[go: up one dir, main page]

WO2018165811A1 - Method for saving and verifying biometric template, and biometric recognition apparatus and terminal - Google Patents

Method for saving and verifying biometric template, and biometric recognition apparatus and terminal Download PDF

Info

Publication number
WO2018165811A1
WO2018165811A1 PCT/CN2017/076403 CN2017076403W WO2018165811A1 WO 2018165811 A1 WO2018165811 A1 WO 2018165811A1 CN 2017076403 W CN2017076403 W CN 2017076403W WO 2018165811 A1 WO2018165811 A1 WO 2018165811A1
Authority
WO
WIPO (PCT)
Prior art keywords
biometric
template
data
encryption
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/076403
Other languages
French (fr)
Chinese (zh)
Inventor
左勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Goodix Technology Co Ltd
Original Assignee
Shenzhen Huiding Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Huiding Technology Co Ltd filed Critical Shenzhen Huiding Technology Co Ltd
Priority to PCT/CN2017/076403 priority Critical patent/WO2018165811A1/en
Priority to CN201780000185.8A priority patent/CN107113170B/en
Publication of WO2018165811A1 publication Critical patent/WO2018165811A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • the embodiments of the present invention relate to the field of biometric identification technologies, and in particular, to a biometric template storage and verification method, a biometric identification device, and a terminal.
  • the biological characteristics of the human body such as fingerprints, palm prints, lip lines and irises are unique, they can be used for identity verification, etc., to meet the security and confidentiality requirements of different application scenarios. For example, when a laptop, a mobile phone, or a tablet is turned on, or enters a critical location, it is necessary to collect the fingerprint of the user for authentication.
  • biometrics As an authentication method, as shown in Figure 1a, it is common practice to first process the biometric raw data into a biometric template, ie, a registration template, and then save the biometric template as a whole in a relatively secure storage area.
  • a biometric template ie, a registration template
  • EMMC embedded Multi Media Card
  • TEE Trusted Execution Environment
  • biometric template Since the biometric template is stored in a storage area that is not very secure, if the storage area is attacked, the biometric template will be leaked as a whole, which will bring a larger application to the biometric template. Security risks.
  • biometric template storage and verification method the biometric identification device, and the terminal provided by the embodiments of the present application are used to solve at least the above problems in the prior art.
  • a first aspect of the embodiments of the present application provides a biometric template saving method, where the biometric template saving method includes:
  • the M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data exists in each storage area after storage, 1 ⁇ N ⁇ M.
  • At least one of the N storage areas is a storage area of a chip-level security environment.
  • the processing, by the biometric encryption template generated by the biometric template includes: performing a splitting process on the biometric encryption template.
  • the biometric encryption template generated according to the biometric template encryption is processed, and before the obtaining the M biometric encryption template data, the method further includes: encrypting the biometric encryption according to the biometric template.
  • the key used in the template is placed anywhere in the biometric encryption template.
  • the key is placed into a start position or an end position of the biometric encryption template.
  • the method further includes:
  • the biometric template containing the verification data is encrypted to generate the biometric encryption template.
  • the consistency check is a hash check
  • the obtained check data is a hash check value
  • the hash check value is placed. Before or after the start position of the biometric template.
  • the method further includes:
  • biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data
  • the biometric original data is fingerprint feature original data or fingerprint image data
  • the biometric data is fingerprint feature point data or fingerprint feature image extremum data
  • Performing biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data includes: extracting fingerprint feature points from the collected fingerprint feature point original data, and obtaining multiple fingerprint feature point data. And/or, performing fingerprint feature image extraction on the collected fingerprint feature raw data to obtain a plurality of fingerprint feature image extremum data.
  • a second aspect of the embodiments of the present application provides a biometric template verification method, including:
  • biometric template to be verified obtained according to the biometric encryption template. If the verification is passed, determining that the biometric template to be verified is consistent with the original biometric template.
  • the N storage areas include at least one storage area of a chip-level security environment.
  • the performing verification verification of the biometric template to be verified according to the biometric encryption template includes: generating a consistency check of the biometric template to be verified. The first verification data is compared with the second verification data obtained from the biometric verification template to be verified;
  • the verification is considered to pass.
  • performing consistency check on the biometric template to be verified includes: performing hash check on the biometric template to be verified.
  • the second check data is extracted from a header or a tail of the to-be-verified biometric template.
  • the obtaining a biometric template to be verified according to the biometric encryption template includes:
  • a third aspect of the embodiments of the present application provides a biometric identification device, which includes a biometrics collection module, a biometric data processing chip, and a storage module.
  • the biometric collection module is configured to collect biometric information of the user
  • the biometric data processing chip is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template;
  • the biometric template generated by the biometric template encryption is processed to obtain the M group biometric encryption template data, M ⁇ 2;
  • the storage module is configured to store the M sets of biometric encryption template data, where the storage module includes N storage areas, and the M sets of biometric encryption template data are stored in the storage module, and at least in each storage area There is a set of biometric encryption template data, 1 ⁇ N ⁇ M.
  • a template generating unit and a template processing unit are included;
  • the template generating unit is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template.
  • the template processing unit is configured to process the biometric encryption template generated according to the biometric template encryption to obtain M sets of biometric encryption template data.
  • the biometric data processing chip further includes: a template data acquiring unit, a template restoring unit, and a template verifying unit;
  • the template data acquiring unit is configured to acquire M sets of biometric encryption template data associated with each other from the N storage areas of the storage module;
  • the template restoring unit is configured to recombine the M group biometric encryption template data to obtain a biometric encryption template
  • the decryption verification unit is configured to decrypt the biometric encryption template to obtain a biometric template to be verified, and determine the biometric to be verified by performing consistency verification on the biometric template to be verified. Whether the template is consistent with the original biometric template.
  • a fourth aspect of the embodiments of the present application provides a terminal comprising the biometric identification device according to any one of claims 16 to 18.
  • the embodiment of the present application processes the biometric encryption template into, for example, split into multiple sets of biometric encryption template data, and then stores the plurality of biometric encryption template data in at least two storage areas. , so that multiple sets of biometric encryption template data are dispersed There are a plurality of storage areas.
  • the biometric template is stored in a storage area as a whole, and the probability of attacking multiple sets of biometric encryption template data dispersed in multiple storage areas is less.
  • the probability of being leaked as a whole is also lower, so that the large security risks brought by the prior art to the application of the biometric template can be effectively eliminated.
  • FIG. 1a is a schematic diagram of a prior art biometric template storage.
  • FIG. 1b is a flowchart of a biometric template saving method according to Embodiment 1 of the present application.
  • FIG. 2 is a flowchart of a biometric template saving method according to Embodiment 2 of the present application.
  • FIG. 3 is a flowchart of a biometric template saving method according to Embodiment 3 of the present application.
  • FIG. 4 is a flowchart of a biometric template verification method according to Embodiment 4 of the present application.
  • FIG. 5 is a structural diagram of a biometric identification device according to Embodiment 5 of the present application.
  • FIG. 1b is a flowchart of a biometric template saving method according to Embodiment 1 of the present application. As shown in FIG. 1b, the biometric template saving method includes:
  • the biometric template may be generated by combining a plurality of biometric data, that is, combining the plurality of biometric data to generate a biometric template.
  • the biometric data may be obtained by performing fingerprint feature extraction and/or image feature extraction processing on the collected biometric raw data.
  • the biometric encryption template is generated according to the biometric template encryption, and the biometric template may be encrypted by using an AES (128-bit or 256-bit) encryption algorithm to generate a biometric encryption template.
  • AES 128-bit or 256-bit
  • the AES256-CBC algorithm can be specifically employed.
  • the biometric template may be first divided into a plurality of cipher blocks to be encrypted (equivalent to plaintext blocks), and then each cipher block to be encrypted is encrypted according to the following method:
  • the second ciphertext to be encrypted is XORed with the first ciphertext, and then encrypted by the encryption key to generate a second ciphertext;
  • the AES256-CBC algorithm performs an exclusive OR operation with the previous ciphertext for the plaintext block (starting from the second one), the generated biometric encryption template is more complicated, so AES256-CBC is adopted.
  • the biometric encryption template generated by the algorithm has the advantages of difficulty in cracking and difficulty in active attack.
  • the AES128-CBC (encryption key is 128-bit) algorithm may be used for the encryption processing, and the processing method thereof is similar to the AES256-CBC algorithm, and details are not described herein again.
  • the biometric encryption template may be split and processed to form the M group biometric encryption template data.
  • the splitting process can also be processed by other splitting algorithms to meet the problem of splitting the biometric encryption template into M sets of biometric encryption template data.
  • the amount of data in each group of the M group biometric encrypted data may be the same, for example, 5 KB, or may be partially the same. Some are different, but they can also be different from each other, depending on actual needs.
  • S12 The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data is stored in each of the stored storage areas, where 1 ⁇ N ⁇ M.
  • the biometric encryption template is processed into, for example, split into multiple sets of biometric encryption template data, and then the plurality of biometric encryption template data are dispersed and stored in at least two storage areas, so that multiple sets of biometric encryption are performed.
  • the template data is dispersed and stored in a plurality of storage areas, and the plurality of sets of biometric encryption template data dispersed in the plurality of storage areas are simultaneously attacked compared with the prior art in which the biometric templates are integrally stored in one storage area.
  • the probability is smaller, and the probability of being leaked by the whole is lower, which can effectively eliminate the large security risks brought by the prior art to the application of the biometric template. That is to say, the embodiment benefits from the feature of the decentralized storage of the biometric template data.
  • biometric encrypted data If it is attacked, the problem of the overall leakage of the feature template data is not easy to occur, and it is of course not excluded that some biometric encrypted data is leaked. Possibility, but since the biometric template can be decrypted only when the M group biometric template encrypted data is acquired as a whole, it is difficult to be restored to the biometric template even if part of the biometric encrypted data is leaked. Further, even if the plurality of sets of biometric encryption template data are illegally acquired, it is difficult to generate a corresponding organism because the corresponding processing method (such as the combined processing method is obviously unknown to the illegal acquirer) cannot be known. Feature encryption template. At the same time, since the biometric encryption template is encrypted data, it is also difficult to perform illegal decryption.
  • At least one of the N storage areas is a storage area of a chip-level security environment such as an SE (Secure Element).
  • a chip-level security environment such as an SE (Secure Element). Since the chip-level security environment is a hardware-level security environment, the possibility of successful attack is extremely low, and its data security protection, etc. The level is higher than the software-level and semi-software-level security environment, so it is difficult to leak the biometric encryption module data stored in the storage area of the chip-level security environment.
  • the biometric encryption template data stored in the storage area of the chip level security environment is hard to be leaked, thereby making the M group biometric template Encrypted data is difficult to be leaked as a whole, which can effectively eliminate the large security risks caused by the application of the biometric template in the prior art. Therefore, by using a storage area of a chip-level security environment to store at least one set of biometric encryption template data, the requirements for distributed preservation can be satisfied, and the requirements for biometric encrypted data to avoid overall leakage can be satisfied.
  • Biometric encryption template data when the total amount of data of the M group biometric encryption template data is large, the storage area of the chip level security environment is difficult to save one or more groups with a large amount of data due to a small total storage capacity.
  • Biometric encryption template data optionally, one or more sets of biometric encryption template data in the M group biometric encryption template data may be stored in a storage area of the chip level security environment, and the remaining one is Group or groups of biometric encryption template data with large data volume are stored in software-level or semi-software-level security environments with large total storage capacity such as TEE (Trusted Execution Environment), TrustZone (trust zone), SGX (Software Guard Extensions) , software protection extension instructions) or Rich OS (rich operating system) and other storage areas such as external storage media: EMMC memory, SD card, disk and so on.
  • TEE Trust Execution Environment
  • TrustZone trust zone
  • SGX Software Guard Extensions
  • Rich OS Rich operating system
  • FIG. 2 is a flowchart of a biometric template saving method according to Embodiment 2 of the present application. As shown in FIG. 2, on the basis of the first embodiment of the present application, the biometric template saving method includes:
  • the key used to generate the biometric encryption template according to the biometric template encryption is placed in any position in the biometric encryption template.
  • the biometric encryption template is essentially a data sequence having a certain length, whereby any position placed in the biometric encryption template may be placed in the biometric encryption template, ie, the data sequence. Before the first data, between any two data in the data sequence, after the last data of the data sequence. The location at which the key is placed can be recorded so that the key can be accurately extracted during subsequent applications, such as decryption.
  • the key is placed before the first data of the data sequence, That is, before the start position of the biometric encryption template, or after the key is placed after the last data of the data sequence, that is, after the end position of the biometric encryption template.
  • the key is included in the biometric encryption template.
  • the key belongs to a symmetric key, and may be randomly generated by a random number generating function of the system, or may be set in advance (such as writing in program code).
  • step S22 is consistent with the step S11 in the first embodiment of the present application, and the implementation principle is similar, and details are not described herein again. It should be noted that the key is already included in the bio-encryption template in this step.
  • S23 The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data is stored in each of the stored storage areas, where 1 ⁇ N ⁇ M.
  • the key is usually the key to encryption and decryption, in order to make the key more difficult to be leaked, the key may also be stored in the storage area of the chip-level security environment, for example, including A set of biometric encryption template data (such as not less than 64 Bytes of data) of the key is stored in a storage area of the chip level security environment.
  • the biometric encryption template can be decrypted by the key in the subsequent application, so as to obtain the original biometric template (ie, the biometric encryption template is generated by encryption). Feature template).
