
CN112926092B - Privacy-protecting identity information storage and identity authentication method and device - Google Patents


Info

Publication number: CN112926092B
Authority: CN (China)
Prior art keywords: identity, ciphertext, similarity, user, authentication
Legal status: Active
Application number: CN202110343701.5A
Other languages: Chinese (zh)
Other versions: CN112926092A (en)
Inventor: 颜林
Current Assignee: Alipay Hangzhou Information Technology Co Ltd
Original Assignee: Alipay Hangzhou Information Technology Co Ltd

Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110343701.5A
Publication of CN112926092A
Application granted
Publication of CN112926092B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/50 Maintenance of biometric data or enrolment thereof
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/50 Maintenance of biometric data or enrolment thereof
    • G06V40/53 Measures to keep reference information secret, e.g. cancellable biometrics

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Multimedia (AREA)
  • Human Computer Interaction (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The embodiments of this specification provide privacy-protecting identity information storage and identity authentication methods and devices. The privacy-protecting identity information storage method comprises the following steps: after the user passes real-name authentication, the identity authentication server generates a distributed identity identifier for the user and sends it to the user's terminal device; the terminal device acquires biometric information of the user as a biometric template, encrypts the biometric template with a homomorphic encryption algorithm using a first public key of the terminal device to obtain a ciphertext biometric template, and sends an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template; the identity issuing server, in response to the identity issuing request, generates an identity credential of the user and stores the identity credential to the blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template.

Description

Privacy-protecting identity information storage and identity authentication method and device
Technical Field
The embodiments of this specification relate to the technical field of identity authentication, and in particular to a privacy-protecting identity information storage method and device and a privacy-protecting identity authentication method and device.
Background
At present, biometric information such as faces is used in fields such as payment, government affairs, finance and social networking; face-scan payment, face-scan login and face-scan service activation are common examples. Existing identity authentication schemes generally manage, store and use biometric information such as faces in a centralized manner, which falls short of thorough protection of user privacy. Taking the face as an example, a face image is typically stored on the face-scan service provider side in the form of a feature vector, which can be reversed to restore the original face image. If the face-scan service provider suffers a data leak, a large amount of face information is likely to be used maliciously, causing serious harm to user privacy and network security.
Therefore, a reasonable and reliable scheme is urgently needed that achieves identity authentication based on the user's biometric features while ensuring the security of the user's personal privacy.
Disclosure of Invention
The embodiment of the specification provides an identity information storage method and device for protecting privacy and an identity authentication method and device for protecting privacy.
In a first aspect, an embodiment of the present disclosure provides a privacy-protecting identity information storage method, including: after the user passes real-name authentication, the identity authentication server generates a distributed identity identifier for the user and sends the distributed identity identifier to the user's terminal device; the terminal device acquires biometric information of the user as a biometric template, encrypts the biometric template with a homomorphic encryption algorithm using a first public key of the terminal device to obtain a ciphertext biometric template, and sends an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template; the identity issuing server, in response to the identity issuing request, generates an identity credential of the user and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template.
In some embodiments, after the generating the identity credential of the user, the method further comprises: the identity issuing server signs the identity credential using a second private key of the identity issuing server; and said saving said identity credential to a blockchain comprises: storing the signed identity credential to the blockchain.
In some embodiments, after the sending the distributed identity identifier to the terminal device of the user, the method further comprises: the terminal device acquires target personal information of the user as a personal information template; and the identity issuing request and the identity credential further include the personal information template.
In some embodiments, the target personal information includes at least one of: educational background, political status, age.
In some embodiments, the identity issuance request and the identity credential further include the first public key.
In some embodiments, prior to said encrypting the biometric template using the homomorphic encryption algorithm, the method further comprises: the terminal device generates the first public key and the corresponding first private key.
In some embodiments, the terminal device comprises a trusted execution environment; and said generating said first public key and corresponding first private key comprises: generating the first public key and the corresponding first private key using a key generation algorithm in the trusted execution environment; the method further comprises: storing the first public key and the first private key in a secure storage area of the trusted execution environment.
In some embodiments, the encrypting the biometric template using a homomorphic encryption algorithm comprises: encrypting the biometric template with the homomorphic encryption algorithm in the trusted execution environment.
In some embodiments, the biometric information comprises any one of: facial features, fingerprint features, palm print features, iris features, finger vein features, and voiceprint features.
In a second aspect, an embodiment of the present disclosure provides a privacy-protecting identity information storage method, applied to a terminal device, including: receiving a distributed identity identifier of a user from an identity authentication server, wherein the distributed identity identifier is generated by the identity authentication server after the user passes real-name authentication; acquiring biometric information of the user as a biometric template; encrypting the biometric template with a homomorphic encryption algorithm using a first public key of the terminal device to obtain a ciphertext biometric template; and sending an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template, so that the identity issuing server generates an identity credential of the user and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template.
In a third aspect, an embodiment of the present disclosure provides a privacy-protecting identity information storage method, applied to an identity issuing server, including: receiving an identity issuing request from a terminal device, wherein the identity issuing request comprises a distributed identity identifier and a ciphertext biometric template of the user to whom the terminal device belongs, the distributed identity identifier is generated by an identity authentication server after the user passes real-name authentication, and the ciphertext biometric template is obtained by the terminal device encrypting the biometric template of the user with a homomorphic encryption algorithm using a first public key of the terminal device; in response to the identity issuing request, generating an identity credential of the user, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template; and saving the identity credential to a blockchain.
In a fourth aspect, an embodiment of the present disclosure provides a privacy-protecting identity authentication method, applied to a terminal device, including: acquiring biometric information of a user to be authenticated; encrypting the biometric information with a homomorphic encryption algorithm using a first public key of the terminal device to obtain ciphertext biometric information; sending an identity authentication request to a verification server, wherein the identity authentication request comprises a stored distributed identity identifier and the ciphertext biometric information, so that the verification server acquires the ciphertext biometric template corresponding to the distributed identity identifier from a blockchain and calculates a ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information; in response to receiving the ciphertext similarity returned by the verification server, decrypting the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm to obtain a first similarity; and sending the first similarity to the verification server so that the verification server determines, according to the first similarity, whether the user to be authenticated passes identity authentication.
In some embodiments, before the sending the authentication request to the verification server, the method further includes: acquiring target personal information of the user to be authenticated; and the authentication request further includes the target personal information.
In a fifth aspect, an embodiment of the present disclosure provides a privacy-protecting identity authentication method, applied to a verification server, including: receiving an identity authentication request from a terminal device, wherein the identity authentication request comprises a distributed identity identifier stored by the terminal device and ciphertext biometric information of a user to be authenticated, and the ciphertext biometric information is obtained by the terminal device encrypting the biometric information of the user to be authenticated with a homomorphic encryption algorithm using a first public key of the terminal device; searching a blockchain for an identity credential comprising the distributed identity identifier, and acquiring a ciphertext biometric template from the identity credential; calculating a ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information using a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm; sending the ciphertext similarity to the terminal device, so that the terminal device decrypts the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm; and in response to receiving the decrypted first similarity from the terminal device, determining, according to the first similarity, whether the user to be authenticated passes identity authentication.
In some embodiments, the identity credential is a signed identity credential, the signature being added by the identity issuing server using its second private key; and prior to said obtaining a ciphertext biometric template from the identity credential, the method further comprises: verifying whether the signature is valid based on a second public key corresponding to the identity issuing server; and the obtaining of the ciphertext biometric template from the identity credential comprises: in response to verifying that the signature is valid, obtaining the ciphertext biometric template from the identity credential.
In some embodiments, before the determining whether the user to be authenticated passes identity authentication according to the first similarity, the method further includes: obtaining the first public key from the identity credential; encrypting the first similarity by using the first public key and adopting the homomorphic encryption algorithm to obtain an encrypted first similarity; determining whether the encrypted first similarity and the ciphertext similarity are the same; and determining whether the user to be authenticated passes identity authentication according to the first similarity, including: and in response to determining that the encrypted first similarity is the same as the ciphertext similarity, determining whether the user to be authenticated passes identity authentication according to the first similarity.
In some embodiments, the determining whether the user to be authenticated passes identity authentication according to the first similarity includes: if the first similarity reaches a first similarity threshold, determining that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold, determining that the user to be authenticated fails identity authentication.
In some embodiments, the identity authentication request further includes target personal information of the user to be authenticated; and before the step of determining whether the user to be authenticated passes identity authentication according to the first similarity, the method further comprises: acquiring a personal information template from the identity credential; calculating a second similarity of the target personal information and the personal information template; and determining whether the user to be authenticated passes identity authentication according to the first similarity, including: and determining whether the user to be authenticated passes identity authentication or not according to the first similarity and the second similarity.
In some embodiments, the determining whether the user to be authenticated passes identity authentication according to the first similarity and the second similarity includes: if the first similarity reaches a first similarity threshold and the second similarity reaches a second similarity threshold, determining that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold value and/or the second similarity does not reach the second similarity threshold value, determining that the user to be authenticated does not pass identity authentication.
In some embodiments, after said determining whether said user to be authenticated passes identity authentication according to said first similarity, said method further comprises: generating an authentication record for the identity authentication; storing the authentication record to a database; and generating a digest of the authentication record using a hash algorithm, and storing the digest to the blockchain.
In a sixth aspect, an embodiment of the present disclosure provides a privacy-protecting identity information storage device, applied to a terminal device, including: a receiving unit configured to receive a distributed identity identifier of a user from an identity authentication server, wherein the distributed identity identifier is generated by the identity authentication server after the user passes real-name authentication; an acquisition unit configured to acquire biometric information of the user as a biometric template; an encryption unit configured to encrypt the biometric template with a homomorphic encryption algorithm using a first public key of the terminal device to obtain a ciphertext biometric template; and a sending unit configured to send an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template, so that the identity issuing server generates an identity credential of the user and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template.
In a seventh aspect, an embodiment of the present disclosure provides a privacy-protecting identity information storage device, applied to an identity issuing server, including: a receiving unit configured to receive an identity issuing request from a terminal device, wherein the identity issuing request comprises a distributed identity identifier and a ciphertext biometric template of the user to whom the terminal device belongs, the distributed identity identifier is generated by an identity authentication server after the user passes real-name authentication, and the ciphertext biometric template is obtained by the terminal device encrypting the biometric template of the user with a homomorphic encryption algorithm using a first public key of the terminal device; a generation unit configured to generate, in response to the identity issuing request, an identity credential of the user including the distributed identity identifier and the ciphertext biometric template; and a storage unit configured to save the identity credential to a blockchain.
In an eighth aspect, an embodiment of the present disclosure provides a privacy-protecting identity authentication device, applied to a terminal device, including: an acquisition unit configured to acquire biometric information of a user to be authenticated; an encryption unit configured to encrypt the biometric information with a homomorphic encryption algorithm using a first public key of the terminal device to obtain ciphertext biometric information; a sending unit configured to send an identity authentication request to a verification server, wherein the identity authentication request comprises a stored distributed identity identifier and the ciphertext biometric information, so that the verification server acquires the ciphertext biometric template corresponding to the distributed identity identifier from a blockchain and calculates a ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information; and a decryption unit configured to, in response to receiving the ciphertext similarity returned by the verification server, decrypt the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm to obtain a first similarity; the sending unit is further configured to send the first similarity to the verification server, so that the verification server determines, according to the first similarity, whether the user to be authenticated passes identity authentication.
In a ninth aspect, an embodiment of the present disclosure provides a privacy-protecting identity authentication device, applied to a verification server, including: a receiving unit configured to receive an identity authentication request from a terminal device, wherein the identity authentication request comprises a distributed identity identifier stored by the terminal device and ciphertext biometric information of a user to be authenticated, and the ciphertext biometric information is obtained by the terminal device encrypting the biometric information of the user to be authenticated with a homomorphic encryption algorithm using a first public key of the terminal device; an acquisition unit configured to search a blockchain for an identity credential comprising the distributed identity identifier and acquire a ciphertext biometric template from the identity credential; a computing unit configured to compute a ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information using a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm; a sending unit configured to send the ciphertext similarity to the terminal device, so that the terminal device decrypts the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm; and a determining unit configured to, in response to receiving the decrypted first similarity from the terminal device, determine according to the first similarity whether the user to be authenticated passes identity authentication.
In a tenth aspect, embodiments of the present specification provide a computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed in a computer, causes the computer to perform the method as described in any of the implementations of the second to fifth aspects.
In an eleventh aspect, embodiments of the present specification provide a computing device, including a memory and a processor, wherein the memory has executable code stored therein, and wherein the processor, when executing the executable code, implements a method as described in any of the implementations of the second to fifth aspects.
In a twelfth aspect, embodiments of the present specification provide a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the method as described in any one of the implementations of the second to fifth aspects.
In the privacy-protecting identity information storage and identity authentication methods and devices provided by the embodiments of this specification, after the user passes real-name authentication, the identity authentication server generates a distributed identity identifier for the user and sends it to the user's terminal device; the terminal device acquires biometric information of the user as a biometric template, encrypts the biometric template with a homomorphic encryption algorithm using the first public key of the terminal device to obtain a ciphertext biometric template, and sends an identity issuing request to the identity issuing server, so that the identity issuing server generates an identity credential of the user and stores the identity credential to the blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template. The desensitized identity information of the user (the distributed identity identifier and the ciphertext biometric template) is thus stored in a distributed manner on the blockchain, which provides decentralization, anonymity and tamper resistance, effectively avoids disclosure of personal privacy, ensures the security of the user's personal privacy, and greatly ensures the authenticity of the identity information.
In the subsequent identity authentication stage, the terminal device can acquire the biometric information of the user to be authenticated, encrypt the biometric information with the homomorphic encryption algorithm using the first public key of the terminal device to obtain ciphertext biometric information, and send an identity authentication request to the verification server, wherein the identity authentication request comprises the stored distributed identity identifier and the ciphertext biometric information. The verification server can then search the blockchain for the identity credential comprising the distributed identity identifier, acquire the ciphertext biometric template from the identity credential, calculate the ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information using a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm, and send the ciphertext similarity to the terminal device. The terminal device may then decrypt the ciphertext similarity using the first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm, and send the decrypted first similarity to the verification server. The verification server can then determine, according to the first similarity, whether the user to be authenticated passes identity authentication. In this way, distributed identity identifier technology and biometric information are combined, and identity authentication based on the user's biometric features is achieved while the security of the user's personal privacy is ensured.
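The storage and authentication exchange summarized above, as an added example that is not part of the patent text. The patent names no specific homomorphic scheme; this sketch assumes a toy integer-based somewhat-homomorphic scheme in the style of van Dijk et al. with parameters far too small to be secure, a dict standing in for the blockchain, constructed 8-dimensional feature vectors, and a similarity defined as `MAX_DIST` minus squared Euclidean distance. All function and variable names are hypothetical.

```python
import secrets

# Toy parameters, constructed for illustration only; far too small to be secure.
T = 1 << 20        # plaintext modulus; every similarity value must stay below T
P_BITS = 256       # size of the secret integer (the "first private key")
Q_BITS = 128       # size of the random multiples of the secret integer
R_BITS = 24        # size of the fresh noise term
DIM, MAX_VAL = 8, 15
MAX_DIST = DIM * MAX_VAL ** 2   # largest possible squared distance (1800)


def keygen():
    """Terminal device: return (first_public_key, first_private_key)."""
    p = secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1
    # The public key is a list of encryptions of zero: p*q + T*r.
    pk = [p * secrets.randbits(Q_BITS) + T * secrets.randbits(R_BITS)
          for _ in range(16)]
    return pk, p


def encrypt(pk, m):
    """Encrypt 0 <= m < T as m + T*noise + (random subset sum of pk)."""
    if not 0 <= m < T:
        raise ValueError("plaintext out of range")
    mask = sum(x for x in pk if secrets.randbits(1))
    return m + T * secrets.randbits(R_BITS) + mask


def decrypt(p, c):
    """Centered reduction mod p removes the p-multiples; mod T removes the noise."""
    r = c % p
    if r > p // 2:
        r -= p
    return r % T


def issue_credential(ledger, did, pk, template):
    """Storage phase: the terminal encrypts, the issuing server records."""
    ct_template = [encrypt(pk, v) for v in template]      # on the terminal device
    ledger[did] = {"did": did, "first_public_key": pk,    # on the issuing server
                   "ct_template": ct_template}


def ciphertext_similarity(ledger, did, ct_probe):
    """Verification server: operates on ciphertexts only."""
    ct_template = ledger[did]["ct_template"]
    if len(ct_template) != len(ct_probe):
        raise ValueError("dimension mismatch")
    # Subtraction and multiplication of ciphertexts act on the hidden plaintexts.
    ct_dist = sum((a - b) ** 2 for a, b in zip(ct_template, ct_probe))
    return MAX_DIST - ct_dist


def authenticate(ledger, did, pk, sk, probe, threshold):
    """Authentication phase; comments mark which party performs each step."""
    ct_probe = [encrypt(pk, v) for v in probe]              # terminal device
    ct_sim = ciphertext_similarity(ledger, did, ct_probe)   # verification server
    first_similarity = decrypt(sk, ct_sim)                  # terminal device
    return first_similarity, first_similarity >= threshold  # verification server


# Constructed sample data: quantized feature values in 0..15.
TEMPLATE = [3, 14, 7, 0, 9, 12, 5, 1]
GENUINE_PROBE = [3, 13, 7, 1, 9, 12, 6, 1]    # squared distance 3
IMPOSTOR_PROBE = [12, 2, 0, 9, 1, 4, 15, 8]   # squared distance 632
THRESHOLD = 1780                              # first similarity threshold
DID = "did:example:alice"                     # constructed identifier


def run_demo():
    ledger = {}                                # stand-in for the blockchain
    pk, sk = keygen()
    issue_credential(ledger, DID, pk, TEMPLATE)
    return (authenticate(ledger, DID, pk, sk, GENUINE_PROBE, THRESHOLD),
            authenticate(ledger, DID, pk, sk, IMPOSTOR_PROBE, THRESHOLD))


if __name__ == "__main__":
    print(run_demo())
```
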
Drawings
In order to more clearly illustrate the technical solutions of the embodiments disclosed in the present specification, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only examples of the embodiments disclosed in the present specification, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is an exemplary system architecture diagram in which some embodiments of the present description may be applied;
FIG. 2 is a schematic diagram of one embodiment of a privacy preserving identity information storage method in accordance with the present specification;
FIG. 3 is a schematic diagram of one embodiment of a privacy preserving identity authentication method in accordance with the present specification;
FIG. 4 is a schematic diagram of a privacy preserving identity information store according to the present disclosure;
FIG. 5 is a schematic diagram of a privacy preserving identity information store according to the present disclosure;
FIG. 6 is a schematic diagram of a privacy preserving identity authentication device according to the present disclosure;
FIG. 7 is a schematic structural view of an authentication apparatus for protecting privacy according to the present specification.
Detailed Description
The present specification is further described in detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. The described embodiments are only some of the embodiments of the present description and not all of the embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present application based on the embodiments herein.
For convenience of description, only a portion related to the present invention is shown in the drawings. Embodiments and features of embodiments in this specification may be combined with each other without conflict. In addition, the words "first", "second", and the like in the present specification are used for information distinction only, and do not serve as any limitation.
As described above, existing identity authentication schemes generally manage, store and use biometric information such as faces in a centralized manner, which falls short of thorough protection of user privacy.
Based on this, some embodiments of the present specification provide an identity information storage method and an identity authentication method for protecting privacy, by which identity authentication based on user biometrics can be achieved while ensuring security of user personal privacy. In particular, FIG. 1 illustrates an exemplary system architecture diagram suitable for use with these embodiments.
As shown in fig. 1, the system architecture may include an identification server, a verification server, a blockchain, and a terminal device.
The identification server may be the server of any trusted identification authority. The identity issuing server may be the server of any trusted identity issuing authority. The verification server may be the server of any trusted verification authority. It should be appreciated that the identification authority, the issuing authority, and the verification authority may be national institutions or private institutions, and are not particularly limited herein. The terminal device may be any of various electronic devices, such as a smart phone, a tablet computer, a desktop computer, or a notebook computer.
It should be noted that the scheme provided in the present specification can be divided into two stages, namely an identity issuance stage and an identity authentication stage.
In the identity issuance stage, the identification server can perform real-name authentication on the user to whom the terminal device belongs and, after the user passes the real-name authentication, generate a distributed identity identifier for the user and send it to the terminal device. Specifically, the identification server uses blockchain-based distributed identity identifier (Decentralized Identifiers, DID) technology to generate the distributed identity identifier of the user.
In practice, the distributed identity identifier is a decentralized, verifiable digital identifier that is distributed, autonomous and controllable, and reusable across chains. In addition, the distributed identity identifier can be regarded as a desensitized identity, and storing the distributed identity identifier prevents the user's personal privacy from being revealed.
The terminal device may then obtain the ciphertext biometric template of the user and send an identity issuance request to the identity issuing server, the request including but not limited to the distributed identity identifier and the ciphertext biometric template. The ciphertext biometric template is obtained by the terminal device encrypting the user's biometric template with a homomorphic encryption algorithm using the terminal device's first public key. A homomorphic encryption algorithm is an encryption function with the following property: performing a computation on the plaintext and then encrypting the result is equivalent to encrypting the plaintext and then performing the corresponding computation on the ciphertext.
The identity issuing server may then generate an identity credential for the user, such as identity credential A shown in FIG. 1, in response to the identity issuance request, and save identity credential A to the blockchain. Identity credential A includes, but is not limited to, the distributed identity identifier and the ciphertext biometric template.
Thus, the user's desensitized identity identifier and biometric template may be stored in the blockchain. Because the biometric template is stored only after being encrypted, even if a third party obtains the ciphertext biometric template, the third party cannot restore the original biometric template from it and therefore cannot locate the real biometric information. Meanwhile, anonymity on the blockchain can be guaranteed: information such as the user's location and address cannot be located in the blockchain, so anonymity and privacy protection can be thoroughly achieved. In addition, because the blockchain is decentralized and tamper-resistant, storing the ciphertext biometric template in the blockchain achieves decentralization and tamper resistance, effectively avoids risks such as loss, omission, tampering and disclosure of the user's private data, and greatly ensures the authenticity of the identity information.
After identity credential A is saved to the blockchain, the user may grant the verification server the right to use the identity credential saved in the blockchain for identity authentication.
In the identity authentication stage, the terminal device can acquire the biometric information of the user to be authenticated, encrypt it with the homomorphic encryption algorithm using the first public key to obtain ciphertext biometric information, and then send an identity authentication request to the verification server, where the request includes the stored distributed identity identifier and the ciphertext biometric information.
The verification server can then look up the identity credential in the blockchain according to the distributed identity identifier in the identity authentication request. If the verification server does not find the identity credential in the blockchain, it can determine that the user to be authenticated is an illegitimate user and therefore does not pass identity authentication. If the verification server finds the identity credential in the blockchain, it can obtain the ciphertext biometric template from the identity credential and then carry out the subsequent identity authentication process according to the identity authentication request and the obtained ciphertext biometric template.
The verification server can therefore authenticate the user to be authenticated against a ciphertext biometric template held in distributed storage, which effectively protects the user's personal privacy.
In the following, specific implementation steps of the above method are described in connection with specific embodiments.
Referring to FIG. 2, a schematic diagram of one embodiment of a privacy preserving identity information storage method is shown. The method comprises the following steps:
Step 202, after the user passes real-name authentication, the identification server generates a distributed identity identifier of the user;
Step 204, the identification server sends the distributed identity identifier to the terminal device;
Step 206, the terminal device acquires biometric information of the user as a biometric template;
Step 208, the terminal device encrypts the biometric template with a homomorphic encryption algorithm using its own first public key to obtain a ciphertext biometric template;
Step 212, the terminal device sends an identity issuance request to the identity issuing server;
Step 214, the identity issuing server generates an identity credential of the user in response to the identity issuance request;
Step 218, the identity issuing server saves the identity credential to the blockchain.
The above steps are further described below.
In practice, before step 202, the user may apply to the identification server for an identity identifier through the terminal device. The identification server can respond to the user's application by performing real-name authentication on the user. Real-name authentication verifies and reviews the authenticity of the user's data and helps establish a sound and reliable basis for trust on the internet; it generally uses authentication modes such as bank card authentication and/or identity card authentication, and can prevent some phishing.
In step 202, in response to the user passing real-name authentication, the identification server may generate the distributed identity identifier of the user using blockchain-based distributed identity identifier technology. The generation rule of the distributed identity identifier follows the DID specification. The components of a distributed identity identifier typically include the fixed string "DID", the DID method name, the blockchain ID, and the address of the entity (user) on the blockchain.
Thereafter, the identification server may perform step 204 to send the distributed identity to the terminal device used by the user.
Next, in step 206, the terminal device may acquire biometric information of the user as a biometric template. The biometric information may include facial features, fingerprint features, palm print features, iris features, finger vein features, or voiceprint features, among others.
In practice, the terminal device may comprise a biometric acquisition device, which may include, but is not limited to, an image acquisition device and/or a voice acquisition device. Further, the image capture device may include, but is not limited to, a camera, a fingerprint capture device, a palm print capture device, and/or a finger vein capture device. The voice capture device may include, but is not limited to, a microphone or microphone array. The terminal equipment can utilize the biological characteristic acquisition device to acquire biological characteristics of the user, so that biological characteristic information of the user is obtained.
As an example, if the biometric information is a face feature, the terminal device may capture a face image of the user with the camera and extract face feature information from the face image. If the biometric information is a fingerprint feature, the terminal device may capture a fingerprint image of the user with the fingerprint capture device and extract fingerprint feature information from the fingerprint image.
The terminal device can use various feature extraction methods to extract biometric features. Taking face features as an example, the terminal device may use the FaceNet or SphereFace algorithm to extract face features. The FaceNet and SphereFace algorithms are well known and will not be described in detail herein.
Next, in step 208, the terminal device may encrypt the biometric template with a homomorphic encryption algorithm using its own first public key to obtain a ciphertext biometric template. The homomorphic encryption algorithm may be an additively homomorphic encryption algorithm, a multiplicatively homomorphic encryption algorithm, or a fully homomorphic encryption algorithm.
In practice, the additively homomorphic encryption algorithm may include, for example, but is not limited to, the Paillier encryption algorithm; the multiplicatively homomorphic encryption algorithm may include, for example, but is not limited to, the RSA encryption algorithm; and the fully homomorphic encryption algorithm may include, for example, but is not limited to, the FV, CKKS and BFV encryption algorithms. Since Paillier, RSA, FV, CKKS and BFV are well-known homomorphic encryption algorithms, they will not be discussed in detail herein.
In some embodiments, before step 208, if the terminal device does not have its own first public key and corresponding first private key, the first public key and corresponding first private key may be generated. Wherein the first public key is used for encryption and the first private key is used for decryption.
In some embodiments, the terminal device may include a trusted execution environment (Trusted Execution Environment, TEE). In order to ensure the security of the first public key and the first private key, the terminal device may generate the first public key and the corresponding first private key using a key generation algorithm in a trusted execution environment. The terminal device may then save the first public key and the first private key to a secure storage area of the trusted execution environment.
In some embodiments, step 208 may specifically include: in a trusted execution environment, the biometric template is encrypted using a homomorphic encryption algorithm using a first public key. Thereby, the security of the biometric template can be ensured.
In some embodiments, to further improve authentication accuracy in the identity authentication stage, other verification factors may be added in addition to the biometric verification factor. For example, personal information may be used as a verification factor. Thus, after step 204 and before step 212, the method may further include: step 210, obtaining target personal information of the user as a personal information template. The target personal information may include, among other things, educational background, political affiliation, name, address, and/or age. It should be noted that the information items in the target personal information may be set according to actual service requirements and are not particularly limited herein.
In step 212, the terminal device may send an identity issuance request to the identity issuing server, where the identity issuance request includes at least the distributed identity identifier of the user and the ciphertext biometric template. Optionally, the identity issuance request may further include the first public key. Optionally, when step 210 is performed, the identity issuance request may further include the personal information template.
It should be noted that, by storing the first public key in the blockchain and storing the first private key locally in the terminal device, the security of the secret key can be ensured, and risks such as secret key leakage can be prevented.
Next, in step 214, the identity issuing server may generate an identity credential of the user in response to the identity issuance request, where the identity credential includes at least the distributed identity identifier of the user and the ciphertext biometric template. Optionally, if the identity issuance request further includes the first public key, the identity credential may also include the first public key. Optionally, if the identity issuance request also includes a personal information template, the identity credential may also include the personal information template.
In practice, in addition to the information items described above, the identity credential may include a credential identifier that uniquely indicates the identity credential, a credential type, and meta information. The credential type is related to the type of the ciphertext biometric template in the identity credential. For example, if the ciphertext biometric template is a face feature, the credential type may be face. If the ciphertext biometric template is a fingerprint feature, the credential type may be fingerprint. The meta information records other attributes of the identity credential, such as creation time and expiration time.
In some embodiments, after step 214 and before step 218, the method may further include: step 216, the identity issuing server signs the identity credential with its own second private key. The signature may be used to verify the integrity of the identity credential.
Specifically, the identity issuing server may generate a digest of the identity credential using a hash algorithm, encrypt the digest with its own second private key to obtain a signature, and add the signature to the identity credential.
In step 218, the identity credential may be saved to the blockchain by the identity issuing server. Where step 216 is not performed, the identity credential generated in step 214 is saved to the blockchain. In the case of execution of step 216, the signed identity credential is saved to the blockchain.
The method provided by the embodiment corresponding to FIG. 2 is applied to the identity issuance stage. By storing the user's desensitized identity information in the blockchain in a distributed manner, it achieves decentralization, anonymity and tamper resistance, effectively avoids disclosure of personal privacy, protects the user's personal privacy, and greatly ensures the authenticity of the identity information.
Next, the content related to the authentication phase is described.
Referring to fig. 3, a schematic diagram of one embodiment of a privacy preserving identity authentication method is shown. The method comprises the following steps:
Step 302, the terminal device acquires biometric information of the user to be authenticated;
Step 304, the terminal device encrypts the biometric information with a homomorphic encryption algorithm using its own first public key to obtain ciphertext biometric information;
Step 308, the terminal device sends an identity authentication request to the verification server;
Step 310, the verification server looks up the identity credential that includes the distributed identity identifier in the blockchain;
Step 314, the verification server obtains a ciphertext biometric template from the identity credential;
Step 318, the verification server calculates the ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information using a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm;
Step 320, the verification server sends the ciphertext similarity to the terminal device;
Step 322, the terminal device decrypts the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm to obtain a first similarity;
Step 324, the terminal device sends the first similarity to the verification server;
Step 332, the verification server determines, according to the first similarity, whether the user to be authenticated passes identity authentication.
The above steps are further described below.
In step 302, the terminal device may acquire biometric information of the user to be authenticated. The biometric information belongs to the same feature class as the biometric template described above; for example, both are face features, fingerprint features, palm print features, iris features, finger vein features or voiceprint features. In addition, the terminal device uses the same feature acquisition method for the biometric information and the biometric template.
Next, in step 304, the terminal device may encrypt the biometric information with a homomorphic encryption algorithm by using its first public key to obtain ciphertext biometric information. It should be appreciated that the first public key and homomorphic encryption algorithm herein are the same as those used in the identity issuance stage.
In some embodiments, if the identity credential of the legitimate user to whom the terminal device belongs includes a personal information template, the method may further include, before step 308: step 306, obtaining target personal information of the user to be authenticated. For an explanation of the target personal information, refer to the relevant description above, which is not repeated here.
In step 308, the terminal device may send an authentication request to the verification server, where the authentication request includes at least the stored distributed identity and ciphertext biometric information of the user to be authenticated. Optionally, in the case of performing step 306, the authentication request may also include target personal information of the user to be authenticated.
Next, in step 310, the verification server may look up the identity credential that includes the distributed identity identifier in the blockchain. If the identity credential is found, the subsequent identity authentication process may be performed. If it is not found, the user to be authenticated can be determined to be an illegitimate user and therefore not to pass identity authentication.
In some embodiments, if the verification server finds the identity credential, the identity credential is a signed identity credential, and the signature was added by the identity issuing server using its second private key, the verification server may execute step 312 to verify whether the signature is valid based on the second public key corresponding to the identity issuing server. It should be understood that the verification server may store the second public key in advance. By verifying whether the signature is valid, it can be checked whether the identity credential has been tampered with.
In practice, the signature of the identity credential may be obtained by the identity issuing server encrypting, with the second private key, the digest of the contents of the identity credential other than the signature. Based on this, the verification server may decrypt the signature using the second public key to obtain a decrypted digest. The verification server can also generate a digest of those other contents using a hash algorithm. The verification server may then compare the decrypted digest with the generated digest. If they are the same, the verification server can determine that the signature is valid; otherwise, it can determine that the signature is not valid.
In step 314, the verification server may obtain the ciphertext biometric template from the identity credential in response to finding the identity credential. Optionally, when step 312 is performed, step 314 may specifically include: in response to verifying that the signature of the identity credential is valid, obtaining the ciphertext biometric template from the identity credential.
In some embodiments, the verification server may also perform step 316 to obtain the first public key and/or the personal information template from the identity credential, either before or after the ciphertext biometric template is obtained. It should be appreciated that in the case where the authentication request includes target personal information of the user to be authenticated, the verification server needs to obtain a personal information template from the identity credential. Wherein the first public key may be used to verify the correctness of the first similarity hereinafter.
After the step 314 is performed, the verification server may then perform step 318 to calculate the ciphertext similarity between the ciphertext biometric template and the ciphertext biometric information by using the ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm. The ciphertext calculation algorithm may be any algorithm suitable for ciphertext calculation.
In the following, taking a fully homomorphic encryption algorithm as an example, the ciphertext calculation algorithm and its use in ciphertext similarity calculation are described.
It should be appreciated that the ciphertext biometric template and the ciphertext biometric information of the user to be authenticated may be recorded in a variety of forms, such as vectors, arrays, or matrices, and accordingly there are a variety of ways to determine the similarity between the two. Typically, in some embodiments, both the ciphertext biometric template and the ciphertext biometric information may be recorded as vectors, such as 128-dimensional or 512-dimensional floating-point vectors. For two vectors, the similarity between them can be calculated by calculating a vector distance (for example, Euclidean distance or cosine distance).
Since a fully homomorphic encryption algorithm supports both additive and multiplicative homomorphism, its corresponding ciphertext calculation algorithm may involve both addition and multiplication operations, as shown in the following equation (1):
where d represents the vector distance, which may also be referred to as the ciphertext similarity; m is the dimension of either the first vector, corresponding to the ciphertext biometric template, or the second vector, corresponding to the ciphertext biometric information, the two vectors having the same dimension; x represents a vector element in the first vector, and x_i represents the i-th vector element in the first vector; y represents a vector element in the second vector, and y_i represents the i-th vector element in the second vector. The addition and multiplication operations in equation (1) are homomorphic operations under the corresponding homomorphic encryption algorithm.
According to equation (1), step 318 may specifically include: calculating, by homomorphic multiplication, the product of each pair of corresponding elements in the first vector, corresponding to the ciphertext biometric template, and the second vector, corresponding to the ciphertext biometric information; and performing homomorphic addition on the calculated products and determining the sum as the ciphertext similarity. It is to be understood that homomorphic multiplication may differ from conventional arithmetic multiplication, and homomorphic addition may differ from conventional arithmetic addition. For example, under the Paillier algorithm, homomorphic addition of two ciphertexts corresponds to a conventional arithmetic multiplication of the ciphertexts.
After calculating the ciphertext similarity, the verification server may then execute step 320 to send the ciphertext similarity to the terminal device.
Next, in step 322, the terminal device may decrypt the ciphertext similarity using the first private key corresponding to the first public key and the decryption algorithm corresponding to the homomorphic encryption algorithm to obtain a decrypted first similarity. The terminal device may then execute step 324 to send the first similarity to the verification server.
In some embodiments, after receiving the first similarity, the verification server may check the correctness of the first similarity by executing steps 326 and 328 to determine whether the first similarity has been tampered with. Specifically, the verification server may execute step 326 to encrypt the first similarity with the homomorphic encryption algorithm using the first public key, obtaining an encrypted first similarity. Next, the verification server may execute step 328 to determine whether the encrypted first similarity and the ciphertext similarity are the same. If the two are the same, the first similarity is correct and has not been tampered with. If the two are different, the first similarity is incorrect and has been tampered with.
It should be noted that decrypting the ciphertext similarity on the terminal device and verifying the correctness of the decrypted first similarity on the verification server ensures that the whole process is correctly checked and guards against tampering or attack at any one link.
In some embodiments, if the authentication request includes the target personal information of the user to be authenticated and the personal information template is obtained in step 316, the verification server may further perform step 330, before step 332, to calculate the second similarity between the target personal information and the personal information template. Here, the verification server may use a well-known text similarity calculation method, such as the cosine similarity algorithm or the Jaccard coefficient, to calculate the similarity.
In step 332, the verification server may determine, according to the first similarity, whether the user to be authenticated passes identity authentication. Optionally, when steps 326 and 328 are performed, step 332 may specifically include: in response to the encrypted first similarity being the same as the ciphertext similarity, the verification server determines whether the user to be authenticated passes identity authentication according to the first similarity.
Further, in the case that the verification factor does not include personal information, that is, in the case that step 330 is not performed, determining whether the user to be authenticated passes the identity authentication according to the first similarity may specifically include: if the first similarity reaches a first similarity threshold, determining that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold, determining that the user to be authenticated fails identity authentication.
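The exchange in steps 302 to 332, with the ciphertext similarity computed as step 318 describes (homomorphic multiplication of corresponding elements, then homomorphic addition of the products), can be traced in a short program. The following is an added example, not code from the patent: it swaps in a toy DGHV-style integer scheme that is insecure and is not one of the schemes named above, and the DID, the integer-quantized feature vectors, the threshold and all function names are constructed for illustration.

```python
"""Toy trace of steps 302-332. Added example; NOT a secure scheme."""
import secrets

T = 1 << 20   # plaintext modulus; the inner product must stay below T
RHO = 16      # bits of fresh noise per ciphertext
TAU = 12      # number of public "encryptions of zero"

# Constructed sample data (assumption: features quantized to integers 0..255).
DID = "did:example:alice"
TEMPLATE = [200, 10, 30, 180, 5, 90, 20, 160]
GENUINE = [195, 14, 28, 182, 9, 88, 25, 158]
IMPOSTOR = [12, 190, 170, 20, 150, 15, 185, 10]
THRESHOLD = 90000   # constructed "first similarity threshold"

LEDGER = {}   # stands in for the blockchain: DID -> identity credential


def keygen():
    """Terminal: return (first_public_key, first_private_key)."""
    p = secrets.randbits(256) | (1 << 255) | 1   # secret odd 256-bit integer
    # Each public element is p*q + T*r, i.e. an encryption of zero.
    pk = [p * secrets.randbits(512) + T * secrets.randbits(RHO)
          for _ in range(TAU)]
    return pk, p


def encrypt(pk, m):
    """Encrypt 0 <= m < T as m + T*noise + a random subset sum of pk."""
    c = m + T * secrets.randbits(RHO)
    for x in pk:
        if secrets.randbits(1):
            c += x
    return c


def decrypt(p, c):
    """Remove the multiple of p, then the multiple of T."""
    return (c % p) % T


def issue_credential(did, pk, template):
    """Steps 208-218: encrypt the template on the terminal, store the credential."""
    LEDGER[did] = {
        "did": did,
        "template_ct": [encrypt(pk, v) for v in template],
        "first_public_key": pk,
    }


def ciphertext_similarity(template_ct, probe_ct):
    """Step 318: multiply corresponding ciphertexts, then add the products.

    In this toy scheme both homomorphic operations happen to be plain
    integer multiplication and addition on the ciphertexts.
    """
    if len(template_ct) != len(probe_ct):
        raise ValueError("vectors must have the same dimension")
    return sum(x * y for x, y in zip(template_ct, probe_ct))


def authenticate(did, pk, p, probe, threshold):
    """Run one authentication; return (passed, first_similarity)."""
    # Terminal, steps 302-308: encrypt the probe and send it with the DID.
    probe_ct = [encrypt(pk, v) for v in probe]
    # Verification server, steps 310-320: look up credential, compute on ciphertext.
    credential = LEDGER.get(did)
    if credential is None:
        return False, None            # no credential: authentication fails
    similarity_ct = ciphertext_similarity(credential["template_ct"], probe_ct)
    # Terminal, steps 322-324: only the terminal holds the first private key p.
    first_similarity = decrypt(p, similarity_ct)
    # Verification server, step 332: compare with the threshold.
    return first_similarity >= threshold, first_similarity


if __name__ == "__main__":
    pk, p = keygen()
    issue_credential(DID, pk, TEMPLATE)
    print("genuine :", authenticate(DID, pk, p, GENUINE, THRESHOLD))
    print("impostor:", authenticate(DID, pk, p, IMPOSTOR, THRESHOLD))
    print("unknown :", authenticate("did:example:unknown", pk, p, GENUINE, THRESHOLD))
```

The toy scheme is randomized, as Paillier, BFV and CKKS encryption are, so encrypting the same value twice gives different ciphertexts; under such a scheme the comparison in steps 326 and 328 would not be a byte-for-byte match between a fresh encryption and the ciphertext similarity.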
Further, when the verification factors include personal information, that is, when step 330 is performed, determining whether the user to be authenticated passes identity authentication according to the first similarity may specifically include: determining whether the user to be authenticated passes identity authentication according to the first similarity and the second similarity.
Further, determining whether the user to be authenticated passes the identity authentication according to the first similarity and the second similarity may specifically include: if the first similarity reaches a first similarity threshold and the second similarity reaches a second similarity threshold, determining that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold value and/or the second similarity does not reach the second similarity threshold value, determining that the user to be authenticated does not pass the identity authentication. The first similarity threshold and the second similarity threshold may be the same or different, and are not specifically limited herein.
As an implementation manner, for the first similarity and the second similarity, the verification server may compare any one of the two with a corresponding similarity threshold, and if any one of the two does not reach the corresponding similarity threshold, it may be determined that the user to be authenticated fails identity authentication. If either term reaches the corresponding similarity threshold, the other term may continue to be compared to the corresponding similarity threshold. If the other item does not reach the corresponding similarity threshold, it can be determined that the user to be authenticated fails identity authentication. If the other term reaches the corresponding similarity threshold, the user to be authenticated can be determined to pass the identity authentication.
As another implementation, the verification server may compare the first similarity to the first similarity threshold and compare the second similarity to the second similarity threshold at the same time. And then, the verification server can determine whether the user to be authenticated passes the identity authentication according to the obtained comparison result.
It should be understood that the present specification does not specifically limit the execution process of determining whether the user to be authenticated passes the identity authentication according to the first similarity and the second similarity.
In some embodiments, after the verification server performs step 332, an authentication record may also be generated for the identity authentication, and the authentication record may be saved to the database. In addition, a hash algorithm can be used to generate a digest of the authentication record and save the digest to the blockchain. The authentication record may indicate an authorized object (e.g., a verification server), a data owner (e.g., a legal user of the terminal device), an authentication time, an authentication mode, an authentication result, and so on. The authentication mode may include, for example, distributed identity authentication and biometric authentication. Further, the biometric authentication may include, for example, face authentication, fingerprint authentication, palm print authentication, iris authentication, finger vein authentication, voiceprint authentication, or the like. Optionally, the authentication mode may further include personal information authentication. The authentication result may include authentication success or authentication failure.
It should be noted that saving the digest of the authentication record to the blockchain allows the digest to be used for future compliance checks and enhances credibility.
In some embodiments, if the verification server determines that the user to be authenticated fails identity authentication, a first prompt message for indicating authentication failure may be returned to the terminal device. If the verification server determines that the user to be authenticated passes the identity authentication, a second prompt message for indicating that the authentication passes can be returned to the terminal equipment.
The identity authentication method for protecting privacy provided in the corresponding embodiment of fig. 3 can combine the distributed identity identification technology and the biometric information, and realize the identity authentication based on the biometric feature of the user under the condition of ensuring the security of the personal privacy of the user.
The above describes the content related to the identity issuance phase and the identity authentication phase. It should be noted that the homomorphic encryption algorithm and/or decryption algorithm used in these two phases may be further optimized. Traditionally, multiplication under homomorphic encryption takes a long time because multiple polynomial operations are needed; the multiplication implementation can be optimized through batch optimization. In addition, the ciphertext computing algorithm used in the identity authentication stage can be further optimized, for example, when the homomorphic encryption algorithm is the homomorphic encryption algorithm, transformation can be performed by combining the homomorphic encryption algorithm, and a more accurate vector distance can be computed.
With further reference to fig. 4, the present description provides an embodiment of a privacy-preserving identity information storage apparatus that may be applied to a terminal device as shown in fig. 1.
As shown in fig. 4, the privacy-preserving identity information storage apparatus 400 of the present embodiment includes: a receiving unit 401, an acquiring unit 402, an encrypting unit 403, and a transmitting unit 404. The receiving unit 401 is configured to receive a distributed identity of the user from the identity authentication server, where the distributed identity is generated by the identity authentication server after the user passes real-name authentication; the acquisition unit 402 is configured to acquire biometric information of the user as a biometric template; the encryption unit 403 is configured to encrypt the biometric template with the first public key of the terminal device, using a homomorphic encryption algorithm, to obtain a ciphertext biometric template; the sending unit 404 is configured to send an identity issue request to the identity issuing server, where the identity issue request includes the distributed identity and the ciphertext biometric template, so that the identity issuing server generates an identity credential of the user and stores the identity credential to the blockchain, wherein the identity credential comprises the distributed identity and the ciphertext biometric template.
In some embodiments, the acquisition unit 402 may be further configured to: after the receiving unit 401 receives the distributed identity of the user from the identity authentication server, acquire the target personal information of the user as a personal information template. Based on this, the identity issuance request and the identity credential may also include the personal information template.
In some embodiments, the target personal information may include educational background, political status, and/or age, etc.
In some embodiments, the identity issuance request and the identity credential may also include a first public key.
In some embodiments, the apparatus 400 may further include: a key generation unit (not shown in the figure) is configured to generate a first public key and a corresponding first private key before the encryption unit 403 encrypts the biometric template using a homomorphic encryption algorithm.
In some embodiments, the terminal device includes a trusted execution environment; and the key generation unit may be further configured to: in the trusted execution environment, generate a first public key and a corresponding first private key by using a key generation algorithm; and store the first public key and the first private key in a secure storage area of the trusted execution environment.
In some embodiments, the encryption unit 403 may be further configured to: in a trusted execution environment, a homomorphic encryption algorithm is adopted to encrypt the biometric template.
In some embodiments, the biometric information may include facial features, fingerprint features, palm print features, iris features, finger vein features, or voiceprint features, among others.
With further reference to fig. 5, the present disclosure provides an embodiment of an identity information storage device for protecting privacy, which may be applied to the identity issuing server shown in fig. 1.
As shown in fig. 5, the privacy-preserving identity information storage apparatus 500 of the present embodiment includes: a receiving unit 501, a generating unit 502 and a storage unit 503. The receiving unit 501 is configured to receive an identity issue request from a terminal device, where the request includes a distributed identity identifier and a ciphertext biometric template of the user to which the terminal device belongs, where the distributed identity identifier is generated by an identity authentication server after the user passes real-name authentication, and the ciphertext biometric template is obtained by the terminal device encrypting a biometric template of the user with its first public key using a homomorphic encryption algorithm; the generating unit 502 is configured to generate, in response to the identity issuance request, an identity credential of the user that includes the distributed identity and the ciphertext biometric template; the storage unit 503 is configured to save the identity credential to the blockchain.
In some embodiments, the generation unit 502 may be further configured to: sign the identity credential by using a second private key of the identity issuing server; and the storage unit 503 may be further configured to: save the signed identity credential to the blockchain.
In some embodiments, the identity issuance request and the identity credential may also include a personal information template and/or a first public key.
In some embodiments, the personal information template includes educational background, political status, and/or age, etc.
In some embodiments, the biometric information may include facial features, fingerprint features, palm print features, iris features, finger vein features, or voiceprint features, among others.
With further reference to fig. 6, the present description provides an embodiment of an authentication apparatus for protecting privacy, which may be applied to a terminal device as shown in fig. 1.
As shown in fig. 6, the privacy-preserving identity authentication apparatus 600 of the present embodiment includes: an acquisition unit 601, an encryption unit 602, a transmission unit 603, and a decryption unit 604. Wherein the acquisition unit 601 is configured to acquire biometric information of a user to be authenticated; the encryption unit 602 is configured to encrypt the biometric information by using a homomorphic encryption algorithm by using a first public key of the terminal device to obtain ciphertext biometric information; the sending unit 603 is configured to send an identity authentication request to the verification server, where the identity authentication request includes the stored distributed identity and ciphertext biometric information; so that the verification server side obtains a ciphertext biological feature template corresponding to the distributed identity mark from the blockchain, and calculates ciphertext similarity of the ciphertext biological feature template and ciphertext biological feature information; the decryption unit 604 is configured to decrypt the ciphertext similarity by using a decryption algorithm corresponding to the homomorphic encryption algorithm by using a first private key corresponding to the first public key in response to receiving the ciphertext similarity returned by the verification server, so as to obtain the first similarity; the sending unit 603 is further configured to send the first similarity to the verification server, so that the verification server determines whether the user to be authenticated passes the identity authentication according to the first similarity.
In some embodiments, the acquisition unit 601 may be further configured to: acquiring target personal information of a user to be authenticated; and the authentication request may also include target personal information.
In some embodiments, the target personal information includes educational background, political status, and/or age, etc.
In some embodiments, the biometric information may include facial features, fingerprint features, palm print features, iris features, finger vein features, or voiceprint features, among others.
With further reference to fig. 7, the present disclosure provides an embodiment of an authentication apparatus for protecting privacy, which may be applied to the verification server shown in fig. 1.
As shown in fig. 7, the privacy-preserving identity authentication apparatus 700 of the present embodiment includes: a receiving unit 701, an acquiring unit 702, a calculating unit 703, a transmitting unit 704, and a determining unit 705. The receiving unit 701 is configured to receive an identity authentication request from a terminal device, where the identity authentication request includes a distributed identity stored in the terminal device and ciphertext biometric information of a user to be authenticated, where the ciphertext biometric information is obtained by encrypting, by the terminal device, biometric information of the user to be authenticated by using a homomorphic encryption algorithm with a first public key of the terminal device; the obtaining unit 702 is configured to find an identity credential including a distributed identity in the blockchain, and obtain a ciphertext biometric template from the identity credential; the calculating unit 703 is configured to calculate ciphertext similarity of the ciphertext biometric template and the ciphertext biometric information using a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm; the sending unit 704 is configured to send the ciphertext similarity to the terminal device, so that the terminal device decrypts the ciphertext similarity by using a decryption algorithm corresponding to the homomorphic encryption algorithm and using a first private key corresponding to the first public key; the determining unit 705 is configured to determine, in response to receiving the decrypted first similarity from the terminal device, whether the user to be authenticated passes the identity authentication according to the first similarity.
In some embodiments, the identity credential is a signed identity credential, the signature being added by the identity issuing server using its second private key; and the apparatus 700 may further include: a verification unit (not shown in the figure) configured to verify whether the signature is legal or not based on a second public key corresponding to the identity issuance server before the obtaining unit 702 obtains the ciphertext biometric template from the identity credential; and the acquisition unit 702 may be further configured to: and in response to the verification unit verifying that the signature is legal, acquiring a ciphertext biometric template from the identity credential.
In some embodiments, the acquisition unit 702 may be further configured to: acquiring a first public key from an identity credential; the determination unit 705 may be further configured to: encrypting the first similarity by using the first public key and adopting a homomorphic encryption algorithm to obtain an encrypted first similarity; determining whether the encrypted first similarity is the same as the ciphertext similarity; and in response to determining that the encrypted first similarity is the same as the ciphertext similarity, determining whether the user to be authenticated passes identity authentication according to the first similarity.
In some embodiments, the determining unit 705 may be further configured to: if the first similarity reaches a first similarity threshold, determine that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold, determine that the user to be authenticated fails identity authentication.
In some embodiments, the authentication request further includes target personal information of the user to be authenticated; and the acquisition unit 702 may be further configured to: acquiring a personal information template from the identity certificate; and the computing unit 703 may be further configured to: calculating a second similarity of the target personal information and the personal information template; the determination unit 705 may be further configured to: and determining whether the user to be authenticated passes identity authentication or not according to the first similarity and the second similarity.
In some embodiments, the determining unit 705 may be further configured to: if the first similarity reaches a first similarity threshold and the second similarity reaches a second similarity threshold, determining that the user to be authenticated passes identity authentication; and if the first similarity does not reach the first similarity threshold value and/or the second similarity does not reach the second similarity threshold value, determining that the user to be authenticated does not pass the identity authentication.
In some embodiments, the apparatus 700 may further include: a generating unit (not shown in the figure) configured to generate an authentication record for the present identity authentication; a storage unit (not shown in the figure) configured to save the authentication record to the database, and generate a digest of the authentication record using a hash algorithm and save the digest to the blockchain.
In the embodiment of the apparatus corresponding to fig. 4 to fig. 7, the specific processing of each unit and the technical effects brought by the processing may refer to the related descriptions in the embodiments corresponding to fig. 2 and fig. 3, and are not described herein again.
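The exchange between apparatus 600 (terminal) and apparatus 700 (verification server) can be modeled end to end as follows. This is an added example, not code from the patent: it assumes binary biometric templates, Hamming similarity, and Goldwasser-Micali as the homomorphic scheme (the specification names none); all function names and the demo key are constructed for illustration. The optional re-encryption comparison is not modeled, because Goldwasser-Micali ciphertexts are randomized and a fresh encryption of the same value never matches bit for bit.

```python
"""Toy model of the terminal <-> verification-server exchange (added example).

Homomorphic scheme: Goldwasser-Micali (an assumption; the page names no scheme).
GM encrypts single bits, and multiplying two ciphertexts yields an encryption
of the XOR of the plaintext bits, so the server can compute an encrypted
Hamming distance between two binary templates without seeing either one.
"""
import math
import secrets

# Constructed demo key: two Mersenne primes, both congruent to 3 mod 4. They
# are public and far too small for real use; they keep the example offline.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q          # first public key (modulus)
X = N - 1          # public non-residue: -1 is a non-square mod P and mod Q


def encrypt_bit(bit, n=N, x=X):
    """Terminal: c = r^2 * x^bit mod n with fresh randomness r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (r * r * (x if bit else 1)) % n


def decrypt_bit(c, p=P):
    """Terminal: the bit is 0 iff c is a square mod p (Euler's criterion)."""
    return 0 if pow(c, (p - 1) // 2, p) == 1 else 1


def encrypt_template(bits):
    """Terminal: encrypt a binary feature code bit by bit."""
    return [encrypt_bit(b) for b in bits]


def server_ciphertext_similarity(ct_template, ct_probe, n=N):
    """Verification server: encrypted XOR per position, then shuffled so the
    key holder learns only how many bits differ, not which ones."""
    if len(ct_template) != len(ct_probe):
        raise ValueError("template and probe length mismatch")
    xored = [(a * b) % n for a, b in zip(ct_template, ct_probe)]
    secrets.SystemRandom().shuffle(xored)
    return xored


def terminal_decrypt_similarity(ct_similarity):
    """Terminal: decrypt the XOR bits, return similarity = 1 - hamming/len."""
    hamming = sum(decrypt_bit(c) for c in ct_similarity)
    return 1 - hamming / len(ct_similarity)


def server_decide(first_similarity, threshold):
    """Verification server: pass iff the first similarity reaches the threshold."""
    return first_similarity >= threshold


def authenticate(template_bits, probe_bits, threshold=0.9):
    """Run issuance and authentication; return (first similarity, passed)."""
    ct_template = encrypt_template(template_bits)  # stored in the identity credential
    ct_probe = encrypt_template(probe_bits)        # sent in the authentication request
    ct_sim = server_ciphertext_similarity(ct_template, ct_probe)
    first_similarity = terminal_decrypt_similarity(ct_sim)
    return first_similarity, server_decide(first_similarity, threshold)


# Constructed sample data: a 64-bit binary feature code, a noisy re-capture of
# the same user (3 flipped bits) and an unrelated code (every other bit flipped).
TEMPLATE = [(i * 7 + 3) % 5 < 2 for i in range(64)]
SAME_USER = [b ^ (i in (4, 20, 41)) for i, b in enumerate(TEMPLATE)]
OTHER_USER = [b ^ (i % 2 == 0) for i, b in enumerate(TEMPLATE)]

if __name__ == "__main__":
    print(authenticate(TEMPLATE, SAME_USER))    # (0.953125, True)
    print(authenticate(TEMPLATE, OTHER_USER))   # (0.5, False)
```

The server handles only ciphertexts throughout; the plaintext similarity exists only on the terminal that holds the first private key, and the server's decision depends on the value the terminal reports.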
The embodiments of the present disclosure also provide a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed in a computer, causes the computer to execute the privacy-preserving identity information storage method or the identity authentication method shown in the above method embodiments, respectively.
The embodiment of the specification also provides a computing device, which comprises a memory and a processor, wherein executable codes are stored in the memory, and when the processor executes the executable codes, the identity information storage method or the identity authentication method for protecting privacy, which are respectively shown in the above method embodiments, are realized.
The embodiments of the present specification also provide a computer program, where the computer program, when executed in a computer, causes the computer to execute the identity information storage method or the identity authentication method for protecting privacy shown in the above method embodiments, respectively.
Those of skill in the art will appreciate that in one or more of the above examples, the functions described in the various embodiments disclosed herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
While the foregoing detailed description has described the objects, aspects and advantages of the embodiments disclosed herein in further detail, it should be understood that the foregoing detailed description is merely illustrative of the embodiments disclosed herein and is not intended to limit the scope of the embodiments disclosed herein, but rather any modifications, equivalents, improvements or the like that may be made to the embodiments disclosed herein are intended to be included within the scope of the embodiments disclosed herein.

Claims (25)

1. A method of storing identity information that protects privacy, comprising:
after the authentication of the real name of the user is passed, the identity authentication server generates a distributed identity of the user and sends the distributed identity to the terminal equipment of the user;
The terminal equipment acquires the biological characteristic information of the user as a biological characteristic template, encrypts the biological characteristic template by using a homomorphic encryption algorithm by using a first public key of the terminal equipment to obtain a ciphertext biological characteristic template, and sends an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biological characteristic template;
the identity issuing server responds to the identity issuing request, generates an identity credential of the user, and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template, so that the ciphertext biometric template is used by a verification server to calculate ciphertext similarity in an identity authentication stage.
2. The method of claim 1, wherein after the generating the identity credential of the user, the method further comprises:
the identity issuing server signs the identity credential by using a second private key of the identity issuing server; and
the saving the identity credential to the blockchain includes:
storing the signed identity credential to the blockchain.
3. The method of claim 1, wherein after the sending the distributed identity to the user's terminal device, the method further comprises:
The terminal equipment acquires target personal information of the user as a personal information template; and
The identity issuance request and the identity credential also include the personal information template.
4. A method according to claim 3, wherein the target personal information comprises at least one of: educational background, political status, age.
5. A method according to claim 1 or 3, wherein the identity issuance request and the identity credential further comprise the first public key.
6. The method of claim 1, wherein prior to said encrypting the biometric template using a homomorphic encryption algorithm, the method further comprises:
The terminal device generates the first public key and the corresponding first private key.
7. The method of claim 6, wherein the terminal device comprises a trusted execution environment; and
The generating the first public key and the corresponding first private key includes:
Generating the first public key and the corresponding first private key by using a key generation algorithm in the trusted execution environment; and
The method further comprises the steps of:
storing the first public key and the first private key in a secure storage area of the trusted execution environment.
8. The method of claim 7, wherein the encrypting the biometric template using a homomorphic encryption algorithm comprises:
and in the trusted execution environment, encrypting the biological feature template by adopting the homomorphic encryption algorithm.
9. The method of claim 1, wherein the biometric information comprises any of: facial features, fingerprint features, palm print features, iris features, finger vein features, and voiceprint features.
10. The identity information storage method for protecting privacy is applied to terminal equipment and comprises the following steps:
Receiving a distributed identity of a user from an identity authentication server, wherein the distributed identity is generated after the identity authentication server passes the authentication of the real name of the user;
acquiring biological characteristic information of the user as a biological characteristic template;
Encrypting the biological characteristic template by using a homomorphic encryption algorithm by using a first public key of the terminal equipment to obtain a ciphertext biological characteristic template;
sending an identity issuing request to an identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template, so that the identity issuing server generates an identity credential of the user and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template, so that the ciphertext biometric template is used by a verification server to calculate ciphertext similarity in an identity authentication stage.
11. A privacy-protecting identity information storage method is applied to an identity issuing server and comprises the following steps:
receiving an identity issuing request from terminal equipment, wherein the identity issuing request comprises a distributed identity identifier and a ciphertext biological feature template of a user to which the terminal equipment belongs, the distributed identity identifier is generated after an identity authentication server passes real-name authentication of the user, and the ciphertext biological feature template is obtained by encrypting the biological feature template of the user by the terminal equipment through a homomorphic encryption algorithm by utilizing a first public key of the terminal equipment;
responding to the identity issuing request, generating an identity credential of the user, wherein the identity credential comprises the distributed identity identifier and the ciphertext biological feature template;
storing the identity credential to a blockchain, so that the ciphertext biometric template is used by a verification server to calculate ciphertext similarity in an identity authentication stage.
12. An identity authentication method for protecting privacy is applied to terminal equipment and comprises the following steps:
acquiring biological characteristic information of a user to be authenticated;
Encrypting the biological characteristic information by using a homomorphic encryption algorithm by using a first public key of the terminal equipment to obtain ciphertext biological characteristic information;
An identity authentication request is sent to a verification server, wherein the identity authentication request comprises a stored distributed identity and the ciphertext biological feature information; the verification server side obtains a ciphertext biological feature template from an identity credential comprising the distributed identity in a blockchain, and calculates ciphertext similarity of the ciphertext biological feature template and ciphertext biological feature information;
In response to receiving the ciphertext similarity returned by the verification server, decrypting the ciphertext similarity by using a first private key corresponding to the first public key and adopting a decryption algorithm corresponding to the homomorphic encryption algorithm to obtain a first similarity;
And sending the first similarity to the verification server side so that the verification server side determines whether the user to be authenticated passes identity authentication according to the first similarity.
13. The method of claim 12, wherein prior to the sending the identity authentication request to the verification server, the method further comprises:
Acquiring target personal information of the user to be authenticated; and
The authentication request also includes the target personal information.
14. An identity authentication method for protecting privacy is applied to a verification server and comprises the following steps:
receiving an identity authentication request from a terminal device, wherein the identity authentication request comprises a distributed identity identifier stored by the terminal device and ciphertext biological characteristic information of a user to be authenticated, and the ciphertext biological characteristic information is obtained by encrypting the biological characteristic information of the user to be authenticated by the terminal device through a homomorphic encryption algorithm by utilizing a first public key of the terminal device;
Searching an identity certificate comprising the distributed identity identifier in a blockchain, and acquiring a ciphertext biological feature template from the identity certificate;
calculating ciphertext similarity of the ciphertext biological feature template and the ciphertext biological feature information by adopting a ciphertext calculation algorithm corresponding to the homomorphic encryption algorithm;
the ciphertext similarity is sent to the terminal equipment, so that the terminal equipment decrypts the ciphertext similarity by using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm;
in response to receiving the decrypted first similarity from the terminal equipment, determining whether the user to be authenticated passes identity authentication according to the first similarity.
15. The method of claim 14, wherein the identity credential is a signed identity credential, the signature being added by an identity issuing server using its second private key; and
Before the obtaining of the ciphertext biometric template from the identity credential, the method further comprises:
Verifying whether the signature is legal or not based on a second public key corresponding to the identity issuing server; and
The obtaining the ciphertext biometric template from the identity credential comprises:
And in response to verifying that the signature is legal, obtaining a ciphertext biometric template from the identity credential.
16. The method of claim 14, wherein prior to the determining whether the user to be authenticated is authenticated based on the first similarity, the method further comprises:
Obtaining the first public key from the identity credential;
Encrypting the first similarity by using the first public key and adopting the homomorphic encryption algorithm to obtain an encrypted first similarity;
Determining whether the encrypted first similarity and the ciphertext similarity are the same; and
The determining whether the user to be authenticated passes identity authentication according to the first similarity comprises:
And in response to determining that the encrypted first similarity is the same as the ciphertext similarity, determining whether the user to be authenticated passes identity authentication according to the first similarity.
17. The method according to claim 14 or 16, wherein the determining whether the user to be authenticated passes identity authentication according to the first similarity comprises:
if the first similarity reaches a first similarity threshold, determining that the user to be authenticated passes identity authentication;
if the first similarity does not reach the first similarity threshold, determining that the user to be authenticated fails identity authentication.
18. The method of claim 14 or 16, wherein the authentication request further comprises target personal information of the user to be authenticated; and
Before the step of determining whether the user to be authenticated passes identity authentication according to the first similarity, the method further comprises:
acquiring a personal information template from the identity credential;
Calculating a second similarity of the target personal information and the personal information template; and
The determining whether the user to be authenticated passes identity authentication according to the first similarity comprises:
And determining whether the user to be authenticated passes identity authentication or not according to the first similarity and the second similarity.
19. The method of claim 18, wherein the determining whether the user to be authenticated is authenticated based on the first similarity and the second similarity comprises:
if the first similarity reaches a first similarity threshold and the second similarity reaches a second similarity threshold, determining that the user to be authenticated passes identity authentication;
And if the first similarity does not reach the first similarity threshold value and/or the second similarity does not reach the second similarity threshold value, determining that the user to be authenticated does not pass identity authentication.
20. The method of claim 14, wherein after the determining whether the user to be authenticated passes identity authentication according to the first similarity, the method further comprises:
generating an authentication record for the identity authentication;
Storing the authentication record to a database;
and generating a digest of the authentication record by utilizing a hash algorithm, and storing the digest to the blockchain.
21. A privacy-protecting identity information storage device, applied to a terminal device, comprising:
a receiving unit configured to receive a distributed identity identifier of a user from an identity authentication server, wherein the distributed identity identifier is generated after the user's real name passes authentication by the identity authentication server;
an acquisition unit configured to acquire biometric information of the user as a biometric template;
an encryption unit configured to encrypt the biometric template with a homomorphic encryption algorithm, using a first public key of the terminal device, to obtain a ciphertext biometric template;
a sending unit configured to send an identity issuing request to the identity issuing server, wherein the identity issuing request comprises the distributed identity identifier and the ciphertext biometric template; the identity issuing server generates an identity credential of the user and stores the identity credential to a blockchain, wherein the identity credential comprises the distributed identity identifier and the ciphertext biometric template, so that the ciphertext biometric template is used by the verification server to calculate ciphertext similarity in the identity authentication stage.
22. A privacy-protecting identity information storage device, applied to an identity issuing server, comprising:
a receiving unit configured to receive an identity issuing request from a terminal device, wherein the identity issuing request comprises a distributed identity identifier and a ciphertext biometric template of the user to whom the terminal device belongs, the distributed identity identifier is generated after the user's real name passes authentication by an identity authentication server, and the ciphertext biometric template is obtained by the terminal device encrypting the biometric template of the user with a homomorphic encryption algorithm, using a first public key of the terminal device;
a generation unit configured to generate, in response to the identity issuing request, an identity credential of the user that includes the distributed identity identifier and the ciphertext biometric template;
and a storage unit configured to store the identity credential to a blockchain, so that the ciphertext biometric template is used by the verification server to calculate ciphertext similarity in the identity authentication stage.
23. A privacy-protecting identity authentication device, applied to a terminal device, comprising:
an acquisition unit configured to acquire biometric information of a user to be authenticated;
an encryption unit configured to encrypt the biometric information with a homomorphic encryption algorithm, using a first public key of the terminal device, to obtain ciphertext biometric information;
a sending unit configured to send an identity authentication request to the verification server, wherein the identity authentication request comprises a stored distributed identity identifier and the ciphertext biometric information; the verification server obtains a ciphertext biometric template from an identity credential in a blockchain that comprises the distributed identity identifier, and calculates the ciphertext similarity of the ciphertext biometric template and the ciphertext biometric information;
a decryption unit configured to, in response to receiving the ciphertext similarity returned by the verification server, decrypt the ciphertext similarity using a first private key corresponding to the first public key and a decryption algorithm corresponding to the homomorphic encryption algorithm, to obtain a first similarity;
the sending unit being further configured to send the first similarity to the verification server, so that the verification server determines whether the user to be authenticated passes identity authentication according to the first similarity.
24. A privacy-protecting identity authentication device, applied to a verification server, comprising:
a receiving unit configured to receive an identity authentication request from a terminal device, wherein the identity authentication request comprises a distributed identity identifier stored by the terminal device and ciphertext biometric information of a user to be authenticated, and the ciphertext biometric information is obtained by the terminal device encrypting the biometric information of the user to be authenticated with a homomorphic encryption algorithm, using a first public key of the terminal device;
an acquisition unit configured to search a blockchain for an identity credential comprising the distributed identity identifier and to acquire a ciphertext biometric template from the identity credential;
a computing unit configured to compute the ciphertext similarity of the ciphertext biometric template and the ciphertext biometric information using a ciphertext computing algorithm corresponding to the homomorphic encryption algorithm;
a sending unit configured to send the ciphertext similarity to the terminal device, so that the terminal device decrypts the ciphertext similarity with a decryption algorithm corresponding to the homomorphic encryption algorithm, using a first private key corresponding to the first public key;
and a determining unit configured to, in response to receiving the decrypted first similarity from the terminal device, determine whether the user to be authenticated passes identity authentication according to the first similarity.
25. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 10-20.
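The enrollment and authentication exchange of claims 17 and 21-24, as an added example that is not code from the patent: a toy DGHV-style integer scheme stands in for the homomorphic encryption algorithm, which the claims do not name, and its parameters are not secure. The inner-product similarity, the feature vectors, the threshold, the DID string and the dict standing in for the blockchain are all assumptions.

```python
import secrets

T = 1 << 20  # plaintext modulus; every similarity score must stay below it

# Constructed sample data: quantized 8-dimensional feature vectors.
TEMPLATE = [9, 2, 7, 1, 8, 3, 6, 4]   # enrolled user
GENUINE = [8, 2, 7, 2, 8, 3, 5, 4]    # same user, fresh capture
IMPOSTOR = [1, 9, 2, 8, 3, 7, 2, 6]   # different user
THRESHOLD = 200                        # assumed first similarity threshold

def keygen(n_pub=16):
    """Terminal: first private key p; first public key = noisy multiples of p."""
    p = secrets.randbits(256) | (1 << 255) | 1
    pub = [p * secrets.randbits(300) + T * secrets.randbelow(256) for _ in range(n_pub)]
    return p, pub

def encrypt(pub, m):
    """Message + fresh noise + random subset of the public key."""
    return m + T * secrets.randbelow(256) + sum(x for x in pub if secrets.randbits(1))

def decrypt(p, c):
    """Reducing mod p strips the key multiples, mod T strips the noise."""
    return (c % p) % T

def ciphertext_similarity(ct_template, ct_probe):
    """Verification server: inner product on ciphertexts, no key involved."""
    return sum(a * b for a, b in zip(ct_template, ct_probe))

def authenticate(chain, did, ct_probe, terminal_decrypt):
    """Verification server flow of claims 17 and 24."""
    ct_template = chain[did]["ct_template"]          # credential looked up by DID
    ct_sim = ciphertext_similarity(ct_template, ct_probe)
    first_similarity = terminal_decrypt(ct_sim)      # round trip to the terminal
    return first_similarity >= THRESHOLD

def run_demo():
    p, pub = keygen()                                # terminal keeps p
    did = "did:example:alice"                        # placeholder identifier
    # Enrollment (claims 21-22): only the ciphertext template reaches the chain.
    chain = {did: {"did": did, "ct_template": [encrypt(pub, v) for v in TEMPLATE]}}
    results = {}
    for name, probe in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        ct_probe = [encrypt(pub, v) for v in probe]  # claim 23: encrypt on device
        results[name] = authenticate(chain, did, ct_probe, lambda c: decrypt(p, c))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The verification server handles only ciphertexts until the terminal returns the decrypted first similarity, which it then compares against the threshold.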
CN202110343701.5A 2021-03-30 2021-03-30 Privacy-protecting identity information storage and identity authentication method and device Active CN112926092B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110343701.5A CN112926092B (en) 2021-03-30 2021-03-30 Privacy-protecting identity information storage and identity authentication method and device

Publications (2)

Publication Number Publication Date
CN112926092A CN112926092A (en) 2021-06-08
CN112926092B true CN112926092B (en) 2024-07-02

Family

ID=76176638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110343701.5A Active CN112926092B (en) 2021-03-30 2021-03-30 Privacy-protecting identity information storage and identity authentication method and device

Country Status (1)

Country Link
CN (1) CN112926092B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant