CN-121462326-B - Server authentication method based on biological characteristics and dynamic token
Abstract
The invention discloses a server authentication method based on biological characteristics and dynamic tokens, which relates to the technical field of server authentication and comprises the steps of S1, fusion registration of the biological characteristics and the dynamic tokens; S2, two-way verification authentication; S3, scene dynamic adaptation; S4, timeliness adjustment of the biological characteristic matching threshold values; S5, synchronous refreshing of the biological characteristics and the dynamic tokens; and S6, attenuation-associated authority management and control. The invention divides the biological characteristic into characteristic factors, embeds them with the characteristic fragments of the dynamic token basic key according to weight layers to generate a unique biological characteristic and dynamic token fusion root key, and adopts a multiparty secret sharing mechanism to encrypt and store the root key sub-fragments in the terminal, the server and a third party, thereby realizing the deep confusion fusion and distributed fault-tolerant storage of the biological characteristic template and the key data, and solving the problems that a static biological characteristic library is easily attacked by library segment matching and that single-point storage of the token key poses a potential security hazard.
Inventors
- TANG CANGSONG
- ZHENG GAOFEI
Assignees
- 航天联志技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260108
Claims (10)
- 1. A server authentication method based on biological characteristics and a dynamic token, characterized by comprising the following steps: S1, fusion registration of the biological characteristics and the dynamic token: collecting the biological characteristics of a user, splitting them into a core characteristic fragment and an auxiliary characteristic fragment, extracting the characteristic fragment of the basic key of the dynamic token, and embedding the two characteristic fragments hierarchically according to weights to generate a unique fusion root key; S2, bidirectional verification authentication: the terminal acquires the user's real-time biological characteristic data and injects it into the dynamic token generation logic to generate a dynamic token containing a temporary verification code; the server calls the fusion root key sub-segments stored in a distributed manner to recombine the key, and performs bidirectional verification of the real-time biological characteristic data and the temporary verification code of the dynamic token to form a closed loop; S3, scene dynamic adaptation: the server identifies the access scene and adjusts the biological feature acquisition dimensions and token validity rules according to the scene; S4, timeliness adjustment of the biological feature matching threshold: setting differential timeliness attenuation rules for the core feature segment and the auxiliary feature segment, adjusting the attenuation period according to the user's access frequency, and automatically raising the matching threshold every attenuation period until an update is triggered; S5, synchronous refreshing of the biological characteristics and the dynamic token: triggering the biological characteristic update and the token key refresh when the matching degree of the biological characteristic fragments falls below a preset threshold, and synchronously updating the key sub-fragments and the biological characteristic fragment ciphertext at each storage node; and S6, attenuation-associated authority control: if a biological characteristic fragment exceeds its attenuation period without being updated, performing token authority degradation or freezing according to the characteristic type, and restoring the authority after the user completes the update.
- 2. The server authentication method based on biometrics and a dynamic token according to claim 1, wherein the fusion registration process of the biometrics and the dynamic token is as follows: after the user's biological characteristics are collected, denoising pre-processing is performed to remove environmental interference noise, and the biological characteristics are then split into a core characteristic segment and an auxiliary characteristic segment based on recognition contribution rate, stability and anti-interference capability; the core feature segments are the parts with a recognition contribution rate of 80% or more, an annual attenuation rate of 5% or less and definite recognition uniqueness, and comprise fingerprint textures and iris core textures; the auxiliary feature segments are the parts with a recognition contribution rate of 10%-30%, an annual attenuation rate of 15% or less and an auxiliary recognition role, and comprise fingerprint pressure distribution and iris pigment distribution; the characteristic fragment of the dynamic token basic key is extracted, and a unique fusion root key is generated by four layers of exclusive-OR encryption splicing, using a weight proportion of 80% for the core characteristic fragment and 20% for the auxiliary characteristic fragment, in the order core fragment 1, auxiliary characteristic fragment, core fragment 2, characteristic fragment of the dynamic token basic key; the fusion root key is divided into three sub-segments, which are AES-encrypted and stored in a terminal security chip, a server distributed node and a third-party security server respectively, realizing multiparty secret sharing; the nodes communicate over the TLS 1.3 protocol and adopt a multiparty secret sharing fault-tolerance mechanism, so that when any node fails the verification is completed by the other nodes, and any single node can only obtain one sub-segment and cannot restore the complete key.
- 3. The server authentication method based on biometrics and dynamic tokens of claim 1, wherein the two-way verification authentication process is as follows: after the terminal triggers hardware fingerprint verification, the user's real-time biological characteristic data is collected and encrypted, and injected as a dynamic factor into the dynamic token generation logic; the dynamic token is combined with the current timestamp to generate a token containing a temporary check code, which is associated one-to-one with the biological characteristic data and the timestamp and is valid for a preset duration; the terminal uploads the encrypted biological characteristic data and the dynamic token, and the server calls the key sub-segments stored in a distributed manner to recombine the fusion root key, decrypts the data and checks the biological characteristic matching degree, the check code and the timestamp association; if the verification passes, the authentication is completed, and if it fails, the request is refused and the reason is fed back, wherein the server distributed node is responsible for the core verification operation, the third-party security server participates in recording the verification result, and the terminal security chip synchronously verifies the integrity of the local key sub-fragment.
- 4. The server authentication method based on biological characteristics and a dynamic token according to claim 1, wherein the scene dynamic adaptation process is as follows: the server identifies three scenes, local high-security access, remote conventional access and cross-domain call, through the access address, network type and operation request type; the adaptation rule for each scene is formulated by the server distributed node, and the third-party security server synchronously stores the scene adaptation logs.
- 5. The server authentication method based on biometrics and dynamic tokens of claim 4, wherein: for local high-security access, identified by an intranet address and core data modification operations, multi-mode biological characteristics participate in token generation, the validity duration of the check code is shortened, only a specified terminal is allowed, and the server distributed node increases the check frequency; for remote regular access, identified by an external network address and data query operations, a single biological characteristic participates in token generation, the validity duration of the check code is extended, use of any bound terminal is supported, and the third-party security server assists in monitoring the access state; and for cross-domain calls, identified by an address in another domain, multi-mode biological characteristics participate in token generation, the token is valid only for the current request and becomes invalid immediately after the access finishes, and the server distributed node records a cross-domain log and synchronizes it to the third-party security server for recording.
- 6. The server authentication method based on biometrics and a dynamic token according to claim 1, wherein the timeliness adjustment process of the biometric matching threshold is as follows: a long attenuation period and a gentle threshold increment are set for the core characteristic segment, and a short attenuation period and a steep threshold increment are set for the auxiliary characteristic segment, wherein the attenuation period is set according to characteristic stability (the core characteristic segment has an annual attenuation rate of 5% or less, the auxiliary characteristic segment an annual attenuation rate of 15% or less) and the increment amplitude of the threshold is set according to recognition uniqueness; access frequency is counted over a 24-hour sliding time window and divided into three intervals, high frequency, medium frequency and low frequency, wherein high frequency is 5 or more times per day, medium frequency is 1-4 times per day and low frequency is at most 1 time per 7 days; high-frequency access extends the attenuation period by 20 percent, low-frequency access shortens it by 30 percent, and medium frequency keeps the initial period; and the matching threshold is automatically raised once every attenuation period until the matching degree falls below the preset threshold and an update is triggered, the server distributed node executing the adjustment rule and the third-party security server synchronously storing the adjustment record.
- 7. The server authentication method based on biometrics and dynamic tokens of claim 6, wherein the rule associating access frequency with the attenuation period is as follows: the extension amplitude of the attenuation period increases in steps with the number of accesses; in the low-frequency interval, the shortening amplitude of the attenuation period increases in steps with the length of inactivity; in the medium-frequency interval the initial attenuation period is kept unchanged; the higher the access frequency, the longer the attenuation period, and the lower the access frequency, the shorter the attenuation period; the threshold increment is positively correlated with the attenuation period, so the longer the period, the gentler the increment, and the shorter the period, the steeper the increment.
- 8. The server authentication method based on biological characteristics and a dynamic token according to claim 1, wherein the synchronous refreshing process of the biological characteristics and the dynamic token is as follows: the server distributed node monitors the attenuation state of the biological characteristic fragment in real time, compares the matching degree of the current fragment with the initial fragment, and generates a refresh instruction when the matching degree falls below the preset threshold; after receiving the instruction, the terminal prompts the user to collect the latest biological characteristics, embeds them with the locally cached key sub-fragments in a weight-layered manner, generates an update check code by a combination of factor embedding and exclusive-OR encryption, and uploads the result encrypted to the server; after verification against the remaining key sub-segments passes, the server combines the latest features with a newly generated token basic key to regenerate the fusion root key and split it into sub-segments; and the terminal security chip, the server distributed node and the third-party security server are instructed to synchronously update their key sub-segments, the new token basic key is synchronized to the terminal and the third-party security server, the old key is invalidated promptly, and the terminal automatically deletes the old key cache.
- 9. The server authentication method based on biological characteristics and a dynamic token according to claim 8, wherein the process by which the distributed nodes update the biological characteristic fragment ciphertext is as follows: each node receives an update instruction sent by the server distributed node, the update instruction comprising a node identifier, a new key sub-segment ciphertext and a check code; the terminal security chip and the third-party security server each check the validity of the instruction and, if it passes, overwrite the old ciphertext with the new ciphertext; after the update is finished, confirmation information comprising the update time, a characteristic identifier and a ciphertext check code is generated and synchronized to the server distributed node and the third-party security server for recording, and if the update fails, the failure is fed back to the server to trigger a re-update.
- 10. The server authentication method based on biometrics and dynamic tokens of claim 1, wherein the attenuation-associated authority management procedure is as follows: the server distributed node records the initial generation time and last update time of each characteristic segment and judges whether the attenuation period has been exceeded; if the core feature fragment has expired, the token is frozen, all authentication requests are forbidden and only the update entry remains open; after the user completes the biological characteristic update and passes verification, the server distributed node restores the normal authority of the token and pushes an authority restoration notification to the terminal, and the third-party security server synchronously updates the authority state.
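Claims 6, 7, 8 and 10 above describe the decay-period and threshold schedule in words only. The following Python is an added example, not code from the patent or its assignee, that implements those rules as stated: the period lengths, threshold bases and steps are constructed values (the claims give only the qualitative rule), and the handling of the frequency band the claims leave undefined is marked as an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SegmentPolicy:
    """Claim 6: long period and gentle step for the core segment, short period and
    steep step for the auxiliary one. The numbers below are constructed, not the patent's."""
    initial_period: timedelta
    base_threshold: float   # matching threshold right after (re)registration
    threshold_step: float   # added to the threshold per elapsed decay period

CORE = SegmentPolicy(timedelta(days=180), 0.80, 0.02)
AUX = SegmentPolicy(timedelta(days=30), 0.60, 0.10)

def classify_frequency(access_times, now):
    """Claim 6 bands on a 24-hour sliding window: high >= 5/day, medium 1-4/day,
    low <= 1 access per 7 days."""
    last_day = sum(1 for t in access_times if now - timedelta(days=1) < t <= now)
    last_week = sum(1 for t in access_times if now - timedelta(days=7) < t <= now)
    if last_day >= 5:
        return "high"
    if last_day >= 1:
        return "medium"
    if last_week <= 1:
        return "low"
    return "medium"  # assumption: 2-6 accesses in 7 days but none today is not banded by the claims

def adjusted_period(policy, freq):
    """Claim 6: high frequency lengthens the period by 20%, low shortens it by 30%."""
    return policy.initial_period * {"high": 1.2, "medium": 1.0, "low": 0.7}[freq]

def current_threshold(policy, period, last_update, now):
    """Claim 6: the threshold is lifted by one step per elapsed decay period, capped at 1.0."""
    elapsed_periods = int((now - last_update) / period)
    return min(1.0, policy.base_threshold + policy.threshold_step * elapsed_periods)

def needs_refresh(match_degree, threshold):
    """Claim 8: a refresh is triggered once the match degree falls below the threshold."""
    return match_degree < threshold

def rights_action(segment, period, last_update, now):
    """Claim 10: a core segment past its period without refresh freezes the token.
    Degrading an expired auxiliary segment is an assumption (claim 1 only says degrade or freeze)."""
    if now - last_update <= period:
        return "normal"
    return "freeze" if segment == "core" else "degrade"

# Constructed sample data so the block runs stand-alone.
NOW = datetime(2026, 1, 8, 12, 0)
HIGH_ACCESS = [NOW - timedelta(hours=h) for h in range(1, 6)]   # 5 accesses today
LOW_ACCESS = [NOW - timedelta(days=5)]                          # 1 access in 7 days

def demo():
    aux_period = adjusted_period(AUX, "medium")
    threshold = current_threshold(AUX, aux_period, NOW - timedelta(days=75), NOW)
    return {"core_high_days": adjusted_period(CORE, "high").days,
            "core_low_days": adjusted_period(CORE, "low").days,
            "aux_threshold_75d": threshold,
            "refresh": needs_refresh(0.72, threshold),
            "core_rights": rights_action("core", CORE.initial_period, NOW - timedelta(days=200), NOW)}
```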
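Claim 2 requires the fusion root key to be held as three sub-segments such that no single node can restore the key while verification still completes when one node fails. A plain three-way XOR split gives the first property but not the second, so this added example (not the patent's own scheme, which the claims do not specify) uses a 2-of-3 Shamir threshold split over GF(2^8); the root key value is constructed.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for every nonzero element)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

# Share indices: 1 = terminal security chip, 2 = server distributed node, 3 = third-party server.
NODES = (1, 2, 3)

def split_2_of_3(key):
    """Byte-wise Shamir split: each byte s becomes f(x) = s + c*x with a fresh random
    slope c, so a single share is uniformly random and reveals nothing about s."""
    shares = {x: bytearray() for x in NODES}
    for s in key:
        c = secrets.randbelow(256)
        for x in NODES:
            shares[x].append(s ^ gf_mul(c, x))
    return {x: bytes(v) for x, v in shares.items()}

def recover(x1, y1, x2, y2):
    """Rebuild the key from any two shares; in characteristic 2, x1 - x2 == x1 ^ x2,
    so f(0) = (y1*x2 ^ y2*x1) / (x1 ^ x2) byte by byte."""
    inv = gf_inv(x1 ^ x2)
    return bytes(gf_mul(gf_mul(a, x2) ^ gf_mul(b, x1), inv) for a, b in zip(y1, y2))

def all_pairs_recover(key):
    """True when every pair of surviving nodes reconstructs the key (one node may be down)."""
    shares = split_2_of_3(key)
    return all(recover(i, shares[i], j, shares[j]) == key for i, j in ((1, 2), (1, 3), (2, 3)))

ROOT_KEY = bytes(range(32))   # constructed stand-in for a 256-bit fusion root key
```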
Description
Server authentication method based on biological characteristics and dynamic token
Technical Field
The invention relates to the technical field of server authentication, in particular to a server authentication method based on biological characteristics and a dynamic token.
Background
The server authentication method is used for verifying the identity legitimacy of a visitor, preventing unauthorized access, confirming the authenticity and credibility of the client and the server, guaranteeing confidentiality and integrity during data transmission, and avoiding data tampering or theft. At present, in existing server authentication methods based on biological characteristics and dynamic tokens, the biological characteristic templates and dynamic token keys are mostly stored independently or simply spliced together, so that static biological characteristic libraries are easily attacked by library segment matching and single-point storage of the token keys poses a potential security hazard; at the same time, a fixed-threshold authentication strategy is adopted, which cannot adapt to changing business scenes or to the timeliness attenuation of biological characteristics; and the biological characteristic authentication and the dynamic token authentication are mutually independent, leaving a security hole whereby falsified characteristics or a single hijacked token can pass authentication. This impairs the reconstruction resistance and single-point leakage resistance of the authentication system, as well as its scene adaptability, user authentication pass rate and overall security. Therefore, a server authentication method based on biometrics and dynamic tokens is now proposed to solve the above problems.
Disclosure of Invention
The main objective of the present invention is to provide a server authentication method based on biometric features and dynamic tokens, so as to solve the problems set forth in the background above.
In order to achieve this aim, the technical scheme adopted by the invention is a server authentication method based on biological characteristics and a dynamic token, comprising the following steps: S1, fusion registration of the biological characteristics and the dynamic token: collecting the biological characteristics of a user, splitting them into a core characteristic fragment and an auxiliary characteristic fragment, extracting the characteristic fragment of the basic key of the dynamic token, and embedding the two characteristic fragments hierarchically according to weights to generate a unique fusion root key; S2, bidirectional verification authentication: the terminal collects the user's real-time biological characteristic data and injects it into the dynamic token generation logic to generate a dynamic token containing a temporary verification code; S3, scene dynamic adaptation: the server identifies the access scene and adjusts the biological feature acquisition dimensions and token validity rules according to the scene; S4, timeliness adjustment of the biological feature matching threshold: setting differential timeliness attenuation rules for the core feature segment and the auxiliary feature segment, adjusting the attenuation period according to the user's access frequency, and automatically raising the matching threshold every attenuation period until an update is triggered; S5, synchronous refreshing of the biological characteristics and the dynamic token: triggering the biological characteristic update and the token key refresh when the matching degree of the biological characteristic fragments falls below a preset threshold, and synchronously updating the key sub-fragments and the biological characteristic fragment ciphertext at each storage node; S6, attenuation-associated authority control: if a biological characteristic fragment exceeds its attenuation period without being updated, performing token authority degradation or freezing according to the characteristic type, and restoring the authority after the user completes the update.
Preferably, the fusion registration process of the biometrics and the dynamic token is as follows: after the user's biological characteristics are collected, denoising pre-processing is performed to remove environmental interference noise, and the biological characteristics are then split into a core characteristic segment and an auxiliary characteristic segment based on recognition contribution rate, stability and anti-interference capability; the core feature segments are the parts with a recognition contribution rate of 80% or more, an annual attenuation rate of 5% or less and definite recognition uniqueness, and comprise fingerprint textures and iris core textures, and the auxiliary feature segments are parts with the recognition contribution rate of 10% -30%, th