Face identity authentication method based on terminal device legitimacy precondition constraint and related device
By introducing terminal device legitimacy verification into the facial recognition process, illegal devices are prohibited from collecting facial information. Furthermore, the design of combining a one-time collection of permission tokens and device-bound authentication materials solves the security and privacy leakage problems caused by the neglect of device legitimacy in existing technologies, thus achieving higher security and privacy protection for identity authentication.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING EETRUST TECH CO LTD
- Filing Date
- 2026-05-07
- Publication Date
- 2026-06-05
AI Technical Summary
Existing facial recognition authentication schemes ignore the legitimacy of terminal devices, resulting in low security and a high risk of privacy leaks.
By verifying the legitimacy of devices before the identity authentication process, the device key generated by the authentication server is used to verify the legitimacy of the terminal device. If the device legitimacy verification fails, the collection of facial information is prohibited. The message authentication code is calculated by combining the one-time collection permission token and the device-bound authentication materials to ensure the integrity and legitimacy of the data.
It effectively prevents abnormal terminals from participating in authentication, reduces security risks, prevents cross-device migration and replay attacks of facial feature data, and improves the security and privacy protection of identity authentication.
Smart Images

Figure CN122160191A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of Internet technology, and in particular to a facial recognition method and related equipment based on pre-constraints on the legitimacy of terminal devices. Background Technology
[0002] With the rapid development of facial recognition technology, facial recognition has been widely used in identity authentication scenarios such as cloud desktop login, government systems, enterprise office systems, and financial payments, and is gradually becoming the main authentication method to replace traditional passwords and card swiping.
[0003] However, most facial recognition authentication schemes in related technologies only focus on the dimension of "whether the person is a legitimate user", while ignoring the crucial issue of "whether the terminal device that collects and uploads facial data is trustworthy", which leads to low security of identity authentication and high risk of privacy leakage.
[0004] There is currently no effective solution to the aforementioned problems in the relevant technologies. Summary of the Invention
[0005] The facial identity authentication method and related equipment based on the pre-constraint of terminal device legitimacy provided in this invention at least partially solve the problems of low identity authentication security and high risk of privacy leakage in facial identity authentication methods in related technologies.
[0006] To address the aforementioned problems, one aspect of this invention provides a face authentication method based on pre-constraints of terminal device legitimacy, applied to an identity authentication system, wherein the identity authentication system includes a face recognition terminal, an authentication client, and an authentication server; the method includes: In response to a user's authentication request, the authentication client sends a verification command to the face recognition terminal and forwards the device legitimacy verification request, which includes the device's unique identifier, returned by the face recognition terminal to the authentication server. The authentication server generates a first device key based on the pre-stored master key and the received unique device identifier using a key derivation algorithm, and then uses the first device key to perform device legitimacy verification on the face recognition terminal. If the face recognition terminal fails the device legitimacy verification, the authentication process is terminated through the authentication client, and the face recognition terminal is prohibited from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, a one-time collection permission token corresponding to the current session identifier is generated through the authentication server, and the one-time collection permission token is sent to the face recognition terminal through the authentication client. This allows the face recognition terminal to collect the user's face information and extract the face feature digest based on the one-time collection permission token. Using the device binding authentication materials pre-stored within the face recognition terminal, the system collects at least the face feature digest and the device unique identifier. The system calculates a message authentication code using the identifier, the current session identifier, and the one-time acquisition permission token data to generate a first message authentication code. A face authentication request, including the face feature summary, the device unique identifier, the current session identifier, and the first message authentication code, is then sent to the authentication server via the authentication client. The internally pre-stored device-bound authentication material is generated by the licensing tool during the device initialization phase using the key derivation algorithm based on the master key and the device unique identifier, and written into the secure storage area of the face recognition terminal. This device-bound authentication material is bound to the device unique identifier and cannot be exported or reused across devices. The authentication server generates a second device key using the key derivation algorithm based on the pre-stored master key and the received unique device identifier, and verifies the first message authentication code based on the second device key, and determines the identity authentication result based on the verification result.
[0007] In some embodiments, the master key is stored in the hardware security module or trusted execution environment of the authentication server, and neither the face recognition terminal nor the authentication client stores the master key; the step of using the first device key to perform device legitimacy verification on the face recognition terminal includes: The authentication server generates a random challenge value, which is then sent to the face recognition terminal via the authentication client. The face recognition terminal uses the pre-stored device-bound authentication materials to perform cryptographic calculations on the random challenge value, generates a response value, and returns it to the authentication server via the authentication client. The authentication server performs the same cryptographic calculation on the random challenge value based on the first device key to obtain the expected response value, and compares the expected response value with the received response value. If the expected response value is consistent with the response value, the device legitimacy verification of the face recognition terminal is determined to be successful.
[0008] In some embodiments, the step of verifying the first message authentication code based on the second device key includes: The authentication server finds the corresponding one-time collection permission token based on the current session identifier, and uses the second device key to calculate the message authentication code on the data including the face feature digest, the device unique identifier, the current session identifier, and the one-time collection permission token, thereby generating a second message authentication code; The second message authentication code is compared with the received first message authentication code. If the second message authentication code matches the first message authentication code, the verification is successful; otherwise, the identity authentication fails.
[0009] In some embodiments, the data used for calculating the message authentication code further includes a terminal trusted state digest, a timestamp, or a session random number; wherein the terminal trusted state digest includes at least one of a firmware version digest, a secure boot state digest, or a trusted execution environment metric. The step of generating the first message authentication code includes: using the face recognition terminal to calculate the message authentication code by using the device binding authentication materials stored internally, including the face feature summary, the device unique identifier, the current session identifier, the one-time collection permission token, the terminal trusted state summary, and the timestamp or session random number, to generate the first message authentication code; If the data used to calculate the message authentication code includes a timestamp or a session random number; after sending the face authentication request to the authentication server, the method further includes: The authentication server parses the received face authentication request to extract the timestamp or session random number; it verifies whether the timestamp is within a preset valid time window, or whether the session random number has not been used; if the timestamp is not within the preset valid time window, or the session random number has been used, the authentication result is directly determined as authentication failure.
[0010] In some embodiments, the random challenge value is only valid in the current authentication session; after the device legitimacy verification process is completed, the first device key temporarily stored in the corresponding memory is cleared by the authentication server; after the face authentication process is completed, the second device key temporarily stored in the corresponding memory is cleared by the authentication server.
[0011] In some embodiments, the method further includes: If the number of times the face recognition terminal fails the device legitimacy verification exceeds a preset threshold, the authentication client adds the corresponding device unique identifier to the blacklist and rejects requests that include the device unique identifier for a preset time period. If the face recognition terminal passes the device legitimacy verification, it generates a temporary session key through the authentication server and sends the temporary session key to the face recognition terminal via the authentication client. This allows the face recognition terminal to use the temporary session key to encrypt the data to be transmitted, which includes the face feature summary, the device unique identifier, the current session identifier, and the first message authentication code, and then send the generated encrypted data packet to the authentication client.
[0012] In some of these embodiments, the one-time collection permission token has at least one of the following attributes: bound to the device's unique identifier, bound to the current session identifier, has a preset valid time window, is valid for a single use, and automatically expires upon timeout; The facial authentication request does not contain the user's original facial image data, but only the extracted facial feature summary; after the first message authentication code is verified, the facial feature summary is also compared with a pre-stored standard facial feature template by the authentication server to determine the final identity authentication result.
[0013] In some embodiments, the method further includes: When the user's identity authentication result is successful, the authentication server generates a single sign-on license credential and returns the license credential to the authentication client. The authentication client allows the user to access the target business system based on the license credential; wherein the target business system includes at least one of a cloud desktop system, a government affairs system, an enterprise office system, or a financial payment system.
[0014] To address the aforementioned problems, one aspect of this invention provides an identity authentication system, including a face recognition terminal, an authentication client, and an authentication server; wherein... The authentication client is used to respond to a user's identity authentication request, send a verification command to the face recognition terminal, and forward the device legitimacy verification request returned by the face recognition terminal, including the unique device identifier, to the authentication server so that the authentication server can perform device legitimacy verification. If the face recognition terminal fails the device legitimacy verification, the authentication client terminates the identity authentication process and prohibits the face recognition terminal from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, the authentication server forwards a one-time collection permission token corresponding to the current session identifier to the face recognition terminal. The face recognition terminal is used to collect the user's facial information and extract a facial feature summary based on the one-time collection permission token. Using the device binding authentication materials pre-stored within the face recognition terminal, it calculates a message authentication code on data including at least the facial feature summary, the device unique identifier, the current session identifier, and the one-time collection permission token, generating a first message authentication code. A face authentication request including the facial feature summary, the device unique identifier, the current session identifier, and the first message authentication code is then sent to the authentication server via the authentication client. The pre-stored device binding authentication materials are generated by the licensing tool during the device initialization phase using the key derivation algorithm based on the master key and the device unique identifier, and written into the secure storage area of the face recognition terminal. These device binding authentication materials are bound to the device unique identifier and cannot be exported or reused across devices. The authentication server is configured to, upon receiving the device legitimacy verification request, generate a first device key based on a pre-stored master key and the received unique device identifier using a key derivation algorithm, and perform device legitimacy verification on the face recognition terminal according to the first device key; when the face recognition terminal passes the device legitimacy verification, generate a one-time acquisition permission token corresponding to the current session identifier, and send the one-time acquisition permission token to the face recognition terminal via the authentication client; and is further configured to, based on the pre-stored master key and the received unique device identifier, generate a second device key using the key derivation algorithm, verify the first message authentication code based on the second device key, and determine the identity authentication result based on the verification result.
[0015] To address the aforementioned problems, one aspect of this invention provides an electronic device, including: a processor and a memory storing a program, the program including instructions that, when executed by the processor, cause the processor to perform any of the aforementioned authentication methods.
[0016] To address the aforementioned problems, one aspect of this invention provides a non-transitory machine-readable medium storing computer instructions for causing a computer to execute any of the aforementioned authentication methods.
[0017] The beneficial effects of this invention are as follows: An identity authentication method is provided, applied to an identity authentication system including a face recognition terminal, an authentication client, and an authentication server. This method responds to a user's identity authentication request by sending a verification command to the face recognition terminal through the authentication client, and forwarding the device legitimacy verification request returned by the face recognition terminal, including a unique device identifier, to the authentication server. The authentication server generates a first device key based on a pre-stored master key and the received unique device identifier using a key derivation algorithm, and performs device legitimacy verification on the face recognition terminal using the first device key. If the face recognition terminal fails the device legitimacy verification, the identity authentication process is terminated through the authentication client, and the face recognition terminal is prohibited from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, a one-time collection permission token corresponding to the current session identifier is generated through the authentication server, and the one-time collection permission token is issued to the face recognition terminal via the authentication client, enabling the face recognition terminal to perform one-time collection permission verification. This method involves collecting a user's facial information using a one-time data collection authorization token and extracting a facial feature digest. Utilizing pre-stored device-bound authentication materials within the facial recognition terminal, a message authentication code is calculated on data including at least the facial feature digest, the device's unique identifier, the current session identifier, and the one-time data collection authorization token. This generates a first message authentication code, and a facial identity verification request, including the facial feature digest, the device's unique identifier, the current session identifier, and the first message authentication code, is sent from the authentication client to the authentication server. The pre-stored device-bound authentication materials are generated by the authorization tool during device initialization using a key derivation algorithm based on the master key and the device's unique identifier, and are written to the secure storage area of the facial recognition terminal. These materials are bound to the device's unique identifier and cannot be exported or reused across devices. The authentication server generates a second device key based on the pre-stored master key and the received device's unique identifier using a key derivation algorithm. This second device key is then used to verify the first message authentication code, and the authentication result is determined based on the verification result. This approach overcomes the problems of low security and high privacy risks associated with other identity authentication methods.This invention addresses security risks by placing device legitimacy verification at the front end of the identity authentication process and directly prohibiting face capture when verification fails. This prevents abnormal terminals from participating in authentication at the source. The design separates the master key from the device-bound authentication materials, ensuring the terminal doesn't store the master key but only retains non-exportable and non-reusable device-bound authentication materials. This prevents attackers from obtaining the master key even if the face recognition terminal is compromised or communication is intercepted, thus hindering the impersonation of legitimate devices or large-scale attacks. The introduction of a one-time capture permission token elevates "allow capture" to protocol-level control, forming a pre-gating mechanism. Incorporating face feature summaries, unique device identifiers, current session identifiers, and one-time capture permission tokens into the message authentication code calculation enables session-level joint binding, effectively preventing face feature data from being ported and replayed across devices. Furthermore, unified verification of the first message authentication code by the authentication server simultaneously confirms device legitimacy and the authenticity of face data, effectively preventing data tampering and replay attacks. This achieves the technical effects of improving identity authentication security, reducing privacy risks, and expanding the applicable scenarios of identity authentication methods.
[0018] Details of one or more embodiments of the present invention are set forth in the following drawings and description, so that other features, objects and advantages of the invention will be more readily understood. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other embodiments can be obtained based on these drawings without creative effort.
[0020] Figure 1 This is a schematic diagram of the main process of a face authentication method based on pre-constraint of terminal device legitimacy in one embodiment of the present invention; Figure 2 This is a schematic diagram of the main modules of a face authentication system based on pre-constraint of terminal device legitimacy, according to one embodiment of the present invention. Figure 3 This is a schematic diagram of the module interaction of a face authentication system based on pre-constraint of terminal device legitimacy, according to one embodiment of the present invention. Figure 4 This is a schematic diagram of the structure of an electronic device according to an embodiment of the invention. Detailed Implementation
[0021] Embodiments of the present invention will now be described in more detail with reference to the accompanying drawings. While some embodiments of the invention are shown in the drawings, it should be understood that the invention can be implemented in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided to provide a more thorough and complete understanding of the invention. It should be understood that the accompanying drawings and embodiments are for illustrative purposes only and are not intended to limit the scope of protection of the invention.
[0022] In practical applications, the facial identity authentication solutions provided by related technologies mainly have the following technical defects: (1) In the solutions of related technologies, device authentication and facial authentication often exist as parallel authentication factors or independent steps, lacking process dependency. Attackers can bypass the device authentication process by impersonating terminal devices and directly submit the facial data of legitimate users to the authentication system. Even if the system is configured with device authentication function, due to the decoupling of device authentication and facial authentication processes, abnormal terminals can still independently trigger the facial collection and authentication process when device authentication fails, resulting in security vulnerabilities in the authentication system. (2) In the solutions of related technologies, terminal devices usually need to store static authentication private keys or digital certificates to prove the device identity. However, once the static key is extracted or leaked, attackers can use the key to impersonate legitimate terminals in batches, causing large-scale security incidents. In addition, the management and updating of static keys require complex infrastructure support, increasing the system's operation and maintenance costs and the risk of key leakage. (3) In the solutions of related technologies, facial authentication data and device identity lack cryptographic binding. Facial feature data may be intercepted, tampered with, or replayed during transmission, and the server has difficulty effectively distinguishing between authentication requests submitted by legitimate terminals and requests impersonated by attackers. Even if the server verifies the device identity, since facial data and device identity are not protected holistically, attackers can still extract facial data from legitimate devices and perform replay attacks or cross-device migrations on other abnormal terminals. (4) In the solutions of related technologies, device legitimacy verification is usually not used as a prerequisite for facial data collection. This means that even if the device fails authentication, the facial data collection device can still work normally and collect user facial information, which may allow legitimate users' facial information to be collected and used by abnormal terminals, increasing the risk of leakage of user biometric information.
[0023] To address the aforementioned problems, embodiments of the present invention provide a face authentication method based on pre-constraints of terminal device legitimacy, such as... Figure 1 As shown, this face authentication method based on pre-constraint of terminal device legitimacy is applied to an identity authentication system, which includes a face recognition terminal, an authentication client, and an authentication server; the method includes: Step S101: In response to the user's identity authentication request, a verification command is sent to the face recognition terminal through the authentication client, and the device legitimacy verification request returned by the face recognition terminal, including the device's unique identifier, is forwarded to the authentication server. Step S102: The authentication server generates a first device key based on the pre-stored master key and the received unique device identifier using a key derivation algorithm, and uses the first device key to perform device legitimacy verification on the face recognition terminal. Step S103: If the face recognition terminal fails the device legitimacy verification, the identity authentication process is terminated through the authentication client, and the face recognition terminal is prohibited from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, a one-time collection permission token corresponding to the current session identifier is generated through the authentication server, and the one-time collection permission token is sent to the face recognition terminal through the authentication client. This allows the face recognition terminal to collect the user's face information and extract the face feature summary based on the one-time collection permission token. Using the device binding authentication materials pre-stored within the face recognition terminal, the face information is collected, including at least the face feature summary. The device unique identifier, current session identifier, and one-time acquisition license token data are used to calculate a message authentication code to generate a first message authentication code. A face authentication request, including a face feature summary, device unique identifier, current session identifier, and the first message authentication code, is sent to the authentication server via the authentication client. The internally pre-stored device binding authentication material is generated by the licensing tool based on the master key and device unique identifier using a key derivation algorithm during the device initialization phase and written into the secure storage area of the face recognition terminal. The device binding authentication material is bound to the device unique identifier and cannot be exported or reused across devices. Step S104: The authentication server generates a second device key based on the pre-stored master key and the received unique device identifier using a key derivation algorithm, and verifies the first message authentication code based on the second device key, and determines the identity authentication result based on the verification result.
[0024] Based on the above settings, by placing device legitimacy verification at the front end of the identity authentication process, and directly prohibiting face capture operations when device legitimacy verification fails, the possibility of abnormal terminals participating in authentication is blocked from the source, reducing security risks. Through the design of separating the master key from the device-bound authentication materials, the terminal does not store the master key, but only retains the device-bound authentication materials that cannot be exported or reused across devices. This ensures that even if the face recognition terminal is compromised or communication is intercepted, attackers cannot obtain the master key, thus preventing the impersonation of other legitimate devices or large-scale attacks. By introducing a one-time collection permission token, "allowing collection" is elevated to protocol-level control, forming a pre-gating mechanism. By incorporating face feature summaries, unique device identifiers, current session identifiers, and one-time collection permission tokens into the message authentication code calculation, session-level joint binding is achieved, effectively preventing face feature data from being ported and replayed across devices. Furthermore, by uniformly verifying the message authentication code through the authentication server, the legitimacy of the device, session, and the authenticity and integrity of the data can be confirmed simultaneously, effectively preventing data tampering and replay attacks. This achieves the technical effects of improving identity authentication security, reducing privacy leakage risks, and expanding the applicable scenarios of identity authentication methods.
[0025] The "first" and "second" prefixes before the device key are only used to distinguish whether the device key is used in the scenario of performing a device legitimacy verification process or in the scenario of performing a face authentication process.
[0026] According to an embodiment of the present invention, after the device legitimacy verification process is completed, the first device key temporarily stored in the corresponding memory is cleared by the authentication server; after the face authentication process is completed, the second device key temporarily stored in the corresponding memory is cleared by the authentication server. This further avoids the risk of device key leakage and improves the security level of identity authentication.
[0027] In this embodiment of the invention, the device-bound authentication material refers to authentication material that is bound only to a specific device, cannot be exported, and cannot be reused across devices. It is obtained by combining the master key with the device's unique identifier through a key derivation algorithm, a trusted writing mechanism, or a secure generation mechanism. According to a specific implementation of this invention, the device-bound authentication material (also referred to as the secondary key) and the first device key derived from the authentication server have the same origin and value.
[0028] In some embodiments, based on the above step S101, an active interaction mechanism between the authentication client and the face recognition terminal is established, clarifying that the authentication process is initiated by the authentication client rather than the terminal device. The authentication client, as a trusted node, sends a verification instruction as a prerequisite for triggering the face recognition terminal to return the device's unique identifier, ensuring that only authentication requests initiated by the authentication client can enter the subsequent process, preventing the terminal device from starting the authentication process on its own without receiving an instruction.
[0029] In some examples, based on step S102 above, a first device key generation mode of "master key + device unique identifier → dynamic derivation" is adopted. The authentication server does not rely on the static credentials provided by the terminal, but dynamically derives the first device key based on its own stored master key and the device unique identifier reported by the terminal, and uses this first device key to verify the legitimacy of the terminal. Since the device unique identifier is public or semi-public information, while the master key is confidential, only the authentication server that possesses the master key can derive the correct first device key, thereby achieving independent verification of the terminal's legitimacy. At the same time, since the first device key is dynamically derived, it does not need to be pre-distributed or stored in the face recognition terminal, avoiding the risk of terminal-side key leakage.
[0030] In some examples, based on step S103 above, technical constraints are implemented at both the process control and data protection levels. At the process control level: "Prohibiting the triggering of face information collection operations" is directly linked to "Device legitimacy verification failure," making the face collection operation logically dependent on the device legitimacy verification result. This strong dependency ensures that abnormal terminals cannot enter the face collection stage. Simultaneously, by introducing a one-time collection permission token, face information collection can only be triggered after the device legitimacy verification passes, forming a protocol-level pre-gating, further enhancing security. At the data protection level: The device binding authentication materials pre-stored within the face recognition terminal are from the same source as the first device key derived from the authentication server (both derived from the master key and the device's unique identifier). However, the terminal only stores the non-exportable and non-reusable device binding authentication materials, not the master key. This ensures that the terminal can independently complete message authentication code calculation while also ensuring the security of the master key. By calculating message authentication codes from facial feature summaries, unique device identifiers, current session identifiers, and one-time collection permission tokens, a multi-dimensional joint binding of device identity, user identity, session identity, and collection permission is achieved. Any tampering with the data content or impersonation of the device identity will result in message authentication code verification failure.
[0031] In some embodiments, based on step S104 above, the authentication server, using the master key and the device's unique identifier and employing the same key derivation algorithm, can derive a device key consistent with the device binding authentication material pre-stored in the face recognition terminal (generated by the licensing tool using the key derivation algorithm based on the master key and the device's unique identifier). When verifying the first message authentication code based on the second device key, if the verification passes, it indicates that the device binding authentication material used to generate the first message authentication code is consistent with the second device key, thus proving that the device binding authentication material pre-stored within the face recognition terminal and the second device key derived by the authentication server are of the same origin and value. This proves that the face recognition terminal is a legitimate device, the current authentication request belongs to a legitimate session, and the facial feature digest has not been tampered with or transplanted. This verification mechanism integrates device legitimacy verification, session legitimacy verification, and face data integrity verification into a single cryptographic operation, simplifying the verification process and enhancing security.
[0032] In some embodiments, the master key is stored in the hardware security module or trusted execution environment of the authentication server, and the face recognition terminal and authentication client do not store the master key. The step of performing device legitimacy verification on the face recognition terminal using the first device key includes: generating a random challenge value through the authentication server and sending the random challenge value to the face recognition terminal via the authentication client; the face recognition terminal performing cryptographic calculations on the random challenge value using internally pre-stored device binding authentication materials to generate a response value and returning it to the authentication server via the authentication client; the authentication server performing the same cryptographic calculations on the random challenge value based on the first device key to obtain the expected response value, and comparing the expected response value with the received response value. If the expected response value matches the response value, the device legitimacy verification of the face recognition terminal is determined to be successful.
[0033] Based on the above settings, by restricting the storage of the master key to a hardware security module or a trusted execution environment, key leakage is prevented at the physical level. Simultaneously, the device legitimacy verification scheme employs a challenge-response mechanism to prevent replay attacks at the protocol level. Furthermore, by restricting the face recognition terminal and authentication client from storing the master key, key proliferation is prevented at the terminal level. This three-layered protection works in tandem to form a complete key lifecycle security guarantee. Specifically, the master key, as the trust anchor, is always stored in the secure environment of the authentication server and never leaves its storage boundary; the face recognition terminal only holds a secondary key derived from the master key and which cannot be reverse-engineered (i.e., device-bound authentication materials); the authentication client is used for forwarding relevant information. During device legitimacy verification, the authentication server uses the master key to derive the first device key and calculates the expected response value, while the face recognition terminal uses its internally stored secondary key to calculate the actual response value. Both ends (the authentication server and the face recognition terminal) use keys of the same origin but different security levels to complete collaborative verification, achieving absolute isolation of the root key (i.e., the master key) and realizing a secure trust mechanism that separates keys from computation.
[0034] Furthermore, during the device legitimacy verification process, the authentication server actively initiates challenges, rather than passively accepting credentials submitted by the facial recognition terminal, thus making the verification process controlled by the authentication side. The introduction of random challenge values ensures the uniqueness of each verification, preventing facial recognition terminals from passing verification using pre-calculated or historically intercepted data, and making it impossible for attackers to impersonate legitimate devices by replaying historical authentication packets. In addition, facial recognition terminals no longer need to store high-value master keys; the device-binding authentication materials stored internally are only used to perform cryptographic calculations to prove their legitimacy, transforming the facial recognition terminal into a verifiable executor rather than a trusted storage entity. Understandably, even if a facial recognition terminal is compromised, the attacker can only obtain a secondary key that cannot be used to deduce the master key and is only valid for that specific device, unable to be used to attack other devices or systems. This gives the crucial device legitimacy verification process multiple security attributes: resistance to physical attacks, resistance to replay attacks, and resistance to key leakage.
[0035] According to a specific implementation of the present invention, the specific implementation of device legitimacy verification can include at least three methods.
[0036] Method 1: Challenge-Response Mechanism. The specific steps are as follows: First, the authentication server derives a first device key. Based on a pre-stored master key (master_key) and the received unique device identifier (sn), the authentication server generates a first device key (mac_key_1) using a key derivation algorithm. Second, the authentication server generates a challenge value. It generates a random number as the challenge value and sends it to the face recognition terminal via the authentication client. Third, the face recognition terminal calculates the response value. It reads pre-stored device-bound authentication materials (which can also be labeled mac_key_1 because they originate from the same source as the first device key) from the secure storage area, performs cryptographic operations (such as message authentication code calculation or encryption) on the challenge value using the first device key, and generates a response value. Fourth, the authentication server verifies the response value. It uses its own derived first device key (mac_key_1) to perform the same cryptographic operations on the same challenge value to obtain the expected response value. The response value returned by the terminal is compared with the expected response value: if they match, the terminal is determined to be a legitimate device; if they do not match, it is determined to be an abnormal device. The advantage of this device legitimacy verification mechanism is that it can proactively verify whether the terminal actually holds the correct primary device key, providing high security and effectively resisting replay attacks.
[0037] Method 2: Implicit Verification Mechanism. The specific steps are as follows: First, the authentication server derives a first device key. Based on a pre-stored master key and the device's unique identifier, the authentication server generates a first device key using a key derivation algorithm. Second, the authentication server records the derivation result, associating the derived first device key with the device's unique identifier (e.g., caching it in memory), but does not immediately verify it. Third, subsequent authentication data verification is performed. When the face recognition terminal generates authentication data and sends it to the authentication server, the authentication server derives a second device key based on the same master key and device unique identifier, and verifies the authentication data. If the authentication data verification passes, it is inferred that the first device key held by the terminal during the device legitimacy verification stage is correct, thus confirming the device's legitimacy. If the authentication data verification fails, the device legitimacy verification stage is deemed abnormal. The advantage of this device legitimacy verification mechanism is that it reduces the number of interactions, simplifies the process, and is suitable for scenarios with high performance requirements.
[0038] Method 3: Pre-shared key verification mechanism. The specific steps are as follows: The face recognition terminal sends its unique device identifier (SN) to the authentication server via the authentication client; the authentication server derives a first device key based on the master key and the unique device identifier; the face recognition terminal calculates authentication data using pre-stored device binding authentication materials, performing message authentication code calculation on data including the unique device identifier and the current timestamp to generate first authentication data, which is then sent to the authentication server; the authentication server verifies the data, using the derived first device key to calculate a message authentication code on the same data, generating second authentication data, which is then compared with the received first authentication data. If they match, the device is deemed legitimate; otherwise, the device is deemed abnormal. The advantage of this device legitimacy verification mechanism is that it completes device legitimacy verification in one step, eliminating the need for multiple interactions.
[0039] The appropriate device legitimacy verification scheme can be selected based on the needs of the actual application scenario.
[0040] In some embodiments, the step of verifying the first message authentication code based on the second device key includes: using the authentication server to find the corresponding one-time collection permission token according to the current session identifier; using the second device key to calculate the message authentication code on data including face feature digest, device unique identifier, current session identifier, and one-time collection permission token to generate a second message authentication code; comparing the second message authentication code with the received first message authentication code; if the second message authentication code matches the first message authentication code, the verification is confirmed to be successful; if they do not match, the identity authentication is confirmed to have failed.
[0041] Based on the above settings, a specific implementation scheme for verifying the first message authentication code using a second device key is proposed. By combining key technologies such as a same-source key derivation mechanism, the cryptographic characteristics of the message authentication code, the integrity design of the verification data, and independent server-side computation, unified verification of device identity, user identity, and session identity is achieved. This ensures the authenticity and reliability of the identity authentication results, enabling the entire identity authentication scheme to effectively resist various security threats such as device impersonation, data tampering, and replay attacks.
[0042] In one specific implementation, the face recognition terminal can add a one-time collection token to the face authentication request and send it to the authentication server via the authentication client. The authentication server can then verify the one-time collection token based on the session identifier. If the verification passes (i.e., ensuring that the face authentication request is legitimate), the server calculates the second message code and performs the face authentication operation.
[0043] In some embodiments, the second device key derived by the authentication server and the device binding authentication materials pre-stored within the face recognition terminal share the same generation source—both are generated from the master key and the device's unique identifier using the same key derivation algorithm. This homogeneity ensures that, assuming the terminal is legitimate and the data is complete, the message authentication codes calculated by both ends (authentication server and face recognition terminal) will necessarily be the same. The authentication server only needs to compare whether the two message authentication codes match to accurately determine the legitimacy of the terminal and the integrity of the data, without relying on other external information.
[0044] In some examples, the message authentication code provided in this embodiment of the invention has two key cryptographic characteristics: (i) only an entity holding the correct key can calculate the correct message authentication code; (ii) the message authentication code is strongly bound to the input data, and any modification to the data will cause unpredictable changes to the message authentication code. The authentication server utilizes these two characteristics to verify whether the face recognition terminal holds the correct key and whether the data is complete by comparing the consistency of the first and second message authentication codes, thereby providing a reliable security guarantee for identity authentication.
[0045] In one example, the data explicitly used to calculate the message authentication code includes a facial feature digest, a unique device identifier, and a current session identifier. This ensures that the message authentication code is simultaneously bound to user identity information, device identity information, and session identity. Understandably, any attack attempting to transfer legitimate facial data to an abnormal device will result in message authentication code verification failure due to a mismatch in the device's unique identifier; similarly, any attack attempting to tamper with facial feature data will also lead to verification failure. This dual-binding design provides a cryptographically enforced guarantee for the association between device identity and facial data.
[0046] According to embodiments of the present invention, the authentication server does not rely on any intermediate calculation results provided by the authentication client or the face recognition terminal during the face authentication process. Instead, it performs calculations entirely based on its own stored master key and the received raw data. This independence means that even if the face recognition terminal is compromised, an attacker cannot construct a message authentication code that can be verified by the authentication server, because the attacker cannot obtain the master key stored by the authentication server to generate the correct device key.
[0047] In some embodiments, the data used for calculating the message authentication code may also include a terminal trusted state digest, a timestamp, or a session random number; wherein the terminal trusted state digest includes at least one of a firmware version digest, a secure boot state digest, or a trusted execution environment metric.
[0048] Based on the above settings, by introducing a trusted state digest for the terminal, the security status of the face recognition terminal can be further verified, preventing terminals with tampered firmware or insecure operating environments from passing authentication. Introducing timestamps or session random numbers enables timeliness constraints and replay protection. Specifically, when the authentication server verifies whether the timestamp is within a preset valid window or whether the session random number has already been used, if the verification fails, it directly determines that the authentication has failed, thus quickly filtering invalid requests.
[0049] In some embodiments, the step of generating the first message authentication code includes: using the face recognition terminal to calculate the message authentication code on data including face feature summary, device unique identifier, current session identifier, one-time collection permission token, terminal trusted state summary, timestamp or session random number using internally stored device binding authentication materials, and generating the first message authentication code.
[0050] Based on the above settings, by introducing a timestamp or session random number into the calculation of the message authentication code, the cryptographic binding based on the timestamp achieves the enforceability of the timeliness constraint, and the uniqueness verification of the session random number ensures the single-use of the request, thereby providing strong timeliness constraints to effectively resist replay attacks. The integrity protection of the message authentication code ensures the immutability of the binding relationship, and realizes the uniqueness and unpredictability of the subsequently generated face authentication requests, making the entire identity authentication system more resistant to replay attacks, and further effectively improving the security and reliability of the identity authentication process.
[0051] Specifically, according to embodiments of the present invention, by incorporating timestamps or session random numbers into the data range used to calculate message authentication codes, the generated message authentication codes are bound to a parameter with timeliness or uniqueness. The inclusion of timestamps as input data in the message authentication code calculation means that the timestamp and authentication data as a whole are protected by a key. If an attacker attempts to modify the timestamp in the request to extend its validity period, they must simultaneously recalculate the message authentication code; however, due to the lack of the correct key, the attacker cannot complete the recalculation. Similarly, legitimate terminals cannot obtain a longer validity period by modifying the timestamp, because any modification to the timestamp will cause the message authentication code calculated by the authentication server during subsequent verification to be inconsistent with the received message authentication code. Session random numbers are generated and distributed by the authentication client or authentication server, or negotiated between the face recognition terminal and the authentication server. Their uniqueness is guaranteed by the generation algorithm (such as UUID, timestamp + random number combination) or the authentication server's recording mechanism. The authentication server maintains a cache of used random numbers (such as a Bloom filter or in-memory database), and checks whether the random number has been used before each verification. Because random numbers are globally unique and can only be used once, any request attempting to reuse historical random numbers will be directly rejected by the server. This provides a strong timeliness constraint to effectively resist replay attacks and improve the security and reliability of the identity authentication process.
[0052] Furthermore, the cryptographic nature of the Message Authentication Code (MAC) makes it highly sensitive to any modification to the input data. The MAC is calculated using timestamps or session random numbers along with facial feature digests, device unique identifiers, and session identifiers as input data, creating a cryptographic binding between these data elements. Any modification to any of these data elements will cause the MAC verification to fail. This binding ensures that the timestamp and random number are not merely additional fields to the request, but integral parts of the authentication data, their integrity protected at the same level as biometric data.
[0053] In some embodiments, if the data used to calculate the message authentication code includes a timestamp or a session random number, then after the step of sending the face authentication request to the authentication server, the method further includes: parsing the received face authentication request through the authentication server to extract the timestamp or session random number; verifying whether the timestamp is within a preset valid time window, or verifying whether the session random number has not been used; if the timestamp is not within the preset valid time window, or the session random number has been used, then directly determining the authentication result as authentication failure.
[0054] Based on the above settings, by performing pre-verification using timestamps or random numbers on the authentication server, invalid requests can be quickly filtered out. At the same time, the verification efficiency is ensured by directly judging the verification results. This enables the identity authentication system to have efficient identification and defense capabilities against replay attacks, while also optimizing the resource utilization efficiency of the authentication server and improving the overall performance and security of the system.
[0055] According to embodiments of the present invention, by placing the verification of timestamps or session random numbers before message authentication code verification, the low computational overhead of these two types of verifications is fully utilized. When processing facial recognition authentication requests, the authentication server first performs lightweight pre-verification, and only proceeds to the computationally intensive message authentication code verification stage after the pre-verification passes. This process design allows the authentication server to quickly reject invalid requests at an early stage, avoiding unnecessary consumption of computational resources on invalid requests. Furthermore, by independently performing timestamp or session random number verification by the authentication server, without relying on information provided by any front-end device, this independence ensures the objectivity and reliability of the verification results.
[0056] In some embodiments, because the timestamp is protected by the message authentication code, attackers cannot modify the timestamp in the request without compromising the message authentication code, thus preventing bypass of the time window verification. The authentication server independently verifies whether the timestamp is within a preset window and uses verification failure as the reason for determining the authentication result as authentication failure, thereby enforcing the timeliness constraint cryptographically. Alternatively, the authentication server can maintain a record of used session random numbers, which can be stored in a memory cache (such as Redis) or a Bloom filter to support high-concurrency query and write operations. When a session random number appears for the first time, the authentication server adds it to the record and continues subsequent verification; when the same session random number appears again, the authentication server can quickly identify and directly determine the authentication result as authentication failure by querying the record, thereby ensuring that each session random number can only be used once, eliminating the possibility of replay attacks at the source.
[0057] According to a specific embodiment of the present invention, the parameters of the preset effective time window can be flexibly adjusted through configuration. The appropriate effective time window size can be set according to the security requirements and network conditions of the actual deployment environment. For example, in scenarios with high security requirements, a shorter time window (e.g., 1 minute) can be set; in scenarios with high network latency, a longer time window (e.g., 10 minutes) can be set. This allows the technical feature to adapt to different application scenarios, achieving the best balance between security and availability.
[0058] In some embodiments, the aforementioned random challenge value is only valid within the current authentication session; after the device legitimacy verification process is completed, the first device key temporarily stored in the corresponding memory is cleared by the authentication server; after the face authentication process is completed, the second device key temporarily stored in the corresponding memory is cleared by the authentication server. First device key Second device key Based on the above settings, by limiting the random challenge value to be valid only in the current session and requiring the temporary first and second device keys stored in memory to be cleared after the corresponding verification / authentication process is completed, the lifecycle management of temporary key materials is incorporated into the security design of the identity authentication process. This transforms the key security of the entire authentication system from relying on long-term storage security to relying on short-term exposure control, reduces the risk of leakage, eliminates potential backdoors caused by key residues, and builds session-level security isolation, significantly improving the system's ability to resist key leakage attacks.
[0059] In some embodiments, the method further includes: if the number of times the face recognition terminal fails the device legitimacy verification exceeds a preset threshold, the corresponding device unique identifier is added to a blacklist through the authentication client, and requests including the device unique identifier are rejected within a preset time period; if the face recognition terminal passes the device legitimacy verification, a temporary session key is generated through the authentication server, and the temporary session key is sent to the face recognition terminal through the authentication client, so that the face recognition terminal uses the temporary session key to encrypt the data to be transmitted containing the face feature summary, device unique identifier, current session identifier and first message authentication code, and sends the generated encrypted data packet to the authentication client.
[0060] Based on the above settings, by introducing a blacklist mechanism and a temporary session key encrypted transmission mechanism, rapid identification and proactive isolation of abnormal devices are achieved. An adaptive security strategy is constructed to resist brute-force attacks, reducing system resource consumption and improving service availability. This provides traceability of security incidents and implements a time-based penalty mechanism to balance security and user experience. Specifically, the temporary session key encrypted transmission mechanism achieves end-to-end encryption protection at the transport layer; the constructed key separation system reduces the exposure surface of core keys, thereby ensuring the confidentiality of subsequent interactions in the authentication process; dynamic key management at the session level is implemented; and the integrity and source credibility of authentication data are enhanced.
[0061] In this embodiment of the invention, the temporary session key is dynamically generated by the authentication server after the device's legitimacy verification is passed. The generation algorithm can employ a secure random number generator or a derivation algorithm based on the master key. Since a new temporary session key is generated for each authentication session, the keys are not correlated, and attackers cannot deduce the keys for other sessions using known temporary session keys. This dynamic generation mechanism ensures secure isolation between sessions. Furthermore, the lifespan of the temporary session key is strictly limited to the current authentication session. After the authentication server generates the temporary session key and issues it to the face recognition terminal, the face recognition terminal uses this temporary session key to encrypt and transmit data. Upon receiving the encrypted data packet, the authentication client forwards it to the authentication server so that the authentication server can decrypt it using the same key. After decryption, both parties can destroy the temporary session key. This short lifespan design ensures the temporary nature of the key material. Even if an attacker obtains the temporary session key from a previous session, that temporary session key is already invalid and cannot be used to decrypt data from other sessions.
[0062] In some of these embodiments, the aforementioned one-time data collection permission token has at least one of the following attributes: bound to a unique device identifier, bound to a current session identifier, has a preset valid time window, is valid for a single use, and automatically expires upon timeout.
[0063] In some embodiments, the method further includes: when the user's authentication result is successful, generating a license credential for single sign-on through the authentication server and returning the license credential to the authentication client; the authentication client allows the user to access the target business system based on the license credential; wherein the target business system includes at least one of a cloud desktop system, a government affairs system, an enterprise office system, or a financial payment system.
[0064] Based on the above settings, the reusability of authentication results is ensured through the single sign-on permission credential mechanism, the credibility of the permission credential is ensured by using the authentication server as a trust anchor, the scalability of the identity authentication system is enhanced by decoupling identity authentication from business processing, and rich application scenario adaptation capabilities are provided.
[0065] The license credential provided in this embodiment of the invention is a time-sensitive and secure token generated by the authentication server after successful identity authentication. This license credential typically contains user identity information, device information, license scope, and validity period, and is digitally signed or encrypted by the authentication server. Since the license credential is issued by the authentication server, the business system can trust the identity authentication result carried by the license credential. After obtaining the license credential, the authentication client can use it as a pass to access the business system. The business system can confirm that the user has completed identity authentication by verifying the validity of the license credential, without needing to execute the authentication process again. This license credential mechanism allows the result of a single authentication to be reused multiple times and across multiple systems.
[0066] According to a specific embodiment of the present invention, the format and verification mechanism of the license credential can adopt a standardized single sign-on protocol or a custom security protocol. The standardized protocol ensures that target business systems from different vendors and of different types can uniformly access the identity authentication system. Although cloud desktop systems, government systems, enterprise office systems, and financial payment systems have different business models, they can all verify license credentials by following the same license protocol, thereby achieving seamless integration with the authentication server.
[0067] According to another specific embodiment of the present invention, the target business systems listed above, such as cloud desktop systems, government systems, enterprise office systems, and financial payment systems, have the following characteristics: cloud desktop scenarios require users to quickly enter the work environment; government scenarios require strict identity authentication and audit traceability; enterprise office scenarios involve the collaboration of multiple internal systems; and financial payment scenarios have extremely high requirements for security and user experience. That is, the application scenarios of the above-mentioned target business systems have at least the following common characteristics: high security requirements, multi-system collaborative access requirements, and frequent user identity authentication.
[0068] In some embodiments, the method further includes a key dynamic update step: if the authentication result is successful, a new salt value is generated by the authentication server, and the new salt value is encrypted and sent to the face recognition terminal via the authentication client; the face recognition terminal uses the received new salt value to update the internally stored device binding authentication materials to obtain the updated internally stored device binding authentication materials; the authentication server updates the locally stored derived base value corresponding to the device's unique identifier based on the new salt value; wherein, in the next authentication process, the authentication server uses the updated derived base value and the received device unique identifier to generate a first device key and a second device key respectively using a key derivation algorithm.
[0069] Based on the above settings, a dynamic key update scheme is provided. The update calculation of the device-bound authentication materials pre-stored inside the face recognition terminal is based on a one-way function calculation of the new salt value and the old device-bound authentication materials. This function usually adopts a cryptographic hash function (such as SM3, SHA-256) or a key derivation function (such as HKDF (HMAC-based Key Derivation Function)), which has the following characteristics: the input-output mapping is one-way, that is, the new device-bound authentication materials can be calculated from the old device-bound authentication materials and the new salt value, but the old device-bound authentication materials or the new salt value cannot be derived from the new device-bound authentication materials.
[0070] According to an embodiment of the present invention, the new salt value is randomly generated by the authentication server after the current identity authentication result is passed. Its randomness originates from a secure random number generator (such as an entropy source based on hardware noise). Due to the high randomness and unpredictability of the salt value, attackers cannot deduce the future salt value from the current key and any known information, thus preventing the pre-calculation of future keys. Even if an attacker obtains the current key, they cannot deduce the updated key because they cannot know the future random salt value, achieving backward security. Simultaneously, the derived base value stored locally by the authentication server is updated based on the new salt value. The derived base value can be understood as a transformed form of the salt value, or a combination of the salt value and the device's unique identifier. In subsequent authentication, the authentication server generates a first device key and a second device key based on the updated derived base value and the device's unique identifier. Since the derived base value is updated only after successful authentication and is synchronized with the update of the terminal's internal key, the consistency of the key state between the server and the terminal is ensured.
[0071] In some embodiments, the trigger condition for key updates is a successful authentication result. This ensures that only terminals that have undergone a complete authentication process and whose device legitimacy and user identity have been confirmed can trigger key updates. That is, before generating and issuing a new salt value, the authentication server has already verified the legitimacy of the terminal and the integrity of the authentication data through a message authentication code. This strong binding relationship inherently endorses the legitimacy of the key update operation, preventing unauthorized devices from obtaining legitimate key materials through the key update mechanism.
[0072] In some examples, the key update operation is designed as a deterministic operation: given the same old key and a new salt value, the update operation always produces the same new key. This ensures that during the normal authentication process, both the authentication server and the facial recognition terminal can independently calculate a consistent updated key state without additional synchronization communication. Furthermore, the key update mechanism is fully embedded in the normal identity authentication process, requiring no additional management operations. Each time a user successfully completes authentication, the system automatically triggers a key update. This design naturally correlates the frequency of key updates with user activity—the more frequently a user uses the device, the faster the key updates and the higher the security; while for inactive devices, although their keys are not updated, the security risk is correspondingly lower because the device itself is not used. Through this adaptive update cycle design, an automatic balance between security and operational costs is achieved.
[0073] In some embodiments, the above method further includes an abnormal circuit breaker protection step: the authentication client or authentication server records the number of device legitimacy verification failures or identity authentication failures for the same device unique identifier; if the number of failures reaches a threshold within a preset time, an abnormal circuit breaker mechanism is triggered, the device unique identifier is added to a temporary blacklist, and any authentication request from the device unique identifier is rejected within the locked time; after receiving the rejection instruction, the face recognition terminal enters a locked state and outputs a device abnormality prompt.
[0074] Based on the above settings, a specific implementation scheme for abnormal circuit breaker protection is provided. By combining the statistics of failure counts with a preset time window, a dynamic defense strategy based on the time dimension is constructed. Unlike simple cumulative failure counting, this mechanism requires the number of failures to reach a threshold within a preset time before triggering the circuit breaker. This means that attackers cannot evade detection through slow, low-frequency attempts, because even if the total number of failures is high, as long as the threshold is not reached within the time window, the circuit breaker will not be triggered. This effectively identifies concentrated brute-force attacks while avoiding overreaction to long-term, occasional failures. Simultaneously, attackers may consume the computing resources of the authentication client and authentication server by using a large number of spoofed device identifiers or repeatedly attempting authentication. However, through the circuit breaker mechanism, upon detecting abnormally high-frequency failures, the target device identifier is immediately added to a temporary blacklist, and all requests from that identifier are rejected for a locked period. This effectively prevents attackers from continuously consuming system resources, ensuring that the authentication system can still maintain basic service capabilities for legitimate devices even when under attack.
[0075] It should be noted that the preset time, threshold, and lock time mentioned above are all configurable parameters and can be flexibly adjusted according to the security requirements of different application scenarios. For scenarios with high security requirements (such as financial payments), a shorter time window, a lower failure threshold, and a longer lock time can be set; for scenarios with high user experience requirements (such as enterprise offices), relatively lenient parameters can be set, thereby enhancing the scenario adaptability of the solution.
[0076] In some embodiments, the step of using the device binding authentication materials pre-stored within the face recognition terminal to calculate the message authentication code for data including at least a face feature summary, a unique device identifier, a session identifier, and a one-time collection permission token, and generating a first message authentication code, further includes: performing a hash operation on the face feature data through the face recognition terminal to obtain a face feature summary; concatenating the face feature summary, the unique device identifier, the current session identifier, the one-time collection permission token, and the current timestamp / session random number into a string to be signed; and using the pre-stored device binding authentication materials to calculate the message authentication code for the string to be signed, thereby generating a first message authentication code. This achieves a strong binding between the face feature summary and the unique device identifier and the session identifier, preventing the face feature data from being ported to other devices for use.
[0077] Based on the above setup, by using the hash digest of facial feature data along with the device unique identifier, session identifier, and timestamp as inputs for calculating the message authentication code, a multi-dimensional cryptographic binding between facial feature data and device / session identity is achieved. Specifically, the feature digest carries user identity information, the device unique identifier carries device identity information, the session identifier carries the current session identity, and the timestamp carries time-related information. These data elements form an indivisible whole under the key protection of the message authentication code. Any attempt to separate or replace any of these data elements will result in message authentication code verification failure, thus achieving a strong binding between facial feature data, device unique identifier, and session. Furthermore, hash operations are unidirectional and irreversible; the original facial feature data cannot be derived from the feature digest. By obtaining the feature digest through hash operations on the facial feature data, rather than directly using the original facial feature data for message authentication code calculation, the direct exposure of the original facial feature data in the authentication data is avoided. Even if an attacker intercepts the data packet in the authentication request, they cannot obtain the user's original facial feature information, thereby protecting the privacy and security of the user's biometrics.
[0078] In some embodiments, the above-mentioned face authentication request does not contain the user's original face image data, but only the extracted face feature summary; after the authentication server passes the verification, it compares the face feature data with the pre-stored standard face feature template to complete the final identity confirmation.
[0079] Based on the above settings, in terms of data composition, by transmitting only facial feature summaries instead of the original images, user biometric privacy is protected, the risk of sensitive data leakage is reduced, network transmission load is decreased, and system response speed is improved. In terms of the verification process, a layered verification architecture separates the responsibilities of cryptographic verification and feature comparison, optimizing server-side resource utilization. Therefore, the identity authentication system ensures high security while possessing good performance and privacy protection capabilities.
[0080] The identity authentication method provided in this embodiment of the invention responds to a user's identity authentication request by sending a verification command to the face recognition terminal through an authentication client, and forwarding the device legitimacy verification request returned by the face recognition terminal, including the device's unique identifier, to the authentication server. The authentication server generates a first device key based on a pre-stored master key and the received device unique identifier using a key derivation algorithm, and uses the first device key to perform device legitimacy verification on the face recognition terminal. If the face recognition terminal fails the device legitimacy verification, the identity authentication process is terminated through the authentication client, and the face recognition terminal is prohibited from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, a one-time collection permission token corresponding to the current session identifier is generated through the authentication server, and the one-time collection permission token is issued to the face recognition terminal through the authentication client, enabling the face recognition terminal to collect the user's face information and extract facial features based on the one-time collection permission token. The method involves using pre-stored device-binding authentication materials within the face recognition terminal to calculate a message authentication code from data including at least a face feature summary, a unique device identifier, a current session identifier, and a one-time acquisition permission token. This generates a first message authentication code, and a face authentication request, including the face feature summary, unique device identifier, current session identifier, and the first message authentication code, is sent from the authentication client to the authentication server. The pre-stored device-binding authentication materials are generated by the licensing tool during device initialization using a key derivation algorithm based on the master key and the unique device identifier, and are written to the secure storage area of the face recognition terminal. These materials are bound to the unique device identifier and cannot be exported or reused across devices. The authentication server then uses the pre-stored master key and the received unique device identifier to generate a second device key using a key derivation algorithm. This second device key is then used to verify the first message authentication code, and the authentication result is determined based on the verification result.By setting device legitimacy verification at the front end of the identity authentication process, and directly prohibiting face capture operations when device legitimacy verification fails, the possibility of abnormal terminals participating in authentication is blocked from the source, reducing security risks. Through the design of separating the master key from the device-bound authentication materials, the terminal does not store the master key, but only retains the device-bound authentication materials that cannot be exported or reused across devices. This ensures that even if the face recognition terminal is compromised or communication is intercepted, attackers cannot obtain the master key, thus preventing the impersonation of other legitimate devices or large-scale attacks. By introducing a one-time collection permission token, "allowing collection" is elevated to protocol-level control, forming a pre-gating mechanism. By incorporating face feature summaries, unique device identifiers, current session identifiers, and one-time collection permission tokens into the message authentication code calculation, session-level joint binding is achieved, effectively preventing face feature data from being ported and replayed across devices. Furthermore, based on the unified verification of this first message authentication code by the authentication server, the legitimacy of the device and the authenticity of the face data can be confirmed simultaneously, effectively preventing data tampering and replay attacks. This achieves the technical effects of improving the security of identity authentication, reducing the risk of privacy leakage, and expanding the applicable scenarios of identity authentication methods.
[0081] Based on the face authentication method based on the pre-constraint of terminal device legitimacy provided in the embodiments of the present invention, the embodiments of the present invention also provide a face authentication system based on the pre-constraint of terminal device legitimacy, such as... Figure 2 As shown, the face authentication system 200 based on the pre-constraint of terminal device legitimacy includes: The authentication client 201 is used to respond to the user's identity authentication request, send a verification command to the face recognition terminal, and forward the device legitimacy verification request returned by the face recognition terminal, including the unique device identifier, to the authentication server so that the authentication server can perform device legitimacy verification. If the face recognition terminal fails the device legitimacy verification, the authentication client terminates the identity authentication process and prohibits the face recognition terminal from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, the authentication server forwards the one-time collection permission token generated by the authentication server, which corresponds to the current session identifier, to the face recognition terminal. The face recognition terminal 202 is used to collect a user's facial information and extract a facial feature summary based on a one-time collection permission token. Utilizing pre-stored device binding authentication materials within the face recognition terminal, it calculates a message authentication code on data including at least the facial feature summary, the device's unique identifier, the current session identifier, and the one-time collection permission token, generating a first message authentication code. It then sends a face authentication request, including the facial feature summary, the device's unique identifier, the current session identifier, and the first message authentication code, to the authentication server via an authentication client. The pre-stored device binding authentication materials are generated by the licensing tool during the device initialization phase using a key derivation algorithm based on the master key and the device's unique identifier, and are written into the secure storage area of the face recognition terminal. These device binding authentication materials are bound to the device's unique identifier and cannot be exported or reused across devices. The authentication server 203 is used to generate a first device key based on a pre-stored master key and a received unique device identifier using a key derivation algorithm after receiving a device legitimacy verification request, and to perform device legitimacy verification on the face recognition terminal based on the first device key; when the face recognition terminal passes the device legitimacy verification, it generates a one-time acquisition permission token corresponding to the current session identifier and sends the one-time acquisition permission token to the face recognition terminal via the authentication client; it is also used to generate a second device key based on a pre-stored master key and a received unique device identifier using a key derivation algorithm, to verify the first message authentication code based on the second device key, and to determine the identity authentication result based on the verification result.
[0082] Based on the above settings, by placing device legitimacy verification at the front end of the identity authentication process, and directly prohibiting face capture operations when device legitimacy verification fails, the possibility of abnormal terminals participating in authentication is blocked from the source, reducing security risks. Through the design of separating the master key from the device-bound authentication materials, the terminal does not store the master key, but only retains the device-bound authentication materials that cannot be exported or reused across devices. This ensures that even if the face recognition terminal is compromised or communication is intercepted, attackers cannot obtain the master key, thus preventing the impersonation of other legitimate devices or large-scale attacks. By introducing a one-time collection permission token, "allowing collection" is elevated to protocol-level control, forming a pre-gating mechanism. By incorporating face feature summaries, unique device identifiers, current session identifiers, and one-time collection permission tokens into the message authentication code calculation, session-level joint binding is achieved, effectively preventing face feature data from being ported and replayed across devices. Furthermore, unified verification of the message authentication code by the authentication server simultaneously confirms device legitimacy, session legitimacy, and the authenticity and integrity of the data, effectively preventing data tampering and replay attacks. This achieves the technical effects of improving identity authentication security, reducing privacy leakage risks, and expanding the applicable scenarios of the identity authentication system.
[0083] Meanwhile, since this application uses the aforementioned face authentication system 200 based on the pre-constraint of terminal device legitimacy to implement any of the aforementioned face authentication methods based on the pre-constraint of terminal device legitimacy, the execution operations corresponding to the individual execution of each module or the interaction between modules in the aforementioned face authentication system based on the pre-constraint of terminal device legitimacy are consistent with those in the aforementioned face authentication method based on the pre-constraint of terminal device legitimacy, and can achieve all the beneficial effects corresponding to the aforementioned face authentication method based on the pre-constraint of terminal device legitimacy. This application will not elaborate further here.
[0084] According to a specific embodiment of the present invention, such as Figure 3 As shown in the diagram, the interaction steps between different modules in a face authentication system based on pre-constraints of terminal device legitimacy are as follows: (1) The user clicks the cloud desktop shortcut to trigger the authentication process; (2) The authentication client responds to the user's click by jumping to the cloud desktop login interface and sending a verification command to the face recognition terminal; (3) The face recognition terminal sends a device legitimacy verification request, including the device's unique identifier (sn), to the authentication server via the authentication client; (4) The authentication server generates a random challenge value and sends it to the face recognition terminal via the authentication client; (5) The face recognition terminal performs cryptographic calculations on the random challenge value based on the internally stored device binding authentication materials to generate a response value (response_1); (6) The face recognition terminal... The terminal returns the response value response_1 to the authentication server via the authentication client; (7) The authentication server generates the first device key mac_key_1 based on the pre-stored master key master_key and the received device unique identifier sn using the key derivation algorithm; and uses the first device key mac_key_1 to perform the same cryptographic calculation on the random challenge value challenge to obtain the expected response value response_2. The expected response value response_2 is compared with the received response value response_1. If the expected response value response_2 is consistent with the response value response_1, then the face recognition is determined. (8) If the verification is successful, the authentication server generates a one-time collection permission token corresponding to the current session identifier SessionID and sends it to the face recognition terminal via the authentication client; (9) The face recognition terminal collects the user's face information and extracts the face feature digest data based on the one-time collection permission token; (10) Using the device binding authentication material mac_key_1 pre-stored inside the face recognition terminal (generated by the licensing tool based on the master key and the unique device identifier using a key derivation algorithm during the device initialization phase and written into the secure storage area of the face recognition terminal), the device binding authentication material mac_key_1 is used to collect the user's face information and extract the face feature digest data. The unique identifier sn, the current session identifier SessionID, and the one-time collection permission token are used to calculate the message authentication code and generate the first message authentication code mac_1; (11) The face recognition terminal sends the face authentication request, which includes the face feature summary data, the device unique identifier sn, the current session identifier SessionID and the first message authentication code mac_1, to the authentication client, and forwards the face authentication request to the authentication server through the authentication client; (12) The authentication server generates the second device key mac_key_2 based on the pre-stored master key master_key and the received device unique identifier sn using the key derivation algorithm;(13) The authentication server uses the second device key mac_key_2 to calculate the message authentication code on the data including face feature digest data, device unique identifier sn, current session identifier SessionID, and one-time collection permission token, generating a second message authentication code mac_2. The second message authentication code mac_2 is compared with the received first message authentication code mac_1. If the second message authentication code mac_2 matches the first message authentication code mac_1, the verification is confirmed to be successful; if they do not match, the identity authentication is confirmed to have failed. (14) If the comparison matches, the authentication success result is fed back.
[0085] It should be noted that the specific module settings within the aforementioned face authentication system based on pre-existing terminal device legitimacy constraints are primarily defined according to the corresponding operations performed and are not intended to limit the specific modules. For example, an identity authentication gateway can be introduced into the face authentication system based on pre-existing terminal device legitimacy constraints to perform device legitimacy verification and face authentication operations. Third-party licensing tools can also be introduced into the identity authentication system to generate master keys, device keys, and to distribute execution keys.
[0086] This invention also provides a non-transitory machine-readable medium storing a computer program, wherein the computer program, when executed by a computer's processor, is used to cause the computer to perform a method according to an embodiment of this invention.
[0087] This invention also provides a computer program product, including a computer program, wherein the computer program, when executed by a computer's processor, is used to cause the computer to perform the methods of embodiments of this invention. The computer program product should be understood as a software product that primarily implements the methods of this invention through a computer program.
[0088] This invention also provides an electronic device, including: at least one processor; and a memory communicatively connected to the at least one processor. The memory stores a computer program executable by the at least one processor, which, when executed by the at least one processor, causes the electronic device to perform the method of this invention.
[0089] refer to Figure 4The present invention will now be described in the form of a structural block diagram of an electronic device that can serve as an embodiment of the present invention, which is an example of a hardware device that can be applied to various aspects of the present invention. The electronic device is intended to represent various forms of digital electronic computer devices, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the invention described and / or claimed herein.
[0090] like Figure 4 As shown, the electronic device includes a computing unit 401, which can perform various appropriate actions and processes based on a computer program stored in a read-only memory (ROM) 402 or a computer program loaded from a storage unit 408 into a random access memory (RAM) 403. The RAM 403 may also store various programs and data required for the operation of the electronic device. The computing unit 401, ROM 402, and RAM 403 are interconnected via a bus 404. An input / output (I / O) interface 405 is also connected to the bus 404.
[0091] Multiple components in the electronic device are connected to I / O interface 405, including: input unit 406, output unit 407, storage unit 408, and communication unit 409. Input unit 406 can be any type of device capable of inputting information into the electronic device. Input unit 406 can receive input digital or character information and generate key signal inputs related to user settings and / or function control of the electronic device. Output unit 407 can be any type of device capable of presenting information and may include, but is not limited to, a display, speaker, video / audio output terminal, vibrator, and / or printer. Storage unit 408 may include, but is not limited to, disks and optical discs. Communication unit 409 allows the electronic device to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks, and may include, but is not limited to, modems, network cards, infrared communication devices, and / or wireless communication transceivers, such as Bluetooth devices, WiFi devices, WiMax devices, cellular communication devices, and / or the like.
[0092] The computing unit 401 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, CPUs, graphics processing units (GPUs), various special-purpose artificial intelligence (AI) computing units, various computing units running machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the various methods and processes described above. For example, in some embodiments, the method embodiments of the present invention can be implemented as a computer program tangibly contained in a machine-readable medium, such as storage unit 408. In some embodiments, part or all of the computer program can be loaded and / or installed on an electronic device via ROM 402 and / or communication unit 409. In some embodiments, the computing unit 401 can be configured to perform the methods described above by any other suitable means (e.g., by means of firmware).
[0093] Computer programs for implementing the methods of embodiments of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor or controller of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus, such that when executed by the processor or controller, the computer programs cause the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The computer programs may be executed entirely on a machine, partially on a machine, or as a standalone software package, partially on a machine and partially on a remote machine, or entirely on a remote machine or server.
[0094] In the context of embodiments of the present invention, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable signal medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, or infrared systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0095] It should be noted that the term "comprising" and its variations used in the embodiments of the present invention are open-ended, meaning "including but not limited to". The term "based on" means "at least partially based on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". The modifications of "one" and "multiple" mentioned in the embodiments of the present invention are illustrative and not restrictive. Those skilled in the art should understand that, unless explicitly indicated otherwise in the context, they should be understood as "one or more".
