verification result that the biometric authentication center server returns after verifying the registration request message with the device public key corresponding to the device identifier;
after the registration request message passes signature verification, saving the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in identity authentication of the account.
The present application provides a biometric identity authentication method applied on a user device. The user device runs a business client, biometric authentication middleware, a biometric authentication client, an identity authentication verifier, and a token and key manager. The method includes:
The business client initiates a device information request to the biometric authentication middleware; the biometric authentication middleware forwards the device information request to the biometric authentication client; the biometric authentication client forwards the device information request to the identity authentication verifier; the identity authentication verifier obtains device information of the user device, including the device identifier, and returns it to the biometric authentication client in a device information response; the biometric authentication client returns the device information response to the biometric authentication middleware; and the biometric authentication middleware returns the device information response to the business client.
The business client sends an authentication information request message including the device identifier to the business server and receives the authentication information response message returned by the business server. The authentication information response message is signed by the authentication server with the server private key and sent to the business server; it includes the virtual account identifier corresponding to the device identifier, which the authentication server obtained after receiving the authentication information request message forwarded by the business server, and the server public key corresponding to the server private key.
The business client obtains the user's biometric data of the biometric authentication type used at registration and sends the biometric data to the biometric authentication middleware in a local biometric authentication request; the biometric authentication middleware forwards the local biometric authentication request to the biometric authentication client; the biometric authentication client uses the biometric data to perform biometric verification of the user's identity and returns the verification result to the biometric authentication middleware in a local biometric authentication response; and the biometric authentication middleware returns the local biometric authentication response to the business client.
When the local biometric verification result is a pass, the business client sends the authentication information response message to the biometric authentication middleware, and the biometric authentication middleware forwards it to the biometric authentication client; the biometric authentication client forwards the authentication information response message to the identity authentication verifier; the identity authentication verifier verifies the signature of the authentication information response message with the server public key and, after the signature verification passes, obtains from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, looks up in the saved correspondence between virtual account identifier, biometric authentication type, biometric token and business private key the business private key corresponding to the biometric authentication type, the virtual account identifier in the authentication information response message and the biometric token, encapsulates the device identifier, virtual account identifier, biometric authentication type and biometric token in an authentication request message, signs the authentication request message with the business private key, and returns it to the biometric authentication client; the biometric authentication client returns the authentication request message to the biometric authentication middleware; and the biometric authentication middleware returns the authentication request message to the business client.
The business client sends the authentication request message to the business server, which forwards it to the authentication server, so that the authentication server can authenticate the user using the registered biometric token and registered business public key corresponding to the virtual account identifier, device identifier and biometric authentication type.
The present application provides a biometric identity authentication method applied on an authentication server, including:
receiving, from the business server, an authentication information request message originating from a user device, the authentication information request message including the device identifier of the user device; obtaining the virtual account identifier corresponding to the device identifier, encapsulating the virtual account identifier and the server public key in an authentication information response message, signing the authentication information response message with the server private key corresponding to the server public key, and sending it to the business server for forwarding to the user device;
receiving, from the business server, an authentication request message originating from the user device, the authentication request message including the device identifier of the user device, the virtual account identifier, the biometric authentication type and the biometric token, and being signed with the business public key; obtaining the registered biometric token and registered business public key corresponding to the device identifier, virtual account identifier and biometric authentication type in the authentication request message;
verifying the signature of the authentication request message with the registered business public key, and authenticating the user's identity according to the biometric token in the authentication request message and the registered biometric token.
The present application also provides a biometric identity registration device applied on a user device, including:
a business client, configured to initiate a device information request to the biometric authentication middleware and receive the device information response carrying the device identifier returned by the biometric authentication middleware; send a registration information request message including the business account identifier to the business server and receive the registration information response message returned by the business server, where the registration information response message is signed by the authentication server with the server private key and sent to the business server, and includes the virtual account identifier that the authentication server generated for the business account identifier after receiving the registration information request message forwarded by the business server, and the server public key corresponding to the server private key; determine the user's biometric authentication type, obtain the user's biometric data of that type, send the biometric data to the biometric authentication middleware in a local biometric authentication request, and receive the local biometric authentication response carrying the local biometric verification result returned by the biometric authentication middleware; when the local biometric verification result is a pass, send the registration information response message to the biometric authentication middleware and receive the registration request message returned by the biometric authentication middleware, where the registration request message includes the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key and is signed with the device private key of the user device; and send the registration request message to the business server, which forwards it to the authentication server, so that the authentication server, after having the biometric authentication center server verify the signature with the device public key of the user device, saves the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in identity authentication of the account;
biometric authentication middleware, configured to receive device information requests from the business client and forward them to the biometric authentication client, and receive device information responses from the biometric authentication client and forward them to the business client; receive local biometric authentication requests from the business client and forward them to the biometric authentication client, and receive local biometric authentication responses from the biometric authentication client and forward them to the business client; and receive registration information response messages from the business client and forward them to the biometric authentication client, and receive registration request messages from the biometric authentication client and forward them to the business client;
a biometric authentication client, configured to receive device information requests from the biometric authentication middleware and forward them to the identity authentication verifier, and receive device information responses from the identity authentication verifier and forward them to the biometric authentication middleware; receive local biometric authentication requests from the biometric authentication middleware, perform biometric verification of the user's identity with the biometric data in the local biometric authentication request, and return the verification result to the biometric authentication middleware in a local biometric authentication response; and receive registration information response messages from the biometric authentication middleware and forward them to the identity authentication verifier, and receive registration request messages from the identity authentication verifier and forward them to the biometric authentication middleware;
an identity authentication verifier, configured to, after receiving a device information request forwarded by the biometric authentication client, obtain device information of the user device including the device identifier and return it to the biometric authentication client in a device information response; and, after receiving a registration information response message forwarded by the biometric authentication client, verify the signature of the registration information response message with the server public key it carries, and after the signature verification passes obtain from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, generate a corresponding business public key and business private key, save the correspondence between the virtual account identifier, biometric authentication type, biometric token and business private key, encapsulate the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in a registration request message, hand it to the token and key manager to be signed with the device private key of the user device, and then return the registration request message to the biometric authentication client;
a token and key manager, configured to provide the identity authentication verifier with the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, and, after receiving a registration request message from the identity authentication verifier, sign it with the stored device private key of the user device and return it to the identity authentication verifier.
The present application provides a biometric identity registration device applied on an authentication server, including:
a registration information response unit, configured to receive, from the business server, a registration information request message originating from a user device, the registration information request message including a business account identifier; generate a virtual account identifier corresponding to the business account identifier, encapsulate the virtual account identifier and the server public key in a registration information response message, sign the registration information response message with the server private key corresponding to the server public key, and send it to the business server for forwarding to the user device;
a registration request receiving unit, configured to receive, from the business server, a registration request message originating from the user device, the registration request message including the device identifier of the user device, the virtual account identifier, the biometric authentication type, the biometric token and the business public key, and being signed with the device key of the user device; send the registration request message to the biometric authentication center server, and receive the signature verification result that the biometric authentication center server returns after verifying the registration request message with the device public key corresponding to the device identifier;
a registration information storage unit, configured to save, after the registration request message passes signature verification, the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in identity authentication of the account.
The present application provides a biometric identity authentication device applied on a user device, including:
a business client, configured to initiate a device information request to the biometric authentication middleware and receive the device information response carrying the device identifier returned by the biometric authentication middleware; send an authentication information request message including the device identifier to the business server and receive the authentication information response message returned by the business server, where the authentication information response message is signed by the authentication server with the server private key and sent to the business server, and includes the virtual account identifier corresponding to the device identifier, which the authentication server obtained after receiving the authentication information request message forwarded by the business server, and the server public key corresponding to the server private key; obtain the user's biometric data of the biometric authentication type used at registration, send the biometric data to the biometric authentication middleware in a local biometric authentication request, and receive the local biometric authentication response carrying the local biometric verification result returned by the biometric authentication middleware; when the local biometric verification result is a pass, send the authentication information response message to the biometric authentication middleware and receive the authentication request message returned by the biometric authentication middleware, where the authentication request message includes the device identifier, virtual account identifier, biometric authentication type and biometric token and is signed with the business private key; and send the authentication request message to the business server, which forwards it to the authentication server, so that the authentication server can authenticate the user using the registered biometric token and registered business public key corresponding to the virtual account identifier, device identifier and biometric authentication type;
biometric authentication middleware, configured to receive device information requests from the business client and forward them to the biometric authentication client, and receive device information responses from the biometric authentication client and forward them to the business client; receive local biometric authentication requests from the business client and forward them to the biometric authentication client, and receive local biometric authentication responses from the biometric authentication client and forward them to the business client; and receive authentication information response messages from the business client and forward them to the biometric authentication client, and receive authentication request messages from the biometric authentication client and forward them to the business client;
a biometric authentication client, configured to receive device information requests from the biometric authentication middleware and forward them to the identity authentication verifier, and receive device information responses from the identity authentication verifier and forward them to the biometric authentication middleware; receive local biometric authentication requests from the biometric authentication middleware, perform biometric verification of the user's identity with the biometric data in the local biometric authentication request, and return the verification result to the biometric authentication middleware in a local biometric authentication response; and receive authentication information response messages from the biometric authentication middleware and forward them to the identity authentication verifier, and receive authentication request messages from the identity authentication verifier and forward them to the biometric authentication middleware;
an identity authentication verifier, configured to, after receiving a device information request forwarded by the biometric authentication client, obtain device information of the user device including the device identifier and return it to the biometric authentication client in a device information response; and, after receiving an authentication information response message forwarded by the biometric authentication client, verify the signature of the authentication information response message with the server public key it carries, after the signature verification passes obtain from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, look up in the saved correspondence between virtual account identifier, biometric authentication type, biometric token and business private key the business private key corresponding to the biometric authentication type, the virtual account identifier in the authentication information response message and the biometric token, encapsulate the device identifier, virtual account identifier, biometric authentication type and biometric token in an authentication request message, sign the authentication request message with the business private key, and return it to the biometric authentication client;
a token and key manager, configured to provide the identity authentication verifier with the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification.
The present application further provides a biometric identity authentication apparatus, applied on an authentication server, comprising:
an authentication information response unit, configured to receive from the business server an authentication information request message originating from the user device, the authentication information request message including the device identifier of the user device; obtain the virtual account identifier corresponding to that device identifier, encapsulate the virtual account identifier and the server public key in an authentication information response message, sign the authentication information response message with the server private key corresponding to the server public key, and send it to the business server for forwarding to the user device;
an authentication request receiving unit, configured to receive from the business server an authentication request message originating from the user device, the authentication request message including the device identifier of the user device, the virtual account identifier, the biometric authentication type and the biometric token, and being signed with the business private key; and obtain the registered biometric token and the registered business public key corresponding to the device identifier, virtual account identifier and biometric authentication type in the authentication request message;
a signature verification and authentication unit, configured to verify the signature of the authentication request message with the registered business public key, and to authenticate the user by comparing the biometric token in the authentication request message with the registered biometric token.
As can be seen from the above technical solution, in the embodiments of the present application, during identity registration the server public key and server private key are used to verify the business server, and the device private key pre-stored on the user device together with the device public key pre-stored on the server side are used to verify whether the user device is trustworthy, so that the user device can securely register the correspondence between its device identifier, virtual account identifier, biometric authentication type, biometric token and business public key with the authentication server, which improves the security of the identity registration process. During identity authentication the server public key and server private key are again used to verify the business server, the business private key and the registered business public key are used to verify the user device, and the user device must present a device identifier, virtual account identifier, biometric authentication type and biometric token that match the registered information in order to pass authentication, which greatly increases the security of the identity authentication process.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a network structure diagram of an application scenario of an embodiment of the present application;
FIG. 2 is a flowchart of a biometric-based identity registration method applied on a user device in Embodiment 1 of the present application;
FIG. 3 is a flowchart of a biometric-based identity registration method applied on an authentication server in Embodiment 1 of the present application;
FIG. 4 is an interaction flowchart of identity registration between a user device, a business server, an authentication server and a biometric authentication center server in Embodiment 1 of the present application;
FIG. 5 is a flowchart of a biometric-based identity authentication method applied on a user device in Embodiment 2 of the present application;
FIG. 6 is a flowchart of a biometric-based identity authentication method applied on an authentication server in Embodiment 2 of the present application;
FIG. 7 is an interaction flowchart of identity authentication between a user device, a business server and an authentication server in Embodiment 2 of the present application;
FIG. 8 is a hardware structure diagram of a user device or an authentication server;
FIG. 9 is a logical structure diagram of a biometric-based identity registration apparatus applied on a user device, or of a biometric-based identity authentication apparatus applied on a user device, in an embodiment of the present application;
FIG. 10 is a logical structure diagram of a biometric-based identity registration apparatus applied on an authentication server in an embodiment of the present application;
FIG. 11 is a logical structure diagram of a biometric-based identity authentication apparatus applied on an authentication server in an embodiment of the present application.
DETAILED DESCRIPTION
In a biometric application based on a user device, the user's biometric data is captured by the user device, and biometric recognition may be performed either on the user device or by a server. Because uploading such image or video data to a server usually consumes a large amount of traffic, in the embodiments of the present application biometric recognition is completed on the user device.
A network structure of the application scenario of an embodiment of the present application is shown in FIG. 1: the user device and the business server, and the business server and the authentication server, are mutually reachable over a communication network. The user device is a terminal device with biometric recognition capability, such as a mobile phone, tablet computer, PC (Personal Computer) or notebook; the business server receives business requests (including registration and authentication requests) initiated by the user through the user device and sends responses to those requests back to the user device; the authentication server performs identity authentication of user accounts. The business server or the authentication server may be a single physical or logical server, or may consist of two or more physical or logical servers that share different responsibilities and cooperate to realize the functions of the business server or authentication server in the embodiments of the present application. The embodiments of the present application do not limit the types of user device, business server and authentication server, nor the type or protocol of the communication network between the user device and the business server or between the business server and the authentication server.
Embodiment 1 of the present application describes a biometric-based identity registration method. The flow of the method on the user device is shown in FIG. 2, and the flow on the authentication server is shown in FIG. 3.
In the embodiments of the present application, the following functional modules run on the user device: a business client, biometric authentication middleware, a biometric authentication client, an identity authentication verifier, and a token and key manager. Each of these functional modules may be a stand-alone piece of software, a component of a stand-alone piece of software, or a combination of software and hardware; the embodiments of the present application do not limit their specific implementation.
In the embodiments of the present application, a device private key is stored on the user device and is held and used by the token and key manager. The biometric authentication center server can obtain, from local storage or another accessible network storage location, the correspondence between the device identifier of the user device and the device public key of that user device; the device private key and device public key of the same user device correspond to each other. The authentication server can reach the biometric authentication center server over the network. The device private key may be pre-stored on the user device before it leaves the factory, or the corresponding device private key and device public key may be generated by the user device, by the biometric authentication center server or by some other network node and then handed to the user device and the biometric authentication center server respectively for storage; the embodiments of the present application do not limit this.
On the user device, in step 210, the business client sends a device information request to the biometric authentication middleware, the biometric authentication middleware forwards the device information request to the biometric authentication client, and the biometric authentication client forwards it to the identity authentication verifier; the identity authentication verifier obtains the device information of the user device, including the device identifier, and returns it to the biometric authentication client in a device information response; the biometric authentication client returns the device information response to the biometric authentication middleware, and the biometric authentication middleware returns it to the business client.
When the user starts, in the business client on the user device, the registration flow for biometric identity verification, the business client sends a device information request to the biometric authentication middleware, the biometric authentication middleware forwards the device information request to the biometric authentication client, and the biometric authentication client forwards it to the identity authentication verifier.
The identity authentication verifier obtains the device information of the user device, which includes the device identifier and may also include the device model, manufacturer and so on. A hardware identifier of the user device may serve as the device identifier, for example the user device's UUID (Universally Unique Identifier), its MAC (Media Access Control) address or its Bluetooth address.
The identity authentication verifier carries the obtained device information in a device information response and returns it to the biometric authentication client; the biometric authentication client returns the device information response to the biometric authentication middleware, and the biometric authentication middleware returns it to the business client.
On the user device, in step 220, the business client sends a registration information request message including the business account identifier to the business server and receives the registration information response message returned by the business server. The registration information response message is signed by the authentication server with the server private key and sent to the business server; it includes the virtual account identifier corresponding to the business account identifier, generated by the authentication server after receiving the registration information request message forwarded by the business server, and the server public key corresponding to the server private key.
On the authentication server, in step 310, a registration information request message originating from the user device is received from the business server, the registration information request message including the business account identifier; a virtual account identifier corresponding to the business account identifier is generated, the virtual account identifier and the server public key are encapsulated in a registration information response message, the registration information response message is signed with the server private key corresponding to the server public key and sent to the business server, which forwards it to the user device.
The business client of the user device sends a registration information request message to the business server. The message includes the business account identifier, which is information that uniquely corresponds, on that business server, to the user account being registered; it may be, for example, the name or code of the user account in the business system. The registration information request message may also include the device identifier of the user device. The business server forwards the registration information request message to the authentication server.
Because the authentication server may provide authentication services for several different business systems, each with its own business accounts, and because business account identifiers in different business systems may collide, which would make it hard for the authentication server to distinguish user accounts, the authentication server, after receiving the registration information request message, generates a virtual account identifier corresponding to that business account (that is, to that business account within that business system). On the authentication server the virtual account identifier uniquely corresponds to one business account in one business system. The embodiments of the present application do not limit how the virtual account identifier is generated: for example, the business system identifier combined with the user's business account identifier in that business system may be used as the virtual account identifier; as another example, the index of that user account of that business system in the database in which the authentication server registers accounts may be used as the virtual account identifier.
It should be noted that if the way the virtual account identifier is generated does not guarantee that the same virtual account identifier is produced for the same business account in the same business system, the authentication server must store the correspondence between the generated virtual account identifier and the business account of the business system (or the correspondence between the virtual account identifier and the device identifier), so that in the subsequent identity authentication flow the same virtual account identifier as in the registration flow can be assigned to the same user account of the same business system.
The authentication server holds a corresponding server private key and server public key in advance. After generating the virtual account identifier, the authentication server encapsulates the virtual account identifier and the server public key in a registration information response message, signs the registration information response message with the server private key, and sends it to the business server. The business server forwards the registration information response message to the business client of the user device.
On the user device, in step 230, the business client determines the user's biometric authentication type, obtains the user's biometric data of that type, carries the biometric data in a local biometric authentication request and sends it to the biometric authentication middleware; the biometric authentication middleware forwards the local biometric authentication request to the biometric authentication client; the biometric authentication client performs biometric verification of the user's identity using the biometric data in the request and returns the verification result to the biometric authentication middleware in a local biometric authentication response; and the biometric authentication middleware returns the local biometric authentication response to the business client.
The business client determines the biometric authentication type the user will use for identity authentication in this business system and asks the user to provide biometric data of that type. The business client may select one of the biometric authentication types supported by the user device (that is, the biometric recognition functions the user device possesses) according to a preset priority, or it may display to the user the biometric authentication types that are both accepted by this business system and supported by the user device and let the user choose; the embodiments of the present application do not limit this. The biometric authentication type may be fingerprint, voice, iris, face, and so on.
The user's biometric data may be any specific object, of the biometric authentication type determined by the business client, that the user device is able to recognize: for fingerprints, for example, the fingerprint of any finger; for irises, the iris of either eye.
After the business client has obtained biometric data of the determined biometric authentication type, it encapsulates the biometric data in a local biometric authentication request and sends it to the biometric authentication middleware, which forwards the local biometric authentication request to the biometric authentication client.
The biometric authentication client performs biometric verification of the user's identity using the biometric data in the request. The specific verification method may follow existing biometric recognition methods on user devices; for example, the data may be compared with sample data stored locally on the user device in advance, and if the degree of match satisfies predetermined conditions the biometric verification succeeds. When verification is complete, the biometric authentication client encapsulates the pass-or-fail verification result in a local biometric authentication response and returns it to the biometric authentication middleware, which returns the local biometric authentication response to the business client.
On the user device, in step 240, when the local biometric verification result is a pass, the business client sends the registration information response message to the biometric authentication middleware, the biometric authentication middleware forwards it to the biometric authentication client, and the biometric authentication client forwards it to the identity authentication verifier. The identity authentication verifier verifies the signature of the registration information response message with the server public key; once the signature is verified it obtains from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, generates a corresponding business public key and business private key, and stores the correspondence between the virtual account identifier, biometric authentication type, biometric token and business private key. The identity authentication verifier encapsulates the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in a registration request message and hands it to the token and key manager, which signs the registration request message with the device private key of the user device; the registration request message is then returned to the biometric authentication client, the biometric authentication client returns it to the biometric authentication middleware, and the biometric authentication middleware returns it to the business client.
The business client extracts the local biometric verification result from the local biometric authentication response returned by the biometric authentication middleware. If the result is a fail, the identity registration flow ends in failure. If the local biometric verification result is a pass, the business client sends the registration information response message to the biometric authentication middleware, the biometric authentication middleware forwards it to the biometric authentication client, and the biometric authentication client forwards it to the identity authentication verifier.
The identity authentication verifier extracts the server public key from the registration information response message and uses it to verify the signature of the registration information response message. If signature verification fails, the registration information response message very likely did not come from a trustworthy authentication server, and the registration flow ends in failure. After signature verification passes, the identity authentication verifier requests a biometric token from the token and key manager. The token and key manager returns to the identity authentication verifier the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification (that is, the biometric data the business client obtained for local biometric verification in step 230).
A biometric token is a feature value or index value that, on that user device, uniquely corresponds to the sample data used to verify the given biometric data. In other words, the fingerprint of each of the user's fingers corresponds to a different biometric token, and the user's face corresponds to yet another biometric token; every time the user verifies with a thumb, the thumbprint data captured by the user device is checked against the thumbprint sample data, so all such thumbprint data corresponds to the same biometric token. The present application does not limit the form of the biometric token or the specific way it is generated: it may, for example, be a message digest obtained by applying a digest algorithm to the sample data or to part of it, or a random number associated with the sample data.
The identity authentication verifier generates a corresponding business public key and business private key, and stores the correspondence between the virtual account identifier from the registration information response message, the biometric authentication type used when the user most recently passed local biometric verification, the biometric token returned by the token and key manager, and the generated business private key. The identity authentication verifier encapsulates the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in a registration request message and sends the registration request message to the token and key manager. The token and key manager reads the stored device private key of the user device, signs the registration request message with it, and returns the registration request message to the biometric authentication client.
The biometric authentication client returns the registration request message to the biometric authentication middleware, and the biometric authentication middleware returns it to the business client.
On the user device, in step 250, the business client sends the registration request message to the business server, which forwards it to the authentication server; after the authentication server has had the signature verified by the biometric authentication center server with the device public key of the user device, it stores the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in authenticating the user account.
On the authentication server, in step 320, a registration request message originating from the user device is received from the business server; the registration request message includes the device identifier of the user device, the virtual account identifier, the biometric authentication type, the biometric token and the business public key, and is signed with the device private key of the user device. The registration request message is sent to the biometric authentication center server, and the signature verification result that the biometric authentication center server returns after verifying the registration request message with the device public key corresponding to the device identifier in the message is received.
On the authentication server, in step 330, after the registration request message passes signature verification, the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key is stored for use in authenticating the user account.
The business client sends the registration request message returned by the biometric authentication middleware to the business server. The business server forwards the registration request message to the authentication server.
The authentication server sends the registration request message to the biometric authentication center server. The biometric authentication center server extracts the device identifier from the received registration request message, looks up the device public key corresponding to that device identifier in an accessible network storage location, verifies the signature of the registration request message with that device public key, and returns the verification result to the authentication server.
If signature verification fails, the authentication server rejects the registration request and notifies the business server, which informs the business client that registration failed. If signature verification passes, the authentication server stores the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key carried in the registration request message.
The authentication server may return a registration response message indicating success to the business server, which then informs the business client of the user device that registration succeeded. The authentication server may carry in that registration response message the virtual account identifier and biometric authentication type from the stored correspondence, together with the business account identifier corresponding to that virtual account identifier, so that the business server can store the correspondence between the business account identifier, virtual account identifier and biometric authentication type from the successful registration response message.
In one implementation, after receiving the registration information request message, the authentication server may generate a virtual account identifier and a registration challenge code for that virtual account; the registration challenge code may be generated with any one-time password generation algorithm, which is not limited in this example. The authentication server encapsulates the virtual account identifier, the server public key and the generated registration challenge code in the registration information response message, sends it to the business server, and starts timing. When generating the registration request message, the identity authentication verifier on the user device also encapsulates the registration challenge code from the registration information response message in the registration request message. On receiving the registration request message forwarded by the business server, the authentication server compares the registration challenge code in the registration request message with the registration challenge code it generated for the virtual account named in the registration request message, and obtains the time difference between sending the registration information response message and receiving the registration request message.
If the two registration challenge codes differ or the time difference exceeds a first predetermined duration, the authentication server rejects the registration request and notifies the business server, which notifies the business client of the registration failure; if the two registration challenge codes are identical and the time difference does not exceed the first predetermined duration, the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in the registration request message is stored.
In an implementation of this embodiment that includes a registration challenge code, the interaction flow between the functional modules of the user device, the business server, the authentication server and the biometric authentication center server is shown in FIG. 4.
In embodiment 1 of the present application, the device private key and device public key pre-stored on the user device ensure that the user device is a trusted device, and the server public key and server private key verify the reliability of the business server, so that the correspondence between the user device's device identifier, virtual account identifier, biometric authentication type, biometric token and business public key can be securely registered on the authentication server for subsequent identity authentication, improving the security of the identity registration process.
Embodiment 2 of the present application describes a biometric-based identity authentication method; the flow of the method on the user device is shown in FIG. 5, and the flow on the authentication server is shown in FIG. 6. The identity authentication flow of embodiment 2 uses some of the same technical means as the identity registration flow of embodiment 1; only the parts of embodiment 2 that differ from embodiment 1 are described below, and for the common parts refer to embodiment 1, which is not repeated.
On the user device, in step 510, the business client initiates a device information request to the biometric authentication middleware, the biometric authentication middleware forwards the device information request to the biometric authentication client, the biometric authentication client forwards the device information request to the identity authentication verifier, the identity authentication verifier obtains the device information of the user device, including the device identifier, and returns it in a device information response to the biometric authentication client, the biometric authentication client returns the device information response to the biometric authentication middleware, and the biometric authentication middleware returns the device information response to the business client.
When the user starts, in the business client on the user device, an authentication flow that uses biometric features for identity verification, the business client initiates a device information request to the biometric authentication middleware, the biometric authentication middleware forwards the device information request to the biometric authentication client, and the biometric authentication client forwards the device information request to the identity authentication verifier.
The identity authentication verifier obtains the device information of the user device, which includes the device identifier and may also include the device model, manufacturer and so on. The identity authentication verifier returns the obtained device information in a device information response to the biometric authentication client, the biometric authentication client returns the device information response to the biometric authentication middleware, and the biometric authentication middleware returns the device information response to the business client.
On the user device, in step 520, the business client sends an authentication information request message including the device identifier to the business server and receives the authentication information response message returned by the business server; the authentication information response message is signed by the authentication server with the server private key and sent to the business server, and includes the virtual account identifier corresponding to the device identifier, which the authentication server obtained after receiving the authentication information request message forwarded by the business server, and the server public key corresponding to the server private key.
On the authentication server, in step 610, an authentication information request message originating from the user device is received from the business server, the authentication information request message including the device identifier of the user device; the virtual account identifier corresponding to the device identifier is obtained, the virtual account identifier and the server public key are encapsulated in an authentication information response message, the authentication information response message is signed with the server private key corresponding to the server public key and sent to the business server, for the business server to forward the authentication information response message to the user device.
The business client of the user device sends an authentication information request message to the business server; the authentication information request message includes the device identifier of the user device and may also include the user's business account identifier. The business server forwards the authentication information request message to the authentication server.
In the identity registration flow of embodiment 1, the authentication server stores the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key locally or in another accessible network storage location; the stored device identifier, virtual account identifier, biometric authentication type, biometric token and business public key are the registered device identifier, registered virtual account identifier, registered biometric authentication type, registered biometric token and registered business public key referred to in embodiment 2.
After receiving the authentication information request message forwarded by the business server, the authentication server extracts the device identifier of the user device from it, looks up the registered virtual account identifier corresponding to that device identifier, encapsulates the found virtual account identifier and the server public key in an authentication information response message, signs the authentication information response message with the server private key corresponding to the server public key, and sends it to the business server. The business server forwards the authentication information response message to the user device.
On the user device, in step 530, the business client obtains the user's biometric data of the biometric authentication type used at registration, carries the biometric data in a local biometric authentication request and sends it to the biometric authentication middleware, the biometric authentication middleware forwards the local biometric authentication request to the biometric authentication client, the biometric authentication client performs biometric verification of the user's identity with the biometric data therein and returns the verification result in a local biometric authentication response to the biometric authentication middleware, and the biometric authentication middleware returns the local biometric authentication response to the business client.
The business client requests from the user, according to the biometric authentication type determined in the identity registration flow, and obtains the biometric data of that type provided by the user. The business client encapsulates the user's biometric data in a local biometric authentication request and sends it to the biometric authentication middleware, and the biometric authentication middleware forwards the local biometric authentication request to the biometric authentication client.
The biometric authentication client performs biometric verification of the user's identity with the biometric data in the local biometric authentication request. When verification is complete, the biometric authentication client encapsulates the pass-or-fail verification result in a local biometric authentication response and returns it to the biometric authentication middleware, and the biometric authentication middleware returns the local biometric authentication response to the business client.
On the user device, in step 540, when the local biometric verification result is a pass, the business client sends the authentication information response message to the biometric authentication middleware, and the biometric authentication middleware forwards the authentication information response message to the biometric authentication client; the biometric authentication client forwards the authentication information response message to the identity authentication verifier; the identity authentication verifier verifies the signature of the authentication information response message with the server public key, and after the signature verification passes it obtains from the token and key manager the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification, obtains from the stored correspondence between virtual account identifier, biometric authentication type, biometric token and business private key the business private key corresponding to that biometric authentication type, the virtual account identifier in the authentication information response message and that biometric token, encapsulates the device identifier, virtual account identifier, biometric authentication type and biometric token in an authentication request message, signs the authentication request message with the business private key and returns it to the biometric authentication client; the biometric authentication client returns the authentication request message to the biometric authentication middleware, and the biometric authentication middleware returns the authentication request message to the business client.
The business client extracts the local biometric verification result from the local biometric authentication response returned by the biometric authentication middleware; if the result is a fail, the identity authentication flow ends in failure. When the local biometric verification result is a pass, the business client sends the authentication information response message to the biometric authentication middleware, the biometric authentication middleware forwards the authentication information response message to the biometric authentication client, and the biometric authentication client forwards the authentication information response message to the identity authentication verifier.
The identity authentication verifier extracts the server public key from the authentication information response message and uses that server public key to verify the signature of the authentication information response message; if the signature verification fails, the authentication information response message very likely did not come from a trustworthy authentication server, and the authentication flow ends in failure. After the signature verification passes, the identity authentication verifier requests the biometric token from the token and key manager. The token and key manager returns to the identity authentication verifier the biometric token corresponding to the biometric data used when the user most recently passed local biometric verification (that is, the biometric data the business client obtained for local biometric verification in step 530).
The identity authentication verifier encapsulates in the authentication request message the device identifier of the user device, the virtual account identifier extracted from the authentication information response message, the biometric authentication type used in the most recent successful local biometric verification, and the biometric token returned by the token and key manager. In the stored correspondence between virtual account identifier, biometric authentication type, biometric token and business private key, the identity authentication verifier finds the business private key corresponding to the biometric authentication type used in the most recent successful local biometric verification, the virtual account identifier in the authentication information response message and the biometric token returned by the token and key manager, signs the authentication request message with that business private key, and returns it to the biometric authentication client.
The biometric authentication client returns the authentication request message to the biometric authentication middleware, and the biometric authentication middleware returns the authentication request message to the business client.
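The verifier's part of step 540, written out as an added example in Go; this is not the patent's code or any product's implementation. The type and function names (AuthInfoResponse, Verifier, Enroll, BuildAuthRequest), the message field layout, the use of Ed25519 for all signatures and the "|"-separated byte encoding that gets signed are all assumptions. One further assumption is added for the key the response is verified with: the text says the verifier uses the server public key carried in the response, and this example additionally compares that key against a copy provisioned with the verifier before trusting it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthInfoResponse is the message the authentication server signs in step 610, with the
// challenge code of the optional implementation included. Field names are assumptions.
type AuthInfoResponse struct {
	VirtualAccountID string
	ServerPub        ed25519.PublicKey
	Challenge        []byte
	Signature        []byte // made with the server private key over signedBytes()
}

func (r AuthInfoResponse) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%x|%x", r.VirtualAccountID, r.ServerPub, r.Challenge))
}

// Verifier is an assumed model of the identity authentication verifier. bizKeys holds the
// correspondence stored at registration (account, type, token -> business private key);
// pinnedServerPub is the added assumption of a server public key provisioned in advance.
type Verifier struct {
	DeviceID        string
	pinnedServerPub ed25519.PublicKey
	bizKeys         map[string]ed25519.PrivateKey
}

func NewVerifier(deviceID string, serverPub ed25519.PublicKey) *Verifier {
	return &Verifier{DeviceID: deviceID, pinnedServerPub: serverPub, bizKeys: map[string]ed25519.PrivateKey{}}
}

func bindingKey(acct, bt string, token []byte) string { return fmt.Sprintf("%s|%s|%x", acct, bt, token) }

// Enroll generates the business key pair at registration time, keeps the private half bound
// to (account, type, token) and hands back the public half for the registration request.
func (v *Verifier) Enroll(acct, bt string, token []byte) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v.bizKeys[bindingKey(acct, bt, token)] = priv
	return pub
}

// BuildAuthRequest checks the server's signature, selects the business private key bound at
// registration for (account, type, token), and signs the authentication request with it.
func (v *Verifier) BuildAuthRequest(resp AuthInfoResponse, bt string, token []byte) (msg, sig []byte, err error) {
	if !bytes.Equal(resp.ServerPub, v.pinnedServerPub) {
		return nil, nil, errors.New("server public key does not match the provisioned copy")
	}
	if !ed25519.Verify(resp.ServerPub, resp.signedBytes(), resp.Signature) {
		return nil, nil, errors.New("authentication information response signature invalid")
	}
	priv, ok := v.bizKeys[bindingKey(resp.VirtualAccountID, bt, token)]
	if !ok {
		return nil, nil, errors.New("no business private key for this account/type/token")
	}
	// The request carries device identifier, virtual account identifier, type, token and challenge.
	msg = []byte(fmt.Sprintf("%s|%s|%s|%x|%x", v.DeviceID, resp.VirtualAccountID, bt, token, resp.Challenge))
	return msg, ed25519.Sign(priv, msg), nil
}

func main() {
	// Constructed sample: the server's key pair and a verifier provisioned with its public key.
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier("dev-001", serverPub)
	token := []byte("constructed-token")
	bizPub := v.Enroll("va-42", "fingerprint", token)
	resp := AuthInfoResponse{VirtualAccountID: "va-42", ServerPub: serverPub, Challenge: []byte("c1")}
	resp.Signature = ed25519.Sign(serverPriv, resp.signedBytes())
	msg, sig, err := v.BuildAuthRequest(resp, "fingerprint", token)
	fmt.Println(err, ed25519.Verify(bizPub, msg, sig))
}
```

The lookup key combines account, type and token exactly as the text's correspondence does, so a token produced by a different local verification, or a type the account never registered, selects no key and the request cannot be signed at all, which is the failure mode the passage describes.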
On the user device, in step 550, the business client sends the authentication request message to the business server, and the business server forwards the authentication request message to the authentication server, for the authentication server to authenticate the user's identity according to the registered biometric token and registered business public key corresponding to the virtual account identifier, device identifier and biometric authentication type.
On the authentication server, in step 620, an authentication request message originating from the user device is received from the business server; the authentication request message includes the device identifier, virtual account identifier, biometric authentication type and biometric token of the user device, and is signed with the business private key; the registered biometric token and registered business public key corresponding to the device identifier, virtual account identifier and biometric authentication type in the authentication request message are obtained.
On the authentication server, in step 630, the signature of the authentication request message is verified with the registered business public key, and the user's identity is authenticated according to the biometric token in the authentication request message and the registered biometric token.
The business client sends the authentication request message returned by the biometric authentication middleware to the business server. The business server forwards the authentication request message to the authentication server. In the stored correspondence between registered device identifiers, registered virtual account identifiers, registered biometric authentication types, registered biometric tokens and registered business public keys, the authentication server looks up the registered biometric token and registered business public key corresponding to the virtual account identifier, device identifier and biometric authentication type in the authentication request message.
The authentication server compares the biometric token in the authentication request message with the registered biometric token, and verifies the signature of the authentication request message with the registered business public key. If the two biometric tokens differ or the signature verification fails, the authentication server rejects the authentication request and notifies the business server, which notifies the business client of the authentication failure. If the two biometric tokens are identical and the signature verification passes, the user passes identity authentication, and the authentication server replies to the business server with the successful authentication result in an authentication response message. The business server may perform the corresponding business processing on the basis of the successful authentication result, and notify the business client of the authentication result and/or the business processing result.
In one implementation, after receiving the authentication information request message, the authentication server may generate an authentication challenge code for the virtual account corresponding to the device identifier in the authentication information request message. The authentication server encapsulates the virtual account identifier, the server public key and the generated authentication challenge code in the authentication information response message, sends it to the business server, and starts timing. When generating the authentication request message, the identity authentication verifier on the user device also encapsulates the authentication challenge code from the authentication information response message in the authentication request message. On receiving the authentication request message forwarded by the business server, the authentication server compares the authentication challenge code in the authentication request message with the authentication challenge code it generated for the virtual account named in the authentication request message, and obtains the time difference between sending the authentication information response message and receiving the authentication request message.
If the two authentication challenge codes differ or the time difference exceeds a second predetermined duration, the authentication server rejects the authentication request and notifies the business server, which notifies the business client of the authentication failure; if the two authentication challenge codes are identical and the time difference does not exceed the second predetermined duration, the signature of the authentication request message is verified with the registered business public key, and the user's identity is authenticated according to the biometric token in the authentication request message and the registered biometric token.
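The authentication-server side of both flows, as an added example in Go that is not the patent's code: it covers the registration checks of steps 320/330 together with the registration challenge code and first predetermined duration described above for embodiment 1, and the authentication checks of steps 620/630 together with the authentication challenge code and second predetermined duration just described. Everything beyond the text's own steps is an assumption: the names AuthServer, Registration, IssueChallenge, Register and Authenticate; Ed25519 as the signature scheme; the "|"-separated byte string that is signed; a random 16-byte challenge in place of the unspecified one-time password algorithm; and a local device-public-key map standing in for the lookup the biometric authentication center server performs. The injectable clock exists only so the time window can be exercised deterministically.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Registration is the correspondence stored in step 330; AuthServer is an assumed model
// of the authentication server, not the patent's code.
type Registration struct {
	DeviceID, VirtualAccountID, BioType string
	BioToken                            []byte
	BusinessPub                         ed25519.PublicKey
}
type pendingChallenge struct {
	code   []byte
	issued time.Time
}
type AuthServer struct {
	regs      map[string]Registration      // keyed by device|account|type
	pending   map[string]pendingChallenge  // one outstanding challenge per virtual account
	devicePub map[string]ed25519.PublicKey // stands in for the bio center server's key lookup
	maxAge    time.Duration                // the "predetermined duration" of the text
	now       func() time.Time             // injectable clock
}

func NewAuthServer(maxAge time.Duration) *AuthServer {
	return &AuthServer{regs: map[string]Registration{}, pending: map[string]pendingChallenge{},
		devicePub: map[string]ed25519.PublicKey{}, maxAge: maxAge, now: time.Now}
}
func recordKey(dev, acct, bt string) string { return dev + "|" + acct + "|" + bt }

// Payload is the signed byte string; a fixed field order keeps it canonical. bizPub is the
// business public key carried in a registration request (nil for an authentication request).
func Payload(dev, acct, bt string, token, challenge, bizPub []byte) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%x|%x|%x", dev, acct, bt, token, challenge, bizPub))
}

// IssueChallenge generates a fresh random one-time code for the account and starts the timer.
func (s *AuthServer) IssueChallenge(acct string) []byte {
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		panic(err)
	}
	s.pending[acct] = pendingChallenge{code: code, issued: s.now()}
	return code
}

// consumeChallenge applies both conditions from the text (equal codes, elapsed time within
// maxAge) and deletes the pending entry whatever the outcome, so a code is usable at most once.
func (s *AuthServer) consumeChallenge(acct string, got []byte) error {
	p, ok := s.pending[acct]
	delete(s.pending, acct)
	if !ok || subtle.ConstantTimeCompare(p.code, got) != 1 {
		return errors.New("challenge mismatch")
	}
	if s.now().Sub(p.issued) > s.maxAge {
		return errors.New("challenge expired")
	}
	return nil
}

// Register covers steps 320/330: challenge check, device signature check with the device
// public key found by device identifier, then storage of the correspondence.
func (s *AuthServer) Register(dev, acct, bt string, token []byte, bizPub ed25519.PublicKey, challenge, sig []byte) error {
	if err := s.consumeChallenge(acct, challenge); err != nil {
		return err
	}
	devPub, ok := s.devicePub[dev]
	if !ok || !ed25519.Verify(devPub, Payload(dev, acct, bt, token, challenge, bizPub), sig) {
		return errors.New("device signature invalid")
	}
	s.regs[recordKey(dev, acct, bt)] = Registration{dev, acct, bt, token, bizPub}
	return nil
}

// Authenticate covers steps 620/630: challenge check, lookup of the registered record,
// signature check with the registered business public key, then token comparison.
func (s *AuthServer) Authenticate(dev, acct, bt string, token, challenge, sig []byte) error {
	if err := s.consumeChallenge(acct, challenge); err != nil {
		return err
	}
	reg, ok := s.regs[recordKey(dev, acct, bt)]
	if !ok || !ed25519.Verify(reg.BusinessPub, Payload(dev, acct, bt, token, challenge, nil), sig) {
		return errors.New("no registration or business signature invalid")
	}
	if subtle.ConstantTimeCompare(reg.BioToken, token) != 1 {
		return errors.New("biometric token mismatch")
	}
	return nil
}

func main() { // stand-alone run: a freshly created server rejects an unsolicited request
	fmt.Println(NewAuthServer(30*time.Second).Authenticate("dev-001", "va-42", "fingerprint", nil, nil, nil))
}
```

Two details are worth noting. The registration payload covers the business public key, so the key the server binds to the account is the one the device actually signed for; and the pending challenge is deleted before any other check runs, so a request that fails signature or token comparison cannot be retried with the same code.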
In an implementation of this embodiment that includes an authentication challenge code, the interaction flow between the functional modules of the user device, the business server, the authentication server and the biometric authentication center server is shown in FIG. 7.
In embodiment 2 of the present application, the device private key and device public key pre-stored on the user device ensure that the user device is a trusted device, and the server public key and server private key verify the reliability of the business server, so that the correspondence between the user device's device identifier, virtual account identifier, biometric authentication type, biometric token and business public key can be securely registered on the authentication server for subsequent identity authentication, improving the security of the identity registration process.
In embodiment 2 of the present application, the server public key and server private key are used to verify the business server, the business private key and the registered business public key are used to verify the user device, and the user device must present a device identifier, virtual account identifier, biometric authentication type and biometric token matching the registered information in order to pass authentication, which gives the identity authentication process a very high level of security.
In the above two embodiments, the identity authentication verifier and the token and key manager may be run in a secure environment on the user device to increase the security of the registration and authentication processes. For example, the identity authentication verifier and the token and key manager may be run in isolation from other software modules (such as processes or threads) and other software modules may be denied access to their cache space (the two modules also run in isolation from each other and are prohibited from accessing each other's cache space); as another example, the code and stored files of the identity authentication verifier and the token and key manager may be kept in the storage area of the user device with the highest level of security and the strictest access control.
Corresponding to the above flow implementations, embodiments of the present application also provide a biometric-based identity registration apparatus applied on a user device, a biometric-based identity registration apparatus applied on an authentication server, a biometric-based identity authentication apparatus applied on a user device, and a biometric-based identity authentication apparatus applied on an authentication server. Each of these apparatuses may be implemented in software, in hardware, or in a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the CPU (Central Processing Unit) of the user device or authentication server reading the corresponding computer program instructions into memory and running them. At the hardware level, in addition to the CPU, memory and non-volatile storage shown in FIG. 8, the user device usually also includes other hardware such as chips for transmitting and receiving wireless signals, and the authentication server usually also includes other hardware such as boards implementing network communication functions.
FIG. 9 shows a biometric-based identity registration apparatus provided by an embodiment of the present application, applied on a user device and including a business client, biometric authentication middleware, a biometric authentication client, an identity authentication verifier, and a token and key manager, wherein:
The business client is configured to: initiate a device information request to the biometric authentication middleware and receive the device information response carrying the device identifier returned by the biometric authentication middleware; send a registration information request message including the business account identifier to the business server and receive the registration information response message returned by the business server, where the registration information response message is signed by the authentication server with the server private key and sent to the business server, and includes the virtual account identifier corresponding to the business account identifier, generated by the authentication server after receiving the registration information request message forwarded by the business server, and the server public key corresponding to the server private key; determine the user's biometric authentication type, obtain the user's biometric data of that biometric authentication type, carry the biometric data in a local biometric authentication request sent to the biometric authentication middleware, and receive the local biometric authentication response carrying the local biometric verification result returned by the biometric authentication middleware; when the local biometric verification result is a pass, send the registration information response message to the biometric authentication middleware and receive the registration request message returned by the biometric authentication middleware, where the registration request message includes the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key and is signed with the device private key of the user device; and send the registration request message to the business server, where the registration request message is forwarded by the business server to the authentication server, so that the authentication server, after handing it to the biometric authentication center server for signature verification with the device public key of the user device, stores the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key, to be used for authenticating the identity of the account;
The biometric authentication middleware is used to receive the device information request from the business client and forward it to the biometric authentication client, and to receive the device information response from the biometric authentication client and forward it to the business client; to receive the local biometric authentication request from the business client and forward it to the biometric authentication client, and to receive the local biometric authentication response from the biometric authentication client and forward it to the business client; and to receive the registration information response message from the business client and forward it to the biometric authentication client, and to receive the registration request message from the biometric authentication client and forward it to the business client;
The biometric authentication client is used to receive the device information request from the biometric authentication middleware and forward it to the identity authentication verifier, and to receive the device information response from the identity authentication verifier and forward it to the middleware; to receive the local biometric authentication request from the middleware, verify the user's identity biometrically using the biometric data in that request, and return the verification result to the middleware in the local biometric authentication response; and to receive the registration information response message from the middleware and forward it to the identity authentication verifier, and to receive the registration request message from the identity authentication verifier and forward it to the middleware;
The identity authentication verifier is used, on receiving the device information request forwarded by the biometric authentication client, to obtain the device information of the user device, including the device identifier, and return it to the biometric authentication client in the device information response; and, on receiving the registration information response message forwarded by the biometric authentication client, to verify the signature of that message with the server public key it carries and, once the signature verifies, to obtain from the token and key manager the biometric token corresponding to the biometric data with which the user most recently passed local biometric verification, generate a corresponding business public key and business private key, save the correspondence between the virtual account identifier, biometric authentication type, biometric token and business private key, encapsulate the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key in the registration request message, have the token and key manager sign the registration request message with the device private key of the user device, and return the signed registration request message to the biometric authentication client;
The token and key manager is used to provide the identity authentication verifier with the biometric token corresponding to the biometric data with which the user most recently passed local biometric verification, and, on receiving the registration request message from the identity authentication verifier, to sign it with the stored device private key of the user device and return it to the identity authentication verifier.
Optionally, the registration information response message further includes a registration challenge code generated by the authentication server for the virtual account, and the registration request message further includes that registration challenge code, so that the authentication server, on receiving the registration request message, verifies it against the registration challenge code and the time elapsed between sending the registration information response message and receiving the registration request message.
Optionally, the identity authentication verifier and the token and key manager run in a secure environment on the user device.
FIG. 10 shows a biometric identity registration device provided by an embodiment of the present application, applied on an authentication server and including a registration information response unit, a registration request receiving unit and a registration information storage unit, wherein:
The registration information response unit is used to receive, via the business server, the registration information request message from the user device, which includes the business account identifier; to generate a virtual account identifier corresponding to the business account identifier; to encapsulate the virtual account identifier and the server public key in a registration information response message; and, after signing that message with the server private key corresponding to the server public key, to send it to the business server for forwarding to the user device;
The registration request receiving unit is used to receive, via the business server, the registration request message from the user device, which includes the device identifier of the user device, the virtual account identifier, the biometric authentication type, the biometric token and the business public key, and is signed with the device private key of the user device; to send the registration request message to the biometric authentication center server; and to receive the verification result returned by the biometric authentication center server after it verifies the signature with the device public key corresponding to the device identifier;
The registration information storage unit is used, once the registration request message passes signature verification, to save the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key for use in authenticating the account.
Optionally, the device further includes a registration challenge code generation unit for generating the registration challenge code of the virtual account; the registration information response message further includes the generated registration challenge code; the registration request message further includes the registration challenge code; and the registration information storage unit is specifically used, once the registration request message passes signature verification, to save the correspondence between the device identifier, virtual account identifier, biometric authentication type, biometric token and business public key only when the registration challenge code in the registration request message equals the one generated for the virtual account named in that message and the interval between sending the registration information response message and receiving the registration request message is within a first predetermined duration.
FIG. 9 shows a biometric identity authentication device provided by an embodiment of the present application, applied on a user device and including a business client, biometric authentication middleware, a biometric authentication client, an identity authentication verifier and a token and key manager, wherein:
The business client is used to initiate a device information request to the biometric authentication middleware and receive the device information response, carrying the device identifier, returned by the middleware; to send an authentication information request message including the device identifier to the business server and receive the authentication information response message returned by the business server, where that response message is signed by the authentication server with the server private key before being sent to the business server and includes the virtual account identifier that the authentication server looked up for the device identifier after receiving the authentication information request message forwarded by the business server, together with the server public key corresponding to the server private key; to obtain the user's biometric data of the biometric authentication type used at registration, carry it in a local biometric authentication request sent to the biometric authentication middleware, and receive the local biometric authentication response, carrying the local biometric verification result, returned by the middleware; when the local biometric verification result is a pass, to send the authentication information response message to the biometric authentication middleware and receive the authentication request message returned by the middleware, which includes the device identifier, virtual account identifier, biometric authentication type and biometric token and is signed with the business private key; and to send the authentication request message to the business server, which forwards it to the authentication server, so that the authentication server authenticates the user against the registered biometric token and registered business public key corresponding to the virtual account identifier, device identifier and biometric authentication type;
The biometric authentication middleware is used to receive the device information request from the business client and forward it to the biometric authentication client, and to receive the device information response from the biometric authentication client and forward it to the business client; to receive the local biometric authentication request from the business client and forward it to the biometric authentication client, and to receive the local biometric authentication response from the biometric authentication client and forward it to the business client; and to receive the authentication information response message from the business client and forward it to the biometric authentication client, and to receive the authentication request message from the biometric authentication client and forward it to the business client;
The biometric authentication client is used to receive the device information request from the biometric authentication middleware and forward it to the identity authentication verifier, and to receive the device information response from the identity authentication verifier and forward it to the middleware; to receive the local biometric authentication request from the middleware, verify the user's identity biometrically using the biometric data in that request, and return the verification result to the middleware in the local biometric authentication response; and to receive the authentication information response message from the middleware and forward it to the identity authentication verifier, and to receive the authentication request message from the identity authentication verifier and forward it to the middleware;
The identity authentication verifier is used, on receiving the device information request forwarded by the biometric authentication client, to obtain the device information of the user device, including the device identifier, and return it to the biometric authentication client in the device information response; and, on receiving the authentication information response message forwarded by the biometric authentication client, to verify the signature of that message with the server public key it carries and, once the signature verifies, to obtain from the token and key manager the biometric token corresponding to the biometric data with which the user most recently passed local biometric verification, look up, in the saved correspondence between virtual account identifier, biometric authentication type, biometric token and business private key, the business private key matching that biometric authentication type, the virtual account identifier from the authentication information response message and that biometric token, encapsulate the device identifier, virtual account identifier, biometric authentication type and biometric token in the authentication request message, sign the authentication request message with that business private key, and return it to the biometric authentication client;
The token and key manager is used to provide the identity authentication verifier with the biometric token corresponding to the biometric data with which the user most recently passed local biometric verification.
Optionally, the authentication information response message further includes an authentication challenge code generated by the authentication server for the virtual account, and the authentication request message further includes that authentication challenge code, encapsulated by the identity authentication verifier, so that the authentication server, on receiving the authentication request message, verifies it against the authentication challenge code and the time elapsed between sending the authentication information response message and receiving the authentication request message.
Optionally, the identity authentication verifier and the token and key manager run in a secure environment on the user device.
FIG. 11 shows a biometric identity authentication device provided by an embodiment of the present application, applied on an authentication server and including an authentication information response unit, an authentication request receiving unit and a signature verification and authentication unit, wherein:
The authentication information response unit is used to receive, via the business server, the authentication information request message from the user device, which includes the device identifier of the user device; to obtain the virtual account identifier corresponding to the device identifier; to encapsulate the virtual account identifier and the server public key in an authentication information response message; and, after signing that message with the server private key corresponding to the server public key, to send it to the business server for forwarding to the user device;
The authentication request receiving unit is used to receive, via the business server, the authentication request message from the user device, which includes the device identifier of the user device, the virtual account identifier, the biometric authentication type and the biometric token, and is signed with the business private key (the registered business public key is what verifies that signature); and to obtain the registered biometric token and registered business public key corresponding to the device identifier, virtual account identifier and biometric authentication type in the authentication request message;
The signature verification and authentication unit is used to verify the signature of the authentication request message with the registered business public key and to authenticate the user by comparing the biometric token in the authentication request message with the registered biometric token.
Optionally, the device further includes an authentication challenge code generation unit for generating the authentication challenge code of the virtual account; the authentication information response message further includes the generated authentication challenge code; the authentication request message further includes the authentication challenge code; and the signature verification and authentication unit is specifically used to verify the signature of the authentication request message with the registered business public key and to authenticate the user against the biometric token in the authentication request message and the registered biometric token only when the authentication challenge code in the authentication request message equals the one generated for the virtual account named in that message and the interval between sending the authentication information response message and receiving the authentication request message is within a second predetermined duration.
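The registration exchange (the device-side description and the FIG. 10 server units) and the authentication exchange (FIG. 9 and FIG. 11) run end to end below, as an added example that is not part of the patent or of any implementation of it. It is written in Go with Ed25519 for all three signatures (device key, server key, business key); the signature algorithm, the JSON message encoding, every struct, field and identifier name, the sample device id, account id and token, and the challenge windows are assumptions made here. One deliberate departure from the text: the device checks the server's signature against a server public key pinned at install time rather than against the copy carried inside the response message, since a key delivered inside a message can only show that the message is self-consistent, not who produced it. Challenges are single use and time-boxed, which exercises the replay and expiry checks of the optional challenge-code units, and the server consumes a challenge only after the signature on the request has verified, so an unsigned junk message cannot burn a legitimate session's pending challenge.

```go
package main

// Added example, not the patent's own code: an offline run of the registration and authentication
// exchanges this page describes. Ed25519 signatures, the JSON layout, every struct, field and
// identifier name, and the sample ids are assumptions made here.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Wire messages with the fields the page lists (InfoResp serves both information responses);
// Signed is a body plus a detached signature over exactly those bytes.
type InfoResp struct{ VirtualAccountID, Challenge string; ServerPub ed25519.PublicKey }
type RegReq struct{ DeviceID, VirtualAccountID, BioType, BioToken, Challenge string; BusinessPub ed25519.PublicKey }
type AuthReq struct{ DeviceID, VirtualAccountID, BioType, BioToken, Challenge string }
type Signed struct{ Body, Sig []byte }
type regKey struct{ DeviceID, VirtualAccountID, BioType string }
type regRecord struct{ BioToken string; BusinessPub ed25519.PublicKey }
type challenge struct{ Code string; Issued time.Time }
type bizKey struct{ VirtualAccountID, BioType, BioToken string }

func seal(k ed25519.PrivateKey, v any) Signed { b, _ := json.Marshal(v); return Signed{b, ed25519.Sign(k, b)} }
func nonce() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }

// unseal verifies before parsing; the length guard keeps ed25519.Verify from panicking on a bad key.
func unseal(pub ed25519.PublicKey, s Signed, v any) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, s.Body, s.Sig) && json.Unmarshal(s.Body, v) == nil
}

// AuthServer is the authentication server; devKeys stands in for the biometric authentication center
// server, which in the page's design holds the device public keys and checks device signatures.
type AuthServer struct {
	priv ed25519.PrivateKey; Pub ed25519.PublicKey; window time.Duration; now func() time.Time
	devKeys map[string]ed25519.PublicKey // device id -> device public key
	vaids   map[string]string            // business account id -> virtual account id
	devVaid map[string]string            // device id -> virtual account id, set at registration
	chals   map[string]challenge         // one pending single-use challenge per virtual account
	regs    map[regKey]regRecord
}

func (s *AuthServer) issue(vaid string) string { c := nonce(); s.chals[vaid] = challenge{c, s.now()}; return c }

// checkChallenge consumes the pending challenge, so a repeat of the same code is rejected as a replay.
func (s *AuthServer) checkChallenge(vaid, code string) error {
	c, ok := s.chals[vaid]
	delete(s.chals, vaid)
	if !ok || subtle.ConstantTimeCompare([]byte(c.Code), []byte(code)) != 1 { return errors.New("challenge mismatch") }
	if s.now().Sub(c.Issued) > s.window { return errors.New("challenge expired") }
	return nil
}
func (s *AuthServer) RegInfo(businessAccount string) Signed {
	vaid, ok := s.vaids[businessAccount]
	if !ok { vaid = "va-" + nonce()[:8]; s.vaids[businessAccount] = vaid }
	return seal(s.priv, InfoResp{vaid, s.issue(vaid), s.Pub})
}
func (s *AuthServer) Register(req Signed) error {
	var r RegReq
	if json.Unmarshal(req.Body, &r) != nil || !unseal(s.devKeys[r.DeviceID], req, &r) { return errors.New("device signature invalid") }
	if err := s.checkChallenge(r.VirtualAccountID, r.Challenge); err != nil { return err }
	s.regs[regKey{r.DeviceID, r.VirtualAccountID, r.BioType}] = regRecord{r.BioToken, r.BusinessPub}
	s.devVaid[r.DeviceID] = r.VirtualAccountID
	return nil
}
func (s *AuthServer) AuthInfo(deviceID string) (Signed, error) {
	vaid, ok := s.devVaid[deviceID]
	if !ok { return Signed{}, errors.New("device not registered") }
	return seal(s.priv, InfoResp{vaid, s.issue(vaid), s.Pub}), nil
}
func (s *AuthServer) Authenticate(req Signed) error {
	var r AuthReq
	if json.Unmarshal(req.Body, &r) != nil { return errors.New("malformed request") }
	rec, ok := s.regs[regKey{r.DeviceID, r.VirtualAccountID, r.BioType}]
	if !ok || !unseal(rec.BusinessPub, req, &r) { return errors.New("business signature invalid") }
	if subtle.ConstantTimeCompare([]byte(rec.BioToken), []byte(r.BioToken)) != 1 { return errors.New("biometric token mismatch") }
	return s.checkChallenge(r.VirtualAccountID, r.Challenge) // consumed only once the signature has held
}

// Device is the user device. devPriv, lastToken and bizKeys model the secure-environment token and key
// manager and identity authentication verifier; serverPub is pinned out of band (an assumption) rather
// than taken from the response, because a key carried inside a message cannot vouch for that message.
type Device struct {
	ID string; devPriv ed25519.PrivateKey; serverPub ed25519.PublicKey
	lastToken string // token tied to the most recent successful local biometric check
	bizKeys   map[bizKey]ed25519.PrivateKey
}

// open runs the checks both device-side flows share: local biometric result, then the server signature.
func (d *Device) open(resp Signed, localPass bool) (r InfoResp, err error) {
	if !localPass { return r, errors.New("local biometric check failed") }
	if !unseal(d.serverPub, resp, &r) { return r, errors.New("server signature invalid") }
	return r, nil
}
func (d *Device) Register(resp Signed, bioType string, localPass bool) (Signed, error) {
	r, err := d.open(resp, localPass)
	if err != nil { return Signed{}, err }
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fresh business key pair for this account, type and token
	d.bizKeys[bizKey{r.VirtualAccountID, bioType, d.lastToken}] = priv
	return seal(d.devPriv, RegReq{d.ID, r.VirtualAccountID, bioType, d.lastToken, r.Challenge, pub}), nil
}
func (d *Device) Authenticate(resp Signed, bioType string, localPass bool) (Signed, error) {
	r, err := d.open(resp, localPass)
	if err != nil { return Signed{}, err }
	priv, ok := d.bizKeys[bizKey{r.VirtualAccountID, bioType, d.lastToken}]
	if !ok { return Signed{}, errors.New("no business key for this account, type and token") }
	return seal(priv, AuthReq{d.ID, r.VirtualAccountID, bioType, d.lastToken, r.Challenge}), nil
}

// NewSystem wires one server to one device ("dev-01") whose public key the server side already holds.
func NewSystem(now func() time.Time, window time.Duration) (*AuthServer, *Device) {
	spub, spriv, _ := ed25519.GenerateKey(rand.Reader)
	dpub, dpriv, _ := ed25519.GenerateKey(rand.Reader)
	s := &AuthServer{priv: spriv, Pub: spub, window: window, now: now, devKeys: map[string]ed25519.PublicKey{"dev-01": dpub},
		vaids: map[string]string{}, devVaid: map[string]string{}, chals: map[string]challenge{}, regs: map[regKey]regRecord{}}
	return s, &Device{ID: "dev-01", devPriv: dpriv, serverPub: spub, lastToken: "tok-constructed-1", bizKeys: map[bizKey]ed25519.PrivateKey{}}
}

// RunFlow performs one registration followed by one authentication; nil means both passed.
func RunFlow() error {
	s, d := NewSystem(time.Now, 2*time.Minute)
	req, err := d.Register(s.RegInfo("acct-alice"), "fingerprint", true)
	if err == nil { err = s.Register(req) }
	if err != nil { return err }
	info, err := s.AuthInfo(d.ID)
	if err != nil { return err }
	areq, err := d.Authenticate(info, "fingerprint", true)
	if err != nil { return err }
	return s.Authenticate(areq)
}

func main() { if err := RunFlow(); err != nil { panic(err) }; fmt.Println("registration and authentication succeeded") }
```

RunFlow returns nil for a successful registration followed by a successful authentication; every failure path (local biometric check not passed, server or device signature invalid, unregistered account/type/token combination, challenge reused or expired, token mismatch) surfaces as a distinct error, which is what a server-side audit log of this protocol should record. The one-record-per-(device, virtual account, type) table on the server matches the page's correspondence, and the per-(virtual account, type, token) private key on the device matches the verifier's saved correspondence, so a token that changes after re-enrolment of the biometric simply finds no business key and the user must register again.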
The above is only a preferred embodiment of the present application and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within its scope of protection.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile storage in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media that store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can store information accessible to a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" and any variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes it.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) containing computer-usable program code.
Claims (20)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| HK18105220.1A HK1246038B (en) | 2018-04-23 | Methods and devices for identity registration and identity authentication based on biological features |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| HK18105220.1A HK1246038B (en) | 2018-04-23 | Methods and devices for identity registration and identity authentication based on biological features |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1246038A1 HK1246038A1 (en) | 2018-08-31 |
| HK1246038B true HK1246038B (en) | 2020-09-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6877460B2 (en) | How and devices to register biometric identities and authenticate biometric identities | |
| CN113114624B (en) | Biometric-based identity authentication method and device | |
| JP7391860B2 (en) | Extending secure key storage for transaction confirmation and cryptocurrencies | |
| US11539526B2 (en) | Method and apparatus for managing user authentication in a blockchain network | |
| JP5514200B2 (en) | Improved biometric authentication and identification | |
| CN111414599A (en) | Identity authentication method, device, terminal, server and readable storage medium | |
| US20110099616A1 (en) | Authenticating Using Cloud Authentication | |
| KR960035299A (en) | A method for managing communication between a remote user and an application server, a subject authentication method for a remote user, a network and a program storage device providing a distributed computer environment | |
| CN106992956B (en) | Method, device and system for realizing authentication between devices | |
| CN112100594A (en) | Service processing method, device and equipment based on block chain | |
| KR102308859B1 (en) | Surrogate authentication service system and method based on biometric information | |
| US20240106823A1 (en) | Sharing a biometric token across platforms and devices for authentication | |
| HK1246038B (en) | Methods and devices for identity registration and identity authentication based on biological features | |
| CN120128356A (en) | Application Access Control | |
| JP2002366528A (en) | Security method for personal authentication | |
| CN114186209A (en) | Identity verification method and system | |
| US20240333708A1 (en) | Multi-factor enabled access using randomly selected digital identity authentication factors | |
| US12367483B1 (en) | Decentralized authorization | |
| US12425218B2 (en) | Portable identity verification context with automatic renewal or verification orchestration to mitigate decay | |
| HK1246035B (en) | Identity registration method and device based on biological features | |
| HK1246038A1 (en) | Methods and devices for identity registration and identity authentication based on biological features | |
| HK1246035A1 (en) | Identity registration method and device based on biological features | |
| HK1246035A (en) | Identity registration method and device based on biological features | |
| HK1173574B (en) | Apparatus and system for authentication using cloud authentication |