Background technology
Authentication is an indispensable step in keeping a system operating securely and reliably. When a user accesses an application system, an authentication mechanism must first verify that the user's identity matches the claimed one, that is, that the virtual identity in the network system corresponds to the real-world entity. Conventional authentication today usually relies on a single factor: static password authentication, dynamic password authentication, or biometric authentication (mainly fingerprint, iris, face and voice). Single-factor authentication of this kind carries a serious security risk: it is easily imitated or tampered with by an unauthorized person, and so cannot provide truly secure authentication.
The prior art also includes combined identity authentication methods, for example Chinese Patent No. 201310123555.0, titled "identification confirmation system and method based on dynamic password voice", and Chinese Patent No. 200910078848.5, titled "remote voice identification authentication system and method".
The main scheme of Patent No. 201310123555.0 is as follows: after the user sends a login request, the server sends dynamic password text data to the user and generates that user's dynamic password speech data in the background. The user reads the dynamic password aloud and sends the speech data to the server, and the server decides whether the user is legitimate according to whether the two sets of speech data match. Although this scheme achieves dual authentication, strictly speaking it is not a dynamic password voice authentication technique, because the user side has no password token and the user side and the server do not perform cryptographic processing with a shared key. Its only benefit is that the voice information the user sends is different each time, which prevents password replay attacks; it cannot prevent interception by an unauthorized person. In practice, once an unauthorized person has intercepted a certain amount of a user's voice information, speech synthesis is enough to impersonate the legitimate user, because the dynamic password to be read aloud is sent from the server and the unauthorized person can obtain it directly.
The main scheme of Patent No. 200910078848.5 is as follows: after the user sends a login request, the server sends a random number to the user, and the user reads the random number aloud and sends the voice information to the server. The server performs speech recognition and voiceprint recognition separately. The user is accepted as legitimate only if the random number extracted from the voice is identical to the server's and the voiceprint features also match. This scheme closely resembles challenge/response dynamic password technology, but because no cryptographic processing with a shared key takes place, the attack described above is still difficult to prevent.
No effective solution to the above technical problems in the related art has yet been proposed.
Summary of the invention
To address the above technical problems in the related art, the present invention proposes an identity authentication method and system that effectively improve security during authentication and achieve truly secure authentication.
The technical solution of the present invention is realized as follows:
According to one aspect of the present invention, an identity authentication method is provided.
The identity authentication method comprises:
The user obtains dynamic password information from a pre-configured dynamic password token and, from that dynamic password information, generates the corresponding voice password information;
The user inputs the voice password information to the authentication server, causing the authentication server to analyze the voice password information, determine the dynamic password information and the voiceprint information it contains, and verify both;
If the dynamic password information and the voiceprint information contained in the voice password information both pass verification, the authentication server determines that the user is a legitimate user.
In addition, the identity authentication method further comprises: if the dynamic password information and/or the voiceprint information contained in the voice password information does not pass verification, the authentication server determines that the user is an illegitimate user.
When verifying the dynamic password information, the authentication server may verify it against the pre-stored token serial number and seed key of the dynamic password token.
When verifying the voiceprint information, the authentication server may verify it against pre-configured voiceprint reference information, which comprises the user's voiceprint feature information.
Optionally, the dynamic password token is a time-synchronized dynamic password token or an event-synchronized dynamic password token.
According to another aspect of the present invention, an identity authentication system is provided.
The identity authentication system comprises:
A user side, configured to generate, from the dynamic password information input by the user, the corresponding voice password information, where the dynamic password information is obtained from a pre-configured dynamic password token;
An authentication server, configured to receive the voice password information sent by the user side, analyze it, determine the dynamic password information and the voiceprint information it contains, and verify both;
If the dynamic password information and the voiceprint information contained in the voice password information both pass verification, the authentication server determines that the user is a legitimate user.
In addition, if the dynamic password information and/or the voiceprint information contained in the voice password information does not pass verification, the authentication server determines that the user is an illegitimate user.
The authentication server comprises a password authentication module, configured to verify the dynamic password information against the pre-stored token serial number and seed key of the dynamic password token.
The authentication server comprises a voiceprint authentication module, configured to verify the voiceprint information against pre-configured voiceprint reference information, which comprises the user's voiceprint feature information.
Optionally, the dynamic password token is a time-synchronized dynamic password token or an event-synchronized dynamic password token.
The present invention combines the one-time nature of dynamic passwords, which change on every use, with the security and convenience of voiceprint recognition to identify remote users over the Internet (particularly the mobile Internet), and is thereby both secure and easy to use.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments fall within the scope of protection of the present invention.
According to an embodiment of the present invention, an identity authentication method is provided.
As shown in Figure 1, the identity authentication method according to the embodiment of the present invention comprises:
Step S101: the user obtains dynamic password information from a pre-configured dynamic password token and, from that dynamic password information, generates the corresponding voice password information;
Step S103: the user inputs the voice password information to the authentication server, causing the authentication server to analyze the voice password information, determine the dynamic password information and the voiceprint information it contains, and verify both. If the dynamic password information and the voiceprint information both pass verification, the authentication server determines that the user is a legitimate user.
In addition, the identity authentication method further comprises: if the dynamic password information and/or the voiceprint information contained in the voice password information does not pass verification, the authentication server determines that the user is an illegitimate user.
When verifying the dynamic password information, the authentication server may verify it against the pre-stored token serial number and seed key of the dynamic password token.
When verifying the voiceprint information, the authentication server may verify it against pre-configured voiceprint reference information, which comprises the user's voiceprint feature information.
Optionally, the dynamic password token is a time-synchronized dynamic password token or an event-synchronized dynamic password token.
According to an embodiment of the present invention, an identity authentication system is also provided.
As shown in Figure 2, the identity authentication system according to the embodiment of the present invention comprises:
A user side 21, configured to generate, from the dynamic password information input by the user, the corresponding voice password information, where the dynamic password information is obtained from a pre-configured dynamic password token;
An authentication server 22, configured to receive the voice password information sent by the user side, analyze it, determine the dynamic password information and the voiceprint information it contains, and verify both. If the dynamic password information and the voiceprint information both pass verification, the authentication server determines that the user is a legitimate user.
In addition, if the dynamic password information and/or the voiceprint information contained in the voice password information does not pass verification, the authentication server determines that the user is an illegitimate user.
The authentication server 22 comprises a password authentication module (not shown), configured to verify the dynamic password information against the pre-stored token serial number and seed key of the dynamic password token.
The authentication server comprises a voiceprint authentication module (not shown), configured to verify the voiceprint information against pre-configured voiceprint reference information, which comprises the user's voiceprint feature information.
Optionally, the dynamic password token is a time-synchronized dynamic password token or an event-synchronized dynamic password token.
To make the above technical solution easier to understand, it is described in detail below through its implementation process.
In a specific implementation, the process consists of two major stages: system initialization and putting the authentication server into service.
1) System initialization: system initialization has two parts. The first is binding each registered account to a dynamic password token; the second is building the speech recognition and voiceprint recognition library for the registered account's user. Binding a registered account to a dynamic password token means establishing a one-to-one relationship between the user account and the password token the user uses. This is done by creating an association between the user account and the token serial number in the authentication server database. Each dynamic password token has a unique token serial number that distinguishes it from other tokens. Each token has its own seed key and synchronization state value, and these values are stored both in the token and in the authentication server database.
Specifically, the authentication server randomly generates a group of dynamic passwords (such as the 8-digit numbers 8345 6712 and 4570 3397, or the 12-digit numbers 2419 3805 1278 and 3907 5513 7802) and sends them to the registering user. The user reads these dynamic password digits (the ten digits 0 to 9) at normal speed and in a normal tone, and sends the recorded speech data to the authentication server. The authentication server calls the speech recognition modeling module to build this registered user's speech recognition model for the ten digits. Once the speech recognition model is built, the authentication server sends dynamic password data to the user again, and the user reads it aloud and returns the speech data to the server. The server calls the speech recognition module to recognize this speech data. If the digits the user reads are all recognized correctly over repeated trials, the user's speech recognition model is established. If they are not all recognized correctly, the relevant parameters of the speech recognition model are adjusted and the user's training and testing are repeated until the digits are all recognized correctly over repeated trials. Using the speech data the user has sent, the authentication server calls the voiceprint recognition modeling module to build a voiceprint recognition model specific to this registered user, which is used to determine whether a segment of dynamic password speech was read by this user. Once the user's voiceprint recognition model is built, the authentication server sends dynamic password data to the user again, and the user reads it aloud and returns the speech data to the server. The server calls the voiceprint recognition module to identify this speech data. If the server can confirm with a high confidence rate that the speech was read by the registered user, the user's voiceprint recognition model is established. If it cannot identify the user with a high confidence rate, the relevant parameters of the voiceprint recognition model are adjusted and the user's training and testing are repeated until the user can be identified correctly with a high confidence rate. When speech recognition and voiceprint recognition modeling has finished for all users, the authentication system can formally go into operation.
2) Putting the authentication server into service: once the authentication server has completed initialization, it can formally be put into service. The authentication procedure is as follows:
First step: the user uses the dynamic password token bound to the registered account to produce the dynamic password for the current state. The user may use a time-synchronized dynamic password token or an event-synchronized dynamic password token. The token may take the form of a hardware token with an LCD display, a software token implemented purely in software, a USBKey token or smart card token with a client program, an APP software token on a smartphone, or a token embedded in another APP.
Second step: the user enters the login account, reads the digits of the dynamic password aloud, and sends the speech data to the authentication server. Whatever form of token the user has, it produces a series of digits that changes on every use and serves as the new authentication password. The user does not need to enter the token's dynamic password into a password field by keyboard or handwriting; instead the user reads the digits of the password aloud, and this speech data is sent to the authentication server. This is not only convenient for the user but also greatly improves the security of the authentication process.
Third step: the authentication system performs speech recognition on the input speech to obtain the dynamic password data and verifies whether the dynamic password is correct. If it is correct, the process continues to the next step; if it is wrong, the authentication process ends. The authentication system looks up the user's speech recognition model data by the user's login account, processes the speech data containing the dynamic password that the user read aloud, extracts the dynamic password data from it, and authenticates this dynamic password according to the dynamic password authentication rule the system uses, determining whether the user passes the dynamic password authentication step.
Fourth step: the authentication system performs voiceprint recognition on the input speech and judges whether it matches the registered user's voiceprint features. Using the voiceprint recognition template, the authentication system extracts the user's voiceprint features from the input speech data, looks up by the user's login account the voiceprint feature data stored on the server when the user registered, and compares the two. If the match rate of the voiceprint features exceeds the preset threshold, the speech is considered to have been read by the registered user and the voiceprint check is passed. If the match rate is below the preset threshold, the speaker may be someone impersonating the user, and the login is refused. Only a user who passes both the dynamic password authentication and the voiceprint feature authentication is judged to be a legitimate registered user.
As can be seen, the above technical solution combines the one-time nature of dynamic passwords, which change on every use, with the security and convenience of voiceprint recognition to identify remote users over the Internet (particularly the mobile Internet), and is thereby both secure and easy to use.
As for security: even if an attacker has obtained a user's earlier dynamic password speech data and can synthesize any dynamic password speech in that user's voice (at which point the existing patents are no longer secure), the attacker does not have the user's token and does not know what the next dynamic password is, and therefore cannot pass authentication under this method. If the user's token or mobile phone is lost, the probability that an impostor's voiceprint features closely resemble those of the legitimate user is very low, which keeps the user's account safe until the user reports the loss.
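The third and fourth steps and the security argument above, as an added example that is not part of the original patent text. The patent does not name an OTP algorithm or a voiceprint scoring method, so the RFC 4226/6238 HMAC one-time password, cosine similarity over feature vectors, the 0.85 threshold, the replay check on the last accepted step, and all names and sample values here are assumptions; the digits and feature vector stand for the outputs of the speech and voiceprint recognizers.

```python
import hashlib
import hmac
import math
import struct

# Assumed parameters; the page specifies none of them.
STEP = 30          # seconds per time-synchronized step
DIGITS = 8         # the page's sample passwords include 8-digit ones
THRESHOLD = 0.85   # minimum voiceprint match rate


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP; the time-synchronized case passes time // STEP as counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class AuthServer:
    def __init__(self):
        self.accounts = {}   # account -> record bound at initialization

    def enroll(self, account, serial, seed, voiceprint):
        self.accounts[account] = {"serial": serial, "seed": seed,
                                  "voiceprint": voiceprint, "last_step": -1}

    def authenticate(self, account, spoken_digits, voice_features, now):
        rec = self.accounts.get(account)
        if rec is None:
            return False
        current = int(now) // STEP
        matched = None
        for step in (current - 1, current, current + 1):   # clock-drift window
            expected = hotp(rec["seed"], step).encode()
            if hmac.compare_digest(expected, spoken_digits.encode()):
                matched = step
        # Third step: password must match and its step must not be reused.
        if matched is None or matched <= rec["last_step"]:
            return False
        # Fourth step: voiceprint match rate must reach the threshold.
        if cosine(voice_features, rec["voiceprint"]) < THRESHOLD:
            return False
        rec["last_step"] = matched
        return True


def demo(now=1_700_000_000):
    """Constructed data: stale password, wrong voice, legitimate login, replay."""
    seed, voice, other = b"constructed-seed", [0.9, 0.1, 0.4, 0.2], [0.1, 0.9, 0.2, 0.7]
    srv = AuthServer()
    srv.enroll("alice", "SN-0001", seed, voice)
    otp, stale = hotp(seed, now // STEP), hotp(seed, now // STEP - 10)
    tries = [(stale, voice), (otp, other), (otp, voice), (otp, voice)]
    return [srv.authenticate("alice", d, v, now) for d, v in tries]
```

The first attempt models synthesized speech without the token, the second a lost token used by another speaker; the fourth shows that a captured utterance replayed within the same time step is refused once the genuine login has succeeded.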
As for ease of use: the prior art requires the user to enter the dynamic password shown on the token into a password field by hand, whereas the present invention only requires the user to click or hold a button on the screen and read aloud the dynamic password digits shown on the token. Ease of use is much improved by comparison, which makes the invention particularly suitable for mobile Internet application systems.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.