  • FIG. 3 is a flowchart of a biometric template saving method according to Embodiment 3 of the present application. As shown in FIG. 3, based on the first embodiment of the present application, the biometric template saving method includes:
  • the verification data obtained by performing consistency check on the biometric template is placed in any position in the biometric template.
  • the biometric template may be generated by combining a plurality of biometric data, that is, combining the plurality of biometric data to generate a biometric template.
  • the biometric data refers to fingerprint feature extraction and/or image feature extraction processing on the collected biometric raw data.
  • the obtained data that is, the biometric and/or image feature extraction of the collected biometric raw data, can obtain a plurality of biometric data.
  • biometric feature data can be collected multiple times, and then the biometric feature extraction and/or image feature extraction of the collected biometric raw data can be performed to obtain more biometric data.
  • biometric raw data may include fingerprints, palm prints, lip lines, and iris feature raw data.
  • the fingerprint feature original data may include fingerprint valley ridge original data or fingerprint image original data.
  • the fingerprint feature data is generally fingerprint feature point data or fingerprint feature image extremum data.
  • the biometric feature and/or image feature extraction is performed on the collected biometric raw data, and obtaining the plurality of biometric data specifically includes: extracting fingerprint feature points from the collected fingerprint feature point original data, such as fingerprint valley data. Obtaining a plurality of fingerprint feature point data, and/or performing fingerprint feature image extraction on the collected fingerprint feature original data, such as fingerprint image data, to obtain a plurality of fingerprint feature image extremum data.
  • the fingerprint data collected by the fingerprint module of a larger size (such as the fingerprint valley data) has a larger number and the fingerprint included.
  • the feature raw data is relatively complete. Therefore, the fingerprint feature point extraction method can be used to extract the fingerprint feature original data to obtain multiple fingerprint feature data.
  • the fingerprint image feature extraction method is generally used to extract the extreme value data of the plurality of fingerprint feature images, thereby obtaining multiple fingerprint feature data. .
  • both the original data of the fingerprint feature and the original data of the fingerprint image are collected, and then the fingerprint feature original data is extracted by fingerprint feature point extraction and extracted based on the fingerprint image feature.
  • the fingerprint feature template obtained on the basis of the fingerprint feature template may be a fingerprint feature template obtained based on the fingerprint valley data, may be a fingerprint feature template obtained based on the fingerprint image data, or may be based on fingerprint valley data and fingerprint image data.
  • the fingerprint feature template obtained by the combination may be a fingerprint feature template obtained based on the fingerprint valley data, or may be based on fingerprint valley data and fingerprint image data.
  • the fingerprint feature point data may include a fingerprint endpoint, a bifurcation point, a bifurcation point, and an isolated Point, ring point and/or short grain data.
  • a typical process for obtaining a fingerprint feature template is as follows:
  • the system prompts the user to press the fingerprint module through the interface
  • the system collects user fingerprint feature original data such as fingerprint valley data and/or fingerprint image data through the fingerprint module;
  • fingerprint feature extraction algorithm extraction for example, by fingerprint feature extraction algorithm extraction and/or fingerprint image feature extraction, to obtain multiple fingerprint feature data
  • the fingerprint feature template can be obtained through the fingerprint original feature data, but the reverse process is irreversible, that is, the fingerprint feature template cannot restore the fingerprint original feature data, because the fingerprint feature extraction algorithm extracts only the fingerprint feature.
  • the data of the point does not save all the texture information of the fingerprint, so there is a problem that part of the fingerprint texture information is lost, so the original data of the fingerprint feature cannot be restored by the fingerprint template.
  • the verification data may be placed in any position in the biometric encryption template, and the verification data may be determined to be obtained. Whether the biometric template is identical to the original biometric template. For example, the same hash check is performed on the acquired biometric template to be verified to obtain a hash check value that can be used as the check data, and the hash check value is obtained simultaneously with the biometric template to be verified. Obtaining another check data (such as another hash check value) for comparison. If the two hash check values are the same, it may be determined that the biometric template to be verified is completely consistent with the original biometric template, otherwise The biometric template to be verified may be determined to be an illegal biometric template.
  • the verification data for example, the location where the hash check value is placed in the biometric template can be freely selected, and is generally not limited. More commonly, the check data, for example the hash check value, can be placed before or after the start of the biometric template. In use, the location is usually recorded so that in the subsequent application, when the acquired biometric template needs to be consistently verified, the phase can be accurately extracted according to the location where the record is saved.
  • the verification data should be. Obviously, the verification data is placed in the biometric template, which is equivalent to the biometric template containing the verification data.
  • the biometric template or the biometric template to be verified may be hashed by the SHA-256 algorithm, and the corresponding hash check value obtained as the check data is obtained accordingly.
  • the encryption in this step may adopt the AES256-CBC algorithm in the first embodiment of the present application.
  • other encryption algorithms can also be used.
  • S34 The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data exists in each storage area after the storage, 1 ⁇ N ⁇ M.
  • the biometric encryption template may be a biometric encryption template generated by encrypting the biometric template containing the verification data.
  • Steps S33 and S34 are respectively consistent with steps S11 and S12 in the first embodiment of the present application, and the implementation principle is similar to that of S11 and S12, and details are not described herein again.
  • the biometric template obtained by the verification data can be consistently verified in the subsequent application to ensure the acquired biometric template and the original creature.
  • the feature templates are identical.
  • the biometric template verification method includes:
  • the operation of acquiring the M sets of associated biometric encrypted data from the N storage areas of the N storage areas may specifically be related to the M related entities stored in the M group.
  • the corresponding inverse operation when the feature encrypts the data That is, the M group biometric encryption template data is stored in the N storage areas according to the deposit method, and then the M group biometric encryption template data is also acquired in a manner corresponding to the original deposit mode. Taken from the N storage areas.
  • the way to deposit is: 3 sets of biometric models
  • the board encryption data is stored in two storage areas, wherein the first group and the second group biometric encryption template data are stored in the first storage area, and the third group biometric encryption template data is stored in the second storage area;
  • the acquisition method is: taking out the first group and the second group of biometric encryption template data from the first storage area, and extracting the third group biometric encryption template data from the second storage area.
  • the processing of obtaining the biometric encryption template from the M group associated biometric encryption template data and the processing of obtaining the M group biometric encryption template data from the biometric encryption template may be a pair of reciprocal operations.
  • the process of obtaining the M group biometric encryption template data from the biometric encryption template is a splitting process, and then the process of obtaining the biometric encryption template from the M group associated biometric encryption template data is corresponding to the splitting process.
  • the process of obtaining the biometric template to be verified according to the biometric encryption template and the process of encrypting and generating the biometric encryption template according to the original biometric template are used to perform a pair of reciprocal operations.
  • the process of generating the biometric encryption template according to the original biometric template is to use the AES256-CBC algorithm to encrypt the original biometric template to generate the biometric template, and then the biometric template to be verified according to the biometric encryption template is utilized.
  • the inverse algorithm corresponding to the AES256-CBC algorithm decrypts the biometric encryption template to obtain a biometric template to be verified.
  • the method for obtaining the biometric template to be verified according to the biometric encryption template includes: decrypting the biometric encryption template according to the key obtained from the biometric encryption template to obtain a biometric template to be verified.
  • the method may be: extracting a key from an agreed position of the biometric encryption template, such as a header or a tail; and decrypting the biometric encryption template according to the key to obtain a biometric template to be verified.
  • the agreed location may be derived from a record holding a location of the key in the biometric encryption template.
  • the consistency check verification performed on the biometric template to be verified is consistent with the consistency check on the original biometric template. That is to verify the biometric template and pair
  • the consistency check processing performed by the original biometric template is the same.
  • the consistency check performed may be the same hash check as the SHA-256 check.
  • the process of obtaining the biometric template to be verified and the consistency verification verification of the biometric template to be verified may include:
  • the check data here can be regarded as the check data generated by the original biometric template through the same hash check.
  • the biometric template verification method provided in the fourth embodiment processes the M-type associated biometric encryption template data obtained from the N storage areas to obtain the biometric encryption template, and then obtains the biometric encryption template to be verified.
  • the biometric template is subjected to consistency verification, so as to determine whether the biometric template to be verified is consistent with the original biometric template, that is, whether the biometric template to be verified is legal.
  • biometric template saving method and the biometric template verification method provided in the above embodiments may be used in combination.
  • biometric template verification method provided in the above embodiments.
  • the data capacity of the set of biometric encryption template data containing the first key should be greater than or equal to 64 Bytes and less than or equal to 10 KB. Setting the capacity to 64 Bytes or more is to completely include the first key (such as 256 bits) in the data of the group, and setting it to not more than 10 KB is based on the consideration that the total capacity of the SE storage area is small.
  • FIG. 5 is a structural diagram of a biometric identification device according to Embodiment 5 of the present application.
  • the biometric device is a device including a biometrics acquisition module 1 (such as a fingerprint acquisition chip, a fingerprint sensor, etc.), a biometric data processing chip 2 (such as a microprocessor), and a storage module 3.
  • the biometric device may be applied to a mobile terminal (such as a smart phone, a tablet, etc.) or other electronic device for performing the biometric template saving method and/or the biometric template verification method as described in the above embodiments. .
  • the biometric collection module 1 is configured to collect biometric information of the user during the biometric registration phase.
  • the biometric collection module 1 may be specifically a biometric sensor (such as a fingerprint sensor) for collecting biometric information.
  • the biometric information may be specifically biometric raw data (such as fingerprint raw data).
  • the biometric data processing chip 2 is configured to perform feature extraction on the biometric information collected by the biometric collection module 1 to obtain biometric data and combine the biometric templates into a biometric template, and encrypt the biometric template to generate a biometric a feature encryption template; and processing the biometric encryption template generated according to the biometric template encryption to obtain the M group biometric encryption template data, M ⁇ 2, for example, the biometric data processing chip 2 can be decomposed by default The sub-algorithm splits the biometric encryption template into the M sets of biometric encryption template data.
  • the biometric data processing chip 2 includes: a template generating unit and a template processing unit.
  • the template generating unit is configured to perform feature extraction on the biometric information collected by the biometric feature collection module 1 to obtain biometric data and combine the biometric template into a biometric template, and encrypt the biometric template to generate a biometric Feature encryption template.
  • the template processing unit is configured to process the biometric encryption template generated by the biometric template encryption to obtain the M group biometric encryption template data, where M ⁇ 2.
  • the template processing unit may adopt a preset splitting algorithm. And dividing the biometric encryption template into the M group biometric encryption template data.
  • the template generating unit may be further configured to process the biometric encryption template in the template processing unit and obtain M sets of biometric encryption template data.
  • the key used to generate the biometric encryption template based on the biometric template encryption is placed in any location in the biometric encryption template.
  • the template generating unit may be further configured to: before the template processing unit processes the biometric encryption template and obtain M sets of biometric encryption template data, The template performs consistency check, and the verification data obtained by performing consistency check on the biometric template is placed in any position in the biometric template.
  • the template generating unit may specifically generate the biometric encryption template by encrypting the biometric template containing the verification data.
  • the storage module 3 is configured to store the M sets of biometric encryption template data.
  • the storage module 3 may include N storage areas, and after the M sets of biometric encryption template data are stored in the storage module, at least one set of biometric encryption template data exists in each storage area. 1 ⁇ N ⁇ M.
  • At least one of the M storage areas of the storage module is a storage area of a chip-level security environment such as an SE (Secure Element).
  • the biometric data processing chip may further include: a template data acquiring unit, a template restoring unit, and a template verifying unit.
  • the template data acquiring unit is configured to acquire M sets of biometric encryption template data associated with each other from the N storage areas of the storage module;
  • the template restoring unit is configured to recombine the M group biometric encryption template data to obtain a biometric encryption template
  • the decryption verification unit is configured to decrypt the biometric encryption template to obtain a biometric template to be verified, and determine the biometric to be verified by performing consistency verification on the biometric template to be verified. Whether the template is consistent with the original biometric template.
  • the decryption verification unit is specifically configured to: use the first verification data generated by performing consistency check on the biometric template to be verified, and the second verification data obtained from the to-be-verified biometric verification template. Verifying the data for comparison verification. If the first verification data is the same as the second verification data, the verification passes and may determine that the biometric template to be verified is consistent with the original biometric template; otherwise The verification fails and may determine that the biometric template to be verified does not match the original biometric template.
  • the biometric device may be used to perform the corresponding method or step in the first to fourth embodiments of the present application, or may further perform the corresponding method in the first to fourth embodiments of the present application by using the included module (unit) or the like. step.
  • the implementation principle is similar to the first to fourth embodiments of the present application, and details are not described herein again.
  • the biometric data processing chip in this embodiment may multiplex the CPU chip of the mobile terminal or other electronic device, and does not necessarily have to be a dedicated CPU chip (for example, a dedicated CPU integrated in the biometric module). That is, in the form of a reusable CPU chip, the processing power of the reusable CPU chip can be further exerted.
  • Embodiment 6 of the present application provides a terminal.
  • the terminal includes the biometric device as described in Embodiment 5 of the present application.
  • the terminal may be a mobile phone, a tablet, a personal computer, a server, a network device, or other electronic device, etc., including the biometric device as described in Embodiment 5 of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Collating Specific Patterns (AREA)

Abstract

Disclosed are a method for saving and verifying a biometric template, and a biometric recognition apparatus and terminal, belonging to the technical field of biological recognition. The method for saving a biometric template comprises: processing a biometric encrypted template generated by means of biometric template encryption, so as to obtain M groups of biometric encrypted template data, where M ≥ 2 (S11, S33); and saving the M groups of biometric encrypted template data in N storage regions, so that at least one group of biometric encrypted template data is saved in each of the storage regions after a saving operation, where 1 < N ≤ M (S12, S34). By means of processing a biometric encrypted template into multiple groups of biometric encrypted template data and then separately saving the multiple pieces of biometric encrypted template data in at least two storage regions, the multiple groups of biometric encrypted template data are separately saved in the multiple storage regions and will thus not easily be fully leaked, so that the large security hazard brought about by the prior art for the application of a biometric template can be effectively eliminated.

Description

生物特征模板保存、验证方法及生物特征识别装置、终端Biometric template preservation, verification method, biometric identification device, terminal 技术领域Technical field

本申请实施例涉及生物识别技术领域,尤其涉及一种生物特征模板保存、验证方法及生物特征识别装置、终端。The embodiments of the present invention relate to the field of biometric identification technologies, and in particular, to a biometric template storage and verification method, a biometric identification device, and a terminal.

背景技术Background technique

由于人体的生物特征如指纹、掌纹、唇纹和虹膜等具有独一无二性,因此可用于身份验证等,以满足不同应用场景的安全、保密要求。例如,笔记本电脑、手机、平板电脑在开机时,或者进入重要涉密场所时,均需采集使用者的指纹来进行身份验证。Because the biological characteristics of the human body such as fingerprints, palm prints, lip lines and irises are unique, they can be used for identity verification, etc., to meet the security and confidentiality requirements of different application scenarios. For example, when a laptop, a mobile phone, or a tablet is turned on, or enters a critical location, it is necessary to collect the fingerprint of the user for authentication.

使用生物特征作为身份验证手段时,如图1a所示,通常的做法是先将生物特征原始数据处理成生物特征模板即注册模板,然后再将生物特征模板整体保存在一个相对安全的存储区域中,图1a中以保存在TEE(Trusted Execution Environment,可信存储环境)的EMMC(Embedded Multi Media Card,嵌入式多媒体卡)存储器中为例。需要进行身份验证比对时,再将所述生物特征模板整体提取出来与新采集的生物特征模板进行安全比对,比对通过则验证通过,否则验证不通过。When using biometrics as an authentication method, as shown in Figure 1a, it is common practice to first process the biometric raw data into a biometric template, ie, a registration template, and then save the biometric template as a whole in a relatively secure storage area. For example, in Figure 1a, an EMMC (Embedded Multi Media Card) memory stored in a TEE (Trusted Execution Environment) is taken as an example. When the authentication comparison is needed, the biometric template is extracted and compared with the newly collected biometric template, and the comparison is passed, otherwise the verification fails.

由于生物特征模板整体性地保存在一个并非十分安全的存储区域中,因此如果该存储区域遭到攻击,相应地,生物特征模板也会被整体泄漏,从而给生物特征模板的应用带来较大安全隐患。Since the biometric template is stored in a storage area that is not very secure, if the storage area is attacked, the biometric template will be leaked as a whole, which will bring a larger application to the biometric template. Security risks.

发明内容Summary of the invention

有鉴于此,本申请实施例提供的生物特征模板保存、验证方法及生物特征识别装置、终端,用以至少解决现有技术中存在的上述问题。In view of this, the biometric template storage and verification method, the biometric identification device, and the terminal provided by the embodiments of the present application are used to solve at least the above problems in the prior art.

本申请实施例第一个方面提供一种生物特征模板保存方法,该生物特征模板保存方法包括:A first aspect of the embodiments of the present application provides a biometric template saving method, where the biometric template saving method includes:

对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组 生物特征加密模板数据,M≥2;Processing the biometric encryption template generated according to the biometric template encryption to obtain the M group Biometric encryption template data, M≥2;

将M组生物特征加密模板数据存入N个存储区域中,存入后的每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data exists in each storage area after storage, 1<N≤M.

可选地,在本申请一具体实施例中,所述N个存储区域中至少有一个存储区域为芯片级安全环境的存储区域。Optionally, in a specific embodiment of the present application, at least one of the N storage areas is a storage area of a chip-level security environment.

可选地,在本申请一具体实施例中,所述对根据生物特征模板生成的生物特征加密模板进行处理包括:对所述生物特征加密模板进行拆分处理。Optionally, in a specific embodiment of the present application, the processing, by the biometric encryption template generated by the biometric template, includes: performing a splitting process on the biometric encryption template.

可选地,在本申请一具体实施例中,对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据之前还包括:将根据生物特征模板加密生成生物特征加密模板时所用的密钥置入到生物特征加密模板中的任一位置。Optionally, in a specific embodiment of the present application, the biometric encryption template generated according to the biometric template encryption is processed, and before the obtaining the M biometric encryption template data, the method further includes: encrypting the biometric encryption according to the biometric template. The key used in the template is placed anywhere in the biometric encryption template.

可选地,在本申请一具体实施例中,所述密钥被置入到所述生物特征加密模板的起始位置或末尾位置。Optionally, in a specific embodiment of the present application, the key is placed into a start position or an end position of the biometric encryption template.

可选地,在本申请一具体实施例中,该方法还包括:Optionally, in a specific embodiment of the present application, the method further includes:

将对所述生物特征模板进行一致性校验得到的校验数据置入到所述生物特征模板中的任一位置;Performing verification data obtained by performing consistency check on the biometric template into any position in the biometric template;

对含有校验数据的生物特征模板进行加密,生成所述生物特征加密模板。The biometric template containing the verification data is encrypted to generate the biometric encryption template.

可选地,在本申请一具体实施例中,所述一致性校验为哈希校验,所述得到的校验数据为哈希校验值,且所述哈希校验值被置入到所述生物特征模板的起始位置之前或末尾位置之后。Optionally, in a specific embodiment of the present application, the consistency check is a hash check, the obtained check data is a hash check value, and the hash check value is placed. Before or after the start position of the biometric template.

可选地,在本申请一具体实施例中,该方法还包括:Optionally, in a specific embodiment of the present application, the method further includes:

采集生物特征原始数据;Collect biometric raw data;

对所述采集到的生物特征原始数据进行生物特征和/或图像特征提取,得到多个生物特征数据;Performing biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data;

对所述多个生物特征数据进行组合,得到所述生物特征模板。Combining the plurality of biometric data to obtain the biometric template.

可选地,在本申请一具体实施例中,所述生物特征原始数据为指纹特征原始数据或指纹图像数据;Optionally, in a specific embodiment of the present application, the biometric original data is fingerprint feature original data or fingerprint image data;

其中,所述生物特征数据为指纹特征点数据或指纹特征图像极值数据; The biometric data is fingerprint feature point data or fingerprint feature image extremum data;

所述对采集到的生物特征原始数据进行生物特征和/或图像特征提取,得到多个生物特征数据包括:对采集到的指纹特征点原始数据进行指纹特征点提取,得到多个指纹特征点数据,和/或,对采集到的指纹特征原始数据进行指纹特征图像提取,得到多个指纹特征图像极值数据。Performing biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data includes: extracting fingerprint feature points from the collected fingerprint feature point original data, and obtaining multiple fingerprint feature point data. And/or, performing fingerprint feature image extraction on the collected fingerprint feature raw data to obtain a plurality of fingerprint feature image extremum data.

本申请实施例第二个方面提供一种生物特征模板验证方法,其特征在于,包括:A second aspect of the embodiments of the present application provides a biometric template verification method, including:

对从N个存储区域中获取的M组关联生物特征加密模板数据进行处理,得到生物特征加密模板,M≥2,1<N≤M;Processing the M group associated biometric encryption template data obtained from the N storage areas to obtain a biometric encryption template, M≥2, 1<N≤M;

对根据所述生物特征加密模板得到的待验证生物特征模板进行一致性校验验证,若验证通过,则判定所述待验证生物特征模板与原生物特征模板一致。And performing a consistency check verification on the biometric template to be verified obtained according to the biometric encryption template. If the verification is passed, determining that the biometric template to be verified is consistent with the original biometric template.

可选地,在本申请一具体实施例中,所述N个存储区域中至少含有一个芯片级安全环境的存储区域。Optionally, in a specific embodiment of the present application, the N storage areas include at least one storage area of a chip-level security environment.

可选地,在本申请一具体实施例中,所述将根据生物特征加密模板得到的待验证生物特征模板进行一致性校验验证包括:将对待验证生物特征模板进行一致性校验所生成的第一校验数据与从待验证生物校验模板中获取到的第二校验数据进行比对验证;Optionally, in a specific embodiment of the present application, the performing verification verification of the biometric template to be verified according to the biometric encryption template includes: generating a consistency check of the biometric template to be verified. The first verification data is compared with the second verification data obtained from the biometric verification template to be verified;

若第一校验数据与第二校验数据相同,则认为验证通过。If the first check data is the same as the second check data, the verification is considered to pass.

可选地,在本申请一具体实施例中,所述对待验证生物特征模板进行一致性校验包括:对待验证生物特征模板进行哈希校验。Optionally, in a specific embodiment of the present application, performing consistency check on the biometric template to be verified includes: performing hash check on the biometric template to be verified.

可选地,在本申请一具体实施例中,所述第二校验数据从所述待验证生物校验模板的头部或尾部提取出。Optionally, in a specific embodiment of the present application, the second check data is extracted from a header or a tail of the to-be-verified biometric template.

可选地,在本申请一具体实施例中,所述根据生物特征加密模板得到待验证生物特征模板包括:Optionally, in a specific embodiment of the present application, the obtaining a biometric template to be verified according to the biometric encryption template includes:

从所述生物特征加密模板的头部或尾部提取出密钥;Extracting a key from a header or a tail of the biometric encryption template;

根据所述密钥对生物特征加密模板进行解密,得到待验证生物特征模板。Decrypting the biometric encryption template according to the key to obtain a biometric template to be verified.

本申请实施例第三个方面提供一种生物特征识别装置,其特征在于,包括生物特征采集模块、生物特征数据处理芯片和存储模块; A third aspect of the embodiments of the present application provides a biometric identification device, which includes a biometrics collection module, a biometric data processing chip, and a storage module.

生物特征采集模块用于采集用户的生物特征信息;The biometric collection module is configured to collect biometric information of the user;

生物特征数据处理芯片用于对所述生物特征信息进行特征提取,得到生物特征数据并组合成生物特征模板,并对所述生物特征模板进行加密处理,生成生物特征加密模板;以及用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2;The biometric data processing chip is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template; The biometric template generated by the biometric template encryption is processed to obtain the M group biometric encryption template data, M≥2;

存储模块用于存储所述M组生物特征加密模板数据,所述存储模块包括N个存储区域,且所述M组生物特征加密模板数据存入到所述存储模块后,每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。The storage module is configured to store the M sets of biometric encryption template data, where the storage module includes N storage areas, and the M sets of biometric encryption template data are stored in the storage module, and at least in each storage area There is a set of biometric encryption template data, 1 < N ≤ M.

可选地,在本申请一具体实施例中,包括模板生成单元和模板处理单元;Optionally, in a specific embodiment of the present application, a template generating unit and a template processing unit are included;

所述模板生成单元,用于对所述生物特征信息进行特征提取,得到生物特征数据并组合成生物特征模板,并对所述生物特征模板进行加密处理,生成生物特征加密模板;The template generating unit is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template.

所述模板处理单元,用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据。The template processing unit is configured to process the biometric encryption template generated according to the biometric template encryption to obtain M sets of biometric encryption template data.

可选地,在本申请一具体实施例中,所述生物特征数据处理芯片还包括:模板数据获取单元、模板还原单元以及模板验证单元;Optionally, in a specific embodiment of the present application, the biometric data processing chip further includes: a template data acquiring unit, a template restoring unit, and a template verifying unit;

所述模板数据获取单元,用于从所述存储模块的N个存储区域中获取相互关联的M组生物特征加密模板数据;The template data acquiring unit is configured to acquire M sets of biometric encryption template data associated with each other from the N storage areas of the storage module;

所述模板还原单元,用于将所述M组生物特征加密模板数据进行重组,还原得到生物特征加密模板;The template restoring unit is configured to recombine the M group biometric encryption template data to obtain a biometric encryption template;

所述解密验证单元,用于对所述生物特征加密模板进行解密处理,得到待验证生物特征模板,并通过对所述待验证生物特征模板进行一致性校验验证,判定所述待验证生物特征模板是否与原生物特征模板一致。The decryption verification unit is configured to decrypt the biometric encryption template to obtain a biometric template to be verified, and determine the biometric to be verified by performing consistency verification on the biometric template to be verified. Whether the template is consistent with the original biometric template.

本申请实施例第四个方面提供一种终端,该终端包括如权利要求16至18任一项所述的生物特征识别装置。A fourth aspect of the embodiments of the present application provides a terminal comprising the biometric identification device according to any one of claims 16 to 18.

由以上技术方案可见,本申请实施例通过将生物特征加密模板处理成例如拆分成多组生物特征加密模板数据后,再将上述多个生物特征加密模板数据分散保存在至少2个存储区域中,使得多组生物特征加密模板数据分散保 存在多个存储区域中,与现有技术中将生物特征模板整体性地保存在一个存储区域相比,分散保存在多个存储区域的多组生物特征加密模板数据同时遭攻击的概率更小,相应地被整体泄漏的概率也更低,从而可有效消除现有技术给生物特征模板的应用带来的较大安全隐患。As can be seen from the foregoing technical solutions, the embodiment of the present application processes the biometric encryption template into, for example, split into multiple sets of biometric encryption template data, and then stores the plurality of biometric encryption template data in at least two storage areas. , so that multiple sets of biometric encryption template data are dispersed There are a plurality of storage areas. Compared with the prior art, the biometric template is stored in a storage area as a whole, and the probability of attacking multiple sets of biometric encryption template data dispersed in multiple storage areas is less. Correspondingly, the probability of being leaked as a whole is also lower, so that the large security risks brought by the prior art to the application of the biometric template can be effectively eliminated.

附图说明DRAWINGS

图1a为现有技术生物特征模板存储示意图。FIG. 1a is a schematic diagram of a prior art biometric template storage.

图1b为本申请实施例一提供的生物特征模板保存方法流程图。FIG. 1b is a flowchart of a biometric template saving method according to Embodiment 1 of the present application.

图2为本申请实施例二提供的生物特征模板保存方法流程图。FIG. 2 is a flowchart of a biometric template saving method according to Embodiment 2 of the present application.

图3为本申请实施例三提供的生物特征模板保存方法流程图。FIG. 3 is a flowchart of a biometric template saving method according to Embodiment 3 of the present application.

图4为本申请实施例四提供的生物特征模板验证方法流程图。4 is a flowchart of a biometric template verification method according to Embodiment 4 of the present application.

图5为本申请实施例五提供的生物特征识别装置结构图。FIG. 5 is a structural diagram of a biometric identification device according to Embodiment 5 of the present application.

具体实施方式detailed description

为使本领域的普通技术人员更好地理解本申请实施例中的技术方案,下面结合附图对本申请实施例中的技术方案进行清楚、完整地描述。显然,所描述的实施例仅是本申请的一部分实施例,而不是全部实施例。因此,本领域普通技术人员基于所描述的实施例而获得的其他实施例,都应当属于本申请实施例保护的范围。For a better understanding of the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application are clearly and completely described below with reference to the accompanying drawings. It is apparent that the described embodiments are only a part of the embodiments of the present application, and not all of them. Therefore, other embodiments obtained by those skilled in the art based on the described embodiments should fall within the scope of protection of the embodiments of the present application.

[实施例一][Example 1]

图1b为本申请实施例一提供的生物特征模板保存方法流程图。如图1b所示,所述生物特征模板保存方法包括:FIG. 1b is a flowchart of a biometric template saving method according to Embodiment 1 of the present application. As shown in FIG. 1b, the biometric template saving method includes:

S11、对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2。S11. Process the biometric encryption template generated according to the biometric template encryption to obtain M group biometric encryption template data, where M≥2.

本步骤中,生物特征模板可由多个生物特征数据组合而生成,即对多个生物特征数据进行组合可生成生物特征模板。其中,生物特征数据可通过对采集到的生物特征原始数据进行指纹特征提取和/或图像特征提取处理所得到的数据。 In this step, the biometric template may be generated by combining a plurality of biometric data, that is, combining the plurality of biometric data to generate a biometric template. The biometric data may be obtained by performing fingerprint feature extraction and/or image feature extraction processing on the collected biometric raw data.

本步骤中,根据生物特征模板加密生成生物特征加密模板具体可以为使用AES(128位或256位)加密算法对生物特征模板进行加密生成生物特征加密模板。示例性地,如果使用AES256加密算法的话,具体可采用AES256-CBC算法。采用AES256-CBC算法对生物特征模板进行加密时,可先将生物特征模板分为若干个待加密密码块(相当于明文块),然后按照以下方法对每一个待加密密码块进行加密:In this step, the biometric encryption template is generated according to the biometric template encryption, and the biometric template may be encrypted by using an AES (128-bit or 256-bit) encryption algorithm to generate a biometric encryption template. Illustratively, if the AES256 encryption algorithm is used, the AES256-CBC algorithm can be specifically employed. When the biometric template is encrypted by the AES256-CBC algorithm, the biometric template may be first divided into a plurality of cipher blocks to be encrypted (equivalent to plaintext blocks), and then each cipher block to be encrypted is encrypted according to the following method:

将第一个待加密密码块与一个初始化向量数据块进行异或后再用加密密钥(256位,随机生成)进行加密,生成第一个密文;Exchanging the first block to be encrypted with an initialization vector block and then encrypting with an encryption key (256 bits, randomly generated) to generate the first ciphertext;

将第二个待加密密码块与第一个密文进行异或后再用所述加密密钥进行加密,生成第二个密文;And the second ciphertext to be encrypted is XORed with the first ciphertext, and then encrypted by the encryption key to generate a second ciphertext;

将第三个待加密密码块与第二个密文进行异或后再用所述加密密钥进行加密,生成第三个密文,以此类推,直至对全部待加密密码块加密完成,生成全部密文,所述全部密文即为生物特征加密模板。XORing the third block to be encrypted with the second ciphertext, encrypting with the encryption key, generating a third ciphertext, and so on, until all the cipher blocks to be encrypted are encrypted, and generating All ciphertexts are all biometric encryption templates.

上述加密过程中,由于AES256-CBC算法中对明文块(从第二个开始)进行了与前一个密文的异或运算,进而使得生成的生物特征加密模板更为复杂,因此采用AES256-CBC算法所生成的生物特征加密模板具有破解难度大、不易主动攻击的优点。In the above encryption process, since the AES256-CBC algorithm performs an exclusive OR operation with the previous ciphertext for the plaintext block (starting from the second one), the generated biometric encryption template is more complicated, so AES256-CBC is adopted. The biometric encryption template generated by the algorithm has the advantages of difficulty in cracking and difficulty in active attack.

可替代地,在本实施例中,还可采用AES128-CBC(加密密钥为128位)算法进行加密处理,其处理方法与AES256-CBC算法类似,在此不再赘述。Alternatively, in the embodiment, the AES128-CBC (encryption key is 128-bit) algorithm may be used for the encryption processing, and the processing method thereof is similar to the AES256-CBC algorithm, and details are not described herein again.

本步骤中,为了得到M组(至少2组)生物特征加密模板数据,在对生物特征加密模板进行处理时具体可以是对生物特征加密模板进行拆分处理,从而形成M组生物特征加密模板数据。其中,拆分处理可采用比较简便易行的拆分算法进行处理,例如将生物特征加密模板均匀地拆分成M组,或者将生物特征模板的前10KB数据拆分出来作为一组生物特征模板加密数据、将生物特征模板的剩余数据拆分出来作为另一组生物特征模板加密数据(此处以M=2为例)。拆分处理也可采用其他拆分算法进行处理,以能满足将生物特征加密模板拆分成M组生物特征加密模板数据为准。拆分处理后,M组生物特征加密数据中每一组中的数据量可以全部相同例如均为5KB,也可以部分相同、 部分不相同,还可以互不相同,具体可依实际需求而定。In this step, in order to obtain the M group (at least 2 groups) biometric encryption template data, when the biometric encryption template is processed, the biometric encryption template may be split and processed to form the M group biometric encryption template data. . The splitting process can be processed by a relatively simple splitting algorithm, such as uniformly splitting the biometric encryption template into M groups, or splitting the first 10 KB data of the biometric template into a set of biometric templates. Encrypt the data, split the remaining data of the biometric template and encrypt the data as another set of biometric templates (here, M=2 is taken as an example). The splitting process can also be processed by other splitting algorithms to meet the problem of splitting the biometric encryption template into M sets of biometric encryption template data. After the split processing, the amount of data in each group of the M group biometric encrypted data may be the same, for example, 5 KB, or may be partially the same. Some are different, but they can also be different from each other, depending on actual needs.

S12、将所述M组生物特征加密模板数据存入N个存储区域中,存入后的每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。S12: The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data is stored in each of the stored storage areas, where 1<N≤M.

执行本步骤后,会出现以下两种情况之一:After performing this step, one of two things will happen:

⑴N个存储区域中的每个存储区域中均存有1组生物特征加密模板数据(即M=N时)。(1) One set of biometric encryption template data is stored in each of the N storage areas (ie, when M=N).

⑵N个存储区域中的每个存储区域中至少存有一组生物特征加密模板数据(即1<N<M时)。例如,M=3,N=2时,则2个存储区域中的其中1个存储区域中存有1组生物特征加密模板数据,另一个存储区域中存有2组生物特征加密模板数据。(2) At least one set of biometric encryption template data exists in each of the N storage areas (ie, when 1<N<M). For example, when M=3 and N=2, one set of biometric encryption template data exists in one of the two storage areas, and two sets of biometric encryption template data exist in the other storage area.

本实施例中,通过将生物特征加密模板处理成例如拆分成多组生物特征加密模板数据再将上述多个生物特征加密模板数据分散保存在至少2个存储区域中,使得多组生物特征加密模板数据分散保存在多个存储区域中,与现有技术中将生物特征模板整体性地保存在一个存储区域相比,分散保存在多个存储区域的多组生物特征加密模板数据同时遭攻击的概率更小,相应地被整体泄漏的概率也更低,从而可有效消除现有技术给生物特征模板的应用带来的较大安全隐患。也就是说,本实施例得益于生物特征模板数据分散存储的特点,如果遭到攻击,则不易发生物特征模板数据整体泄漏的问题,当然也并不排除有部分生物特征加密数据被泄漏的可能性,但由于只有将M组生物特征模板加密数据整体获取到才可以解密出生物特征模板,因此即使部分生物特征加密数据被泄漏也难以被还原成生物特征模板。进一步地,即使非法获取到所述多组生物特征加密模板数据,也会因无法得知相应的处理方法(如组合处理方法,显而易见对非法获取者而言是未知的)而难以生成相应的生物特征加密模板。同时,由于生物特征加密模板是加密数据,因此也难以进行非法解密。In this embodiment, the biometric encryption template is processed into, for example, split into multiple sets of biometric encryption template data, and then the plurality of biometric encryption template data are dispersed and stored in at least two storage areas, so that multiple sets of biometric encryption are performed. The template data is dispersed and stored in a plurality of storage areas, and the plurality of sets of biometric encryption template data dispersed in the plurality of storage areas are simultaneously attacked compared with the prior art in which the biometric templates are integrally stored in one storage area. The probability is smaller, and the probability of being leaked by the whole is lower, which can effectively eliminate the large security risks brought by the prior art to the application of the biometric template. That is to say, the embodiment benefits from the feature of the decentralized storage of the biometric template data. If it is attacked, the problem of the overall leakage of the feature template data is not easy to occur, and it is of course not excluded that some biometric encrypted data is leaked. Possibility, but since the biometric template can be decrypted only when the M group biometric template encrypted data is acquired as a whole, it is difficult to be restored to the biometric template even if part of the biometric encrypted data is leaked. Further, even if the plurality of sets of biometric encryption template data are illegally acquired, it is difficult to generate a corresponding organism because the corresponding processing method (such as the combined processing method is obviously unknown to the illegal acquirer) cannot be known. Feature encryption template. At the same time, since the biometric encryption template is encrypted data, it is also difficult to perform illegal decryption.

在具体应用中,N个存储区域中至少有一个存储区域是芯片级安全环境例如SE(Secure Element,安全元件)的存储区域。由于芯片级安全环境是一种硬件级别的安全环境,被攻击成功的可能性极低,其对数据的安全防护等 级较软件级、半软件级安全环境都要高,因此保存在该芯片级安全环境的储存区域中的生物特征加密模块数据被泄漏的难度较大。换句话说,即使其他存储区域中的生物特征加密模板数据被泄漏,那么保存在芯片级安全环境的存储区域中的生物特征加密模板数据也难以遭到泄漏,从而使得所述M组生物特征模板加密数据难以被整体泄漏,进而可有效消除现有技术对生物特征模板的应用所造成的较大安全隐患。因此,通过采用芯片级安全环境的存储区域来保存至少一组生物特征加密模板数据的方式,既可满足分散保存的要求,又可满足生物特征加密数据免遭整体泄漏的要求。In a specific application, at least one of the N storage areas is a storage area of a chip-level security environment such as an SE (Secure Element). Since the chip-level security environment is a hardware-level security environment, the possibility of successful attack is extremely low, and its data security protection, etc. The level is higher than the software-level and semi-software-level security environment, so it is difficult to leak the biometric encryption module data stored in the storage area of the chip-level security environment. In other words, even if the biometric encryption template data in other storage areas is leaked, the biometric encryption template data stored in the storage area of the chip level security environment is hard to be leaked, thereby making the M group biometric template Encrypted data is difficult to be leaked as a whole, which can effectively eliminate the large security risks caused by the application of the biometric template in the prior art. Therefore, by using a storage area of a chip-level security environment to store at least one set of biometric encryption template data, the requirements for distributed preservation can be satisfied, and the requirements for biometric encrypted data to avoid overall leakage can be satisfied.

进一步地,当M组生物特征加密模板数据总的数据量较大时,芯片级安全环境的存储区域的由于总存储容量较小的原因,难以用来保存数据量较大的一组或多组生物特征加密模板数据。为了解决这个问题,可选地,可将M组生物特征加密模板数据中的一组或几组数据量较小的生物特征加密模板数据存入芯片级安全环境的存储区域中,将其余的一组或几组数据量较大的生物特征加密模板数据存入总存储容量较大的软件级或半软件级安全环境例如TEE(可信执行环境)、TrustZone(信任区)、SGX(Software Guard Extensions,软件防护扩展指令)或Rich OS(富操作系统)等的存储区域如外部存储介质:EMMC存储器、SD卡、磁盘中等。Further, when the total amount of data of the M group biometric encryption template data is large, the storage area of the chip level security environment is difficult to save one or more groups with a large amount of data due to a small total storage capacity. Biometric encryption template data. In order to solve this problem, optionally, one or more sets of biometric encryption template data in the M group biometric encryption template data may be stored in a storage area of the chip level security environment, and the remaining one is Group or groups of biometric encryption template data with large data volume are stored in software-level or semi-software-level security environments with large total storage capacity such as TEE (Trusted Execution Environment), TrustZone (trust zone), SGX (Software Guard Extensions) , software protection extension instructions) or Rich OS (rich operating system) and other storage areas such as external storage media: EMMC memory, SD card, disk and so on.

[实施例二][Embodiment 2]

图2为本申请实施例二提供的生物特征模板保存方法流程图。如图2所示,在本申请实施例一的基础上,所述生物特征模板保存方法包括:FIG. 2 is a flowchart of a biometric template saving method according to Embodiment 2 of the present application. As shown in FIG. 2, on the basis of the first embodiment of the present application, the biometric template saving method includes:

S21、将根据生物特征模板加密生成生物特征加密模板时所用的密钥置入生物特征加密模板中的任一位置。S21. The key used to generate the biometric encryption template according to the biometric template encryption is placed in any position in the biometric encryption template.

生物特征加密模板本质上是一个具有一定长度的数据序列,由此,将所述密钥置入生物特征加密模板中的任一位置则可以是置入到生物特征加密模板即所述数据序列的第一个数据之前、所述数据序列中任意两个数据之间、所述数据序列的最后一个数据之后。在对所述密钥进行置入时可对其所置入的位置进行记录,以便在后续应用中例如解密时能准确地对所述密钥进行定位提取。优选地方式是所述密钥被置入到所述数据序列的第一个数据之前, 即生物特征加密模板的起始位置之前,或者所述密钥被置入到所述数据序列的最后一个数据之后,即生物特征加密模板的末尾位置之后。所述密钥置入到生物特征加密模板中后,相当于生物特征加密模板中包含了所述密钥。示例性地,所述密钥属于对称密钥,具体可由系统的随机数生成函数随机生成,也可以预先进行设定(如在程序代码中写入)。The biometric encryption template is essentially a data sequence having a certain length, whereby any position placed in the biometric encryption template may be placed in the biometric encryption template, ie, the data sequence. Before the first data, between any two data in the data sequence, after the last data of the data sequence. The location at which the key is placed can be recorded so that the key can be accurately extracted during subsequent applications, such as decryption. Preferably, the key is placed before the first data of the data sequence, That is, before the start position of the biometric encryption template, or after the key is placed after the last data of the data sequence, that is, after the end position of the biometric encryption template. After the key is placed in the biometric encryption template, the key is included in the biometric encryption template. Exemplarily, the key belongs to a symmetric key, and may be randomly generated by a random number generating function of the system, or may be set in advance (such as writing in program code).

S22、对根据所述生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2。S22. Process the biometric encryption template generated according to the biometric template encryption to obtain M group biometric encryption template data, where M≥2.

步骤S22与本申请实施例一中的步骤S11相一致,其实现原理类似,在此不再赘述。需要说明的是,本步骤中的生物特加密模板中已包含了所述密钥。The step S22 is consistent with the step S11 in the first embodiment of the present application, and the implementation principle is similar, and details are not described herein again. It should be noted that the key is already included in the bio-encryption template in this step.

S23、将所述M组生物特征加密模板数据存入N个存储区域中,存入后的每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。S23: The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data is stored in each of the stored storage areas, where 1<N≤M.

本步骤与本申请实施例一中的步骤S12相一致,其实现原理与步骤S12类似,在此不再赘述。需要说明的是,由于密钥通常是加密和解密的关键,因此为使密钥更难于被泄漏,也可将所述密钥一并存入芯片级安全环境的存储区域中,例如将包含有所述密钥的一组生物特征加密模板数据(如不小于64Byte的数据)存入芯片级安全环境的存储区域中。This step is the same as the step S12 in the first embodiment of the present application, and the implementation principle is similar to the step S12, and details are not described herein again. It should be noted that since the key is usually the key to encryption and decryption, in order to make the key more difficult to be leaked, the key may also be stored in the storage area of the chip-level security environment, for example, including A set of biometric encryption template data (such as not less than 64 Bytes of data) of the key is stored in a storage area of the chip level security environment.

本实施例通过将密钥置入生物特征加密模板,可使得在后续应用中可通过该密钥对生物特征加密模板进行解密,以便得到原生物特征模板(即经加密生成生物特征加密模板的生物特征模板)。In this embodiment, by placing the key into the biometric encryption template, the biometric encryption template can be decrypted by the key in the subsequent application, so as to obtain the original biometric template (ie, the biometric encryption template is generated by encryption). Feature template).

[实施例三][Embodiment 3]

图3为本申请实施例三提供的生物特征模板保存方法流程图。如图3所示,在本申请实施例一的基础上,所述生物特征模板保存方法包括:FIG. 3 is a flowchart of a biometric template saving method according to Embodiment 3 of the present application. As shown in FIG. 3, based on the first embodiment of the present application, the biometric template saving method includes:

S31、将对生物特征模板进行一致性校验得到的校验数据置入到生物特征模板中的任一位置。S31. The verification data obtained by performing consistency check on the biometric template is placed in any position in the biometric template.

本步骤中,生物特征模板可由多个生物特征数据组合而生成,即对多个生物特征数据进行组合可生成生物特征模板。进一步地,生物特征数据是指对采集到的生物特征原始数据进行指纹特征提取和/或图像特征提取处理所 得到的数据,即对采集到的生物特征原始数据进行生物特征和/或图像特征提取,可得到多个生物特征数据。同时,为确保生物特征数据更加精确,可以通过多次采集生物特征原始数据,然后再对采集到的生物特征原始数据进行生物特征提取和/或图像特征提取,从而得到更多的生物特征数据。In this step, the biometric template may be generated by combining a plurality of biometric data, that is, combining the plurality of biometric data to generate a biometric template. Further, the biometric data refers to fingerprint feature extraction and/or image feature extraction processing on the collected biometric raw data. The obtained data, that is, the biometric and/or image feature extraction of the collected biometric raw data, can obtain a plurality of biometric data. At the same time, in order to ensure more accurate biometric data, biometric feature data can be collected multiple times, and then the biometric feature extraction and/or image feature extraction of the collected biometric raw data can be performed to obtain more biometric data.

通常,生物特征原始数据可以包括指指纹、掌纹、唇纹和虹膜特征原始数据等。本实施例中以指纹特征原始数据为例,指纹特征原始数据可包括指纹谷脊原始数据或指纹图像原始数据。指纹特征数据一般为指纹特征点数据或指纹特征图像极值数据。In general, biometric raw data may include fingerprints, palm prints, lip lines, and iris feature raw data. In this embodiment, taking the fingerprint feature raw data as an example, the fingerprint feature original data may include fingerprint valley ridge original data or fingerprint image original data. The fingerprint feature data is generally fingerprint feature point data or fingerprint feature image extremum data.

对应地,上述对采集到的生物特征原始数据进行生物特征和/或图像特征提取,得到多个生物特征数据具体包括:对采集到的指纹特征点原始数据例如指纹谷脊数据进行指纹特征点提取,得到多个指纹特征点数据,和/或对采集到的指纹特征原始数据例如指纹图像数据进行指纹特征图像提取,得到多个指纹特征图像极值数据。Correspondingly, the biometric feature and/or image feature extraction is performed on the collected biometric raw data, and obtaining the plurality of biometric data specifically includes: extracting fingerprint feature points from the collected fingerprint feature point original data, such as fingerprint valley data. Obtaining a plurality of fingerprint feature point data, and/or performing fingerprint feature image extraction on the collected fingerprint feature original data, such as fingerprint image data, to obtain a plurality of fingerprint feature image extremum data.

可选地,对于采集指纹特征原始数据的较大尺寸的指纹模组而言,由于较大尺寸的指纹模组采集到的指纹特征原始数据(如指纹谷脊数据)数量较大、包含的指纹特征原始数据也相对较为完整,因此可采用指纹特征点提取方式对指纹特征原始数据进行提取即可得到多个指纹特征数据;而对于小尺寸的指纹模组而言,由于其尺寸较小,采集到的指纹特征原始数据量相对较小、包含的指纹特征原始数据相对不够完整,因此通常采用基于指纹图像特征提取的方式来提取出多个指纹特征图像极值数据,进而得到多个指纹特征数据。或者也可以是,无论指纹模组的尺寸大小,既采集指纹特征原始数据,也采集指纹图像原始数据,而后分别以指纹特征点提取的方式对指纹特征原始数据进行提取并以基于指纹图像特征提取的方式对指纹图像原始数据进行提取,从而得到多个指纹特征数据。在此基础上得到的指纹特征模板可以是基于指纹谷脊数据所得到的指纹特征模板,可以是基于指纹图像数据所得到的指纹特征模板,还可以是基于指纹谷脊数据和指纹图像数据二者的结合所得到的指纹特征模板。Optionally, for the fingerprint module of the larger size that collects the original data of the fingerprint feature, the fingerprint data collected by the fingerprint module of a larger size (such as the fingerprint valley data) has a larger number and the fingerprint included. The feature raw data is relatively complete. Therefore, the fingerprint feature point extraction method can be used to extract the fingerprint feature original data to obtain multiple fingerprint feature data. For the small size fingerprint module, due to its small size, the collection is small. The original fingerprint data of the fingerprint feature is relatively small, and the original fingerprint data of the fingerprint feature is relatively incomplete. Therefore, the fingerprint image feature extraction method is generally used to extract the extreme value data of the plurality of fingerprint feature images, thereby obtaining multiple fingerprint feature data. . Alternatively, regardless of the size of the fingerprint module, both the original data of the fingerprint feature and the original data of the fingerprint image are collected, and then the fingerprint feature original data is extracted by fingerprint feature point extraction and extracted based on the fingerprint image feature. The method of extracting the fingerprint image raw data to obtain a plurality of fingerprint feature data. The fingerprint feature template obtained on the basis of the fingerprint feature template may be a fingerprint feature template obtained based on the fingerprint valley data, may be a fingerprint feature template obtained based on the fingerprint image data, or may be based on fingerprint valley data and fingerprint image data. The fingerprint feature template obtained by the combination.

可选地,指纹特征点数据可以包括指纹终结点、分叉点、分歧点、孤立 点、环点和/或短纹数据。Optionally, the fingerprint feature point data may include a fingerprint endpoint, a bifurcation point, a bifurcation point, and an isolated Point, ring point and/or short grain data.

一个典型的获得指纹特征模板的过程如下:A typical process for obtaining a fingerprint feature template is as follows:

a)系统通过界面提示用户按压指纹模组;a) the system prompts the user to press the fingerprint module through the interface;

b)用户根据界面提示以手指按压指纹模组;b) the user presses the fingerprint module with a finger according to the interface prompt;

c)系统检测到用户按压指纹模组后,通过指纹模组采集用户指纹特征原始数据例如指纹谷脊数据和/或指纹图像数据;c) after detecting that the user presses the fingerprint module, the system collects user fingerprint feature original data such as fingerprint valley data and/or fingerprint image data through the fingerprint module;

d)对指纹特征原始数据进行指纹特征提取例如通过指纹特征提取算法提取和/或指纹图像特征提取,得到多个指纹特征数据;d) performing fingerprint feature extraction on the fingerprint feature raw data, for example, by fingerprint feature extraction algorithm extraction and/or fingerprint image feature extraction, to obtain multiple fingerprint feature data;

e)反复执行步骤a至d,即可得到一个由大量指纹特征数据组成的指纹特征模板。e) Repeat steps a to d to obtain a fingerprint feature template consisting of a large number of fingerprint feature data.

需要说明的是,通过指纹原始特征数据可得到指纹特征模板,但反向过程是不可逆的,即通过指纹特征模板却不能还原指纹原始特征数据,原因是指纹特征提取算法提取的只是指纹上的特征点的数据,并没有保存指纹的所有纹理信息,因此必然存在部分指纹纹理信息丢失的问题,因此不能通过指纹模板还原出指纹特征原始数据。It should be noted that the fingerprint feature template can be obtained through the fingerprint original feature data, but the reverse process is irreversible, that is, the fingerprint feature template cannot restore the fingerprint original feature data, because the fingerprint feature extraction algorithm extracts only the fingerprint feature. The data of the point does not save all the texture information of the fingerprint, so there is a problem that part of the fingerprint texture information is lost, so the original data of the fingerprint feature cannot be restored by the fingerprint template.

在本步骤S31中,为了在后续验证生物特征模板被获取后是否遭到篡改或破坏,可将校验数据置入生物特征加密模板中的任一位置,通过该校验数据则可判断获取到的生物特征模板与原生物特征模板是否完全一致。例如,对获取到的待验证生物特征模板也进行同样的哈希校验则得到可作为校验数据的哈希校验值,将该哈希校验值与得到该待验证生物特征模板时同时得到的另一个校验数据(如另一个哈希校验值)进行比对,若这两个哈希校验值相同,则可判定该待验证生物特征模板与原生物特征模板完全一致,否则可判定该待验证生物特征模板为非法生物特征模板。In this step S31, in order to verify whether the biometric template is falsified or destroyed after being acquired, the verification data may be placed in any position in the biometric encryption template, and the verification data may be determined to be obtained. Whether the biometric template is identical to the original biometric template. For example, the same hash check is performed on the acquired biometric template to be verified to obtain a hash check value that can be used as the check data, and the hash check value is obtained simultaneously with the biometric template to be verified. Obtaining another check data (such as another hash check value) for comparison. If the two hash check values are the same, it may be determined that the biometric template to be verified is completely consistent with the original biometric template, otherwise The biometric template to be verified may be determined to be an illegal biometric template.

