TWI835043B - Method and a system of biometric-based authentication in IIoT - Google Patents


Info

Publication number
TWI835043B
Authority
TW
Taiwan
Prior art keywords
user
private key
local
biometric
information
Application number
TW110149278A
Other languages
Chinese (zh)
Other versions
TW202326477A (en)
Inventor
王柏東
Original Assignee
龍華科技大學
Application filed by 龍華科技大學
Priority to TW110149278A
Publication of TW202326477A
Application granted
Publication of TWI835043B


Abstract

A method of biometric-based authentication in IIoT, the method comprising: generating a first local private key; collecting user biometric feature template information; accepting user profile information; encrypting the first local private key, the user biometric feature template information and the user profile information and transmitting them to a password authentication center via the Industrial Internet of Things; decrypting the encrypted first local private key, user biometric feature template information and user profile information; verifying whether the user identity in the user profile information is correct and, if so, generating a second local private key, or, if not, refusing to generate the second local private key; and transmitting the first local private key and the second local private key to the user's local machine.

Description

Translated from Chinese
Security authentication method and system applying biometrics to the industrial Internet of Things

The present invention relates to a security authentication method, and in particular to a security authentication method and system that applies biometric identification to the industrial Internet of Things.

Current cryptographic technology covers encryption and decryption algorithms, cryptanalysis, identification, electronic signatures and the management of private keys. It is the core technology for transmitting, exchanging and storing information and for achieving confidentiality, privacy, integrity and transaction security. However, protecting a cryptographic key with a long private-key password has two obvious problems: (1) it is difficult to remember or to keep safely; (2) it is easily cracked by hackers in various ways.

In addition, the ways in which general cryptographic technology uses keys fall into the following categories:

(1) Private-key (secret-key) cryptography: a symmetric encryption and decryption method in which the same key is used for both encryption and decryption. Its disadvantages are that the cipher is easily cracked and it is not secure. Well-known private-key cryptosystems include 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard) and IDEA (International Data Encryption Algorithm).

(2) Public-key cryptography: an asymmetric encryption and decryption method in which the encryption and decryption keys are entirely different, so the cipher is harder to crack. The best-known public-key cryptosystem is RSA (Rivest, Shamir and Adleman).

(3) Combined private- and public-key cryptography: a method that combines private-key and public-key cryptography and is the technique in general use. In practice, public-key cryptography is used to encrypt a randomly generated key, and private-key cryptography is then used to encrypt the data being transmitted; this is both practical and secure.

(4) As shown in Figure 1, in the general method of exchanging encrypted information the sender converts the plaintext M into the ciphertext C with the encryption key EK and transmits it, and the receiver finally decrypts the ciphertext C back into the plaintext M with the decryption key DK to obtain the data. It can therefore be seen that both private-key and public-key cryptographic mechanisms require the user to keep the password safely and to prevent others from obtaining it.

Because traditional password-based access can be stolen, it no longer meets the needs of a security mechanism. Given that the long private keys of the cryptographic technology widely used to secure information exchange are difficult to remember or to store secretly, the technical problem addressed by the present invention is how to provide a method that is both unique and highly secure. To this end, the present invention provides a security authentication method and system that applies biometrics to the industrial Internet of Things.

The security authentication method applying biometrics to the industrial Internet of Things provided by the present invention comprises: a user's local machine generating a first local private key according to the AES private-key algorithm; a biometric sensing device of the user's local machine collecting at least one item of user biometric feature template information; an input device of the user's local machine accepting at least one item of user profile information; encrypting the first local private key, the at least one item of user biometric feature template information and the at least one item of user profile information with a public key generated by a password authentication center and transmitting them to the password authentication center through a secure channel of the industrial Internet of Things; decrypting the encrypted first local private key, user biometric feature template information and user profile information with a private key generated by the password authentication center; the password authentication center comparing the password and biometric data pre-stored for the user's local machine with the decrypted first local private key and the at least one item of user biometric feature template information to determine whether they match, the matching result being successful if they do and the process ending if they do not; the password authentication center verifying whether the user identity in the at least one item of user profile information is correct and, if so, generating a second local private key according to the RSA public-key algorithm of the user's local machine, or, if not, refusing to generate the second local private key; and the password authentication center transmitting the first local private key and the second local private key to the user's local machine.

The security authentication system applying biometrics to the industrial Internet of Things provided by the present invention comprises: a generating circuit for generating a first local private key according to the AES private-key algorithm; a collecting circuit for collecting at least one item of user biometric feature template information; an accepting circuit for accepting at least one item of user profile information; an encryption circuit that encrypts the first local private key, the at least one item of user biometric feature template information and the at least one item of user profile information with a public key and transmits them to a password authentication center through a secure channel of the industrial Internet of Things; a decryption circuit for decrypting the encrypted first local private key, user biometric feature template information and user profile information; a comparison circuit for comparing the password and biometric data pre-stored for a user's local machine with the decrypted first local private key and the at least one item of user biometric feature template information to determine whether they match, the matching result being successful if they do and the process ending if they do not; a first verification circuit for verifying whether the user identity in the at least one item of user profile information is correct, a password authentication center generating a second local private key according to the RSA public-key algorithm of the user's local machine if so, and refusing to generate the second local private key if not; and a transmission circuit for transmitting the password pre-stored for the user's local machine, the first local private key and the second local private key to the user's local machine.

The security authentication method proposed by the present invention targets the cryptographic technology widely used to secure information exchange in the industrial Internet of Things and remedies the drawback that its long private keys are difficult to remember or to store secretly. The present invention provides a method that combines cryptography with biometric identification for security authentication in the industrial Internet of Things. It exploits the uniqueness of biometric features, which are inherent to the human body, to perform an asymmetric comparison of dynamic biometric data. This removes the drawbacks of relying on cryptographic technology alone for security authentication and relieves people of the burden of safeguarding private keys; it has also been shown in practice that combining biometric identification with cryptographic technology removes the privacy exposure problem of authenticating with biometrics alone.

The security authentication method proposed by the present invention can therefore raise the authentication security level of the industrial Internet of Things and has high commercial value. The method also has the following effects: it removes the drawbacks of relying solely on cryptographic technology for security authentication; it removes the privacy exposure problem of authenticating with a single biometric feature; it confirms identity with a high degree of security; its distinctive and unique features give users assurance when engaging in automation or intelligent control in the industrial Internet of Things, whether for commercial transactions, economic activities or other purposes; the combination of passwords and biometrics guards against theft and forgery by criminals; it spares users from keeping passwords themselves; it can be applied widely in many fields of identity authentication; and it has practical value for the industrial Internet of Things industry and for commerce.

To make the above and other objects, features and advantages of the present invention more readily understood, embodiments are described in detail below with reference to the accompanying drawings.

410: generating circuit
420: collecting circuit
430: accepting circuit
440: encryption circuit
450: decryption circuit
460: comparison circuit
470: first verification circuit
480: transmission circuit
490: second verification circuit
S1~S10: steps

Figure 1 is a block diagram of a general method of exchanging encrypted information in the prior art; Figure 2 is a flowchart of the security authentication method applying biometrics to the industrial Internet of Things according to one embodiment of the present invention; Figure 3 is a flowchart of the security authentication method applying biometrics to the industrial Internet of Things according to another embodiment of the present invention; Figure 4 is a block diagram of the security authentication system applying biometrics to the industrial Internet of Things according to another embodiment of the present invention.

In the following, the present invention is described in detail by illustrating its various embodiments with the drawings. The inventive concept may, however, be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth herein. In the drawings, the same reference numerals may be used to denote similar elements.

Please refer to Figure 2, a flowchart of the security authentication method applying biometrics to the industrial Internet of Things (hereinafter the "security authentication method") according to an embodiment of the present invention. The flow shown in Figure 2 is described in detail below; the security authentication method may specifically comprise the following steps:

Step S1: A user's local machine generates a first local private key according to the AES private-key algorithm.

When the user operates the security authentication software built into the user's local machine (for example a desktop computer, tablet or notebook computer), a first local private key is generated according to the AES private-key algorithm. The data communication of the security authentication method proposed by the present invention uses the AES private-key algorithm for encoding and decoding, generating an unlocking key at random, and then sends and receives data over a secure channel. The keys may also be a public key and a private key. More specifically, in asymmetric encryption each user holds a pair of keys, a public key and a private key. The public key can be published and circulated widely, whereas the private key must be kept safely. A message encrypted with one key of the pair must be decrypted with the other; because the encryption and decryption keys form a matched pair, either the public key encrypts and the private key decrypts, or the private key encrypts and the public key decrypts. The operating principle is that the sender and receiver first exchange their public keys before transmission; when the sender wants to transmit, it encrypts the message with the receiver's public key, and after receiving the encrypted message the receiver decrypts it with its own private key.

Step S2: A biometric sensing device of the user's local machine collects at least one item of user biometric feature template information (hereinafter "user biometric feature template information").

In one embodiment, the user produces the user biometric feature template information through the biometric sensing device of the user's local machine. For example, the biometric sensing device may be a microphone, a camera, a touch screen or a fingerprint sensor, and the user biometric feature template information may be at least one of fingerprint, voiceprint, face, retina, pupil, palm print, palm shape or signature information, each representing a type of human biometric feature and effectively increasing the sensing diversity of the security authentication method of the present invention. The user biometric feature template information follows the standards set by the International Biometric Industry Association (IBIA). The IBIA focuses mainly on applications of biometric technology, and most of its corporate members are leading developers, manufacturers or integrators in the biometric field.

Step S3: An input device of the user's local machine accepts at least one item of user profile information (hereinafter "user profile information").

In one embodiment, the user may enter the user profile information through an input device of the user's local machine (for example a keyboard or mouse). The style template data of the user profile information may be the overall layout of a file in ppt, pps, pptx, doc, docx or excel format, and that layout includes at least the pictures, text or audio-visual files represented by the corresponding data, effectively increasing the diversity of the user profile information.

Step S4: The first local private key, the at least one item of user biometric feature template information and the at least one item of user profile information are encrypted with a public key generated by a password authentication center and transmitted to the password authentication center through a secure channel of the industrial Internet of Things.

In one embodiment, the user's password (for example the user profile information) and the biometric feature template information are stored together at the password authentication center. After the password and biometric feature template information sent by the user's local machine have been encrypted, the encrypted first local private key, user biometric feature template information and user profile information are transmitted to the password authentication center through a secure channel of the industrial Internet of Things. The Industrial Internet of Things (IIoT) is the Internet of Things applied to industry: a system in which interconnected sensors, instruments, other devices and computer-based industrial applications are linked over a network, covering manufacturing and energy management among other areas. Network connectivity enables data collection, exchange and analysis, which helps to raise productivity and efficiency and brings other economic benefits. The IIoT evolved from the distributed control system (DCS) and uses cloud computing to refine and optimise process control, achieving a higher degree of automation.

Step S5: The private key generated by the password authentication center decrypts the encrypted first local private key, the at least one item of user biometric feature template information and the at least one item of user profile information.

In one embodiment, after receiving the encrypted first local private key, user biometric feature template information and user profile information, the password authentication center decrypts them with the private key of the asymmetric encryption scheme, effectively increasing information security.

Step S6: The password authentication center compares the password and biometric data pre-stored for the user's local machine with the decrypted first local private key and the at least one item of user biometric feature template information to determine whether they match.

In one embodiment, the matching result is successful when the biometric data pre-stored for the user's local machine matches the decrypted user biometric feature template information and the password pre-stored for the user's local machine matches the decrypted first local private key. In step S7, if they do not match, the process ends.

In one embodiment, the industrial Internet of Things may be a fieldbus used by the industrial communication protocols specified in IEC 61158. The fieldbus-related standards it covers are divided into Communication Profile Families (CPF) CPF01 to CPF15: FOUNDATION Fieldbus, CIP (Common Industrial Protocol), PROFIBUS and PROFINET, P-NET, WorldFIP (Factory Instrumentation Protocol, a French standard), INTERBUS, CC-Link, HART (Highway Addressable Remote Transducer Protocol), Vnet/IP (a protocol promoted by Yokogawa Electric of Japan), TCnet, EtherCAT, Ethernet POWERLINK, MODBUS-RTU, SERCOS and others.

Step S8: The password authentication center verifies whether the user identity in the at least one item of user profile information is correct. If so, the password authentication center generates a second local private key according to the RSA public-key algorithm of the user's local machine; in step S9, if not, the password authentication center refuses to generate the second local private key.

Step S10: The password authentication center transmits the first local private key and the second local private key to the user's local machine.

In one embodiment, when the password authentication center verifies that the user identity in the user profile information is correct, it obtains the second local private key with the RSA public-key algorithm of the user's local machine and sends the decrypted first local private key and the second local private key back to the user's local machine. This avoids incidents such as interception and cracking when the password authentication center sends a password to the user's local machine. The security authentication method proposed by the present invention is therefore a secure and convenient mechanism that assures the security of users' commercial transactions, economic activities and other purposes.
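Steps S1 to S10 above as one runnable exchange with both sides, written here as an added example in Go; it is not code from the patent or its inventor. It assumes that the password travels inside the user profile information, that the AES key of S1 is wrapped with the center's RSA public key using OAEP and the template and profile are sealed with that key under AES-GCM (the patent names AES and RSA but no modes), and that the second local private key of S8 is a freshly generated RSA key; all sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
)

// Payload is what the user's local machine sends in S4, before encryption:
// the user profile information (S3) and the biometric template (S2).
type Payload struct {
	UserID   string `json:"user_id"`
	Password []byte `json:"password"`
	Template []byte `json:"template"`
}

// Envelope is the hybrid-encrypted S4 message: the AES-256 key of S1 wrapped with the
// center's RSA public key (OAEP), plus the payload sealed with that key under AES-GCM.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// Record is what the center has pre-stored for a user (S6).
type Record struct {
	Password, Template []byte
}

var oaepLabel = []byte("iiot-enrol") // binds the wrapped key to this protocol step (assumed label)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientEnroll runs S1-S4 on the user's local machine; k1 is returned so the caller can
// check it against what the center sends back in S10.
func ClientEnroll(centerPub *rsa.PublicKey, p Payload) ([]byte, *Envelope, error) {
	k1 := make([]byte, 32) // S1: first local private key (AES-256)
	if _, err := rand.Read(k1); err != nil {
		return nil, nil, err
	}
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, nil, err
	}
	aead, err := newGCM(k1)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, centerPub, k1, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return k1, &Envelope{wrapped, nonce, aead.Seal(nil, nonce, plain, nil)}, nil
}

// CenterVerify runs S5-S9 at the password authentication center. It returns k1 and a
// freshly generated RSA key as the second local private key (S8), or an error when the
// comparison (S6/S7) or the identity check (S9) fails.
func CenterVerify(centerPriv *rsa.PrivateKey, records map[string]Record, env *Envelope) ([]byte, *rsa.PrivateKey, error) {
	k1, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, centerPriv, env.WrappedKey, oaepLabel) // S5
	if err != nil {
		return nil, nil, errors.New("cannot unwrap first local private key")
	}
	aead, err := newGCM(k1)
	if err != nil {
		return nil, nil, err
	}
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil) // the GCM tag also catches tampering
	if err != nil {
		return nil, nil, errors.New("payload rejected: wrong key or modified in transit")
	}
	var p Payload
	if err := json.Unmarshal(plain, &p); err != nil {
		return nil, nil, err
	}
	rec, known := records[p.UserID] // S8: is the claimed identity on file?
	// S6: constant-time comparison, so response timing does not reveal which field failed.
	same := subtle.ConstantTimeCompare(rec.Password, p.Password) & subtle.ConstantTimeCompare(rec.Template, p.Template)
	if !known || same != 1 {
		return nil, nil, errors.New("mismatch: second local private key refused") // S7/S9
	}
	k2, err := rsa.GenerateKey(rand.Reader, 2048) // S8: second local private key
	if err != nil {
		return nil, nil, err
	}
	return k1, k2, nil // S10: both keys go back to the user's machine
}
```

A wrong template, an unknown user ID and a ciphertext altered in transit all end in the refusal branch, which is the behaviour S7 and S9 require.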

Referring to Figures 2 and 3 together, Figure 3 is a flowchart of a security authentication method applying biometrics to the industrial Internet of Things according to another embodiment of the present invention. After the password authentication center transmits the first local private key and the second local private key to the user's local machine in step S10, the method further comprises: step S11, in which the biometric sensing device of the user's local machine collects the at least one item of user biometric feature template information again; and step S12, in which feature extraction and feature comparison are performed on the at least one item of user biometric feature template information and the biometric data of the password authentication center to produce an authentication result (for example a fingerprint verification success rate).

In one embodiment, the biometric data of the password authentication center comprises a plurality of preset fingerprints, each with corresponding fingerprint features, and a fingerprint matching degree for the fingerprint information can be computed by matching these features. Specifically, in one implementation the security authentication method of the present invention extracts feature points from the fingerprint information entered by the user to obtain fingerprint features comprising terminal points, bifurcation points, isolated points and other feature points. These fingerprint features are matched against the fingerprint features of the preset fingerprints in the preset database of the password authentication center to obtain the fingerprint matching degree of the fingerprint information, and the fingerprint verification success rate is taken from the highest fingerprint matching degree.

In other words, the automatic biometric authentication process retrieves the biometric template stored in the password authentication center database by the user authentication code (user ID) or user name, extracts the biometric features the user has entered, and then compares the user's stored biometric template with the extracted biometric features, using a biometric authentication algorithm to confirm whether the two sets of biometric features (for example the user biometric feature template information and the biometric data of the password authentication center) are unique and identical, effectively increasing accuracy. In addition, the security authentication method proposed by the present invention can authenticate the user biometric feature template information multiple times, effectively increasing security.

It should be understood that although the steps in the flowcharts S1 to S12 are shown in the order indicated by the arrows, they are not necessarily executed in that order. Unless expressly stated herein, there is no strict ordering constraint on their execution, and they may be performed in other sequences. Moreover, at least some of steps S1 to S12 may comprise multiple sub-steps or stages, which need not be completed at the same moment but may be executed at different times, and their execution order need not be sequential; they may be performed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.

In one embodiment, the storage device of the user's local machine comprises at least one of a magnetic stripe card, a two-dimensional barcode card, an IC card, a smart card, an electronic memory storage medium or an industrial Internet of Things device. For example, the circuit board of the user's local machine comprises at least one of a reduced instruction set computing microprocessor (RISC CPU), a complex instruction set computing microprocessor (CISC CPU), a digital signal processor (DSP), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), an application-specific integrated circuit (ASIC), a microprocessor or a microcontroller; the user's local machine is a chip with computing capability, in the form of a single integrated chip, an integrated chip with multiple composite functions, or multiple single-function chips. For example, the password authentication center may be a cloud, a local-area-network server or a fieldbus gateway. The present invention proposes a security authentication method that combines cryptography with biometric identification for application to the industrial Internet of Things. It exploits the uniqueness of biometric features, which are inherent to the human body, to perform an asymmetric comparison of dynamic biometric data. This removes the drawbacks of relying on cryptographic technology alone for security authentication and relieves people of the difficulty of safeguarding private keys; it has also been shown in practice that combining biometric identification with cryptographic technology removes the privacy exposure problem of authenticating with biometrics alone, and the method can be applied widely as a security technique for information exchange. It therefore has high commercial value for the identity authentication security issues that arise in the commercial transactions, online e-commerce and other activities of the industrial Internet of Things.

Please refer to FIG. 4, which is a schematic block diagram of a security authentication system applying biometrics to the industrial Internet of Things according to another embodiment of the present invention. The present invention proposes a security authentication system 400 (hereinafter the "security authentication system") applying biometrics to the industrial Internet of Things, including: a generation circuit 410 for generating a first local private key according to the AES private key algorithm; a collection circuit 420 for collecting at least one item of user biometric feature template information; a receiving circuit 430 for accepting at least one item of user profile information; an encryption circuit 440 for encrypting the first local private key, the user biometric feature template information and the user profile information with a public key and then transmitting them to a password authentication center through a secure channel of the industrial Internet of Things; a decryption circuit 450 for decrypting the encrypted first local private key, user biometric feature template information and user profile information; a comparison circuit 460 for comparing the password and biometric data pre-stored on a user's local machine with the decrypted first local private key and user biometric feature template information to determine whether they match, the matching result being successful if they do and the process ending if they do not; a first verification circuit 470 for verifying whether the user identity in the user profile information is correct, in which case a password authentication center generates a second local private key according to the RSA public key algorithm of the user's local machine, and otherwise the password authentication center refuses to generate the second local private key; and a transmission circuit 480 for transmitting the first local private key and the second local private key to the user's local machine.

In one embodiment, the security authentication system 400 further includes a second verification circuit 490 for verifying that the comparison between the biometric data pre-stored on the user's local machine and the decrypted user biometric feature template information is a match and that the comparison between the password pre-stored on the user's local machine and the decrypted first local private key is a match, in which case the matching result is successful; when the user identity in the user profile information is verified to be incorrect, the matching result fails and the process ends. Throughout the security authentication system 400, the uniqueness of biometric features is exploited by selecting a mechanism that combines automatic biometric authentication with a password, so that the user's password is kept confidential and the user can securely exchange information with the outside world over the industrial Internet of Things network. The main idea is to store the user's password and biometric features together in the password authentication center; when the user needs the password, it is obtained from the password authentication center after automatic biometric authentication, which avoids the trouble of the user forgetting the stored password and effectively improves the user experience, while the public key and private key encryption and decryption mechanism prevents passwords or data from being intercepted and cracked when sent or received, effectively improving communication security. The generation circuit 410, the collection circuit 420, the receiving circuit 430, the encryption circuit 440, the decryption circuit 450, the comparison circuit 460, the first verification circuit 470, the transmission circuit 480 and the second verification circuit 490 are electrically coupled to one another.
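The exchange described for system 400, modelled end to end in Go as an added example that is not the patent's own implementation: the user local machine seals the first local key, biometric template and profile under the center's public key, and the center decrypts, compares in constant time, verifies the identity and only then issues the second local key. The struct and field names, the use of a 32-byte template digest compared byte-for-byte, encrypting the whole payload in one RSA-OAEP block, and protecting the returned keys under the user's own RSA public key are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
)

// Payload is the triple the user local machine sends to the password
// authentication center: first local key, biometric template and profile
// (reduced here to a user ID). Field names are this example's own.
type Payload struct {
	FirstLocalKey []byte `json:"k1"`
	BioTemplate   []byte `json:"bio"`
	UserID        string `json:"uid"`
}

// Record is what the center has pre-stored per user ID: the password the first
// local key must match and the enrolled template (byte-for-byte, a simplification).
type Record struct{ Password, BioTemplate []byte }

// Result is what the center returns to the user local machine: the pre-stored
// password, the first local key and the newly generated second local key.
type Result struct{ PW, K1, K2 []byte }

// NewLocalKey returns a fresh 256-bit AES key (the page's "local private key").
func NewLocalKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Seal runs on the user local machine: the JSON payload is encrypted with
// RSA-OAEP under the center's public key. RSA-2048 with SHA-256 holds at most
// 190 bytes, so a full-size template would need hybrid (RSA-wrapped AES) encryption.
func Seal(centerPub *rsa.PublicKey, p Payload) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, centerPub, plain, nil)
}

// Authenticate runs at the center: decrypt, compare password and biometric with
// the pre-stored record in constant time (comparison circuit), check that the
// identity is enrolled (first verification circuit), then issue the second key.
func Authenticate(centerPriv *rsa.PrivateKey, userPub *rsa.PublicKey,
	records map[string]Record, sealed []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, centerPriv, sealed, nil)
	if err != nil {
		return nil, errors.New("decryption failed")
	}
	var p Payload
	if err := json.Unmarshal(plain, &p); err != nil {
		return nil, err
	}
	rec, known := records[p.UserID]
	pwOK := subtle.ConstantTimeCompare(rec.Password, p.FirstLocalKey) == 1
	bioOK := subtle.ConstantTimeCompare(rec.BioTemplate, p.BioTemplate) == 1
	if !known || !pwOK || !bioOK {
		// one generic refusal: do not reveal which factor failed
		return nil, errors.New("authentication failed, second key refused")
	}
	out, err := json.Marshal(Result{rec.Password, p.FirstLocalKey, NewLocalKey()})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, out, nil)
}
```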

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Those with ordinary knowledge in the technical field to which the present invention belongs may make some changes and refinements without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the present invention shall be determined by the appended claims.

S1~S10: steps

Claims (10)

1. A security authentication method applying biometrics to the industrial Internet of Things, including: generating, by a user's local machine, a first local private key according to the AES private key algorithm; collecting, by a biometric sensing device of the user's local machine, at least one item of user biometric feature template information; accepting, by an input device of the user's local machine, at least one item of user profile information; encrypting the first local private key, the user biometric feature template information and the user profile information with a public key generated by a password authentication center and transmitting them to the password authentication center through a secure channel of the industrial Internet of Things; decrypting the encrypted first local private key, user biometric feature template information and user profile information with a private key generated by the password authentication center; comparing, by the password authentication center, the password and biometric data pre-stored on the user's local machine with the decrypted first local private key and user biometric feature template information to determine whether they match, the matching result being successful if they do and the process ending if they do not; verifying, by the password authentication center, whether the user identity in the user profile information is correct, in which case the password authentication center generates a second local private key according to the RSA public key algorithm of the user's local machine, and otherwise the password authentication center refuses to generate the second local private key; and transmitting, by the password authentication center, the password pre-stored on the user's local machine, the first local private key and the second local private key to the user's local machine; wherein the password authentication center is a fieldbus gateway.

2. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein comparing the password and biometric data pre-stored on the user's local machine with the decrypted first local private key and user biometric feature template information to determine whether they match includes: when the comparison between the biometric data pre-stored on the user's local machine and the decrypted user biometric feature template information is a match, and the comparison between the password pre-stored on the user's local machine and the decrypted first local private key is a match, the matching result is successful; otherwise, the process ends.

3. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein the industrial Internet of Things is a fieldbus used by the industrial communication protocols specified in IEC 61158, whose fieldbus-related standards are divided into multiple communication profile families covering CPF01 to CPF15: FOUNDATION Fieldbus, CIP, PROFIBUS and PROFINET, P-NET, WorldFIP, INTERBUS, CC-Link, HART, Vnet/IP, TCnet, EtherCAT, Ethernet POWER LINK, MODBUS-RTU and SERCOS.

4. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, further including, after the password authentication center transmits the first local private key and the second local private key to the user's local machine: collecting, by the biometric sensing device of the user's local machine, the at least one item of user biometric feature template information again; and performing feature extraction and feature comparison between the user biometric feature template information and the biometric data of the password authentication center to produce an authentication result.

5. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein the storage device of the user's local machine includes at least one of a magnetic stripe card, a two-dimensional barcode card, an IC card, a smart card, an electronic memory storage medium, or an industrial Internet of Things device.

6. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein the circuit board of the user's local machine includes at least one of a reduced instruction set computing microprocessor, a complex instruction set computing microprocessor, a digital signal processor, a field programmable gate array, a complex programmable logic device, an application-specific integrated circuit, a microprocessor, or a microcontroller.

7. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein the at least one item of user biometric feature template information includes at least one of fingerprint information, voiceprint information, facial information, retinal information, pupil information, palmprint information, palm shape information, or signature information.

8. The security authentication method applying biometrics to the industrial Internet of Things according to claim 1, wherein the password authentication center is a cloud, a local area network server, or a fieldbus gateway.

9. A security authentication system applying biometrics to the industrial Internet of Things, including: a generation circuit for generating a first local private key according to the AES private key algorithm; a collection circuit for collecting at least one item of user biometric feature template information; a receiving circuit for accepting at least one item of user profile information; an encryption circuit for encrypting the first local private key, the user biometric feature template information and the user profile information with a public key and then transmitting them to a password authentication center through a secure channel of the industrial Internet of Things; a decryption circuit for decrypting the encrypted first local private key, user biometric feature template information and user profile information; a comparison circuit for comparing the password and biometric data pre-stored on a user's local machine with the decrypted first local private key and user biometric feature template information to determine whether they match, the matching result being successful if they do and the process ending if they do not; a first verification circuit for verifying whether the user identity in the user profile information is correct, in which case a password authentication center generates a second local private key according to the RSA public key algorithm of the user's local machine, and otherwise the password authentication center refuses to generate the second local private key; and a transmission circuit for transmitting the password pre-stored on the user's local machine, the first local private key and the second local private key to the user's local machine; wherein the password authentication center is a fieldbus gateway.

10. The security authentication system applying biometrics to the industrial Internet of Things according to claim 9, further including a second verification circuit for verifying that, when the comparison between the biometric data pre-stored on the user's local machine and the decrypted user biometric feature template information is a match, and the comparison between the password pre-stored on the user's local machine and the decrypted first local private key is a match, the matching result is successful; otherwise, the process ends.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
TW110149278A | 2021-12-29 | 2021-12-29 | Method and asystem of biometric-based authentication in iiot (TWI835043B)


Publications (2)

Publication Number | Publication Date
TW202326477A | 2023-07-01
TWI835043B (granted) | 2024-03-11

Family ID: 88147645
