
CN106488452A - A mobile terminal secure access authentication method combined with fingerprint - Google Patents

Info

Publication number
CN106488452A
Authority
CN
China
Prior art keywords
user
registration information
information
client
characteristic information
Prior art date
Legal status
Granted
Application number
CN201611015948.XA
Other languages
Chinese (zh)
Other versions
CN106488452B (en)
Inventor
李维
邓进
朱世顺
陆忞
娄征
臧燕
张滔
屠正伟
Current Assignee
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Nanjing NARI Group Corp
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Nanjing NARI Group Corp, Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority to CN201611015948.XA
Publication of CN106488452A
Application granted
Publication of CN106488452B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a mobile terminal secure access authentication method combined with fingerprint, comprising four steps: establishing an encrypted channel, user registration, user information audit, and user service access. The client collects terminal characteristic information, including the USBKEY serial number, the digital certificate serial number, the mobile terminal serial number and the user's fingerprint characteristic information, and uploads it to the secure access gateway over the encrypted channel; the secure access gateway verifies the completeness and validity of the terminal information and decides from the result whether the terminal may access the protected server. By combining fingerprint recognition with traditional identification methods, the medium that identifies the identity is tied directly to the natural person, so that identification truly corresponds to the person being identified; this effectively raises the security level of mobile terminal information access and makes it easier for convenient mobile technology to play its role in information applications.

Description

A mobile terminal secure access authentication method combined with fingerprint

Technical field

The invention relates to a mobile terminal secure access authentication method, and in particular to a mobile terminal secure access authentication method combined with fingerprint recognition.

Background

At present, terminal security mainly relies on identification by passwords, USBKEYs, digital certificates and similar credentials. These only verify that the user knows or holds a particular piece of information; the medium that identifies the identity is unrelated to the person being identified, is easily lost or leaked, and under current technical conditions is not difficult to forge. Traditional identification therefore no longer meets the intelligence requirements of a rapidly developing society, particularly in security and management, and a new, more accurate and reliable identification technology is objectively required.

Fingerprint recognition is currently the most mature and inexpensive biometric identification technology and the most widely applied: beyond access control and attendance systems, it is used in laptops, mobile phones, cars and bank payments.

With the spread of smartphones, tablets and other wireless mobile terminals, mobile office and remote operations have matured, becoming more convenient and effective and greatly improving work efficiency and returns. But because of the characteristics of mobile networks and terminals, information security problems caused by network viruses and hacker attacks are increasingly serious; keeping confidential data from leaking and authenticating the objects that access the network have become the top priority of mobile secure access solutions.

Traditional identity authentication generally uses security chip and PKI technology, with the following process: (1) call the security chip to generate a certificate request file; (2) submit the certificate request file to the CA system, which issues the certificate and returns the certificate file; (3) place the security chip, the certificate file and the CA certificate file on the mobile terminal and run the security client software; (4) the security client software communicates with the server, the two parties exchange certificates and each verifies the signature on the other's certificate using its CA certificate file, achieving mutual verification of identity; (5) through a key negotiation protocol such as IPSec VPN, SSL VPN or a custom protocol, negotiate the working key for data transmission between the two parties.

Traditional identification technology only verifies a device carrying a security chip and a digital certificate; it cannot verify the identity of the person using the device. If the device falls into unauthorized hands, every operation permitted to the device can be performed, which inevitably leads to information leakage and misattributed responsibility.

Summary of the invention

The technical problem solved by the invention is that existing identification technology only verifies a device carrying a security chip and a digital certificate and cannot verify the identity of the person using the device.

To solve this problem, the invention provides a mobile terminal secure access authentication method combined with fingerprint, comprising the following steps:

Step 1, establish an encrypted channel: the client invokes the USBKEY and the digital certificate stored in it and, following the SSL VPN protocol, completes certificate-based mutual identity verification and negotiation of an encrypted channel based on the national commercial SM1 algorithm;

Step 2, user registration, specifically:

Step 2.1, the client collects terminal characteristic information, prompts the user to enter a fingerprint to obtain fingerprint characteristic information, and uploads the terminal characteristic information and fingerprint characteristic information together as user registration information to the secure access gateway over the encrypted channel;

Step 2.2, the secure access gateway receives the user registration information uploaded by the client, stores it in the database, and sets its initial audit result to "unaudited"; unaudited users have no permission to access the protected server;

Step 3, user information audit: the protected server audits the unaudited user registration information in the database, checking its validity and completeness and in particular whether it belongs to a legitimate user; illegitimate registration information is given the audit result "failed" and legitimate registration information the audit result "passed";

Step 4, user service access, specifically:

Step 4.1, the client collects the user's fingerprint characteristic information and uploads it together with the terminal characteristic information to the secure access gateway; the gateway searches the database by one item of the terminal characteristic information; if a corresponding user registration record is found, proceed to step 4.2, otherwise proceed to step 4.3;

Step 4.2, the secure access gateway checks the audit status of that user registration record. If the result is "unaudited" or "failed", the gateway returns a failure result and terminates the user's client's access to the protected server. If the result is "passed", the gateway compares the terminal characteristic information submitted by the client in this request with the complete terminal characteristic information stored in the database; if they are not entirely identical, the gateway returns a failure result and terminates the client's access to the protected server; if they are entirely identical, the gateway returns an authentication success result to the client and allows it to access the protected server;

Step 4.3, the secure access gateway adds a new user registration record to the database, sets its initial audit result to "unaudited", and waits for the protected server to audit it.

Adding the user's fingerprint characteristic information during registration, so that it is verified at service access time, effectively verifies the identity of the person using the client, prevents unauthorized access to the protected server and improves security; searching the database by a single item of terminal characteristic information keeps the lookup fast and improves the system's response time; having the secure access gateway check the audit status of the registration information further secures access to the protected server.

As a further limitation of the invention, the terminal characteristic information in step 2.1 comprises the USBKEY serial number, the digital certificate serial number and the mobile terminal serial number. Terminal characteristic information makes it convenient for the protected server to register and verify the legitimacy of the client.

As a further limitation of the invention, in step 4.1 the secure access gateway searches the database by the digital certificate serial number in the terminal characteristic information, which keeps the lookup fast and improves the system's response time.

As a further limitation of the invention, illegitimate user registration information in step 3 is either incomplete or incorrect. Defining incomplete or incorrect registration information as illegitimate further secures access to the protected server.

As a further limitation of the invention, where registration information in step 3 is given the result "failed" because of a legitimate user's mistaken operation, the client applies to the protected server to delete the original registration record and resubmits the registration information. This lets legitimate users appeal and avoids wrongly locking them out.

The beneficial effects of the invention are: (1) adding the user's fingerprint characteristic information during registration ties the identity medium directly to the natural person, so that verifying the fingerprint characteristic information at service access time makes identification truly correspond to the person being identified, effectively verifies the identity of the person using the client, prevents unauthorized access to the protected server, improves security, and remedies the defect of traditional authentication, which authenticates the device but not the person using it; (2) searching the database by a single item of terminal characteristic information keeps the lookup fast and improves the system's response time; (3) having the secure access gateway check the audit status of the registration information further secures access to the protected server; (4) binding the user's fingerprint characteristic information to the digital certificate, USBKEY and mobile terminal information verifies the user's identity on top of the device's legitimacy, achieving dual verification of the person and the device; (5) comparing the user's characteristic information on the server side makes it harder for an unauthorized user to bypass verification; (6) transmitting the user's characteristic information with secure encryption preserves its confidentiality and integrity in transit; (7) tying the verification result to terminal access rights and isolating the mobile terminal from the protected server behind the secure access gateway means that only authenticated users are permitted by the gateway to access the protected server.

Description of drawings

Fig. 1 is the system block diagram of the invention;

Fig. 2 is the flow chart of encrypted channel establishment of the invention;

Fig. 3 is the flow chart of user registration of the invention;

Fig. 4 is the flow chart of the audit of the invention;

Fig. 5 is the flow chart of use of the invention.

Detailed description

As shown in Figures 1 to 5, the mobile terminal secure access authentication method combined with fingerprint disclosed by the invention uses a client/server model. Client software is installed on the mobile terminal. The software first uses the USBKEY and digital certificate to negotiate with the secure access gateway, completing certificate-based identity authentication and establishing an encrypted channel based on the national commercial cipher algorithm; it then collects terminal characteristic information, including the USBKEY serial number, the digital certificate serial number, the mobile terminal serial number and the user's fingerprint characteristic information, and uploads it to the secure access gateway over the encrypted channel. The secure access gateway verifies the completeness and validity of the terminal information and decides from the result whether the terminal may access the protected server. The method specifically comprises the following steps:

Step 1, establish an encrypted channel: the user, through the client, invokes the USBKEY and the digital certificate stored in it and, following the SSL VPN protocol, completes certificate-based mutual identity verification and negotiation of an encrypted channel based on the national commercial SM1 algorithm; this process is the same as the existing encrypted channel establishment process;

Step 2, user registration, specifically:

Step 2.1, when the user runs the client for the first time, the client collects terminal characteristic information, prompts the user to enter a fingerprint to obtain fingerprint characteristic information, and uploads the terminal characteristic information and fingerprint characteristic information together as user registration information to the secure access gateway over the encrypted channel, where the terminal characteristic information comprises the USBKEY serial number, the digital certificate serial number and the mobile terminal serial number;

Step 2.2, the secure access gateway receives the user registration information uploaded by the client, stores it in the database, and sets its initial audit result to "unaudited"; unaudited users have no permission to access the protected server;

Step 3, user information audit: the system administrator of the protected server audits the unaudited user registration information in the database, checking its validity and completeness and in particular whether it belongs to a legitimate user; illegitimate registration information is given the audit result "failed" and legitimate registration information the audit result "passed". Illegitimate registration information is either incomplete or incorrect. Where registration information is given the result "failed" because of a legitimate user's mistaken operation, the user applies through the client to the system administrator of the protected server to delete the original registration record and resubmits the registration information;

Step 4, user service access, specifically:

Step 4.1, the user runs the client, which collects the user's fingerprint characteristic information and uploads it together with the terminal characteristic information to the secure access gateway; the gateway searches the database by the digital certificate serial number in the terminal characteristic information; if a corresponding user registration record is found, proceed to step 4.2, otherwise proceed to step 4.3;

Step 4.2, the secure access gateway checks the audit status of that user registration record. If the result is "unaudited" or "failed", the gateway returns a failure result and terminates the user's client's access to the protected server. If the result is "passed", the gateway compares the terminal characteristic information submitted by the client in this request with the complete terminal characteristic information stored in the database (that is, the USBKEY serial number, the digital certificate serial number and the mobile terminal serial number); if they are not entirely identical, the gateway returns a failure result and terminates the client's access to the protected server; if they are entirely identical, the gateway returns an authentication success result to the client and allows it to access the protected server;

Step 4.3, the secure access gateway adds a new user registration record to the database, sets its initial audit result to "unaudited", and waits for the protected server to audit it.
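The gateway-side logic of steps 2 to 4 above (and of the identically structured steps in the summary of the invention) as an added, runnable model in Python. This is example code written for this page, not code from the patent or its assignees. It assumes the step 1 SSL VPN channel is already in place, models the database as an in-memory dictionary keyed by the digital certificate serial number (claim 3), represents the fingerprint characteristic information as an opaque byte string compared for equality in place of a real fingerprint matcher, and takes the administrator's verdict of step 3 as a boolean argument; the serial numbers and template bytes in `demo()` are constructed sample values.

```python
"""Model of the secure access gateway decision logic (steps 2 to 4 of the patent).

Assumptions not taken from the patent: the encrypted channel of step 1 already
exists, the database is an in-memory dict, the fingerprint characteristic
information is an opaque byte string compared for equality (standing in for a
real fingerprint matcher), and the administrator's step 3 verdict is a boolean.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class AuditState(Enum):
    """Audit results the patent assigns to a registration record (steps 2.2 and 3)."""
    UNAUDITED = "unaudited"
    FAILED = "failed"
    PASSED = "passed"


@dataclass(frozen=True)
class TerminalInfo:
    """Terminal characteristic information (claim 2); frozen so == compares every field."""
    usbkey_serial: str
    cert_serial: str
    device_serial: str

    def is_complete(self) -> bool:
        # Step 3 / claim 4: incomplete registration information is illegitimate.
        return all((self.usbkey_serial, self.cert_serial, self.device_serial))


@dataclass
class Registration:
    terminal: TerminalInfo
    fingerprint: bytes
    state: AuditState = AuditState.UNAUDITED


class AccessGateway:
    """Secure access gateway: stores registrations and decides service access."""

    def __init__(self) -> None:
        # Records are keyed by digital certificate serial number (claim 3).
        self._db: Dict[str, Registration] = {}

    def register(self, terminal: TerminalInfo, fingerprint: bytes) -> None:
        """Steps 2.2 and 4.3: store the record with initial result 'unaudited'."""
        self._db[terminal.cert_serial] = Registration(terminal, fingerprint)

    def state_of(self, cert_serial: str) -> AuditState:
        return self._db[cert_serial].state

    def audit(self, cert_serial: str, admin_approves: bool) -> AuditState:
        """Step 3: the protected server's administrator audits an unaudited record.

        A record passes only if it is complete and the administrator judges it
        legitimate; anything else is marked 'failed'.
        """
        reg = self._db[cert_serial]
        legitimate = reg.terminal.is_complete() and len(reg.fingerprint) > 0 and admin_approves
        reg.state = AuditState.PASSED if legitimate else AuditState.FAILED
        return reg.state

    def delete_registration(self, cert_serial: str) -> None:
        """Appeal path (claim 5): a failed record is deleted so the user can resubmit."""
        self._db.pop(cert_serial, None)

    def access(self, terminal: TerminalInfo, fingerprint: bytes) -> Tuple[bool, str]:
        """Step 4: decide whether this client may reach the protected server."""
        reg = self._db.get(terminal.cert_serial)            # step 4.1 lookup
        if reg is None:                                     # step 4.3
            self.register(terminal, fingerprint)
            return False, "no record found; registered and awaiting audit"
        if reg.state is not AuditState.PASSED:              # step 4.2, audit check
            return False, f"audit result is '{reg.state.value}'"
        if reg.terminal != terminal:                        # step 4.2, all fields must match
            return False, "terminal characteristic information does not match"
        # Beneficial effect (1): the fingerprint is also verified at access time.
        # Constant-time byte comparison stands in for a real matcher (assumption).
        if not hmac.compare_digest(reg.fingerprint, fingerprint):
            return False, "fingerprint characteristic information does not match"
        return True, "authentication succeeded"


def demo() -> List[Tuple[bool, str]]:
    """Walk one user through registration, audit and access (constructed data)."""
    gw = AccessGateway()
    phone = TerminalInfo("USBKEY-0001", "CERT-0001", "DEV-0001")  # constructed serials
    fp = b"constructed-fingerprint-template"                      # constructed template
    results = [gw.access(phone, fp)]               # first run: record created, access denied
    gw.audit("CERT-0001", admin_approves=True)     # administrator passes the record
    results.append(gw.access(phone, fp))           # now succeeds
    moved_key = TerminalInfo("USBKEY-0001", "CERT-0001", "DEV-9999")
    results.append(gw.access(moved_key, fp))       # same USBKEY on another device: denied
    results.append(gw.access(phone, b"other-finger"))  # right device, wrong finger: denied
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

Two details matter for a deployment of this scheme. The comparison in step 4.2 has to cover all three serial numbers, not just the lookup key; the frozen dataclass's `==` does that, which is why presenting a registered USBKEY and certificate from a different handset is refused. And the completeness check lives in `audit()`, so a record with a blank serial is marked "failed" even if the administrator approves it, matching the claim 4 definition of illegitimate registration information.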

The invention uses fingerprint-based identification to overcome the insufficient security of traditional identification technology. By combining fingerprint-based identification with traditional methods, the smart card, the digital certificate, the mobile terminal and the user's biometric are verified as a whole; if any one of them is missing or does not correspond, verification fails. The identity medium is thereby tied directly to the person using it, identification truly corresponds to the person being identified, the security level of mobile terminal information access is effectively raised, and convenient mobile technology can better play its role in information applications.

Since existing biometric technologies are diverse (the main ones being face, iris, retina, fingerprint, palmprint, hand geometry, signature and voice recognition), one or several of them may be used as the characteristic information identifying a person in place of the fingerprint characteristic information of the invention, achieving a combined authentication function.

Explanation of technical terms used in the invention:

SSL VPN: a newer type of VPN technology that uses the SSL (Secure Sockets Layer) protocol to provide remote access.

IPSec VPN: a VPN technology that uses the IPSec protocol to provide remote access. IPSec, in full Internet Protocol Security, is a security standard framework defined by the Internet Engineering Task Force (IETF) to provide end-to-end encryption and authentication services for public and private networks.

National commercial SM1 algorithm: a national commercial block cipher with a plaintext and ciphertext block length of 128 bits and an effective key length of 128 bits.

Claims (5)

1. a kind of mobile terminal safety access authentication method of combination fingerprint is it is characterised in that comprise the steps:
Step 1, sets up encrypted tunnel, by client call USBKEY and be stored in digital certificate in USBKEY, according to SSL VPN agreement completes bidirectional identification checking and the negotiation of the encrypted tunnel based on state's close SM1 algorithm based on digital certificate;
Step 2, user's registration, concretely comprise the following steps:
Step 2.1, by client collection terminal characteristic information, and points out user input fingerprint obtaining fingerprint characteristic information, then Terminal characteristic information and fingerprint characteristic information are uploaded to safe access gateway as user's registration information by encrypted tunnel;
Step 2.2, safe access gateway receives the user's registration information of client upload, and registers customers as information Store in number It is " examination & verification " according to the initial auditing result in storehouse, concurrently setting user's registration information;
Step 3, user profile is audited, and by protected server, the user's registration information do not audited in data base is audited, Detect its effectiveness and integrity, and whether high spot reviews is validated user, for illegal user's registration information, arranges it Auditing result is " not passing through ", and for legal user's registration information, arranging its auditing result is " passing through ";
Step 4, customer service accesses, and concretely comprises the following steps:
Step 4.1: the client collects the user's fingerprint characteristic information and uploads it, together with the terminal characteristic information, to the secure access gateway. The secure access gateway searches the database using an item of the terminal characteristic information. If a matching user registration record is found, proceed to step 4.2; if no matching user registration record is found, proceed to step 4.3.
Step 4.2: the secure access gateway checks the audit status of the user registration record. If the audit result is "pending audit" or "not passed", the secure access gateway returns a failure result to the client and terminates the user's client access to the protected server. If the audit result is "passed", the gateway compares the terminal characteristic information submitted by the client with the terminal characteristic information stored in the database for that user; if the full content is not identical, the gateway returns a failure result and terminates the user's client access to the protected server; if it is identical, the gateway returns an authentication success result to the user's client and allows it to access the protected server.
Step 4.3: the secure access gateway adds a new user registration record to the database, sets the initial audit result of that record to "pending audit", and waits for the protected server to audit it.
2. The fingerprint-combined mobile terminal secure access authentication method according to claim 1, characterized in that the terminal characteristic information in step 2.1 comprises the USBKEY serial number, the digital certificate serial number and the mobile terminal serial number.
3. The fingerprint-combined mobile terminal secure access authentication method according to claim 2, characterized in that in step 4.1 the secure access gateway searches the database using the digital certificate serial number in the terminal characteristic information.
4. The fingerprint-combined mobile terminal secure access authentication method according to claim 1 or 2, characterized in that the illegal user registration information in step 3 is classified as either incomplete user registration information or erroneous user registration information.
5. The fingerprint-combined mobile terminal secure access authentication method according to claim 1 or 2, characterized in that, for user registration information in step 3 whose audit result is "not passed", if the failure was caused by a misoperation of a legitimate user, the client applies to the protected server to delete the original user registration record and then resubmits the user registration information.
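Gateway-side decision logic for steps 4.1 to 4.3 and claims 2, 3 and 5, written as an added Python example; it is not code from the patent or its assignees. The registration database is keyed on the digital certificate serial number as in claim 3, the terminal characteristic information is the three-field tuple of claim 2, and a login succeeds only when the record's audit state is "passed" and every field of the submitted tuple equals the stored record. The in-memory dictionary standing in for the database, the field and class names, and the audit() and delete_registration() helpers (modelling the protected server's audit in step 3 and the delete-and-resubmit path of claim 5) are assumptions. Steps 4.1 to 4.3 as claimed compare only the terminal characteristic information, so the uploaded fingerprint characteristic information is stored with the new record here and is not matched in this fragment.

```python
"""Secure access gateway logic for steps 4.1-4.3 (constructed example).

Field names, the dictionary standing in for the database, and the
audit()/delete_registration() helpers are assumptions, not patent code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import hmac
import json


class AuditStatus(Enum):
    PENDING = "pending audit"   # initial state set in step 4.3
    PASSED = "passed"
    REJECTED = "not passed"


class AuthResult(Enum):
    SUCCESS = "authentication success"
    FAILURE = "failure"
    REGISTERED_PENDING = "new record created, awaiting audit"


@dataclass(frozen=True)
class TerminalInfo:
    """Terminal characteristic information as listed in claim 2."""
    usbkey_serial: str
    cert_serial: str
    terminal_serial: str

    def canonical(self) -> bytes:
        # Fixed field order, so equal tuples serialise to equal bytes.
        return json.dumps([self.usbkey_serial, self.cert_serial,
                           self.terminal_serial]).encode()


@dataclass
class RegistrationRecord:
    terminal: TerminalInfo
    fingerprint_feature: bytes   # stored at registration, not matched in steps 4.1-4.3
    status: AuditStatus = AuditStatus.PENDING


class SecureAccessGateway:
    def __init__(self) -> None:
        # Keyed by digital certificate serial number (claim 3).
        self._db: Dict[str, RegistrationRecord] = {}

    def authenticate(self, fingerprint_feature: bytes,
                     terminal: TerminalInfo) -> AuthResult:
        record = self._db.get(terminal.cert_serial)        # step 4.1
        if record is None:                                 # step 4.3
            self._db[terminal.cert_serial] = RegistrationRecord(
                terminal, fingerprint_feature)
            return AuthResult.REGISTERED_PENDING
        if record.status is not AuditStatus.PASSED:        # step 4.2: pending or rejected
            return AuthResult.FAILURE
        # Step 4.2: every field of the submitted tuple must equal the stored
        # record; compare_digest keeps timing independent of which field differs.
        if not hmac.compare_digest(record.terminal.canonical(),
                                   terminal.canonical()):
            return AuthResult.FAILURE
        return AuthResult.SUCCESS

    # Assumed helpers: protected-server audit (step 3) and deletion for
    # resubmission (claim 5).
    def audit(self, cert_serial: str, passed: bool) -> None:
        self._db[cert_serial].status = (
            AuditStatus.PASSED if passed else AuditStatus.REJECTED)

    def delete_registration(self, cert_serial: str) -> None:
        del self._db[cert_serial]

    def status_of(self, cert_serial: str) -> Optional[AuditStatus]:
        record = self._db.get(cert_serial)
        return record.status if record else None


def walkthrough() -> List[AuthResult]:
    """One terminal through registration, audit and login; then a clone
    that reuses its certificate serial; then a rejected-and-resubmitted one."""
    gw = SecureAccessGateway()
    fp = b"constructed-fingerprint-template"
    t1 = TerminalInfo("UK-0001", "CERT-1001", "IMEI-000001")
    results = [gw.authenticate(fp, t1)]        # unknown -> record created, pending
    results.append(gw.authenticate(fp, t1))    # still pending -> failure
    gw.audit(t1.cert_serial, passed=True)
    results.append(gw.authenticate(fp, t1))    # passed and identical -> success
    # Same certificate serial from another USBKEY and handset: the lookup
    # finds t1's record, but the whole-tuple comparison rejects it.
    clone = TerminalInfo("UK-9999", "CERT-1001", "IMEI-999999")
    results.append(gw.authenticate(fp, clone))
    t2 = TerminalInfo("UK-0002", "CERT-1002", "IMEI-000002")
    gw.authenticate(fp, t2)
    gw.audit(t2.cert_serial, passed=False)
    results.append(gw.authenticate(fp, t2))    # rejected -> failure
    gw.delete_registration(t2.cert_serial)     # claim 5: delete, then resubmit
    results.append(gw.authenticate(fp, t2))    # fresh record, pending again
    return results


if __name__ == "__main__":
    for r in walkthrough():
        print(r.value)
```

The constant-time comparison is an added hardening rather than something the claims require; the behaviour the claims do require is that all three fields must match, which is what stops the cloned terminal in the walkthrough: it carries the registered certificate serial, so the step 4.1 lookup succeeds, but the USBKEY and terminal serial numbers differ and step 4.2 fails.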
CN201611015948.XA 2016-11-18 2016-11-18 A kind of mobile terminal security access authentication method combined with fingerprint Active CN106488452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611015948.XA CN106488452B (en) 2016-11-18 2016-11-18 A kind of mobile terminal security access authentication method combined with fingerprint

Publications (2)

Publication Number Publication Date
CN106488452A true CN106488452A (en) 2017-03-08
CN106488452B CN106488452B (en) 2021-09-24

Family

ID=58272539

Country Status (1)

Country Link
CN (1) CN106488452B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010005890A1 (en) * 1999-12-22 2001-06-28 Nec Corporation Access right managing system, portable terminal, gateway and contents server
CN1716278A (en) * 2004-06-28 2006-01-04 富士通株式会社 Registration method of biometric authentication system, biometric authentication system and program
CN101714918A (en) * 2009-10-23 2010-05-26 浙江维尔生物识别技术股份有限公司 Safety system for logging in VPN and safety method for logging in VPN
CN102111349A (en) * 2009-12-25 2011-06-29 上海格尔软件股份有限公司 Security certificate gateway
CN102984646A (en) * 2011-09-05 2013-03-20 中国移动通信集团辽宁有限公司 Providing method and system of mobile phone client-side location services
CN103152182A (en) * 2013-03-08 2013-06-12 新疆君盾信息技术有限公司 Method for authenticating and validating electronic data

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107273456B (en) * 2017-06-01 2019-08-27 四川新网银行股份有限公司 A kind of accurate recognition methods of multi dimensional analysis intelligent terminal feature
CN107273456A (en) * 2017-06-01 2017-10-20 四川新网银行股份有限公司 A kind of accurate recognition methods of multi dimensional analysis intelligent terminal feature
CN108400873A (en) * 2018-02-26 2018-08-14 深圳市博安达信息技术股份有限公司 A kind of multi-credential authentication system and method for computer
CN109389402A (en) * 2018-08-20 2019-02-26 天地融科技股份有限公司 Cipher-code input method and system, mobile terminal
CN109508531A (en) * 2018-10-17 2019-03-22 航天信息股份有限公司 Sign and issue the method, apparatus and storage medium of soft certificate
CN109874141B (en) * 2019-03-14 2024-12-13 公安部第一研究所 A method and device for securely accessing an information network via a mobile terminal
CN109874141A (en) * 2019-03-14 2019-06-11 公安部第一研究所 A method and device for a mobile phone terminal to securely access an information network
CN111147527A (en) * 2020-03-09 2020-05-12 深信服科技股份有限公司 Internet of things system and equipment authentication method, device, equipment and medium thereof
CN112559456A (en) * 2020-12-28 2021-03-26 杭州趣链科技有限公司 Data sharing method with privacy protection auditing and deleting functions
CN112559456B (en) * 2020-12-28 2022-07-05 杭州趣链科技有限公司 Data sharing method with privacy protection auditing and deleting functions
CN112422587B (en) * 2021-01-21 2021-04-13 腾讯科技(深圳)有限公司 Identity verification method and device, computer equipment and storage medium
CN112422587A (en) * 2021-01-21 2021-02-26 腾讯科技(深圳)有限公司 Identity verification method and device, computer equipment and storage medium
CN113158213A (en) * 2021-04-30 2021-07-23 重庆市科学技术研究院 Data transmission method and system based on in-vivo verification
CN113313029A (en) * 2021-05-31 2021-08-27 华北电力大学 Integrated identity authentication method based on human and object feature fusion
CN113449621A (en) * 2021-06-17 2021-09-28 深圳大学 Biological feature recognition method, system and application thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant