CN108389049A - Identity identifying method, device and mobile terminal - Google Patents

Identity identifying method, device and mobile terminal Download PDF

Info

Publication number
CN108389049A
CN108389049A CN201810013600.XA CN201810013600A CN108389049A CN 108389049 A CN108389049 A CN 108389049A CN 201810013600 A CN201810013600 A CN 201810013600A CN 108389049 A CN108389049 A CN 108389049A
Authority
CN
China
Prior art keywords
applet
fingerprint
user
verified
finger print
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810013600.XA
Other languages
Chinese (zh)
Inventor
李勃
张渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Watchdata Ltd By Share Ltd
Beijing WatchData System Co Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Watchdata Ltd By Share Ltd, Beijing WatchSmart Technologies Co Ltd filed Critical Beijing Watchdata Ltd By Share Ltd
Priority to CN201810013600.XA priority Critical patent/CN108389049A/en
Publication of CN108389049A publication Critical patent/CN108389049A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • G06Q20/38215Use of certificates or encrypted proofs of transaction rights
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The embodiment of the invention discloses a kind of identity identifying method, device and mobile terminal, method therein includes:TA sends user fingerprints checking request to SE moulds Applet in the block is operated in;Applet drives fingerprint module to acquire user fingerprints, obtains the finger print data to be verified that fingerprint module is sent;Finger print data to be verified is compared Applet with the fingerprint characteristic data stored inside it, carries out subscriber authentication, and send subscriber authentication results messages to TA.The method, apparatus and mobile terminal of the present invention, fingerprint authentication can be initiated in safer TEE environment ask summation process verification result, and acquisition, secure storage, the verification of fingerprint characteristic data are executed in safer SE environment, the fingerprint characteristic data that different Applet is stored is completely isolated, secure storage and the verification for reaching fingerprint characteristic data ensure that the safety of the business such as transaction.

Description

Identity identifying method, device and mobile terminal
Technical field
The present invention relates to a kind of field of information security technology more particularly to identity identifying method, device and mobile terminals.
Background technology
In recent years, the demand that network bank business is carried out on intelligent mobile terminal is increasingly vigorous, merchandise stroke count and transaction amount Rapid growth, but safety issue allows of no optimist.By taking Android system as an example, usually it is responsible for finger there are one fingerprint TA in the sides TEE The acquisition of line, verification with it is centrally stored, fingerprint TA is to the sides REE application offer fingerprint collecting and the service for checking credentials.It is carried out using fingerprint Authentication has following two typical case scenes:1, with unlocked by fingerprint mobile phone screen locking:Fingerprint inspection is initiated by the APP of the sides REE Card request executes fingerprint collecting and verification by the fingerprint TA of the sides TEE, verification result is returned to the APP of the sides REE, is executed by APP Unlocking motion;2, it is merchandised with fingerprint identification:Transaction is initiated by the APP of the sides REE, the transaction TA of the sides TEE shows Transaction Information, then Fingerprint authentication service request is initiated by APP back to the sides REE, the fingerprint TA of the sides TEE executes fingerprint collecting and verification, the sides TEE Transaction TA is digitally signed transaction after obtaining verification result from fingerprint TA.
Application scenarios one finally handle fingerprint authentication as a result, due to being in insincere performing environment by the APP of the sides REE, obtain To handling result be also incredible.Application scenarios two have to return to from TEE environment in process of exchange REE environment with Fingerprint authentication request is initiated to fingerprint TA, has inevitably enlarged entire transaction flow risk under attack.Meanwhile in the prior art Under, no matter which kind of application scenarios, the fingerprint characteristic data being related to all be it is shared, all by the same fingerprint TA it is centrally stored and Verification, brings prodigious security risk;In addition, the prior art executes the storage and verification of fingerprint characteristic data in TEE, with SE Environment is relatively low compared to its security level.
Invention content
In view of this, the invention solves a technical problem be to provide a kind of identity identifying method, device and shifting Dynamic terminal.
According to an aspect of the present invention, a kind of identity identifying method is provided, including:Operate in credible performing environment TEE In trusted application TA send user fingerprints checking request to safety element SE moulds Applet in the block is operated in;The Applet It drives fingerprint module to acquire user fingerprints, obtains the finger print data to be verified that the fingerprint module is sent;The Applet is by institute It states finger print data to be verified and is compared with the fingerprint characteristic data stored inside it, carry out subscriber authentication, and to institute It states TA and sends subscriber authentication results messages.
Optionally, the TA includes to Applet transmission subscriber authentication requests:The TA passes through the first APDU It orders to the Applet corresponding with this TA and sends the user fingerprints checking request, wherein in the first APDU orders Carry fingerprint characteristic identification information.
Optionally, the Applet finger print data to be verified is compared with the fingerprint characteristic data of storage, into Row subscriber authentication includes:The Applet obtains the fingerprint characteristic number corresponding with the fingerprint characteristic identification information According to;This fingerprint characteristic data is compared the Applet with the finger print data to be verified, if it is determined that compares successfully, then Determine subscriber authentication success.
Optionally, the subscriber authentication success message that the Applet is sent is received, the TA passes through the 2nd APDU Transaction message corresponding with this user is sent to the Applet and carries out signature processing by order.
Optionally, the Applet will be identified after determining subscriber authentication success by the verification of the user of verification It is set as effective;The Applet obtains private key corresponding with this user and carries out signature processing to the transaction message, and is signing After name processing, the verification mark of this user is set as invalid.
Optionally, there are multiple Applet operations in the SE modules, stored in the different Applet Fingerprint characteristic data is mutually isolated.
Optionally, the Applet drivings fingerprint module acquisition user fingerprints include:The Applet passes through the SE moulds The physical layer interface that block provides controls the fingerprint module acquisition user fingerprint image and extracts institute from the user fingerprint image State finger print data to be verified.
Optionally, the fingerprint module includes:Main control unit and sensor unit;The main control unit receives described The fingerprint collecting instruction that Applet is sent controls the sensor unit and obtains fingerprint image;The main control unit is from the finger The finger print data to be verified is extracted in print image, and is sent to the Applet.
Optionally, the processor for running the TA is total by data between the fingerprint module and the SE modules respectively Line connects;It is connected by data/address bus between the SE and the fingerprint module.
Optionally, the SE modules include:ESE modules, inSE modules.
According to another aspect of the present invention, a kind of identification authentication system is provided, including:Operate in credible performing environment TEE In trusted application TA, operate in safety element SE moulds Applet in the block and fingerprint module;The TA is sent out to the Applet Send user fingerprints checking request;The Applet drives the fingerprint module to acquire user fingerprints, obtains the fingerprint module hair The finger print data to be verified sent;The fingerprint characteristic data that the Applet is stored by the finger print data to be verified and inside it It is compared, carries out subscriber authentication, and subscriber authentication results messages are sent to the TA.
Optionally, the TA, for sending the user to the corresponding Applet by the first APDU orders Fingerprint authentication is asked, wherein carries fingerprint characteristic identification information in the first APDU orders.
Optionally, the Applet, for obtaining the fingerprint characteristic corresponding with the fingerprint characteristic identification information Data this fingerprint characteristic data are compared with the finger print data to be verified, if it is determined that compare successfully, it is determined that user Authentication success.
Optionally, the TA, the subscriber authentication success message sent for receiving the Applet, passes through second Transaction message corresponding with this user is sent to the Applet and carries out signature processing by APDU orders.
Optionally, the Applet, for after determining subscriber authentication success, the verification of the user of verification will to be passed through Mark is set as effective;It obtains private key corresponding with this user and signature processing is carried out to the transaction message, and in signature processing Afterwards, the verification of this user mark is set as invalid.
Optionally, there are multiple Applet operations in the SE modules, stored in the different Applet Fingerprint characteristic data is mutually isolated.
Optionally, the Applet is additionally operable to control the fingerprint module by the physical layer interface that the SE modules provide Acquisition user fingerprint image simultaneously extracts the finger print data to be verified from the user fingerprint image.
Optionally, the fingerprint module includes:Main control unit and sensor unit;The main control unit, for receiving The fingerprint collecting instruction for stating Applet transmissions controls the sensor unit and obtains fingerprint image;It is carried from the fingerprint image The finger print data to be verified is taken, and is sent to the Applet.
Optionally, the processor for running the TA is total by data between the fingerprint module and the SE modules respectively Line connects;It is connected by data/address bus between the SE and the fingerprint module.
Optionally, the SE modules include:ESE modules, inSE modules.
According to another aspect of the invention, a kind of mobile terminal, including network bank business system as described above are provided.
In accordance with a further aspect of the present invention, a kind of network bank business system is provided, including:Memory;And it is coupled to described The processor of memory, the processor are configured as based on the instruction being stored in the memory, the net in execution Silver-colored trading system.
Identity identifying method, device and the mobile terminal of the present invention, TA send to operation SE moulds Applet in the block and use Family fingerprint authentication request, Applet drive fingerprint module to acquire user fingerprints, finger print data to be verified are obtained, by fingerprint to be verified Data are compared with the fingerprint characteristic data stored inside it, carry out subscriber authentication, and send user identity to TA Verification result message;Fingerprint authentication can be initiated in safer TEE environment and ask summation process verification result, and more pacifying Acquisition, secure storage, the verification of fingerprint characteristic data are executed in full eSE environment, the fingerprint that different Applet is stored is special It is completely isolated to levy data, cannot access mutually, reach secure storage and the verification of fingerprint characteristic data, ensure that the business such as transaction Safety.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention without having to pay creative labor, may be used also for those of ordinary skill in the art With obtain other attached drawings according to these attached drawings.
Fig. 1 is the flow diagram according to one embodiment of the identity identifying method of the present invention;
Fig. 2 is the flow diagram according to another embodiment of the identity identifying method of the present invention;
Fig. 3 is the connection diagram of each module in one embodiment according to the identity identifying method of the present invention;
Fig. 4 is the module diagram according to one embodiment of the identification authentication system of the present invention;
Fig. 5 is the module diagram according to another embodiment of the identification authentication system of the present invention.
Specific implementation mode
Carry out the various exemplary embodiments of detailed description of the present invention now with reference to attached drawing.It should be noted that:Unless in addition having Body illustrates that the unlimited system of component and the positioned opposite of step, numerical expression and the numerical value otherwise illustrated in these embodiments is originally The range of invention.
Simultaneously, it should be appreciated that for ease of description, the size of attached various pieces shown in the drawings is not according to reality Proportionate relationship draw.
It is illustrative to the description only actually of at least one exemplary embodiment below, is never used as to the present invention And its application or any restrictions that use.
Technology, method and apparatus known to person of ordinary skill in the relevant may be not discussed in detail, but suitable In the case of, the technology, method and apparatus should be considered as part of specification.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi It is defined, then it need not be further discussed in subsequent attached drawing in a attached drawing.
The embodiment of the present invention can be applied to computer system/server, can be with numerous other general or specialized calculating System environments or configuration operate together.Suitable for be used together with computer system/server well-known computing system, ring The example of border and/or configuration includes but not limited to:Smart mobile phone, personal computer system, server computer system, Thin clients Machine, thick client computer, hand-held or laptop devices, microprocessor-based system, set-top box, programmable consumer electronics, network PC, little types Ji calculate machine Xi Tong ﹑ large computer systems and the distributed cloud computing technology ring including any of the above described system Border, etc..
Computer system/server can be in computer system executable instruction (such as journey executed by computer system Sequence module) general context under describe.In general, program module may include routine, program, target program, component, logic, number According to structure etc., they execute specific task or realize specific abstract data type.Computer system/server can be with Implement in distributed cloud computing environment, in distributed cloud computing environment, task is long-range by what is be linked through a communication network Manage what equipment executed.In distributed cloud computing environment, program module can be positioned at the Local or Remote meter for including storage device It calculates in system storage medium.
" first ", " second " hereinafter is only used for distinguishing in description, and there is no other special meanings.
Fig. 1 is according to the flow diagram of one embodiment of the identity identifying method of the present invention, as shown in Figure 1:
Step 101, the trusted application TA operated in credible performing environment TEE is in the block to safety element SE moulds are operated in Applet sends user fingerprints checking request.SE modules include embedded-type security element eSE modules, inSE modules etc..
Step 102, Applet drives fingerprint module to acquire user fingerprints, obtains the fingerprint number to be verified that fingerprint module is sent According to.
Step 103, finger print data to be verified is compared Applet with the fingerprint characteristic data stored inside it, into Row subscriber authentication, and send subscriber authentication results messages to TA.
TEE (Trusted Execution Environment, credible performing environment) is a kind of performing environment of isolation, TEE is run parallel with rich operating system (REE, Rich Execution Environment), and provides safety clothes for rich environment Business can realize that isolation is accessed and protected to the software and hardware secure resources and application program under rich environment.Safety element SE can be with It is the security module that software and hardware and related protocol combine, the smart card level application used can be embedded in, such as UICC, embedded SE, pluggable RAM card etc..Applet is a kind of program operated in SE.
Identity identifying method in above-described embodiment carries out authentication, by TEE environment using biological fingerprint feature Lower initiation fingerprint authentication service is responsible for acquisition, storage and verification fingerprint characteristic data, to reach by the Applet operated in SE To the security targets such as completely isolated of fingerprint characteristic data between the secure storage and verification, different application of fingerprint characteristic data.
In one embodiment, TA sends user fingerprints to and with the corresponding Applet of this TA by the first APDU orders and tests Card request, carries fingerprint characteristic identification information, fingerprint characteristic identification information includes in the first APDU orders:Id information, index Value information etc..
Multiple Applet are run in eSE, each Applet can control fingerprint module to acquire by eSE physical layer interfaces Fingerprint characteristic data.Each Applet can load different fingerprint protection keys when individualized, and fingerprint characteristic data is as two Binary file is stored in after being encrypted with fingerprint protection key inside Applet.
Applet can preserve multigroup, every group of multiple fingerprint characteristic datas, and different numbers is accessed with FID or index value According to.Can be in the line typing stage, multiple fingerprints that a natural person (authentication entity) is possessed are as one group.TA is sent The first APDU in carry parameter and specify and carry out fingerprint comparison in specific a certain group of fingerprint characteristic data.Applet is obtained Fingerprint characteristic data corresponding with fingerprint characteristic identification information, Applet is by this fingerprint characteristic data and finger print data to be verified It is compared, if it is determined that compare successfully, it is determined that subscriber authentication success.
Verify fingerprint when, Applet first new fingerprint characteristic data is acquired from fingerprint module, then with locally preserve certain The fingerprint characteristic data of one group of (being specified in APDU) typing compares one by one, if finding matched fingerprint characteristic data, refers to Line is verified.Applet externally provides one group of APDU, for acquiring, merging, typing, comparison, deletes its fingerprint spy stored Data are levied, these APDU are issued by TA tissues, realize the management to fingerprint characteristic data and authentication function.
In one embodiment, the subscriber authentication success message of Applet transmissions is received, TA passes through the 2nd APDU Transaction message corresponding with this user is sent to Applet and carries out signature processing by order.Each preserved in Applet is private Key is all associated with its corresponding use condition, and private key could be used (such as the success of verification fingerprint) by only having reached use condition requirement (sign or decrypt).Parameter in the APDU that the use condition of key is sent when key pair generates or imports by TA is specified, And it is stored in Applet.Applet understands the use article for first checking the private key specified in the 2nd APDU when receiving two APDU Part, for example, the use condition of private key can be " verifying fingerprint success with the 1st group of fingerprint characteristic template ".
Applet will be set as effective after determining subscriber authentication success by the verification of the user of verification mark. Applet obtains private key corresponding with this user and carries out signature processing to transaction message, and after signature processing, by this user's Verification mark is set as invalid.
Applet can cache this condition flag inside it after fingerprint authentication success, for being related in execution next time Judge whether the use condition for meeting private key when to APDU using private key.This mark is only once effective, i.e., when this mark is effective And after performing the 2nd APDU that one article is related to using private key, this mark fails immediately.During mark failure herein, Applet Refusal executes all the 2nd APDU orders being related to using private key.
Fig. 2 is according to the flow diagram of another embodiment of the identity identifying method of the present invention, as shown in Figure 2:
Step 201, Internetbank APP obtains network bank business message, and network bank business message is sent to TA.
Internetbank APP is obtained there are many modes of network bank business message.For example, Internetbank APP receives what ebanking server was sent Network bank business message generates network bank business message etc. by scanning the two-dimensional code the network bank business data of acquisition.
Step 202, TA parses Netease's transaction message according to preset format, and extraction is shown to user and confirms Network bank business show information.
Network bank business needs to do digital signature to Transaction Information with the signing certificate of user, and trading signature is finally also by servicing End verification.The format of Transaction Information is appointed with content by Internetbank backstage and TA in advance, wherein generally comprising needs is shown to use The part and be not required to part to be shown that family confirms.
Step 203, TA shows that network bank business shows information and provided on TUI by TUI and believes for inputting trade confirmation The operation button of breath, operation button include:ACK button, cancel button etc..If user does not operate for a long time, TUI can be automatic Time-out exits, and transaction will be cancelled.
TUI operates in credible performing environment, can ensure that the transaction letter that the Transaction Information that user sees will videlicet sign Breath, " finding is signed ".After user confirms Transaction Information, before executing trading signature, it is also necessary to user fingerprints are first verified, Ensure that using the operator that private key is signed be user.A variety of dummy keyboard configurations, such as number can also be provided in TUI Keyboard, alphabetic keypad, keyboard symbol etc. may be implemented to experience with input completely the same in Rich OS.
On mobile terminals, RichOS and TEE shares same display device and user's progress human-computer interaction, Yong Huxu Differentiate the content currently shown be software under RichOS show or TEE in TUI show.TA is obtained and Internetbank The corresponding reserved information of APP, and when showing that network bank business shows information, information is reserved in the display at the interfaces TUI, so that user The information content, which is reserved, by comparison judges whether network bank business display information is shown by TUI.
Show that a reserved information, user can reserve the information content to reflect by comparison in the fixed position at the interfaces TUI Whether other present displayed content is that TUI is exported.Reserved information has acquiescence initial value, user to be needed before using network bank business for the first time It first to change acquiescence and reserve information.Modification is reserved information and is executed in TUI, inputs new reserved information at TUI by user.When When user sees the reserved information for showing oneself setting in TUI, it can confirm that current picture is to be in the credible performing environments of TUI Under.
Step 204, TA judges whether user confirms progress Internetbank friendship based on user by the TUI transaction confirmation messages inputted Easily, if so, entering step 206, if not, entering step 205.
Step 205, TA sends network bank business failure notification message and failure cause information, failure cause to Internetbank APP Information includes:User Cancels Transaction.
Step 206, TA sends user fingerprints checking request to Applet.
Applet drives fingerprint module to acquire user fingerprints, obtains the finger print data to be verified that fingerprint module is sent, will wait for Verification finger print data is compared with the fingerprint characteristic data stored inside it, carries out subscriber authentication.
Step 207, judge whether Applet is proved to be successful the finger print data of user, if it is, entering step 209, if it is not, then entering step 208.
Step 208, TA sends network bank business failure notification message and failure cause information, failure cause to Internetbank APP Information includes:Fingerprint authentication is unsuccessfully etc..
Step 209, after being proved to be successful to user fingerprints, network bank business message is sent to Applet and carried out at signature by TA Reason.
Applet obtains the access right of private key after fingerprint authentication is correct, obtains private key pair corresponding with this user Transaction message carries out signature processing.
Step 210, TA receives signature handling results of the Applet for network bank business message, by signature handling result hair Give Internetbank APP.
Step 211, signature handling result is sent to ebanking server and verified by Internetbank APP, if be proved to be successful, Internetbank APP carries out network bank business operation.
In one embodiment, most widely used at present credible to hold in the TrustZone Technical Architectures based on ARM Row environment OS is the GP TEE of the GP and QSEE of high pass respectively.As shown in figure 3, total by SPI between TA and fingerprint module, eSE Line is connected, and CPU is used as main equipment, fingerprint module and eSE from equipment.Also by another way SPI between eSE and fingerprint module Bus is connected, and eSE is used as main equipment, fingerprint module from equipment.
The physical layer interface control fingerprint module that Applet is provided by SE modules acquires user fingerprint image and refers to from user Finger print data to be verified is extracted in print image.Fingerprint module includes:Main control unit and sensor unit.Main control unit receives The fingerprint collecting instruction that Applet is sent, control sensor unit obtain fingerprint image, finger to be verified are extracted from fingerprint image Line data, and it is sent to Applet.
In one embodiment, as shown in figure 4, the present invention provides a kind of identification authentication system 40, including:It operates in credible Trusted application TA 41 in performing environment TEE, safety element SE moulds Applet 42 in the block and fingerprint module 43 are operated in.
TA 41 sends user fingerprints checking request to Applet 42.Applet 41 drives fingerprint module 43 to acquire user Fingerprint obtains the finger print data to be verified that fingerprint module 43 is sent.Applet 42 by finger print data to be verified with deposit inside it The fingerprint characteristic data of storage is compared, and carries out subscriber authentication, and send subscriber authentication results messages to TA 41. There are the operations of multiple Applet 42 in SE modules, the fingerprint characteristic data stored in different Applet is mutually isolated, cannot Mutually access.
TA 41 by the first APDU orders to corresponding thereto Applet 42 send user fingerprints checking request, first Fingerprint characteristic identification information is carried in APDU orders.Applet 42 obtains fingerprint corresponding with fingerprint characteristic identification information Characteristic this fingerprint characteristic data is compared with finger print data to be verified, if it is determined that compare successfully, it is determined that user Authentication success.
TA 41 receives the subscriber authentication success message of the transmissions of Applet 42, will be with this by the 2nd APDU orders The corresponding transaction message of user is sent to Applet 42 and carries out signature processing.Applet 42 is determining subscriber authentication success Afterwards, it will be set as effective by the verification of the user of verification mark.Applet 42 obtains private key corresponding with this user to transaction Message carries out signature processing, and after signature processing, the verification mark of this user is set as invalid.
The physical layer interface that Applet 42 is provided by SE modules control fingerprint module 43 acquire user fingerprint image and from Finger print data to be verified is extracted in the fingerprint image of family.Fingerprint module 43 includes:Main control unit and sensor unit.Main control unit connects The fingerprint collecting instruction that Applet is sent is received, control sensor unit obtains fingerprint image, extracted from fingerprint image to be verified Finger print data, and it is sent to Applet 42.TA 41 is connect between fingerprint module 43 and SE modules by spi bus respectively. It is connected by spi bus between SE modules and fingerprint module.
In one embodiment, the present invention provides a kind of mobile terminal, including the authentication in any embodiment as above Device.Mobile terminal can be smart mobile phone, tablet computer etc..
Fig. 5 is the module diagram according to another embodiment of the identity identifying method device of the present invention.Such as Fig. 5 institutes Show, which may include memory 51, processor 52, bus 53.For storing instruction, processor 52 is coupled to be deposited memory 51 Reservoir 51, processor 52 are configured as realizing above-mentioned identity identifying method based on the instruction execution that memory 51 stores.Storage Device 51 can be high-speed RAM memory, nonvolatile memory (NoN-volatile memory) etc., and memory 51 can also It is memory array.Processor 52 can be central processor CPU etc..
Identity identifying method, device in above-described embodiment and mobile terminal, TA to operation SE moulds Applet in the block User fingerprints checking request is sent, Applet drives fingerprint module to acquire user fingerprints, obtains finger print data to be verified, will be to be tested Card finger print data is compared with the fingerprint characteristic data stored inside it, carries out subscriber authentication, and send and use to TA Family authentication results messages;Fingerprint authentication can be initiated in safer TEE environment ask summation process verification result, and Acquisition, secure storage, the verification of fingerprint characteristic data are executed in safer eSE environment, what different Applet was stored Fingerprint characteristic data is completely isolated, cannot access mutually, reaches secure storage and the verification of fingerprint characteristic data, ensure that transaction Etc. business safety.
The method and system of the present invention may be achieved in many ways.For example, can by software, hardware, firmware or Software, hardware, firmware any combinations come realize the present invention method and system.The said sequence of the step of for method is only In order to illustrate, the step of method of the invention, is not limited to sequence described in detail above, especially says unless otherwise It is bright.In addition, in some embodiments, also the present invention can be embodied as to record program in the recording medium, these programs include For realizing machine readable instructions according to the method for the present invention.Thus, the present invention also covers storage for executing according to this hair The recording medium of the program of bright method.
Description of the invention provides for the sake of example and description, and is not exhaustively or will be of the invention It is limited to disclosed form.Many modifications and variations are obvious for the ordinary skill in the art.It selects and retouches It states embodiment and is to more preferably illustrate the principle of the present invention and practical application, and those skilled in the art is enable to manage Various embodiments with various modifications of the solution present invention to design suitable for special-purpose.

Claims (22)

1. a kind of identity identifying method, which is characterized in that including:
The trusted application TA operated in credible performing environment TEE sends use to safety element SE moulds Applet in the block is operated in Family fingerprint authentication request;
The Applet drivings fingerprint module acquires user fingerprints, obtains the finger print data to be verified that the fingerprint module is sent;
The finger print data to be verified is compared the Applet with the fingerprint characteristic data stored inside it, is used Family authentication, and send subscriber authentication results messages to the TA.
2. the method as described in claim 1, which is characterized in that the TA sends subscriber authentication request to the Applet Including:
The TA sends the user fingerprints checking request by the first APDU orders to the Applet corresponding with TA, In, carry fingerprint characteristic identification information in the first APDU orders.
