安全生物识别的传感器要求
Microsoft 利用受信任的平台模块 (TPM) 2.0 来确保:在具备相应硬件的情况下,软件(直至并包括内核级恶意软件)无法在用户未于身份验证时提供生物识别特征的情况下生成有效的生物识别身份验证。
为此,我们在受信任的执行环境中使用基于 TPM 2.0 会话的授权,并由传感器执行特征提取和匹配。当 Windows 生物识别框架首次发现安全传感器(通过安全传感器功能报告)时,它会预配一个由安全生物识别传感器与 TPM 共享的机密。该机密此后永远不会再次公开到 OS,并且对于每个传感器都是唯一的。
若要执行身份验证,Windows 生物识别框架将打开与 TPM 的会话并获取一个 nonce。该 nonce 作为安全匹配操作的一部分传递到安全传感器。传感器在受信任的执行环境中执行匹配;如果匹配成功,则基于该 nonce 以及所标识用户的身份计算 HMAC。
Windows 生物识别框架可以使用此 HMAC 在 TPM 中代表所标识的用户执行加密操作。HMAC 的生存期很短,几秒钟后即过期。
在初始预配之后使用此协议时,OS 中不保留任何敏感数据。机密由 TPM 和安全传感器持有,身份验证期间唯一公开的机密是生存期很短的 HMAC。
安全传感器功能
如果传感器支持引擎适配器接口 v4.0 中新增的引擎适配器方法,则必须报告 WINBIO_CAPABILITY_SECURE_SENSOR 功能。
若要声明传感器是安全传感器,它必须满足以下要求:
- 传感器的匹配引擎必须与普通 OS 隔离(例如,使用受信任的执行环境)
- 传感器必须支持将样本安全地输入到隔离的匹配引擎;不得向普通 OS 公开样本的内容
- 匹配引擎必须通过实现下面概述的新 v4 方法来支持安全凭据发布
- 传感器必须支持呈现攻击检测(presentation attack detection)。
WINBIO_CAPABILITY_SECURE_SENSOR值包含在 WINBIO_CAPABILITIES 结构中。 下面是有关如何定义它的示例。
//
// Capability bit a sensor reports in WINBIO_CAPABILITIES when it meets the
// secure-sensor requirements listed above and implements the v4.0 engine
// adapter methods (CreateKey / IdentifyFeatureSetSecure).
//
#define WINBIO_CAPABILITY_SECURE_SENSOR ((WINBIO_CAPABILITIES)0x00000100)
错误代码
//
// Failure HRESULTs (high bit set) added with the v4.0 secure-sensor methods.
// The MessageText lines are the user-facing strings for each code.
//
//
// MessageId: WINBIO_E_INVALID_KEY_IDENTIFIER
//
// MessageText:
//
// The key identifier is invalid.
//
// NOTE(review): presumably returned when a KeyIdentifier/KeyIdentifierSize
// pair handed to IdentifyFeatureSetSecure does not name a key the engine
// holds -- confirm against the adapter contract.
//
#define WINBIO_E_INVALID_KEY_IDENTIFIER ((HRESULT)0x80098052L)
//
// MessageId: WINBIO_E_KEY_CREATION_FAILED
//
// MessageText:
//
// The key cannot be created.
//
// NOTE(review): presumably the generic failure code for CreateKey -- confirm.
//
#define WINBIO_E_KEY_CREATION_FAILED ((HRESULT)0x80098053L)
//
// MessageId: WINBIO_E_KEY_IDENTIFIER_BUFFER_TOO_SMALL
//
// MessageText:
//
// The key identifier buffer is too small.
//
// NOTE(review): presumably returned by CreateKey when KeyIdentifierSize is
// smaller than the identifier to be written; an implementation should return
// this rather than truncate the identifier -- confirm.
//
#define WINBIO_E_KEY_IDENTIFIER_BUFFER_TOO_SMALL ((HRESULT)0x80098054L)
引擎适配器接口 v 4.0
引擎适配器接口版本已递增到 4.0。新接口中新增的函数允许传感器参与上述 TPM 2.0 协议。它们是:
//
// Additional methods available in V4.0 and later
//
//
// PIBIO_ENGINE_CREATE_KEY_FN
//
// Installs a key in the engine and returns an opaque identifier for it.
// The protocol description above says the secret shared between the secure
// sensor and the TPM is provisioned once, when the framework first sees the
// sensor, and is never exposed to the OS again; Key/KeySize presumably carry
// that provisioning material -- confirm against the adapter contract.
//
// Pipeline          - adapter pipeline state (in/out).
// Key, KeySize      - input key bytes (read-only for the engine).
// KeyIdentifier,
// KeyIdentifierSize - caller-supplied output buffer and its size in bytes.
// ResultSize        - receives the number of identifier bytes written
//                     (per the _Out_writes_bytes_to_ annotation).
//
// NOTE(review): the engine must check KeyIdentifierSize before writing and
// should fail (presumably with WINBIO_E_KEY_IDENTIFIER_BUFFER_TOO_SMALL)
// rather than truncate. Key material should remain inside the isolated
// engine; any OS-visible staging copy should be zeroized once consumed.
//
typedef HRESULT
(WINAPI *PIBIO_ENGINE_CREATE_KEY_FN)(
_Inout_ PWINBIO_PIPELINE Pipeline,
_In_reads_(KeySize) const UCHAR* Key,
_In_ SIZE_T KeySize,
_Out_writes_bytes_to_(KeyIdentifierSize, *ResultSize) PUCHAR KeyIdentifier,
_In_ SIZE_T KeyIdentifierSize,
_Out_ PSIZE_T ResultSize
);
//
// PIBIO_ENGINE_IDENTIFY_FEATURE_SET_SECURE_FN
//
// Secure variant of IdentifyFeatureSet. Per the protocol described above, the
// framework obtains a nonce from a TPM session and passes it to the sensor;
// the sensor matches inside its isolated execution environment and, on
// success, computes an HMAC over that nonce and the identified user's
// identity. That HMAC is short-lived (expires after a few seconds).
//
// Pipeline                          - adapter pipeline state (in/out).
// Nonce, NonceSize                  - TPM-supplied nonce for this
//                                     authentication attempt.
// KeyIdentifier, KeyIdentifierSize  - identifier presumably obtained earlier
//                                     from CreateKey -- confirm.
// Identity, SubFactor, RejectDetail - match outputs.
// Authorization, AuthorizationSize  - engine-provided buffer (see the
//                                     _Outptr_result_bytebuffer_ annotation),
//                                     presumably holding the HMAC described
//                                     above. Who releases this buffer is not
//                                     stated here -- confirm.
//
// NOTE(review): the nonce is what ties the Authorization value to this
// session, so an implementation should compute it fresh per call and, on a
// failed match, set *Authorization to NULL and *AuthorizationSize to 0 so a
// caller cannot mistake stale data for a credential.
//
typedef HRESULT
(WINAPI *PIBIO_ENGINE_IDENTIFY_FEATURE_SET_SECURE_FN)(
_Inout_ PWINBIO_PIPELINE Pipeline,
_In_reads_(NonceSize) const UCHAR* Nonce,
_In_ SIZE_T NonceSize,
_In_reads_(KeyIdentifierSize) const UCHAR* KeyIdentifier,
_In_ SIZE_T KeyIdentifierSize,
_Out_ PWINBIO_IDENTITY Identity,
_Out_ PWINBIO_BIOMETRIC_SUBTYPE SubFactor,
_Out_ PWINBIO_REJECT_DETAIL RejectDetail,
_Outptr_result_bytebuffer_(*AuthorizationSize) PUCHAR *Authorization,
_Out_ PSIZE_T AuthorizationSize
);
//
// Interface version an engine adapter reports in WINBIO_ENGINE_INTERFACE.Version
// when it implements the v4.0 methods (CreateKey / IdentifyFeatureSetSecure).
//
#define WINBIO_ENGINE_INTERFACE_VERSION_4 WINBIO_MAKE_INTERFACE_VERSION(4,0)
//
// Engine adapter function table. Member order is part of the ABI: the
// framework indexes this table by position, and the V2.0/V3.0/V4.0 members
// are only compiled in for the matching NTDDI_VERSION, so new members are
// appended inside the newest #if block and never inserted earlier.
// NOTE(review): presumably Version/Size tell the framework which trailing
// members are present -- confirm.
//
typedef struct _WINBIO_ENGINE_INTERFACE {
WINBIO_ADAPTER_INTERFACE_VERSION Version;
WINBIO_ADAPTER_TYPE Type;
SIZE_T Size;
GUID AdapterId;
PIBIO_ENGINE_ATTACH_FN Attach;
PIBIO_ENGINE_DETACH_FN Detach;
PIBIO_ENGINE_CLEAR_CONTEXT_FN ClearContext;
PIBIO_ENGINE_QUERY_PREFERRED_FORMAT_FN QueryPreferredFormat;
PIBIO_ENGINE_QUERY_INDEX_VECTOR_SIZE_FN QueryIndexVectorSize;
PIBIO_ENGINE_QUERY_HASH_ALGORITHMS_FN QueryHashAlgorithms;
PIBIO_ENGINE_SET_HASH_ALGORITHM_FN SetHashAlgorithm;
PIBIO_ENGINE_QUERY_SAMPLE_HINT_FN QuerySampleHint;
PIBIO_ENGINE_ACCEPT_SAMPLE_DATA_FN AcceptSampleData; // PROCESSES CURRENT BUFFER FROM PIPELINE AND GENERATES A FEATURE SET IN THE PIPELINE
PIBIO_ENGINE_EXPORT_ENGINE_DATA_FN ExportEngineData; // EXPORTS FEATURE SET OR TEMPLATE
PIBIO_ENGINE_VERIFY_FEATURE_SET_FN VerifyFeatureSet;
PIBIO_ENGINE_IDENTIFY_FEATURE_SET_FN IdentifyFeatureSet;
PIBIO_ENGINE_CREATE_ENROLLMENT_FN CreateEnrollment; // ATTACHES AN EMPTY ENROLLMENT TEMPLATE TO THE PIPELINE
PIBIO_ENGINE_UPDATE_ENROLLMENT_FN UpdateEnrollment; // CONVERTS CURRENT PIPELINE FEATURE SET INTO SOMETHING THAT CAN BE ADDED TO A TEMPLATE
PIBIO_ENGINE_GET_ENROLLMENT_STATUS_FN GetEnrollmentStatus; // QUERIES TEMPLATE ATTACHED TO THE PIPELINE TO SEE IF IT IS READY TO COMMIT
PIBIO_ENGINE_GET_ENROLLMENT_HASH_FN GetEnrollmentHash;
PIBIO_ENGINE_CHECK_FOR_DUPLICATE_FN CheckForDuplicate; // DETERMINES WHETHER TEMPLATE IS ALREADY ENROLLED
PIBIO_ENGINE_COMMIT_ENROLLMENT_FN CommitEnrollment;
PIBIO_ENGINE_DISCARD_ENROLLMENT_FN DiscardEnrollment;
PIBIO_ENGINE_CONTROL_UNIT_FN ControlUnit;
PIBIO_ENGINE_CONTROL_UNIT_PRIVILEGED_FN ControlUnitPrivileged;
#if (NTDDI_VERSION >= NTDDI_WIN8)
//
// V2.0 methods begin here...
//
PIBIO_ENGINE_NOTIFY_POWER_CHANGE_FN NotifyPowerChange;
PIBIO_ENGINE_RESERVED_1_FN Reserved_1;
#endif
#if (NTDDI_VERSION >= NTDDI_WINTHRESHOLD)
//
// V3.0 methods begin here...
//
PIBIO_ENGINE_PIPELINE_INIT_FN PipelineInit;
PIBIO_ENGINE_PIPELINE_CLEANUP_FN PipelineCleanup;
PIBIO_ENGINE_ACTIVATE_FN Activate;
PIBIO_ENGINE_DEACTIVATE_FN Deactivate;
PIBIO_ENGINE_QUERY_EXTENDED_INFO_FN QueryExtendedInfo;
PIBIO_ENGINE_IDENTIFY_ALL_FN IdentifyAll;
PIBIO_ENGINE_SET_ENROLLMENT_SELECTOR_FN SetEnrollmentSelector;
PIBIO_ENGINE_SET_ENROLLMENT_PARAMETERS_FN SetEnrollmentParameters;
PIBIO_ENGINE_QUERY_EXTENDED_ENROLLMENT_STATUS_FN QueryExtendedEnrollmentStatus;
PIBIO_ENGINE_REFRESH_CACHE_FN RefreshCache;
PIBIO_ENGINE_SELECT_CALIBRATION_FORMAT_FN SelectCalibrationFormat;
PIBIO_ENGINE_QUERY_CALIBRATION_DATA_FN QueryCalibrationData;
PIBIO_ENGINE_SET_ACCOUNT_POLICY_FN SetAccountPolicy;
#endif
#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
//
// V4.0 methods begin here...
//
// Secure-sensor methods; an adapter that fills these in must also report
// WINBIO_CAPABILITY_SECURE_SENSOR and meet the secure-sensor requirements
// listed above (isolated matching engine, protected sample path,
// presentation attack detection).
//
PIBIO_ENGINE_CREATE_KEY_FN CreateKey; // PROVISIONS THE KEY SHARED WITH THE TPM AND RETURNS ITS IDENTIFIER
PIBIO_ENGINE_IDENTIFY_FEATURE_SET_SECURE_FN IdentifyFeatureSetSecure; // NONCE-BOUND MATCH IN THE ISOLATED ENGINE; RETURNS THE SHORT-LIVED HMAC
#endif
} WINBIO_ENGINE_INTERFACE, *PWINBIO_ENGINE_INTERFACE;
要求
Windows 10