CN-122001589-A - User identity verification method, device, equipment, storage medium and product

Abstract

The application discloses a user identity verification method, device, equipment, storage medium and product, and relates to the technical field of secure digital identity verification. According to the application, the biometric data is stored in a SIM card with higher performance, and when a user needs to carry out identity verification the platform side can read the biometric data from the SIM card in various modes, so that complex biometric data comparison can be performed. When the SIM card feeds back data, the biometric metadata and the biometric vector are encrypted in a segmented manner according to different modes, so that the key is updated during the encryption of biometric information, which has higher security requirements, and the security of the key is improved; at the same time, a signature and a MAC message authentication code are added over the whole data ciphertext to ensure message integrity and non-repudiation.

Inventors

  • GU BO
  • WANG HAO
  • YU HAO
  • YANG JINYUAN

Assignees

  • 中移动金融科技有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260508
Application Date
20241101

Claims (13)

  1. A method for authenticating a user, the method being applied to a SIM card side, the method comprising: when a biological characteristic data reading instruction sent by a mobile phone or a machine tool is received, carrying out asymmetric encryption on the locally stored biological characteristic metadata through a first national commercial cryptographic algorithm and an asymmetric public key to obtain a metadata encryption ciphertext; symmetrically encrypting the locally stored biological feature vector and a preset public key through a second national commercial cryptographic algorithm and the metadata encryption ciphertext to obtain a feature vector encryption ciphertext; splicing the metadata encryption ciphertext and the feature vector encryption ciphertext, and performing signature calculation on the spliced ciphertext according to the first national commercial cryptographic algorithm and the asymmetric public key to obtain a first signature value; splicing a data writing application protocol data unit instruction, the metadata encryption ciphertext, the feature vector encryption ciphertext and the first signature value to obtain encrypted biological feature data; determining a first MAC value corresponding to the encrypted biological feature data through the second national commercial cryptographic algorithm and a MAC symmetric key; and feeding the encrypted biological characteristic data, the first MAC value and the first signature value back to the mobile phone or machine tool, so that the mobile phone or machine tool can send the encrypted biological characteristic data, the first MAC value and the first signature value to a platform side for user identity verification.
  2. A user identity verification method, wherein the method is applied to a platform side, and the method comprises the following steps: receiving encrypted biological characteristic data, a first MAC value and a first signature value sent by a mobile phone or a machine tool; performing data integrity verification according to the first MAC value and the first signature value; when the verification passes, decrypting the encrypted biological feature data according to a preset encryption rule to obtain biological feature metadata and a biological feature vector; and comparing the biological characteristic metadata and the biological characteristic vector respectively with pre-stored biological characteristic information, and feeding back a user identity verification result to the mobile phone or machine tool.
  3. A user identity verification method, wherein the method is applied to a platform side, and the method comprises the following steps: receiving the user biological characteristic metadata ciphertext collected and encrypted by a receiver, and decrypting the user biological characteristic metadata ciphertext to obtain user biological characteristic metadata; extracting a user biological feature vector according to the user biological feature metadata; formatting the user biological characteristic metadata, the user biological characteristic vector and biological characteristic preset information according to a preset format to obtain formatted biological characteristic data; generating an external authentication application protocol data unit instruction, sending the external authentication application protocol data unit instruction to the SIM card side, establishing a secure channel with the SIM card side, and receiving an external authentication result fed back by the SIM card side; generating a key writing application protocol data unit instruction, wherein the key writing application protocol data unit instruction comprises an encrypted key and a second MAC value, and the encrypted key consists of a metadata symmetric key, an asymmetric public key and a MAC symmetric key; transmitting the key writing application protocol data unit instruction to the SIM card side through the secure channel, so that the SIM card side verifies the second MAC value and stores the decrypted metadata symmetric key, asymmetric public key and MAC symmetric key; carrying out segmented encryption on the formatted biological characteristic data according to the metadata symmetric key and the external authentication result to obtain segmented encrypted biological characteristic data; determining a third MAC value and a second signature value corresponding to the segmented encrypted biometric data according to the asymmetric public key; splicing the segmented encrypted biological characteristic data, the third MAC value and the second signature value according to a preset instruction format to generate a data writing application protocol data unit instruction; and sending the data writing application protocol data unit instruction to the SIM card side through the secure channel, so that the SIM card side verifies the third MAC value and the second signature value according to the data writing application protocol data unit instruction, and decrypts and stores the segmented encrypted biological characteristic data according to a preset encryption rule.
  4. A user authentication method as defined in claim 3, wherein the step of generating a key writing application protocol data unit instruction comprises: generating a metadata symmetric key, an asymmetric public key and a MAC symmetric key according to a preset data format; generating a random number acquisition instruction, and sending the random number acquisition instruction to the SIM card side so that the SIM card side feeds back a random number and a SIM card side key; splicing the obtained random number, the metadata symmetric key, the asymmetric public key and the MAC symmetric key to obtain a key to be written; determining a second MAC value corresponding to the key to be written; encrypting the key to be written according to the SIM card side key to obtain an encrypted key to be written; and generating the key writing application protocol data unit instruction according to the second MAC value and the encrypted key to be written.
  5. A user authentication method according to claim 3, wherein the step of performing segmented encryption on the formatted biometric data according to the metadata symmetric key and the external authentication result to obtain segmented encrypted biometric data comprises: encrypting the user biological characteristic metadata in the formatted biological characteristic data according to a third national commercial cryptographic algorithm and the metadata symmetric key to obtain encrypted user metadata; splicing the first preset number of bits of ciphertext data in the external authentication result, the preset bytes of ciphertext data in the encrypted user metadata and the last preset number of bits of MAC data in the external authentication result, and calculating a hash value over the spliced data according to a hash function of a fourth national commercial cryptographic algorithm to obtain a user biological characteristic metadata ciphertext; encrypting the user biological feature vector in the formatted biological feature data according to a second national commercial cryptographic algorithm and the user biological feature metadata ciphertext to obtain a user biological feature vector ciphertext; and generating the segmented encrypted biological characteristic data according to the user biological characteristic metadata ciphertext and the user biological characteristic vector ciphertext.
  6. A method for authenticating a user, the method being applied to a SIM card side, the method comprising: when receiving an external authentication application protocol data unit instruction sent by a platform side, establishing a secure channel with the platform side, and feeding back a generated external authentication result to the platform side; receiving a key writing application protocol data unit instruction sent by the platform side through the secure channel, and performing key integrity verification according to a second MAC value in the key writing application protocol data unit instruction; when the key integrity verification passes, decrypting the encrypted key, and storing the metadata symmetric key, the asymmetric public key and the MAC symmetric key obtained by decryption in the area with the highest security level of the storage area; receiving a data writing application protocol data unit instruction sent by the platform side through the secure channel, and performing data integrity verification according to a third MAC value and a second signature value in the data writing application protocol data unit instruction; and when the data integrity verification passes, decrypting the segmented encrypted biological characteristic data according to a preset encryption rule, and storing the decrypted biological characteristic metadata and biological characteristic vector.
  7. A user authentication apparatus, wherein the user authentication apparatus is applied to a SIM card side, the user authentication apparatus comprising: a metadata encryption module, used for carrying out asymmetric encryption on the locally stored biological characteristic metadata through a first national commercial cryptographic algorithm and an asymmetric public key when a biological characteristic data reading instruction sent by a mobile phone or a machine tool is received, so as to obtain a metadata encryption ciphertext; a feature vector encryption module, used for symmetrically encrypting the locally stored biological feature vector and a preset public key through a second national commercial cryptographic algorithm and the metadata encryption ciphertext to obtain a feature vector encryption ciphertext; a first signature calculation module, used for splicing the metadata encryption ciphertext and the feature vector encryption ciphertext, and carrying out signature calculation on the spliced ciphertext according to the first national commercial cryptographic algorithm and the asymmetric public key to obtain a first signature value; a biological characteristic data splicing module, used for splicing a data writing application protocol data unit instruction, the metadata encryption ciphertext, the feature vector encryption ciphertext and the first signature value so as to obtain encrypted biological characteristic data; a first MAC determining module, used for determining a first MAC value corresponding to the encrypted biological characteristic data through the second national commercial cryptographic algorithm and the MAC symmetric key; and a data feedback module, used for feeding back the encrypted biological characteristic data, the first MAC value and the first signature value to the mobile phone or machine tool, so that the mobile phone or machine tool can send the encrypted biological characteristic data, the first MAC value and the first signature value to the platform side for user identity verification.
  8. A user authentication apparatus, wherein the user authentication apparatus is applied to a platform side, the user authentication apparatus comprising: a data receiving module, used for receiving the encrypted biological characteristic data, the first MAC value and the first signature value sent by the mobile phone or machine tool; a data checking module, used for checking data integrity according to the first MAC value and the first signature value; a data decryption module, used for decrypting the encrypted biological characteristic data according to a preset encryption rule when the verification passes, so as to obtain biological characteristic metadata and a biological characteristic vector; and a data comparison module, used for comparing the biological characteristic metadata and the biological characteristic vector respectively with pre-stored biological characteristic information and feeding back a user identity verification result to the mobile phone or machine tool.
  9. A user authentication apparatus, wherein the user authentication apparatus is applied to a platform side, the user authentication apparatus comprising: a data formatting module, used for receiving the user biological characteristic metadata ciphertext collected and encrypted by the receiver, decrypting the user biological characteristic metadata ciphertext to obtain user biological characteristic metadata, extracting a user biological characteristic vector according to the user biological characteristic metadata, and formatting the user biological characteristic metadata, the user biological characteristic vector and biological characteristic preset information according to a preset format to obtain formatted biological characteristic data; an external authentication module, used for generating an external authentication application protocol data unit instruction, sending the external authentication application protocol data unit instruction to the SIM card side, establishing a secure channel with the SIM card side and receiving an external authentication result fed back by the SIM card side; a key writing module, used for generating a key writing application protocol data unit instruction, wherein the key writing application protocol data unit instruction comprises an encrypted key and a second MAC value, and the encrypted key consists of a metadata symmetric key, an asymmetric public key and a MAC symmetric key, and for transmitting the key writing application protocol data unit instruction to the SIM card side through the secure channel, so that the SIM card side verifies the second MAC value and stores the decrypted metadata symmetric key, asymmetric public key and MAC symmetric key; and a data writing module, used for carrying out segmented encryption on the formatted biological characteristic data according to the metadata symmetric key and the external authentication result to obtain segmented encrypted biological characteristic data, determining a third MAC value and a second signature value corresponding to the segmented encrypted biological characteristic data according to the asymmetric public key, splicing the segmented encrypted biological characteristic data, the third MAC value and the second signature value according to a preset instruction format to generate a data writing application protocol data unit instruction, and sending the data writing application protocol data unit instruction to the SIM card side through the secure channel, so that the SIM card side can check the third MAC value and the second signature value according to the data writing application protocol data unit instruction and decrypt and store the segmented encrypted biological characteristic data according to a preset encryption rule.
  10. A user authentication apparatus, wherein the user authentication apparatus is applied to a SIM card side, the user authentication apparatus comprising: an external authentication module, used for receiving an external authentication application protocol data unit instruction sent by a platform side, establishing a secure channel with the platform side and feeding back a generated external authentication result to the platform side; a key integrity check module, used for receiving a key writing application protocol data unit instruction sent by the platform side through the secure channel and performing key integrity verification according to a second MAC value in the key writing application protocol data unit instruction; a key writing module, used for decrypting the encrypted key when the key integrity verification passes, and storing the metadata symmetric key, the asymmetric public key and the MAC symmetric key obtained by decryption in the area with the highest security level of the storage area; and a data writing module, used for receiving a data writing application protocol data unit instruction sent by the platform side through the secure channel, carrying out data integrity verification according to a third MAC value and a second signature value in the data writing application protocol data unit instruction, decrypting the segmented encrypted biological characteristic data according to a preset encryption rule when the data integrity verification passes, and storing the decrypted biological characteristic metadata and biological characteristic vector.
  11. A user authentication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program being configured to implement the steps of the user authentication method as claimed in claim 1 or claim 2 or any one of claims 3 to 5 or claim 6.
  12. A storage medium, characterized in that the storage medium is a computer-readable storage medium on which a computer program is stored, which computer program, when executed by a processor, carries out the steps of the user authentication method according to claim 1 or claim 2 or any one of claims 3 to 5 or claim 6.
  13. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the steps of the user authentication method according to claim 1 or claim 2 or any one of claims 3 to 5 or claim 6.
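The SIM-side read of claim 1 and the platform-side check of claim 2, as an added Go example that is not part of the patent: RSA-OAEP, AES-GCM, Ed25519 and HMAC-SHA256 stand in for the national commercial cryptographic algorithms the page does not name, and the SIM is assumed to hold a signing private key (the claims mention only an asymmetric public key). The feature-vector key is derived from the metadata ciphertext, so it changes on every read, which is the key updating the abstract describes; the platform checks the MAC and the signature before it decrypts anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Record is one SIM read: both ciphertexts, the signature over their
// concatenation (first signature value) and the MAC over all of it (first MAC).
type Record struct{ MetaCT, VecCT, Sig, MAC []byte }

// vectorAEAD derives the feature-vector cipher from the metadata ciphertext,
// as claim 1 does. OAEP is randomised, so the key is fresh on every read.
func vectorAEAD(metaCT []byte) cipher.AEAD {
	k := sha256.Sum256(metaCT)
	block, _ := aes.NewCipher(k[:]) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

func macOf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(bytes.Join(parts, nil))
	return m.Sum(nil)
}

// SimRead is the SIM-side procedure of claim 1. RSA-OAEP, AES-GCM, Ed25519 and
// HMAC-SHA256 stand in for the national algorithms the page does not name;
// signKey is assumed to be provisioned so that the SIM can sign.
func SimRead(meta, vec, macKey []byte, platformPub *rsa.PublicKey, signKey ed25519.PrivateKey) (*Record, error) {
	metaCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, platformPub, meta, nil)
	if err != nil {
		return nil, err
	}
	aead := vectorAEAD(metaCT)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	vecCT := aead.Seal(nonce, nonce, vec, nil) // nonce || ciphertext || tag
	sig := ed25519.Sign(signKey, bytes.Join([][]byte{metaCT, vecCT}, nil))
	return &Record{metaCT, vecCT, sig, macOf(macKey, metaCT, vecCT, sig)}, nil
}

// PlatformVerify is the platform-side procedure of claim 2: MAC and signature
// are checked before decryption; only then is the template compared.
func PlatformVerify(r *Record, macKey []byte, decKey *rsa.PrivateKey, simPub ed25519.PublicKey, refMeta, refVec []byte) (bool, error) {
	if !hmac.Equal(macOf(macKey, r.MetaCT, r.VecCT, r.Sig), r.MAC) {
		return false, errors.New("MAC check failed")
	}
	if !ed25519.Verify(simPub, bytes.Join([][]byte{r.MetaCT, r.VecCT}, nil), r.Sig) {
		return false, errors.New("signature check failed")
	}
	meta, err := rsa.DecryptOAEP(sha256.New(), nil, decKey, r.MetaCT, nil)
	if err != nil {
		return false, err
	}
	aead := vectorAEAD(r.MetaCT)
	ns := aead.NonceSize() // length of VecCT is already covered by the MAC
	vec, err := aead.Open(nil, r.VecCT[:ns], r.VecCT[ns:], nil)
	if err != nil {
		return false, err
	}
	return bytes.Equal(meta, refMeta) && bytes.Equal(vec, refVec), nil
}
```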

Description

User identity verification method, device, equipment, storage medium and product

Technical Field

The present application relates to the field of secure digital authentication technologies, and in particular to a user authentication method, apparatus, device, storage medium and product.

Background

Biometric technology is a method of identity verification that uses an individual's unique physiological or behavioral characteristics. It relies on physical features or behavioral patterns inherent to humans that are difficult to reproduce or forge, such as fingerprints, facial features and iris patterns, and is widely used in personal identity verification, access control, transaction security and other fields. The biometric identification process is typically divided into two phases, enrollment (or entry) and matching (or verification). During enrollment, a biometric sample of the individual is collected by a sensor, then digitized and stored. During matching, when a user attempts to access a protected resource, a current biometric sample is obtained and compared with the stored template to determine whether they match. In the prior art, after the SIM card receives the feature code of the biometric information transmitted by the mobile phone, it compares that feature code with the feature code stored in the card and returns a comparison result; in this process, the security and uniqueness of the data transmission are ensured by comparing the random number stored in the card with the written random number and by asymmetrically encrypting the feature code of the biometric information.

In this scheme, however, the computing resources of the SIM card are limited and cannot support a complex biometric comparison algorithm, so comparison speed and accuracy are affected; furthermore, biometric information is private data, yet only asymmetric encryption and a random-number check are applied during transmission, which does not provide sufficient verification of data integrity.

Disclosure of Invention

The application mainly aims to provide a user identity verification method, device, equipment, storage medium and product, so as to solve the technical problem of low data security when complex biometric data comparison is performed during identity verification.
In order to achieve the above object, the present application provides a user authentication method, which is applied to a SIM card side, and the method includes: when a biological characteristic data reading instruction sent by a mobile phone or a machine tool is received, carrying out asymmetric encryption on the locally stored biological characteristic metadata through a first national commercial cryptographic algorithm and an asymmetric public key to obtain a metadata encryption ciphertext; symmetrically encrypting the locally stored biological feature vector and a preset public key through a second national commercial cryptographic algorithm and the metadata encryption ciphertext to obtain a feature vector encryption ciphertext; splicing the metadata encryption ciphertext and the feature vector encryption ciphertext, and performing signature calculation on the spliced ciphertext according to the first national commercial cryptographic algorithm and the asymmetric public key to obtain a first signature value; splicing a data writing application protocol data unit instruction, the metadata encryption ciphertext, the feature vector encryption ciphertext and the first signature value to obtain encrypted biological feature data; determining a first MAC value corresponding to the encrypted biological feature data through the second national commercial cryptographic algorithm and a MAC symmetric key; and feeding the encrypted biological characteristic data, the first MAC value and the first signature value back to the mobile phone or machine tool, so that the mobile phone or machine tool can send the encrypted biological characteristic data, the first MAC value and the first signature value to a platform side for user identity verification.
The application also provides a user identity verification method, which is applied to the platform side and comprises the following steps: receiving encrypted biological characteristic data, a first MAC value and a first signature value sent by a mobile phone or a machine tool; performing data integrity verification according to the first MAC value and the first signature value; when the verification passes, decrypting the encrypted biological feature data according to