本步骤中,所述校验数据例如所述哈希校验值被置入到生物特征模板中的位置可自由选择,一般不做限制。较为常见的是,所述校验数据例如所述哈希校验值可被置入到所述生物特征模板的起始位置之前或末尾位置之后。在使用中,通常要将所述位置进行记录,以便在后续应用中需要对获取到的生物特征模板进行一致性验证时可以根据所述记录保存的位置准确提取出相 应的校验数据。显然,校验数据被置入到生物特征模板中,即相当于生物特征模板中包含了该校验数据。In this step, the verification data, for example, the location where the hash check value is placed in the biometric template can be freely selected, and is generally not limited. More commonly, the check data, for example the hash check value, can be placed before or after the start of the biometric template. In use, the location is usually recorded so that in the subsequent application, when the acquired biometric template needs to be consistently verified, the phase can be accurately extracted according to the location where the record is saved. The verification data should be. Obviously, the verification data is placed in the biometric template, which is equivalent to the biometric template containing the verification data.

本步骤中,可利用SHA-256算法对生物特征模板或者待验证生物特征模板进行哈希运算,相应地得到的对应的作为校验数据的哈希校验值。In this step, the biometric template or the biometric template to be verified may be hashed by the SHA-256 algorithm, and the corresponding hash check value obtained as the check data is obtained accordingly.

S32、对含有校验数据的生物特征模板进行加密,生成生物特征加密模板。S32. Encrypt the biometric template containing the verification data to generate a biometric encryption template.

示例性地,本步骤中的加密可采用本申请实施例一中AES256-CBC算法。当然,也可以采用其他加密算法。For example, the encryption in this step may adopt the AES256-CBC algorithm in the first embodiment of the present application. Of course, other encryption algorithms can also be used.

S33、对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2。S33. Process the biometric encryption template generated according to the biometric template encryption to obtain M group biometric encryption template data, where M≥2.

S34、将M组生物特征加密模板数据存入N个存储区域中,存入后的每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。S34: The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data exists in each storage area after the storage, 1<N≤M.

本实施例中,生物特征加密模板可以是对含有校验数据的生物特征模板进行加密所生成的生物特征加密模板。步骤S33、S34分别与本申请实施例一中的步骤S11、S12相一致,其实现原理与S11、S12类似,在此不再赘述。In this embodiment, the biometric encryption template may be a biometric encryption template generated by encrypting the biometric template containing the verification data. Steps S33 and S34 are respectively consistent with steps S11 and S12 in the first embodiment of the present application, and the implementation principle is similar to that of S11 and S12, and details are not described herein again.

本实施例通过将校验数据置入生物特征模板,可使得在后续应用中可通过该校验数据对获取到的生物特征模板进行一致性校验,以保证获取到的生物特征模板与原生物特征模板完全一致。In this embodiment, by placing the verification data into the biometric template, the biometric template obtained by the verification data can be consistently verified in the subsequent application to ensure the acquired biometric template and the original creature. The feature templates are identical.

[实施例四][Embodiment 4]

图4为本申请实施例四提供的生物特征模板验证方法流程图。如图4所示,所述生物特征模板验证方法包括:4 is a flowchart of a biometric template verification method according to Embodiment 4 of the present application. As shown in FIG. 4, the biometric template verification method includes:

S41、对从N个存储区域中获取的M组关联生物特征加密模板数据进行处理,得到生物特征加密模板,M≥2,1<N≤M。S41. Process the M sets of associated biometric encryption template data acquired from the N storage areas to obtain a biometric encryption template, where M≥2, 1<N≤M.

本步骤中,从N个存储区域中例如至少包括一个芯片级安全环境的储存区域的N个存储区域中获取M组关联生物特征加密数据的操作具体可以是,与存入所述M组关联生物特征加密数据时相对应的逆操作。即原来是按照存入的方式将M组生物特征加密模板数据存入N个存储区域的,那么获取的时候也要按照与原来存入方式相对应的方式将所述M组生物特征加密模板数据从所述N个存储区域中取出来。例如,存入时的方式是:将3组生物特征模 板加密数据存入2个存储区域中,其中第1组和第2组生物特征加密模板数据保存在第1个存储区域中,第3组生物特征加密模板数据保存在第2个存储区域中;那么获取时的方式则是:从第1个存储区域中取出第1组和第2组生物特征加密模板数据,从第2个存储区域中取出第3组生物特征加密模板数据。In this step, the operation of acquiring the M sets of associated biometric encrypted data from the N storage areas of the N storage areas, for example, the storage area including the at least one chip level security environment, may specifically be related to the M related entities stored in the M group. The corresponding inverse operation when the feature encrypts the data. That is, the M group biometric encryption template data is stored in the N storage areas according to the deposit method, and then the M group biometric encryption template data is also acquired in a manner corresponding to the original deposit mode. Taken from the N storage areas. For example, the way to deposit is: 3 sets of biometric models The board encryption data is stored in two storage areas, wherein the first group and the second group biometric encryption template data are stored in the first storage area, and the third group biometric encryption template data is stored in the second storage area; Then, the acquisition method is: taking out the first group and the second group of biometric encryption template data from the first storage area, and extracting the third group biometric encryption template data from the second storage area.

本步骤中,从M组关联生物特征加密模板数据得到生物特征加密模板的处理与从生物特征加密模板得到M组生物特征加密模板数据的处理可为一对互逆操作。例如,从生物特征加密模板得到M组生物特征加密模板数据的处理是拆分处理,那么从M组关联生物特征加密模板数据得到生物特征加密模板的处理则是与所述拆分处理相对应的组合处理。In this step, the processing of obtaining the biometric encryption template from the M group associated biometric encryption template data and the processing of obtaining the M group biometric encryption template data from the biometric encryption template may be a pair of reciprocal operations. For example, the process of obtaining the M group biometric encryption template data from the biometric encryption template is a splitting process, and then the process of obtaining the biometric encryption template from the M group associated biometric encryption template data is corresponding to the splitting process. Combined processing.

S42、对根据所述生物特征加密模板得到的待验证生物特征模板进行一致性校验验证,若验证通过,则判定所述待验证生物特征模板与原生物特征模板一致。S42. Perform consistency check verification on the biometric template to be verified obtained according to the biometric encryption template. If the verification is passed, determine that the biometric template to be verified is consistent with the original biometric template.

具体地,根据生物特征加密模板得到待验证生物特征模板的处理与根据原生物特征模板(相当于上述实施例中的生物特征模板,下同)加密生成生物特征加密模板的处理一对互逆操作。例如,根据原生物特征模板加密生成生物特征加密模板的处理是利用AES256-CBC算法对原生物特征模板进行加密生成生物特征模板,那么根据生物特征加密模板得到待验证生物特征模板的处理则是利用与AES256-CBC算法相对应的逆算法对生物特征加密模板进行解密得到待验证生物特征模板。Specifically, the process of obtaining the biometric template to be verified according to the biometric encryption template and the process of encrypting and generating the biometric encryption template according to the original biometric template (corresponding to the biometric template in the above embodiment) are used to perform a pair of reciprocal operations. . For example, the process of generating the biometric encryption template according to the original biometric template is to use the AES256-CBC algorithm to encrypt the original biometric template to generate the biometric template, and then the biometric template to be verified according to the biometric encryption template is utilized. The inverse algorithm corresponding to the AES256-CBC algorithm decrypts the biometric encryption template to obtain a biometric template to be verified.

示例性地,根据生物特征加密模板得到待验证生物特征模板的方式包括:根据从生物特征加密模板中获取到的密钥对生物特征加密模板进行解密,得到待验证生物特征模板。该方式具体可以是,从所述生物特征加密模板一个约定位置例如头部或尾部提取出密钥;根据所述密钥对生物特征加密模板进行解密,得到待验证生物特征模板。其中所述约定位置可以从保存有密钥在生物特征加密模板中的位置的记录中得到。For example, the method for obtaining the biometric template to be verified according to the biometric encryption template includes: decrypting the biometric encryption template according to the key obtained from the biometric encryption template to obtain a biometric template to be verified. Specifically, the method may be: extracting a key from an agreed position of the biometric encryption template, such as a header or a tail; and decrypting the biometric encryption template according to the key to obtain a biometric template to be verified. Wherein the agreed location may be derived from a record holding a location of the key in the biometric encryption template.

本步骤中,对待验证生物特征模板进行的一致性校验验证与对原生物特征模板进行的一致性校验的处理是相一致的。即对待验证生物特征模板和对 原生物特征模板所进行的一致性校验处理是相同的。例如所进行的一致性校验可以是相同的哈希校验如SHA-256校验。In this step, the consistency check verification performed on the biometric template to be verified is consistent with the consistency check on the original biometric template. That is to verify the biometric template and pair The consistency check processing performed by the original biometric template is the same. For example, the consistency check performed may be the same hash check as the SHA-256 check.

示例性地,得到待验证生物特征模板以及对待验证生物特征模板进行一致性校验验证的过程可包括:Illustratively, the process of obtaining the biometric template to be verified and the consistency verification verification of the biometric template to be verified may include:

a)对生物特征加密模板进行解密,得到待验证生物特征模板以及校验数据一。根据哈希校验原理,此处校验数据一可视为原生物特征模板经同样的哈希校验所产生的校验数据。a) Decrypting the biometric encryption template to obtain the biometric template to be verified and the verification data 1. According to the hash check principle, the check data here can be regarded as the check data generated by the original biometric template through the same hash check.

b)通过同样的哈希校验对待验证生物特征模板进行一致性校验,生成校验数据二。b) Perform the consistency check on the biometric template to be verified by the same hash check to generate the check data 2.

c)将校验数据二与校验数据一进行比对,若二者相同,则判定待验证生物特征模板与原生物特征模板完全一致,即待验证生物特征模板合法。否则,判定待验证生物特征模板与原生物特征模板不一致,即待验证生物特征模板不合法。c) Aligning the verification data 2 with the verification data one. If the two are the same, it is determined that the biometric template to be verified is completely consistent with the original biometric template, that is, the biometric template to be verified is legal. Otherwise, it is determined that the biometric template to be verified is inconsistent with the original biometric template, that is, the biometric template to be verified is invalid.

本实施例四提供的生物特征模板验证方法,通过对从N个存储区域中获取的M组关联生物特征加密模板数据进行处理,得到生物特征加密模板,再对由生物特征加密模板得到的待验证生物特征模板进行一致性验证,从而实现判定待验证生物特征模板与原生物特征模板是否一致,即待验证生物特征模板是否合法的目的。The biometric template verification method provided in the fourth embodiment processes the M-type associated biometric encryption template data obtained from the N storage areas to obtain the biometric encryption template, and then obtains the biometric encryption template to be verified. The biometric template is subjected to consistency verification, so as to determine whether the biometric template to be verified is consistent with the original biometric template, that is, whether the biometric template to be verified is legal.

通常,上述实施例中提供的生物特征模板保存方法与生物特征模板验证方法可以配合使用。下面介绍一下配合使用的流程:Generally, the biometric template saving method and the biometric template verification method provided in the above embodiments may be used in combination. Here's a look at the process used in conjunction with:

Figure PCTCN2017076403-appb-000001
Figure PCTCN2017076403-appb-000001

S501、对生物特征模板进行哈希校验(如SHA-256算法校验),产生第一哈希校验值。S501. Perform a hash check on the biometric template (such as a SHA-256 algorithm check) to generate a first hash check value.

S502、将第一哈希校验值置入生物特征模板的末尾位置之后,生成生物特征校验模板。S502. After the first hash check value is placed at the end position of the biometric template, generate a biometric verification template.

S503、通过第一密钥(相当于上述实施例中的密钥)对生物特征校验模板进行加密(例如采用AES256-CBC算法进行加密),生成生物特征加密模板,所述密钥可由系统的随机数生成函数随机生成,也可预先设定好,如在实现 程序(代码)中预先写入。S503. Encrypt the biometric verification template by using a first key (corresponding to the key in the foregoing embodiment) (for example, using an AES256-CBC algorithm for encryption) to generate a biometric encryption template, where the key may be implemented by a system. The random number generation function is randomly generated, and can also be preset, as in the implementation. Pre-written in the program (code).

S504、将第一密钥置入到生物特征加密模板中的起始位置之前。S504. Place the first key before the starting position in the biometric encryption template.

S505、对置入了第一密钥的生物特征加密模板进行拆分,得到2组生物特征加密模板数据。S505. Split the biometric encryption template into which the first key is placed to obtain two sets of biometric encryption template data.

S506、将其中一组例如含有第一密钥的一组生物特征加密模板数据存入SE安全环境的存储区域中,将另一组生物特征加密模板数据存入TEE安全环境的存储区域中。S506. Store one set of biometric encryption template data, for example, including the first key, in a storage area of the SE security environment, and store another set of biometric encryption template data in a storage area of the TEE security environment.

实际应用中,若上述流程中加密时采用了AES256-CBC算法进行加密,则其中含有第一密钥的那一组生物特征加密模板数据的数据容量应大于等于64Bytes并小于等于10KB。将容量设为大于等于64Bytes是为了将第一密钥(如256位)完整地包含在该组的数据中,同时设为不大于10KB是基于SE存储区域的总容量较小的考虑。In practical applications, if the AES256-CBC algorithm is used for encryption in the above process, the data capacity of the set of biometric encryption template data containing the first key should be greater than or equal to 64 Bytes and less than or equal to 10 KB. Setting the capacity to 64 Bytes or more is to completely include the first key (such as 256 bits) in the data of the group, and setting it to not more than 10 KB is based on the consideration that the total capacity of the SE storage area is small.

Figure PCTCN2017076403-appb-000002
Figure PCTCN2017076403-appb-000002

S507、从SE的存储区域中和TEE的存储区域中取出2组关联的待验证生物特征加密模板数据。S507. Extract two sets of associated biometric encryption template data to be verified from the storage area of the SE and the storage area of the TEE.

S508、将2组待验证生物特征加密模板数据进行组合处理(与上述拆分处理相对应),得到待验证生物特征加密模板(相当于上述生物特征加密模板)。S508. Combine the two sets of biometric encryption template data to be verified (corresponding to the splitting process) to obtain a biometric encryption template to be verified (corresponding to the biometric encryption template).

