A kind of identity authorization system and its implementation based on encrypting fingerprint
Technical field
The present invention relates to technical fields such as bio signal encryption, a kind of especially identity authorization system and its implementation based on encrypting fingerprint.
Background technology
In recent years, because the appearance of identity authorization system and universal day by day, we are home-confined just can to carry out ecommerce by modes such as authentification of user, phone-payments, participate in the efficient modern life such as remote information management, shopping at network, more and more individual and enterprise got used to sensitive data and trade secret through safety certification system carry out Network Transmission.Yet also there is shortcomings such as using inconvenience and memory difficulty in these traditional encryption systems.Typical encryption key all is at random and sufficiently long, and people are difficult to these tediously long character strings at random of memory, and therefore such key often is stored on certain medium, and then is protected the security of key by password.Like this, the security of whole cipher key system just is based on password.
With online transaction safety is example, and in order to ensure aspects such as data confidentiality in the whole communication process, data integrity, legal identity authentication and non-repudiation, the main flow authentication techniques of taking are divided into:
(1) SFA (authentication of Single-factor authentication single-factor): only by proving that a people's identity is referred to as the single-factor authentication meeting of a condition.The ID authentication mechanism of " user name+password " that everybody knows in fact is exactly a kind of single-factor authentication mode, because user name is easy to know.
(2) MFA (authentication of Multi-factor authentication multiple-factor): prove that by making up two kinds and two or more different condition a people's identity is referred to as the multiple-factor authentication.Common multiple-factor authentication mode is the method that combining cipher and material object conditions such as (credit card, SMS mobile phone, tokens) authenticate the user.
Because being static password (user name+password), the authentication of traditional single-factor has been considered to the authentication means that are in extreme danger for the technology of representative, therefore progressively develop the authentication that based on USB key in recent years, it is considered to a kind of convenience and reliable and secure identity identifying technology.It adopts the double factor authentication pattern of one-time pad, has solved the reliability problems of authentication well, and USB interface and advanced computer expert's usefulness are provided.It is built-in CPU, storer, chip operating systems (COS) etc. can be stored user's key or digital certificate, utilize the built-in cryptographic algorithm of USB to realize authentication for user identity.
Because each USB Key has the protection of hardware PIN code.PIN code and hardware have constituted two necessary factors that the user uses USB Key.The user has only and has obtained USB Key and user's PIN code simultaneously, just can login system, even user's USB key loses, the person of picking up is not owing to know user's PIN code, identity that yet can't counterfeit validated user.
Yet along with the upgrading layer by layer of the all-pervasive and hack tool of encoding and decoding technique, fishing technology and trojan horse, the security of adopting USB KEY mode to carry out network ID authentication will face the challenge of a new round.Especially at present the application of maximum-norm: on-line payment function.
The USB Key (being the U shield) that sells with bank gives an example, and has several big security breaches in current widespread use and practical operation:
1. utilize the crime of PIN code and mistiming
The PIN code of the USB Key that present most of banks use is all imported from computer, so the hacker can directly intercept and capture the PIN code of USB Key by trojan horse program, and this also is the leak that present most of USB Key exists.After having known PIN code, if the user forgets USB Key is taken out from computer, the hacker can also further operate USB Key by PIN code so.One very opposite extreme situations be: when personal user's computer by hacker's Long-distance Control, i.e. the operation of keyboard or screen is in hacker's monitoring, guarantee Secure Transaction with present USB Key function? answer is negated! Because this moment, the PIN code of USBKey was in the environment that can be intercepted by the hacker, as long as USB Key is not taken out after having been operated by the user at once, the hacker can forge once transaction by manually-operated or bogusware in this of short duration intermittent phase fully so, and this moment USB Key and PIN code all be in checking and pass through state.In fact, this is not simple what-if, but comes from many real cases.
2. read the key in the Key from the outside
The key of USB Key can't directly read from the outside from " theory ", this " theory " is based upon on the hypothesis that is perfectly safe of design, if design and the people who writes USB Key operating system COS are not intended to or have stayed the back door at COS artificially, deviser and hacker just can easily read the key of Key inside from the outside so.
Take any technology could improve and solve and become the research topic of quite being paid close attention in recent years such as above-mentioned potential safety hazard.Wherein, based on the encryption technology of biological characteristic the most the researchist pay attention to.It combines biometrics identification technology with conventional encryption technique, for encryption system provides a kind of mechanism of utilizing biological information protection key, solved the variety of problems that the current key protection mechanism exists well.When the user must obtain a protected key, as long as provide the biometric sample of oneself to system, if verify sample and enrollment coupling, then key was released immediately, has promptly realized the enciphering/deciphering data.Because key and biological information are not kept in the system memory space after finishing encryption, key and biological information all can't directly get access to from system.When and the characteristic information of just thinking correct living body biological could regenerating key when being submitted to system.Therefore; the biological characteristic encryption technology is as taking user's physical identity to encrypt key protection mechanism with the novelty of managing keys; not only from having solved the deficiency of intercepting and capturing user password (PIN code) by fishing software in essence; because biological characteristic is not easy victim and knows that security is higher.
The most classical practical algorithm in encrypted biometric field is a Fuzzy Vault scheme, and it has solved the contradiction between the accuracy of the ambiguity of biological characteristic and cipher mechanism well.This method is encoded key to be protected with biological template after; the biological template data hidden in a group random disturbance data; constitute Vault data with interfering data, be difficult to isolate True Data from these blended datas, True Data is considered to " locking ".The field samples that real user is shown then is used for " release " True Data.It relatively is suitable for the protection of the biological attribute data of authentication result and unique point sequence independence, even can tolerate the variation of unique point number.But also there are some safety defects in it:
(1) for different application, same user's primeval life template can be used for binding a plurality of keys, generates a plurality of vault.If but the assailant reaches out for two vault of same user, compare the primary template that just can obtain the user by intersecting simply, and then obtain key.Therefore primary template and key all have been subjected to threat.
(2) uniqueness of biometric templates has caused template irrevocable.As everyone knows, password can change at any time, in case running into safety problem, password originally just can solve problem by cancelling the old password enter new password, yet for same fingerprint, characteristic information is fixing unalterable, just can't reuse in case this fingerprint of safety problem occurs.
Summary of the invention
One of purpose of the present invention be to overcome current based on password encryption technology and key protection mechanism in the shortcoming and defect that exists, a kind of identity authorization system based on encrypting fingerprint is provided.The present invention have allow to cancel, can unlimited replacement biological characteristic password, safe and prevent to intersect the advantages such as leak of comparison.
Two of purpose of the present invention is to provide a kind of implementation method of the identity authorization system based on encrypting fingerprint.
One of purpose of the present invention is achieved through the following technical solutions: a kind of identity authorization system based on encrypting fingerprint, comprise user interface, cipher key interface and database, also comprise password processing unit, fingerprint processing unit, conversion processing unit, decryption processing unit and cryptographic processing unit;
Described user interface is connected with password processing unit, fingerprint processing unit respectively, and password processing unit, fingerprint processing unit, decryption processing unit and cryptographic processing unit are connected with conversion processing unit respectively; Described decryption processing unit is connected with database respectively with cryptographic processing unit, and described decryption processing unit links to each other with cipher key interface respectively with cryptographic processing unit.
To better implement the present invention, described password processing unit comprises password read module, password matrix generation module and the matrix deformation module that links to each other successively, described password read module also is connected with user interface, and described matrix deformation module also is connected with conversion processing unit.
Preferably, described fingerprint processing unit comprises the fingerprint read module that links to each other successively, level and smooth filtering module, field of direction evaluation module, active domain detecting module, crestal line detecting module, refinement module and minutiae point locating module, wherein said fingerprint read module also links to each other with user interface, and described minutiae point locating module also is connected with conversion processing unit.
Preferably, described conversion processing unit comprises template extraction module, division module and the template modular converter that links to each other successively, described template extraction module also is connected with the fingerprint processing unit, and described cryptographic processing unit, decryption processing unit and password processing unit are connected with the template modular converter respectively.
Preferably, described decryption processing unit comprises data read module, fractionation module, filtering module, grouping module, reconstructed module and the verification module that links to each other successively, described data read module also is connected with database, described filtering module also is connected with conversion processing unit, and described verification module also is connected with cipher key interface.
Preferably, described cryptographic processing unit comprises the key read module, the polynomial expression composition module, obscure module, pretreatment module, true dot generation module, locking module and data writing module, described key read module, the polynomial expression composition module, obscure module, locking module links to each other successively with the data writing module, described polynomial expression composition module, pretreatment module links to each other with true dot generation module respectively with locking module, described pretreatment module links to each other with conversion processing unit, described key read module links to each other with cipher key interface, and described data writing module links to each other with database.
Two of purpose of the present invention is achieved through the following technical solutions: a kind of implementation method of the identity authorization system based on encrypting fingerprint comprises secret key encryption and secret key decryption;
Wherein secret key encryption specifically may further comprise the steps:
S1, user are by fingerprint image, the password of user interactive module input oneself and the key information that needs encipherment protection;
S2, the user fingerprint image of fingerprint processing unit from user interface read step S1, the fingerprint processing unit is handled fingerprint image, and the fingerprint image after will handling passes to conversion processing unit;
S3, the user password of password processing unit from user interface read step S1 generate the password matrix and carry out conversion process, obtain transformation matrix and send to conversion processing unit;
Fingerprint image among S4, the conversion processing unit receiving step S2 generates primary template and also carries out subregion, carries out irreversible conversion according to the primary template of the transformation matrix among the step S3 after to subregion, obtains conversion module and is sent to cryptographic processing unit;
S5, cryptographic processing unit from cipher key interface read step S1 key information and make up a n rank polynomial expression, the conversion module among the receiving step S4 also carries out pre-service; Carry out calculation process according to pretreated conversion module and n rank polynomial expression, finally generate a new point set V and it is stored into database; Wherein n is a positive integer;
Wherein secret key decryption specifically may further comprise the steps:
G1, user conciliate password by the fingerprint image of user interactive module input deciphering;
G2, the deciphering fingerprint image of fingerprint processing unit from user interface read step G1, the fingerprint processing unit is handled fingerprint image, and the fingerprint image after will handling passes to conversion processing unit;
G3, password processing unit are separated password from user interface read step G1, generate the password matrix and also carry out conversion process, obtain transformation matrix and send to conversion processing unit;
Fingerprint image among G4, the conversion processing unit receiving step G2 generates primary template and also carries out subregion, carries out irreversible conversion according to the primary template of the transformation matrix among the step G3 after to subregion, obtains conversion module and sends to the decryption processing unit;
G5, decryption processing unit read the point set V that is stored in the database, and to its split, filtration, permutation and combination, polynomial expression reconstruct and checking treatment, if by verification, then recover key; If not by verification, step G1 is returned in then deciphering failure.
To better implement the present invention, described step S2 specifically may further comprise the steps:
S2.1 fingerprint processing unit reads user fingerprint image by the fingerprint read module from user interface, and carries out smoothing processing in level and smooth filtering module, allows entire image obtain the chiaroscuro effect of uniformity;
S2.2 field of direction estimation module is calculated it after receiving the fingerprint image that sends from level and smooth filtering module, obtains the field of direction;
S2.3 active domain detecting module carries out the locking of active domain to it after receiving the fingerprint image that transmits from field of direction estimation module, remove useless null field and the image of handling is sent to the crestal line detecting module;
S2.4 crestal line detecting module carries out binary conversion treatment to receiving image, obtains the fingerprint ridge line image;
S2.5 refinement module is behind the fingerprint ridge line image that receives from the crestal line detecting module, the width of crestal line is made as the width of single pixel, obtain the skeleton image of crestal line, thereby sharpening the form of crestal line, and needs carried out the crestal line skeleton image that minutiae point extracts send the minutiae point locating module to;
S2.6 minutiae point locating module carries out the detection and the location of bifurcation and breakpoint to the image that receives, and finally obtains the minutiae point image;
S2.7 minutiae point locating module is given conversion processing unit with the minutiae point image transfer;
Described step S3 specifically may further comprise the steps:
S3.1 password read module reads user password and is sent to password matrix generation module from user interface;
S3.2 password matrix generation module carries out following processing to the user password that step S3.1 passes over:
The user password W of 8bytes is divided into 8 unit, wherein w
1~w
8The ASC sign indicating number of representing each unit successively;
W=w
1|w
2|w
3|w
4|w
5|w
6|w
7|w
8
With w
1~w
8Be converted into binary code, wherein m
I1~m
I8Expression w
iEverybody on binary code, i=1 wherein, 2 ... 8;
w
i=m
i1|m
i2|m
i3|m
i4|m
i5|m
i6|m
i7|m
i8
Generate 8 * 8 password matrix M and send it to matrix deformation module:
S3.3 matrix deformation module is carried out following calculation process to the matrix that receives:
Carry out matrix computations, obtain intermediary matrix C
t, wherein
Expression C
tElement; Wherein C represents initial matrix, i.e. [1 234567 8];
Carry out modular arithmetic, obtain transformation matrix C ' and send to conversion processing unit; Wherein
Represent C
tI element,
Represent i the element of C ';
Described step S4 specifically may further comprise the steps:
S4.1 template extraction module receives the minutiae point image from the minutiae point locating module of fingerprint processing unit, extracts the three-dimensional coordinate of minutiae point and generates a unordered point set T, is sent in the division module as primary template with unordered point set T, wherein x
iThe horizontal ordinate of expression minutiae point i, y
iThe ordinate of expression minutiae point i, θ
iThe angle of expression minutiae point i, r represents the number of minutiae point;
T={(x
i,y
i,θ
i)|i=1,2……r}
Minutiae point coordinate information in the read step S4.1 of the S4.2 division module elder generation primary template is divided into them in 8 different zones according to the coordinate in-scope then, and at last that subregion is good primary template is sent to the template modular converter;
After S4.3 template modular converter receives the transformation matrix of step S3, the primary template that comes from division module among the step S4.2 is carried out irreversible conversion, former regional minutiae point i is moved to the zone
Coordinate is by (x
i, y
i, θ
i) be transformed into
Finally obtain conversion module T ' and send it to cryptographic processing unit, wherein r represents the number of minutiae point;
Described step S5 specifically comprises:
S5.1 key read module reads from cipher key interface needs protected key information, and key information is sent to the polynomial expression composition module;
The S5.2 pretreatment module is carried out pre-service to the conversion module that comes among the step S4, the horizontal ordinate of template mid point is merged into one, wherein d
iCoordinate after expression merges,
Conversion module after expression merges;
S5.3 polynomial expression composition module utilizes the key information of step S5.1, makes up a n rank polynomial expression:
With length is the unit that 16n bit key K resolves into n long 16bit; K wherein
nRepresent n the subelement of K;
K=k
n|k
n-1…|k
1
Utilize IBM CRC-16 cyclic redundancy check (CRC) to make up n rank polynomial expression P (x), wherein k
0It is the CRC sign indicating number of key K; k
nN the subelement of expression K;
P(x)=k
nx
n+k
n-1x
n-1+…+k
0
N rank polynomial expression P (x) that make up are sent to true dot generation module and obscure module;
The polynomial expression P (x) that the true dot generation module of S5.4 utilizes step S5.3 to pass over handles the information that step S5.2 passes over, and generates a new point set, and the point set that this is new is called true some point set R and sends to locking module, wherein
R={(d
i,p(d
i))|i=1,2…r}
S5.5 obscures the polynomial expression P (x) that module passes over according to step S5.3, generates one and disturbs point set C and be sent to locking module, and wherein N is the number of noise spot, e
jAnd f
jBe produce at random and the p (e that satisfies condition
j) ≠ f
j
C={(e
j,f
j)|j=1,2…N}
The set that S5.6 locking module integration step S5.4 and step S5.5 pass over generates a new point set V and it is stored into database; a
iRepresent horizontal ordinate, b
iRepresent ordinate, ∪ represents to merge;
V=R∪C
V={(a
i,b
i)|i=1,2…r+N}
Preferably, described step G2 specifically may further comprise the steps:
G2.1 fingerprint processing unit reads user fingerprint image by the fingerprint read module from user interface, and carries out smoothing processing in level and smooth filtering module, allows entire image obtain the chiaroscuro effect of uniformity;
G2.2 field of direction estimation module is calculated it after receiving the fingerprint image that sends from level and smooth filtering module, obtains the field of direction;
G2.3 active domain detecting module carries out the locking of active domain to it after receiving the fingerprint image that transmits from field of direction estimation module, remove useless null field and the image of handling is sent to the crestal line detecting module;
G2.4 crestal line detecting module carries out binary conversion treatment to receiving image, obtains the fingerprint ridge line image;
G2.5 refinement module is behind the fingerprint ridge line image that receives from the crestal line detecting module, the width of crestal line is made as the width of single pixel, obtain the skeleton image of crestal line, thereby sharpening the form of crestal line, and needs carried out the crestal line skeleton image that minutiae point extracts send the minutiae point locating module to;
G2.6 minutiae point locating module carries out the detection and the location of bifurcation and breakpoint to the image that receives, and finally obtains the minutiae point image;
G2.7 minutiae point locating module is given conversion processing unit with the minutiae point image transfer;
Described step G3 specifically may further comprise the steps:
G3.1 password read module reads the user from user interface and separates password and send to password matrix generation module;
The user that G3.2 password matrix generation module passes over step S3.1 separates password and handles, and obtains one 8 * 8 password matrix and sends it to matrix deformation module;
The user of 8bytes is separated password W
qBe divided into 8 unit, wherein
The ASC sign indicating number of representing each unit successively;
Will
Be converted into binary code, wherein
Expression
Everybody on binary code, i=1 wherein, 2 ... 8;
Generate 8 * 8 password matrix M
qAnd send it to matrix deformation module:
The matrix M of G3.3 matrix deformation module to receiving
qCarry out following computing;
Carry out matrix computations, obtain intermediary matrix C
Qt, wherein
Expression C
QtElement; Wherein C represents initial matrix, i.e. [1 234567 8]
Carry out modular arithmetic, obtain transformation matrix C
QtAnd send to conversion processing unit; Wherein
Represent C
QtI element,
Represent C
qI element:
Described step G4 specifically may further comprise the steps:
G4.1 template extraction module receives the minutiae point image from the minutiae point locating module of fingerprint processing unit, extracts the three-dimensional coordinate of minutiae point and generates a unordered point set Q, is sent in the division module as primary template with unordered point set Q; X wherein
iThe horizontal ordinate of expression minutiae point i, y
iThe ordinate of expression minutiae point i, θ
iThe angle of expression minutiae point i, r represents the number of minutiae point;
Q={(x
i,y
i,θ
i)|i=1,2……r}
Minutiae point coordinate information in the read step G4.1 of the G4.2 division module elder generation primary template is divided into them in 8 different zones according to the coordinate in-scope, and at last that subregion is good primary template is sent to location conversion module;
After G4.3 template modular converter receives the transformation matrix of step G3, the primary template that comes from division module among the step G4.2 is carried out irreversible conversion, finally obtain conversion module Q ' and it is transmitted the decryption processing unit;
Described step G5 specifically may further comprise the steps:
The G5.1 data read module reads the point set V that is stored in the database, and sends it to the fractionation module;
G5.2 splits the horizontal ordinate a of module with the point in the point set V
iBe sent to filtering module after splitting into two parts, suppose a
iLength is 16bit, then
8bit before the representative,
Represent back 8bit, wherein
With
Part after expression splits, the point set V after the fractionation is expressed as:
Wherein N represents the number of noise spot;
The conversion module that the G5.3 filtering module utilizes step G4.3 to pass over filters splitting back point set V, and the point that does not satisfy restrictive condition is disallowable, obtain candidate's point set U and send it to grouping module, wherein E represents the number of candidate point, and restrictive condition is expressed as inequality, wherein
The expression point
And the point
Distance, D is distance threshold, j=1,2 ... r, k=1,2 ... r+N;
U={(a
i,b
i)|i=1,2……E}
The point that the G5.4 grouping module is concentrated candidate point carries out permutation and combination, obtains all subclass U
c, wherein the element number of subclass is n+1, the number of subclass is
c=1,2…Z
The G5.5 reconstructed module utilizes the Lagrange's interpolation principle that each subclass is carried out polynomial expression reconstruct, if the polynomial expression number that reconstructs is 0, then deciphering failure need be re-entered and be separated password and fingerprint; If the polynomial expression number of reconstruct is not 0, then the polynomial expression that reconstructs is sent to the verification module;
G5.5 verification module is carried out verification to the polynomial expression that each comes from reconstructed module, the polynomial expression correct to verification calculates, recover key and discharge by cipher key interface, if all polynomial expression does not all have verification correct, then deciphering failure, need the user to re-enter and separate password and fingerprint, return step G1.
The present invention has following advantage and effect with respect to prior art:
(1) for different application, the user can select different passwords to come the intrinsic constant fingerprint characteristic information of conversion, and the encryption and decryption process of vault all is the fingerprint characteristic information of utilizing after the conversion, therefore can prevent to intersect the leak of comparison effectively.
(2) transfer algorithm of the present invention is irreversible, even known the fingerprint template information that finger print information after the conversion and transformation equation also can't be derived the user, security is improved.
(3) allow to cancel, can unlimited replacement biological characteristic password.If vault reveals, can regenerate new Vault by revising password, therefore effectively solved the irrevocable problem of template of former fuzzy vault, using value is improved.
(4) Chuan Xin encrypting fingerprint algorithm, user's fingerprint characteristic information has also been protected in protection key the time.
(5) different with simple encipherment protection in the past, substitute and improve the security of current identity authorization system based on the password verification, the present invention combines traditional cryptographic algorithm with biological characteristic validation.
Description of drawings
Fig. 1 is the structural representation of a kind of identity authorization system based on encrypting fingerprint in the present embodiment;
Fig. 2 is the structural representation of password processing unit in the present embodiment;
Fig. 3 is the structural representation of fingerprint processing unit in the present embodiment;
Fig. 4 is the structural representation of conversion processing unit in the present embodiment;
Fig. 5 is the structural representation of decryption processing unit in the present embodiment;
Fig. 6 is the structural representation of cryptographic processing unit in the present embodiment;
Fig. 1 is the structural representation of a kind of identity authorization system based on encrypting fingerprint in the present embodiment;
Specific implementation method
The present invention is described in further detail below in conjunction with embodiment and accompanying drawing, but embodiments of the present invention are not limited thereto.
Embodiment
A kind of identity authorization system based on encrypting fingerprint, it is by user interactive module and user interactions fingerprint image, password and key information;
As shown in Figure 1, native system comprises user interface, cipher key interface and database, also comprises password processing unit, fingerprint processing unit, conversion processing unit, decryption processing unit and cryptographic processing unit;
Described user interface is connected with password processing unit, fingerprint processing unit respectively, and password processing unit, fingerprint processing unit, decryption processing unit and cryptographic processing unit are connected with conversion processing unit respectively; Described decryption processing unit is connected with database respectively with cryptographic processing unit, and described decryption processing unit links to each other with cipher key interface respectively with cryptographic processing unit.
User interface sends user's password to the password processing unit, perhaps sends finger print information to the fingerprint processing unit.
The key that the cipher key interface transmission needs encipherment protection is perhaps accepted the protection key that discharges from the decryption processing unit to cryptographic processing unit.
As shown in Figure 2, described password processing unit comprises password read module, password matrix generation module and the matrix deformation module that links to each other successively, described password read module also is connected with user interface, and described matrix deformation module also is connected with conversion processing unit.Described password processing unit adopts the general-purpose chip STM32f103 by the ARM3 series of STC Corporation to realize.
As shown in Figure 3, described fingerprint processing unit comprises the fingerprint read module that links to each other successively, level and smooth filtering module, field of direction evaluation module, active domain detecting module, crestal line detecting module, refinement module and minutiae point locating module, wherein said fingerprint read module also links to each other with user interface, and described minutiae point locating module also is connected with conversion processing unit.Described fingerprint processing unit adopts the Touch fingerprint recognition chip AES3500 by Authentek company to realize.
As shown in Figure 4, described conversion processing unit comprises template extraction module, division module and the template modular converter that links to each other successively, described template extraction module also is connected with the fingerprint processing unit, and described cryptographic processing unit, decryption processing unit and password processing unit are connected with the template modular converter respectively.Described conversion processing unit adopts the general-purpose chip STM32f103 of the ARM3 series of STC Corporation to realize.
As shown in Figure 5, described decryption processing unit comprises data read module, fractionation module, filtering module, grouping module, reconstructed module and the verification module that links to each other successively, described data read module also is connected with database, described filtering module also is connected with conversion processing unit, and described verification module also is connected with cipher key interface.Described decryption processing unit adopts the general-purpose chip STM32f103 of the ARM3 series of STC Corporation to realize.
As shown in Figure 6, described cryptographic processing unit comprises the key read module, the polynomial expression composition module, obscure module, pretreatment module, true dot generation module, locking module and data writing module, described key read module, the polynomial expression composition module, obscure module, locking module links to each other successively with the data writing module, described polynomial expression composition module, pretreatment module links to each other with true dot generation module respectively with locking module, described pretreatment module links to each other with conversion processing unit, described key read module links to each other with cipher key interface, and described data writing module links to each other with database.Described cryptographic processing unit adopts the general-purpose chip STM32f103 of the ARM3 series of STC Corporation to realize.
The workflow of above-mentioned a kind of identity authorization system based on encrypting fingerprint comprises secret key encryption and secret key decryption;
Wherein secret key encryption specifically may further comprise the steps:
S1, user are by fingerprint image, the password (8byte) of user interactive module input oneself and the key information (16n bit) that needs encipherment protection;
S2, the user fingerprint image of fingerprint processing unit from user interface read step S1, the fingerprint processing unit is handled fingerprint image, and the fingerprint image after will handling passes to conversion processing unit;
S3, the user password of password processing unit from user interface read step S1 generate the password matrix and carry out conversion process, obtain transformation matrix and send to conversion processing unit;
Fingerprint image among S4, the conversion processing unit receiving step S2 generates primary template and also carries out subregion, carries out irreversible conversion according to the primary template of the transformation matrix among the step S3 after to subregion, obtains conversion module and is sent to cryptographic processing unit;
S5, cryptographic processing unit from cipher key interface read step S1 key information and make up a n rank polynomial expression, the conversion module among the receiving step S4 also carries out pre-service; Carry out calculation process according to pretreated conversion module and n rank polynomial expression, finally generate a new point set V and it is stored into database.
Described step S2 specifically may further comprise the steps:
S2.1 fingerprint processing unit reads user fingerprint image by the fingerprint read module from user interface, and carries out smoothing processing in level and smooth filtering module, allows entire image obtain the chiaroscuro effect of uniformity;
S2.2 field of direction estimation module is calculated it after receiving the fingerprint image that sends from level and smooth filtering module, obtains the field of direction;
S2.3 active domain detecting module carries out the locking of active domain to it after receiving the fingerprint image that transmits from field of direction estimation module, remove useless null field and the image of handling is sent to the crestal line detecting module;
S2.4 crestal line detecting module carries out binary conversion treatment to receiving image, obtains the fingerprint ridge line image;
S2.5 refinement module is behind the fingerprint ridge line image that receives from the crestal line detecting module, the width of crestal line is made as the width of single pixel, obtain the skeleton image of crestal line, thereby sharpening the form of crestal line, and needs carried out the crestal line skeleton image that minutiae point extracts send the minutiae point locating module to;
S2.6 minutiae point locating module carries out the detection and the location of bifurcation and breakpoint to the image that receives, and finally obtains the minutiae point image;
S2.7 minutiae point locating module is given conversion processing unit with the minutiae point image transfer;
Described step S3 specifically may further comprise the steps:
S3.1 password read module reads user password and is sent to password matrix generation module from user interface;
S3.2 password matrix generation module carries out following processing to the user password that step S3.1 passes over:
The user password W of 8bytes is divided into 8 unit, wherein w
1~w
8The ASC sign indicating number of representing each unit successively;
W=w
1|w
2|w
3|w
4|w
5|w
6|w
7|w
8
With w
1~w
8Be converted into binary code, wherein m
I1~m
I8Expression w
iEverybody on binary code;
w
i=m
i1|m
i2|m
i3|m
i4|m
i5|m
i6|m
i7|m
i8 (i=1,2……8)
Generate 8 * 8 password matrix M and send it to matrix deformation module:
S3.3 matrix deformation module is carried out following calculation process to the matrix that receives:
Carry out matrix computations, obtain intermediary matrix C
t, wherein
Expression C
tElement; Wherein C represents initial matrix, i.e. [1 234567 8];
Carry out modular arithmetic, obtain transformation matrix C ' and send to conversion processing unit; Wherein
Representing matrix C
tI element,
I the element of representing matrix C ';
Described step S4 specifically may further comprise the steps:
S4.1 template extraction module receives the minutiae point image from the minutiae point locating module of fingerprint processing unit, extracts the three-dimensional coordinate of minutiae point and generates a unordered point set T, is sent in the division module as primary template with unordered point set T, wherein x
iThe horizontal ordinate of expression minutiae point i, y
iThe ordinate of expression minutiae point i, θ
iThe angle of expression minutiae point i, r represents the number of minutiae point;
T={(x
i,y
i,θ
i)|i=1,2……r}
Minutiae point coordinate information in the read step S4.1 of the S4.2 division module elder generation primary template is divided into them in 8 different zones according to the coordinate in-scope, and at last that subregion is good primary template is sent to the template modular converter;
After S4.3 template modular converter receives the transformation matrix of step S3, the primary template that comes from division module among the step S4.2 is carried out irreversible conversion, former regional minutiae point i is moved to the zone
Coordinate is by (x
i, y
i, θ
i) be transformed into
Finally obtain conversion module T ' and send it to cryptographic processing unit, wherein r represents the number of minutiae point;
Described step S5 specifically comprises:
S5.1 key read module reads from cipher key interface needs protected key information, and key information is sent to the polynomial expression composition module;
Conversion module carries out pre-service to the S5.2 pretreatment module among the step S4 to coming from, and the horizontal ordinate of template mid point is merged into one, wherein d
iCoordinate after expression merges,
Conversion module after expression merges;
S5.3 polynomial expression composition module utilizes the key information of step S5.1, makes up a n rank polynomial expression:
With length is the unit that 16n bit key K resolves into n long 16bit; K wherein
nThe n subelement of expression K;
K=k
n|k
n-1…|k
1
Utilize IBM CRC-16 (IBM CRC-16 is a kind of method in the cyclic redundancy check (CRC)) cyclic redundancy school verification to make up n rank polynomial expression P (x), wherein k
0It is the CRC sign indicating number of key K; k
nN the subelement of expression K;
P(x)=k
nx
n+k
n-1x
n-1+…+k
0
N rank polynomial expression P (x) that make up are sent to true dot generation module and obscure module;
The polynomial expression P (x) that the true dot generation module of S5.4 utilizes step S5.3 to pass over handles the information that step S5.2 passes over, and generates a new point set, and the point set that this is new is called true some point set R and sends to locking module, wherein
R={(d
i,p(d
i))|i=1,2…r}
S5.5 obscures the polynomial expression P (x) that module passes over according to step S5.3, generates one and disturbs point set C and be sent to locking module, and wherein N is the number of noise spot, e
jAnd f
jBe produce at random and the p (e that satisfies condition
j) ≠ f
j
C={(e
j,f
j)|j=1,2…N}
The set that S5.6 locking module integration step S5.4 and step S5.5 pass over generates a new point set V and it is stored into database; a
iRepresent horizontal ordinate, b
iRepresent ordinate, ∪ represents to merge;
V=R∪C
V={(a
i,b
i)|i=1,2…r+N}
Wherein secret key decryption specifically may further comprise the steps:
G1, user conciliate password by the fingerprint image of user interactive module input deciphering;
G2, the deciphering fingerprint image of fingerprint processing unit from user interface read step G1, the fingerprint processing unit is handled fingerprint image, and the fingerprint image after will handling passes to conversion processing unit;
G3, password processing unit are separated password from user interface read step G1, generate the password matrix and also carry out conversion process, obtain transformation matrix and send to conversion processing unit;
Fingerprint image among G4, the conversion processing unit receiving step G2 generates primary template and also carries out subregion, carries out irreversible conversion according to the primary template of the transformation matrix among the step G3 after to subregion, obtains conversion module and sends to the decryption processing unit;
G5, decryption processing unit read the point set V that is stored in the database, and it is split, after filtration, permutation and combination, polynomial expression reconstruct and the checking treatment, if by verification, then recovers key; If not by verification, step G1 is returned in then deciphering failure.
Described step G2 specifically may further comprise the steps:
G2.1 fingerprint processing unit reads user fingerprint image by the fingerprint read module from user interface, and carries out smoothing processing in level and smooth filtering module, allows entire image obtain the chiaroscuro effect of uniformity;
G2.2 field of direction estimation module is calculated it after receiving the fingerprint image that sends from level and smooth filtering module, obtains the field of direction;
G2.3 active domain detecting module carries out the locking of active domain to it after receiving the fingerprint image that transmits from field of direction estimation module, remove useless null field and the image of handling is sent to the crestal line detecting module;
G2.4 crestal line detecting module carries out binary conversion treatment to receiving image, obtains the fingerprint ridge line image;
G2.5 refinement module is behind the fingerprint ridge line image that receives from the crestal line detecting module, the width of crestal line is made as the width of single pixel, obtain the skeleton image of crestal line, thereby sharpening the form of crestal line, and needs carried out the crestal line skeleton image that minutiae point extracts send the minutiae point locating module to;
G2.6 minutiae point locating module carries out the detection and the location of bifurcation and breakpoint to the image that receives, and finally obtains the minutiae point image;
G2.7 minutiae point locating module is given conversion processing unit with the minutiae point image transfer;
Described step G3 specifically may further comprise the steps:
G3.1 password read module reads the user from user interface and separates password and send to password matrix generation module;
The user that G3.2 password matrix generation module passes over step S3.1 separates password and handles, and obtains one 8 * 8 password matrix and sends it to matrix deformation module;
The user of 8bytes is separated password W
qBe divided into 8 unit, wherein
The ASC sign indicating number of representing each unit successively;
Will
Be converted into binary code, wherein
Expression
Everybody on binary code;
Generate 8 * 8 password matrix M
qAnd send it to matrix deformation module:
The matrix M of G3.3 matrix deformation module to receiving
qCarry out following calculation process;
Carry out matrix computations, obtain intermediary matrix C
Qt, wherein
Expression C
QtElement; Wherein C represents initial matrix, i.e. [1 234567 8]
Carry out modular arithmetic, obtain transformation matrix C
QtAnd send to conversion processing unit; Wherein
Represent C
QtI element,
Represent C
qI element:
Described step G4 specifically may further comprise the steps:
G4.1 template extraction module receives the minutiae point image from the minutiae point locating module of fingerprint processing unit, extracts the three-dimensional coordinate of minutiae point and generates a unordered point set Q, is sent in the division module as primary template with unordered point set Q; X wherein
iThe horizontal ordinate of expression minutiae point i, y
iThe ordinate of expression minutiae point i, θ
iThe angle of expression minutiae point i, r represents the number of minutiae point;
Q={(x
i,y
i,θ
i)|i=1,2……r}
Minutiae point coordinate information in the read step G4.1 of the G4.2 division module elder generation primary template is divided into them in 8 different zones according to the coordinate in-scope, and at last that subregion is good primary template is sent to location conversion module;
After G4.3 template modular converter receives the transformation matrix of step G3, the primary template that comes from division module among the step G4.2 is carried out irreversible conversion, finally obtain conversion module Q ' and it is transmitted the decryption processing unit;
Described step G5 specifically may further comprise the steps:
The G5.1 data read module reads the point set V that is stored in the database, and sends it to the fractionation module;
G5.2 splits the horizontal ordinate a of module with the point in the point set V
iBe sent to filtering module after splitting into two parts, suppose a
iLength is 16bit, then
8bit before the representative,
Represent back 8bit, wherein
With
Part after expression splits, the point set V after the fractionation is expressed as:
Wherein N represents the number of noise spot;
The conversion module that the G5.3 filtering module utilizes step G4.3 to pass over filters splitting back point set V, and the point that does not satisfy restrictive condition is disallowable, obtain candidate's point set U and send it to grouping module, wherein E represents the number of candidate point, and restrictive condition is expressed as inequality, wherein
The expression point
And the point
Distance, D is distance threshold;
U={(a
i,b
i)|i=1,2……E}
The point that the G5.4 grouping module is concentrated candidate point carries out permutation and combination, obtains all subclass U
c, wherein the element number of subclass is n+1, the number of subclass is Z, wherein
c=1,2…Z
The G5.5 reconstructed module utilizes the Lagrange's interpolation principle that each subclass is carried out polynomial expression reconstruct, if the polynomial expression number that reconstructs is 0, then deciphering failure need be re-entered and be separated password and fingerprint; If the polynomial expression number of reconstruct is not 0, then the polynomial expression that reconstructs is sent to the verification module;
G5.5 verification module is carried out verification to the polynomial expression that each comes from reconstructed module, and the polynomial expression correct to verification calculates, and supposes that the correct polynomial expression of verification is
The key that then recovers is K
c=k
c n| k
c N-1| k
1 c, key K
cDischarge by cipher key interface, if all polynomial expression does not all have verification correct, then deciphering failure needs the user to re-enter and separates password and fingerprint, returns step G1.
The foregoing description is a preferred implementation of the present invention; but embodiments of the present invention are not limited by the examples; other any do not deviate from change, the modification done under spirit of the present invention and the principle, substitutes, combination, simplify; all should be the substitute mode of equivalence, be included within protection scope of the present invention.