[0096] The information / data involved in the embodiments of this invention (including but not limited to user device information / data, user personal information / data, information / data used for analysis, stored information / data, displayed information / data, etc.) are all information / data that has been permitted by the user or fully agreed upon by all parties. Furthermore, the collection, use and processing of such information / data must comply with relevant laws, regulations and standards, and corresponding operation entry points are provided for users to choose to agree or refuse.
[0097] The steps described in the method embodiments provided by this invention can be performed in different orders and / or in parallel. Furthermore, the method embodiments may include additional steps and / or omit the steps shown. The scope of protection of this invention is not limited in this respect.
[0098] The term "embodiment" in this specification refers to a specific feature, structure, or characteristic described in connection with an embodiment that may be included in at least one embodiment of the invention. The appearance of this phrase in various places in the specification does not necessarily imply the same embodiment, nor does it imply independence or alternativeity from other embodiments. The various embodiments in this specification are described in a related manner, with reference to each other for similar or identical parts. In particular, for apparatus, device, and system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, and relevant details are referred to in the description of the method embodiments.
[0099] The embodiments described above are merely illustrative of several implementations of the present invention, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of protection. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the appended claims.
Claims
1. A face authentication method based on pre-constraint of terminal device legitimacy, characterized in that, The method is applied to an identity authentication system, which includes a face recognition terminal, an authentication client, and an authentication server; the method includes: In response to a user's authentication request, the authentication client sends a verification command to the face recognition terminal and forwards the device legitimacy verification request, which includes the device's unique identifier, returned by the face recognition terminal to the authentication server. The authentication server generates a first device key based on the pre-stored master key and the received unique device identifier using a key derivation algorithm, and then uses the first device key to perform device legitimacy verification on the face recognition terminal. If the face recognition terminal fails the device legitimacy verification, the authentication process is terminated through the authentication client, and the face recognition terminal is prohibited from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, a one-time collection permission token corresponding to the current session identifier is generated through the authentication server, and the one-time collection permission token is sent to the face recognition terminal through the authentication client. This allows the face recognition terminal to collect the user's face information and extract the face feature digest based on the one-time collection permission token. Using the device binding authentication materials pre-stored within the face recognition terminal, the system collects at least the face feature digest and the device unique identifier. The system calculates a message authentication code using the identifier, the current session identifier, and the one-time acquisition permission token data to generate a first message authentication code. A face authentication request, including the face feature summary, the device unique identifier, the current session identifier, and the first message authentication code, is then sent to the authentication server via the authentication client. The internally pre-stored device-bound authentication material is generated by the licensing tool during the device initialization phase using the key derivation algorithm based on the master key and the device unique identifier, and written into the secure storage area of the face recognition terminal. This device-bound authentication material is bound to the device unique identifier and cannot be exported or reused across devices. The authentication server generates a second device key using the key derivation algorithm based on the pre-stored master key and the received unique device identifier, and verifies the first message authentication code based on the second device key, and determines the identity authentication result based on the verification result.
2. The method according to claim 1, characterized in that, The master key is stored in the hardware security module or trusted execution environment of the authentication server, and neither the face recognition terminal nor the authentication client stores the master key; The step of performing device legitimacy verification on the face recognition terminal using the first device key includes: The authentication server generates a random challenge value, which is then sent to the face recognition terminal via the authentication client. The face recognition terminal uses the device binding authentication materials pre-stored inside to perform cryptographic calculations on the random challenge value, generate a response value, and return it to the authentication server via the authentication client; The authentication server performs the same cryptographic calculation on the random challenge value based on the first device key to obtain the expected response value, and compares the expected response value with the received response value. If the expected response value is consistent with the response value, the device legitimacy verification of the face recognition terminal is determined to be successful.
3. The method according to claim 1, characterized in that, The step of verifying the first message authentication code based on the second device key includes: The authentication server finds the corresponding one-time collection permission token based on the current session identifier, and uses the second device key to calculate the message authentication code on the data including the face feature digest, the device unique identifier, the current session identifier, and the one-time collection permission token, thereby generating a second message authentication code; The second message authentication code is compared with the received first message authentication code. If the second message authentication code matches the first message authentication code, the verification is successful; otherwise, the identity authentication fails.
4. The method according to claim 1, characterized in that, The data used for calculating the message authentication code also includes a terminal trusted state digest, a timestamp, or a session random number; wherein, the terminal trusted state digest includes at least one of a firmware version digest, a secure boot state digest, or a trusted execution environment metric. The step of generating the first message authentication code includes: using the face recognition terminal to calculate the message authentication code by using the device binding authentication materials stored internally, including the face feature summary, the device unique identifier, the current session identifier, the one-time collection permission token, the terminal trusted state summary, and the timestamp or session random number, to generate the first message authentication code; If the data used to calculate the message authentication code includes a timestamp or a session random number; after the step of sending the face authentication request to the authentication server via the authentication client, the method further includes: The authentication server parses the received face authentication request to extract the timestamp or session random number; it verifies whether the timestamp is within a preset valid time window, or whether the session random number has not been used; if the timestamp is not within the preset valid time window, or the session random number has been used, the authentication result is directly determined as authentication failure.
5. The method according to claim 2, characterized in that, The random challenge value is only valid in the current authentication session; after the device legitimacy verification process is completed, the first device key temporarily stored in the corresponding memory is cleared by the authentication server; after the face identity verification process is completed, the second device key temporarily stored in the corresponding memory is cleared by the authentication server.
6. The method according to claim 1, characterized in that, The method further includes: If the number of times the face recognition terminal fails the device legitimacy verification exceeds a preset threshold, the authentication client adds the corresponding device unique identifier to the blacklist and rejects requests that include the device unique identifier for a preset time period. If the face recognition terminal passes the device legitimacy verification, it generates a temporary session key through the authentication server and sends the temporary session key to the face recognition terminal via the authentication client. This allows the face recognition terminal to use the temporary session key to encrypt the data to be transmitted, which includes the face feature summary, the device unique identifier, the current session identifier, and the first message authentication code, and then send the generated encrypted data packet to the authentication client.
7. The method according to claim 1, characterized in that, The one-time data collection permission token has at least one of the following attributes: it is bound to the device's unique identifier, it is bound to the current session identifier, it has a preset valid time window, it is valid for one use, and it automatically expires after timeout; The facial authentication request does not contain the user's original facial image data, but only the extracted facial feature summary; after the first message authentication code is verified, the facial feature summary is also compared with a pre-stored standard facial feature template by the authentication server to determine the final identity authentication result.
8. The method according to any one of claims 1 to 7, characterized in that, The method further includes: When the user's identity authentication result is successful, the authentication server generates a single sign-on license credential and returns the license credential to the authentication client. The authentication client allows the user to access the target business system based on the license credential; wherein the target business system includes at least one of a cloud desktop system, a government affairs system, an enterprise office system, or a financial payment system.
9. A facial recognition system based on pre-existing terminal device legitimacy constraints, characterized in that, This includes facial recognition terminals, authentication clients, and authentication servers; among them, The authentication client is used to respond to a user's identity authentication request, send a verification command to the face recognition terminal, and forward the device legitimacy verification request returned by the face recognition terminal, including the unique device identifier, to the authentication server so that the authentication server can perform device legitimacy verification. If the face recognition terminal fails the device legitimacy verification, the authentication client terminates the identity authentication process and prohibits the face recognition terminal from performing face information collection operations. If the face recognition terminal passes the device legitimacy verification, the authentication server forwards a one-time collection permission token corresponding to the current session identifier to the face recognition terminal. The face recognition terminal is used to collect the user's facial information and extract a facial feature summary based on the one-time collection permission token. Using the device binding authentication materials pre-stored within the face recognition terminal, it calculates a message authentication code on data including at least the facial feature summary, the device unique identifier, the current session identifier, and the one-time collection permission token, generating a first message authentication code. A face authentication request including the facial feature summary, the device unique identifier, the current session identifier, and the first message authentication code is then sent to the authentication server via the authentication client. The pre-stored device binding authentication materials are generated by the licensing tool during the device initialization phase using the key derivation algorithm based on the master key and the device unique identifier, and written into the secure storage area of the face recognition terminal. These device binding authentication materials are bound to the device unique identifier and cannot be exported or reused across devices. The authentication server is configured to, upon receiving the device legitimacy verification request, generate a first device key based on a pre-stored master key and the received unique device identifier using a key derivation algorithm, and perform device legitimacy verification on the face recognition terminal according to the first device key; when the face recognition terminal passes the device legitimacy verification, generate a one-time acquisition permission token corresponding to the current session identifier, and send the one-time acquisition permission token to the face recognition terminal via the authentication client; and is further configured to, based on the pre-stored master key and the received unique device identifier, generate a second device key using the key derivation algorithm, verify the first message authentication code based on the second device key, and determine the identity authentication result based on the verification result.
10. A non-transitory machine-readable medium storing computer instructions, characterized in that, The computer instructions are used to cause the computer to perform the method according to claims 1 to 8.