S509、根据从待验证生物特征加密模板头部取出的第二密钥对待验证生物特征加密模板(除去第二密钥的部分)进行解密,得到待验证生物特征校验模板(相当于上述生物特征校验模板)。S509. Decrypt the biometric encryption template (the part excluding the second key) to be verified according to the second key extracted from the biometric encryption template header to be verified, to obtain a biometric verification template to be verified (corresponding to the biometric feature) Check template).

S510、从待验证生物特征校验模板的尾部取出第二哈希校验值(相当于上述第一哈希校验值),以及待验证生物特征模板。S510. Extract a second hash check value (corresponding to the first hash check value) from a tail of the biometric verification template to be verified, and a biometric template to be verified.

S511、对待验证生物特征模板进行哈希校验(与上述哈希校验相同),得到第三哈希校验值,若第三哈希校验值与第二哈希校验值相同,则判定待验证生物特征模板与上述生物特征模板完全一致,即待验证生物特征模板为合法生物特征模板。否则,判定待验证生物特征模板与上述生物特征模板不一致,即待验证生物特征模板为非法生物特征模板。 S511. Perform a hash check on the biometric template to be verified (same as the hash check) to obtain a third hash check value. If the third hash check value is the same as the second hash check value, The biometric template to be verified is completely consistent with the biometric template, that is, the biometric template to be verified is a legal biometric template. Otherwise, it is determined that the biometric template to be verified is inconsistent with the biometric template, that is, the biometric template to be verified is an illegal biometric template.

[实施例五][Embodiment 5]

图5为本申请实施例五提供的生物特征识别装置结构图。该生物特征识别装置是包括生物特征采集模块1(比如指纹采集芯片、指纹传感器等)、生物特征数据处理芯片2(比如微处理器)和存储模块3的装置。所述生物特征识别装置可以应用在移动终端(比如智能手机、平板电脑等)或者其他电子设备上,以用于执行如上述各个实施例描述的生物特征模板保存方法和/或生物特征模板验证方法。FIG. 5 is a structural diagram of a biometric identification device according to Embodiment 5 of the present application. The biometric device is a device including a biometrics acquisition module 1 (such as a fingerprint acquisition chip, a fingerprint sensor, etc.), a biometric data processing chip 2 (such as a microprocessor), and a storage module 3. The biometric device may be applied to a mobile terminal (such as a smart phone, a tablet, etc.) or other electronic device for performing the biometric template saving method and/or the biometric template verification method as described in the above embodiments. .

具体地,作为一种实施例,生物特征采集模块1用于在生物特征注册阶段采集用户的生物特征信息。所述生物特征采集模块1可以具体为用于采集生物特征信息的生物特征传感器(比如指纹传感器)。所述生物特征信息可以具体为生物特征原始数据(比如指纹原始数据)。Specifically, as an embodiment, the biometric collection module 1 is configured to collect biometric information of the user during the biometric registration phase. The biometric collection module 1 may be specifically a biometric sensor (such as a fingerprint sensor) for collecting biometric information. The biometric information may be specifically biometric raw data (such as fingerprint raw data).

生物特征数据处理芯片2用于对所述生物特征采集模块1采集到的生物特征信息进行特征提取来得到生物特征数据并组合成生物特征模板,并且对所述生物特征模板进行加密处理,生成生物特征加密模板;以及用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2,比如,所述生物特征数据处理芯片2可以通过预设拆分算法将所述生物特征加密模板拆分成所述M组生物特征加密模板数据。The biometric data processing chip 2 is configured to perform feature extraction on the biometric information collected by the biometric collection module 1 to obtain biometric data and combine the biometric templates into a biometric template, and encrypt the biometric template to generate a biometric a feature encryption template; and processing the biometric encryption template generated according to the biometric template encryption to obtain the M group biometric encryption template data, M≥2, for example, the biometric data processing chip 2 can be decomposed by default The sub-algorithm splits the biometric encryption template into the M sets of biometric encryption template data.

可选地,所述生物特征数据处理芯片2包括:模板生成单元和模板处理单元。Optionally, the biometric data processing chip 2 includes: a template generating unit and a template processing unit.

所述模板生成单元,用于对所述生物特征采集模块1采集到的生物特征信息进行特征提取来得到生物特征数据并组合成生物特征模板,并且对所述生物特征模板进行加密处理,生成生物特征加密模板。The template generating unit is configured to perform feature extraction on the biometric information collected by the biometric feature collection module 1 to obtain biometric data and combine the biometric template into a biometric template, and encrypt the biometric template to generate a biometric Feature encryption template.

所述模板处理单元,用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2,比如,所述模板处理单元可以通过预设拆分算法将所述生物特征加密模板拆分成所述M组生物特征加密模板数据。The template processing unit is configured to process the biometric encryption template generated by the biometric template encryption to obtain the M group biometric encryption template data, where M≥2. For example, the template processing unit may adopt a preset splitting algorithm. And dividing the biometric encryption template into the M group biometric encryption template data.

可选地,在具体实施例中,所述模板生成单元还可以用于在所述模板处理单元对所述生物特征加密模板进行处理并得到M组生物特征加密模板数据 之前,将根据生物特征模板加密生成生物特征加密模板时所用的密钥置入到生物特征加密模板中的任一位置。Optionally, in a specific embodiment, the template generating unit may be further configured to process the biometric encryption template in the template processing unit and obtain M sets of biometric encryption template data. Previously, the key used to generate the biometric encryption template based on the biometric template encryption is placed in any location in the biometric encryption template.

可选地,在具体实施例中,所述模板生成单元还可以用于在所述模板处理单元对所述生物特征加密模板进行处理并得到M组生物特征加密模板数据之前,对所述生物特征模板进行一致性校验,并将对生物特征模板进行一致性校验得到的校验数据置入到生物特征模板中的任一位置。所述模板生成单元具体可以通过对含有所述校验数据的生物特征模板进行加密,生成所述生物特征加密模板。Optionally, in a specific embodiment, the template generating unit may be further configured to: before the template processing unit processes the biometric encryption template and obtain M sets of biometric encryption template data, The template performs consistency check, and the verification data obtained by performing consistency check on the biometric template is placed in any position in the biometric template. The template generating unit may specifically generate the biometric encryption template by encrypting the biometric template containing the verification data.

存储模块3用于存储所述M组生物特征加密模板数据。具体地,所述存储模块3可以包括N个存储区域,且所述M组生物特征加密模板数据存入到所述存储模块后,每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。The storage module 3 is configured to store the M sets of biometric encryption template data. Specifically, the storage module 3 may include N storage areas, and after the M sets of biometric encryption template data are stored in the storage module, at least one set of biometric encryption template data exists in each storage area. 1 < N ≤ M.

作为一种优选的实施例,在所述存储模块的M个存储区域中,至少有一个存储区域是芯片级安全环境例如SE(Secure Element,安全元件)的存储区域。As a preferred embodiment, at least one of the M storage areas of the storage module is a storage area of a chip-level security environment such as an SE (Secure Element).

实际应用中,所述生物特征识数据处理芯片一般还可包括:模板数据获取单元、模板还原单元以及模板验证单元。In a practical application, the biometric data processing chip may further include: a template data acquiring unit, a template restoring unit, and a template verifying unit.

所述模板数据获取单元,用于从所述存储模块的N个存储区域中获取相互关联的M组生物特征加密模板数据;The template data acquiring unit is configured to acquire M sets of biometric encryption template data associated with each other from the N storage areas of the storage module;

所述模板还原单元,用于将所述M组生物特征加密模板数据进行重组,还原得到生物特征加密模板;The template restoring unit is configured to recombine the M group biometric encryption template data to obtain a biometric encryption template;

所述解密验证单元,用于对所述生物特征加密模板进行解密处理,得到待验证生物特征模板,并通过对所述待验证生物特征模板进行一致性校验验证,判定所述待验证生物特征模板是否与原生物特征模板一致。The decryption verification unit is configured to decrypt the biometric encryption template to obtain a biometric template to be verified, and determine the biometric to be verified by performing consistency verification on the biometric template to be verified. Whether the template is consistent with the original biometric template.

可选地,所述解密验证单元具体用于将对所述待验证生物特征模板进行一致性校验所生成的第一校验数据与从所述待验证生物校验模板中获取到的第二校验数据进行比对验证,若所述第一校验数据与所述第二校验数据相同,则验证通过并可判定所述待验证生物特征模板与原生物特征模板一致;否则 验证不通过并可判定所述待验证生物特征模板与原生物特征模板不致。Optionally, the decryption verification unit is specifically configured to: use the first verification data generated by performing consistency check on the biometric template to be verified, and the second verification data obtained from the to-be-verified biometric verification template. Verifying the data for comparison verification. If the first verification data is the same as the second verification data, the verification passes and may determine that the biometric template to be verified is consistent with the original biometric template; otherwise The verification fails and may determine that the biometric template to be verified does not match the original biometric template.

可选地,所述生物特征识别装置可用于执行本申请实施例一至四中的相应方法或步骤,或者可进一步通过所包含的模块(单元)等执行本申请实施例一至四中的相应方法或步骤。其实现原理与本申请实施例一至四类似,在此不再赘述。Optionally, the biometric device may be used to perform the corresponding method or step in the first to fourth embodiments of the present application, or may further perform the corresponding method in the first to fourth embodiments of the present application by using the included module (unit) or the like. step. The implementation principle is similar to the first to fourth embodiments of the present application, and details are not described herein again.

示例性地,本实施例所述生物特征数据处理芯片可以复用所述移动终端或者其他电子设备的CPU芯片,而不一定必须是专用CPU芯片(例如集成在生物采集模块中的专用CPU),即采用可复用的CPU芯片的形式,从而可进一步发挥所述可复用的CPU芯片的处理功效。Illustratively, the biometric data processing chip in this embodiment may multiplex the CPU chip of the mobile terminal or other electronic device, and does not necessarily have to be a dedicated CPU chip (for example, a dedicated CPU integrated in the biometric module). That is, in the form of a reusable CPU chip, the processing power of the reusable CPU chip can be further exerted.

[实施例六][Embodiment 6]

本申请实施例六提供一种终端。该终端包括如本申请实施例五所述的生物特征识别装置。示例性地,该终端可以是包含有如本申请实施例五所述的生物特征识别装置的手机、平板、个人计算机、服务器、网络设备或其他电子设备等。Embodiment 6 of the present application provides a terminal. The terminal includes the biometric device as described in Embodiment 5 of the present application. Illustratively, the terminal may be a mobile phone, a tablet, a personal computer, a server, a network device, or other electronic device, etc., including the biometric device as described in Embodiment 5 of the present application.

最后应说明的是:以上实施例仅用以说明本申请实施例的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。 Finally, it should be noted that the above embodiments are only used to explain the technical solutions of the embodiments of the present application, and are not limited thereto; although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that The technical solutions described in the foregoing embodiments may be modified, or some of the technical features may be equivalently replaced; and the modifications or substitutions do not deviate from the spirit of the technical solutions of the embodiments of the present application. range.

Claims (19)

一种生物特征模板保存方法,其特征在于,包括:A biometric template saving method, comprising: 对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2;Processing the biometric encryption template generated according to the biometric template encryption to obtain M group biometric encryption template data, M≥2; 将所述M组生物特征加密模板数据存入N个存储区域中,存入后的每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。The M group biometric encryption template data is stored in the N storage areas, and at least one set of biometric encryption template data is stored in each of the stored storage areas, 1<N≤M. 根据权利要求1所述的生物特征模板保存方法,其特征在于,所述N个存储区域中至少有一个存储区域为芯片级安全环境的存储区域。The biometric template saving method according to claim 1, wherein at least one of the N storage areas is a storage area of a chip level security environment. 根据权利要求1所述的生物特征模板保存方法,其特征在于,所述对根据生物特征模板生成的生物特征加密模板进行处理包括:对所述生物特征加密模板进行拆分处理。The biometric template saving method according to claim 1, wherein the processing the biometric encryption template generated according to the biometric template comprises: performing a splitting process on the biometric encryption template. 根据权利要求1所述的生物特征模板保存方法,其特征在于,对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据之前还包括:将根据生物特征模板加密生成生物特征加密模板时所用的密钥置入到生物特征加密模板中的任一位置。The biometric template saving method according to claim 1, wherein the biometric encryption template generated by the biometric template is processed to obtain the M biometric encryption template data, and the method further comprises: encrypting according to the biometric template. The key used to generate the biometric encryption template is placed anywhere in the biometric encryption template. 根据权利要求4所述的生物特征模板保存方法,其特征在于,所述密钥被置入到所述生物特征加密模板的起始位置或末尾位置。The biometric template saving method according to claim 4, wherein the key is placed at a start position or an end position of the biometric encryption template. 根据权利要求1所述的生物特征模板保存方法,其特征在于,还包括:The biometric template saving method according to claim 1, further comprising: 将对所述生物特征模板进行一致性校验得到的校验数据置入到所述生物特征模板中的任一位置;Performing verification data obtained by performing consistency check on the biometric template into any position in the biometric template; 对含有校验数据的生物特征模板进行加密,生成所述生物特征加密模板。The biometric template containing the verification data is encrypted to generate the biometric encryption template. 根据权利要求6所述的生物特征模板保存方法,其特征在于,所述一致性校验为哈希校验,所述得到的校验数据为哈希校验值,且所述哈希校验值被置入到所述生物特征模板的起始位置之前或末尾位置之后。The biometric template saving method according to claim 6, wherein the consistency check is a hash check, the obtained check data is a hash check value, and the hash check is performed. The value is placed before or after the start of the biometric template. 根据权利要求1所述的生物特征模板保存方法,其特征在于,还包括:The biometric template saving method according to claim 1, further comprising: 采集生物特征原始数据;Collect biometric raw data; 对所述采集到的生物特征原始数据进行生物特征和/或图像特征提取,得到多个生物特征数据; Performing biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data; 对所述多个生物特征数据进行组合,得到所述生物特征模板。Combining the plurality of biometric data to obtain the biometric template. 根据权利要求8所述的生物特征模板保存方法,其特征在于,所述生物特征原始数据为指纹特征原始数据或指纹图像数据;The biometric template saving method according to claim 8, wherein the biometric raw data is fingerprint feature original data or fingerprint image data; 其中,所述生物特征数据为指纹特征点数据或指纹特征图像极值数据;The biometric data is fingerprint feature point data or fingerprint feature image extremum data; 所述对采集到的生物特征原始数据进行生物特征和/或图像特征提取,得到多个生物特征数据包括:对采集到的指纹特征点原始数据进行指纹特征点提取,得到多个指纹特征点数据,和/或,对采集到的指纹特征原始数据进行指纹特征图像提取,得到多个指纹特征图像极值数据。Performing biometric and/or image feature extraction on the collected biometric raw data to obtain a plurality of biometric data includes: extracting fingerprint feature points from the collected fingerprint feature point original data, and obtaining multiple fingerprint feature point data. And/or, performing fingerprint feature image extraction on the collected fingerprint feature raw data to obtain a plurality of fingerprint feature image extremum data. 一种生物特征模板验证方法,其特征在于,包括:A biometric template verification method, comprising: 对从N个存储区域中获取的M组关联生物特征加密模板数据进行处理,得到生物特征加密模板,M≥2,1<N≤M;Processing the M group associated biometric encryption template data obtained from the N storage areas to obtain a biometric encryption template, M≥2, 1<N≤M; 对根据所述生物特征加密模板得到的待验证生物特征模板进行一致性校验验证,若验证通过,则判定所述待验证生物特征模板与原生物特征模板一致。And performing a consistency check verification on the biometric template to be verified obtained according to the biometric encryption template. If the verification is passed, determining that the biometric template to be verified is consistent with the original biometric template. 根据权利要求10所述的生物特征模板,其特征在于,所述N个存储区域中至少含有一个芯片级安全环境的存储区域。The biometric template according to claim 10, wherein the N storage areas contain at least one storage area of a chip level security environment. 根据权利要求11所述的生物特征模板,其特征在于,所述将根据生物特征加密模板得到的待验证生物特征模板进行一致性校验验证包括:将对待验证生物特征模板进行一致性校验所生成的第一校验数据与从待验证生物校验模板中获取到的第二校验数据进行比对验证;The biometric template according to claim 11, wherein the performing the consistency check verification on the biometric template to be verified obtained according to the biometric encryption template comprises: performing consistency check on the biometric template to be verified The generated first verification data is compared with the second verification data obtained from the biometric verification template to be verified; 若第一校验数据与第二校验数据相同,则验证通过。If the first verification data is the same as the second verification data, the verification is passed. 根据权利要求12所述的生物特征模板,其特征在于,所述对待验证生物特征模板进行一致性校验包括:对待验证生物特征模板进行哈希校验。The biometric template according to claim 12, wherein the performing the consistency check on the biometric template to be verified comprises: performing a hash check on the biometric template to be verified. 根据权利要求12所述的生物特征模板,其特征在于,所述第二校验数据从所述待验证生物校验模板的头部或尾部提取出。The biometric template according to claim 12, wherein the second verification data is extracted from a header or a tail of the biometric template to be verified. 根据权利要求10所述的生物特征模板,其特征在于,所述根据生物特征加密模板得到待验证生物特征模板包括:The biometric template according to claim 10, wherein the obtaining the biometric template to be verified according to the biometric encryption template comprises: 从所述生物特征加密模板的头部或尾部提取出密钥; Extracting a key from a header or a tail of the biometric encryption template; 根据所述密钥对生物特征加密模板进行解密,得到待验证生物特征模板。Decrypting the biometric encryption template according to the key to obtain a biometric template to be verified. 一种生物特征识别装置,其特征在于,包括生物特征采集模块、生物特征数据处理芯片和存储模块;A biometric identification device, comprising: a biometrics acquisition module, a biometric data processing chip and a storage module; 所述生物特征采集模块用于采集用户的生物特征信息;The biometric collection module is configured to collect biometric information of a user; 所述生物特征数据处理芯片用于对所述生物特征信息进行特征提取,得到生物特征数据并组合成生物特征模板,并对所述生物特征模板进行加密处理,生成生物特征加密模板;以及用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据,M≥2;The biometric data processing chip is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template; Processing the biometric encryption template generated according to the biometric template encryption to obtain M group biometric encryption template data, M≥2; 所述存储模块用于存储所述M组生物特征加密模板数据,所述存储模块包括N个存储区域,且所述M组生物特征加密模板数据存入到所述存储模块后,每个存储区域中至少存有1组生物特征加密模板数据,1<N≤M。The storage module is configured to store the M sets of biometric encryption template data, the storage module includes N storage areas, and the M sets of biometric encryption template data are stored in the storage module, each storage area There is at least one set of biometric encryption template data, 1<N≤M. 根据权利要求16所述的生物特征识别装置,其特征在于,包括模板生成单元和模板处理单元;The biometric device according to claim 16, comprising a template generating unit and a template processing unit; 所述模板生成单元用于对所述生物特征信息进行特征提取,得到生物特征数据并组合成生物特征模板,并对所述生物特征模板进行加密处理,生成生物特征加密模板;The template generating unit is configured to perform feature extraction on the biometric information, obtain biometric data and combine the biometric template into a biometric template, and perform encryption processing on the biometric template to generate a biometric encryption template. 所述模板处理单元用于对根据生物特征模板加密生成的生物特征加密模板进行处理,得到M组生物特征加密模板数据。The template processing unit is configured to process the biometric encryption template generated according to the biometric template encryption to obtain M sets of biometric encryption template data. 根据权利要求17所述的生物特征识别装置,其特征在于,所述生物特征数据处理芯片还包括:模板数据获取单元、模板还原单元以及模板验证单元;The biometric identification device according to claim 17, wherein the biometric data processing chip further comprises: a template data acquiring unit, a template restoring unit, and a template verifying unit; 所述模板数据获取单元用于从所述存储模块的N个存储区域中获取相互关联的M组生物特征加密模板数据;The template data acquiring unit is configured to acquire M sets of biometric encryption template data associated with each other from the N storage areas of the storage module; 所述模板还原单元用于将所述M组生物特征加密模板数据进行重组,还原得到生物特征加密模板;The template restoring unit is configured to recombine the M group biometric encryption template data to obtain a biometric encryption template. 所述解密验证单元用于对所述生物特征加密模板进行解密处理,得到待验证生物特征模板,并通过对所述待验证生物特征模板进行一致性校验验证,判定所述待验证生物特征模板是否与原生物特征模板一致。 The decryption verification unit is configured to decrypt the biometric encryption template to obtain a biometric template to be verified, and determine the biometric template to be verified by performing consistency verification on the biometric template to be verified. Whether it is consistent with the original biometric template. 一种终端,其特征在于,包括如权利要求16至18任一项所述的生物特征识别装置。 A terminal characterized by comprising the biometric identification device according to any one of claims 16 to 18.
PCT/CN2017/076403 2017-03-13 2017-03-13 Method for saving and verifying biometric template, and biometric recognition apparatus and terminal Ceased WO2018165811A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2017/076403 WO2018165811A1 (en) 2017-03-13 2017-03-13 Method for saving and verifying biometric template, and biometric recognition apparatus and terminal
CN201780000185.8A CN107113170B (en) 2017-03-13 2017-03-13 Biometric template storage and verification method, biometric identification device and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/076403 WO2018165811A1 (en) 2017-03-13 2017-03-13 Method for saving and verifying biometric template, and biometric recognition apparatus and terminal

Publications (1)

Publication Number Publication Date
WO2018165811A1 true WO2018165811A1 (en) 2018-09-20

Family

ID=59663552

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/076403 Ceased WO2018165811A1 (en) 2017-03-13 2017-03-13 Method for saving and verifying biometric template, and biometric recognition apparatus and terminal

Country Status (2)

Country Link
CN (1) CN107113170B (en)
WO (1) WO2018165811A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4116849A1 (en) * 2021-07-07 2023-01-11 iCognize GmbH Computer implemented method for managing a data set comprising security-relevant information

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110462620A (en) * 2018-01-31 2019-11-15 华为技术有限公司 Sensitive data is decomposed to be stored in different application environment
CN109703571A (en) * 2018-12-24 2019-05-03 北京长城华冠汽车技术开发有限公司 A kind of vehicle entertainment system login system and login method based on recognition of face
WO2020191547A1 (en) * 2019-03-22 2020-10-01 华为技术有限公司 Biometric recognition method and apparatus
CN110235140A (en) * 2019-04-29 2019-09-13 深圳市汇顶科技股份有限公司 Biological feather recognition method and electronic equipment
CN110162951B (en) * 2019-05-28 2022-09-09 吉林无罔生物识别科技有限公司 Iris information registration and verification method, system and computer readable storage medium
CN110400223B (en) * 2019-07-26 2022-05-17 中国工商银行股份有限公司 Block chain-based interactive log encryption, calling and anti-theft method and device
CN112464261A (en) * 2020-11-26 2021-03-09 深圳市迪安杰智能识别科技有限公司 Fingerprint data encryption method, fingerprint chip and intelligent terminal
CN112926041B (en) * 2021-02-08 2022-09-09 西安电子科技大学 Remote identity authentication system based on biological characteristics

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005149093A (en) * 2003-11-14 2005-06-09 Toppan Printing Co Ltd Storage device with access right control function, control program for storage device with access right control function, and access right control method
CN101478541A (en) * 2008-10-21 2009-07-08 刘洪利 Living creature characteristic authentication method, living creature characteristic authentication system
CN102223233A (en) * 2011-06-15 2011-10-19 刘洪利 Biological code authentication system and biological code authentication method
CN105160316A (en) * 2015-08-31 2015-12-16 宇龙计算机通信科技(深圳)有限公司 Fingerprint feature template encrypted storage method and system of mobile terminal
CN105608355A (en) * 2015-07-08 2016-05-25 宇龙计算机通信科技(深圳)有限公司 Biological information verification method, biological information verification system and terminal

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4919744B2 (en) * 2006-09-12 2012-04-18 富士通株式会社 Biometric authentication device and biometric authentication method
CN101815063A (en) * 2009-12-04 2010-08-25 强敏 File security management system applied to network and management method thereof

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005149093A (en) * 2003-11-14 2005-06-09 Toppan Printing Co Ltd Storage device with access right control function, control program for storage device with access right control function, and access right control method
CN101478541A (en) * 2008-10-21 2009-07-08 刘洪利 Living creature characteristic authentication method, living creature characteristic authentication system
CN102223233A (en) * 2011-06-15 2011-10-19 刘洪利 Biological code authentication system and biological code authentication method
CN105608355A (en) * 2015-07-08 2016-05-25 宇龙计算机通信科技(深圳)有限公司 Biological information verification method, biological information verification system and terminal
CN105160316A (en) * 2015-08-31 2015-12-16 宇龙计算机通信科技(深圳)有限公司 Fingerprint feature template encrypted storage method and system of mobile terminal

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4116849A1 (en) * 2021-07-07 2023-01-11 iCognize GmbH Computer implemented method for managing a data set comprising security-relevant information

Also Published As

Publication number Publication date
CN107113170B (en) 2019-01-29
CN107113170A (en) 2017-08-29

Similar Documents

Publication Publication Date Title
WO2018165811A1 (en) Method for saving and verifying biometric template, and biometric recognition apparatus and terminal
JP5816750B2 (en) Authentication method and apparatus using disposable password including biometric image information
US10594688B2 (en) Privacy-enhanced biometrics-secret binding scheme
CN101976321B (en) Generated encrypting method based on face feature key
KR101888903B1 (en) Methods and apparatus for migrating keys
JP4938678B2 (en) Secure calculation of similarity measures
US9935947B1 (en) Secure and reliable protection and matching of biometric templates across multiple devices using secret sharing
US9813246B2 (en) Encryption using biometric image-based key
Barman et al. Fingerprint-based crypto-biometric system for network security
CN112948795B (en) Identity authentication method and device for protecting privacy
TWI675308B (en) Method and apparatus for verifying the availability of biometric images
CN101093626B (en) Palm print cipher key system
CN106452770B (en) Data encryption method, data decryption method, device and system
KR20190001177A (en) Method and apparatus for authentification of user using biometric
CN106533697A (en) Random number generating and extracting method and application thereof to identity authentication
US11308190B2 (en) Biometric template handling
CN111475690B (en) Character string matching method and device, data detection method and server
CN105337742B (en) LFSR file encryption and decryption method based on face image features and GPS information
WO2018166484A1 (en) Data encryption and decryption methods and apparatuses, electronic device and readable storage medium
CN106921489A (en) A kind of data ciphering method and device
JP7024709B2 (en) Cryptographic information collation device, cryptographic information collation method, and cryptographic information collation program
CN116405211B (en) Multiple encryption method, device, equipment and storage medium based on biological characteristics
WO2024150508A1 (en) Verification method and verification system
Sarkar et al. RSA key generation from cancelable fingerprint biometrics
CN112187477A (en) Iris privacy authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17900738

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17900738

Country of ref document: EP

Kind code of ref document: A1