3. method as claimed in claim 2, which is characterized in that the Applet by the finger print data to be verified with storage Fingerprint characteristic data is compared, carries out subscriber authentication:
The Applet obtains the fingerprint characteristic data corresponding with the fingerprint characteristic identification information;
This fingerprint characteristic data is compared the Applet with the finger print data to be verified, if it is determined that it compares successfully, Then determine subscriber authentication success.
4. method as claimed in claim 3, which is characterized in that further include:
The subscriber authentication success message that the Applet is sent is received, the TA will be with this use by the 2nd APDU orders The corresponding transaction message in family is sent to the Applet and carries out signature processing.
5. method as claimed in claim 4, which is characterized in that further include:
The Applet will be set as effective after determining subscriber authentication success by the verification of the user of verification mark;
The Applet obtains private key corresponding with this user and carries out signature processing to the transaction message, and in signature processing Afterwards, the verification of this user mark is set as invalid.
6. the method as described in claim 1, which is characterized in that
There are multiple Applet operations, the fingerprint characteristic data stored in the different Applet in the SE modules It is mutually isolated.
7. the method as described in claim 1, which is characterized in that the Applet drivings fingerprint module acquires user fingerprints packet It includes:
The Applet controls the fingerprint module by the physical layer interface that the SE modules provide and acquires user fingerprint image simultaneously The finger print data to be verified is extracted from the user fingerprint image.
8. the method for claim 7, which is characterized in that the fingerprint module includes:Main control unit and sensor unit;
The main control unit receives the fingerprint collecting instruction that the Applet is sent, and controls the sensor unit and obtains fingerprint Image;
The main control unit extracts the finger print data to be verified from the fingerprint image, and is sent to the Applet.
9. the method as described in claim 1, which is characterized in that run the processor of the TA respectively with the fingerprint module and It is connected by data/address bus between the SE modules;It is connected by data/address bus between the SE and the fingerprint module.
10. the method as described in claim 1, which is characterized in that
The SE modules include:ESE modules, inSE modules.
11. a kind of identification authentication system, which is characterized in that including:
The trusted application TA that operates in credible performing environment TEE, safety element SE moulds Applet in the block and fingerprint are operated in Module;
The TA sends user fingerprints checking request to the Applet;The Applet drives the fingerprint module to acquire user Fingerprint obtains the finger print data to be verified that the fingerprint module is sent;The Applet by the finger print data to be verified with The fingerprint characteristic data of its storage inside is compared, and carries out subscriber authentication, and send subscriber authentication to the TA Results messages.
12. device as claimed in claim 11, which is characterized in that
The TA is asked for sending the user fingerprints verification to the corresponding Applet by the first APDU orders It asks, wherein carry fingerprint characteristic identification information in the first APDU orders.
13. device as claimed in claim 12, which is characterized in that
The Applet refers to this for obtaining the fingerprint characteristic data corresponding with the fingerprint characteristic identification information Line characteristic is compared with the finger print data to be verified, if it is determined that compares successfully, it is determined that subscriber authentication at Work(.
14. device as claimed in claim 13, which is characterized in that
The TA, the subscriber authentication success message sent for receiving the Applet will by the 2nd APDU orders Transaction message corresponding with this user is sent to the Applet and carries out signature processing.
15. device as claimed in claim 14, which is characterized in that
The Applet, for after determining subscriber authentication success, will be set as by the verification of the user of verification mark Effectively;It obtains private key corresponding with this user and signature processing is carried out to the transaction message, and after signature processing, by this user Verification mark be set as invalid.
16. device as claimed in claim 11, which is characterized in that
There are multiple Applet operations, the fingerprint characteristic data stored in the different Applet in the SE modules It is mutually isolated.
17. device as claimed in claim 11, which is characterized in that
The Applet is additionally operable to control the fingerprint module acquisition user fingerprints by the physical layer interface that the SE modules provide Image simultaneously extracts the finger print data to be verified from the user fingerprint image.
18. device as claimed in claim 17, which is characterized in that the fingerprint module includes:Main control unit and sensor list Member;
The main control unit, the fingerprint collecting instruction sent for receiving the Applet control the sensor unit and obtain Fingerprint image;The finger print data to be verified is extracted from the fingerprint image, and is sent to the Applet.
19. device as claimed in claim 11, which is characterized in that
The processor for running the TA is connect between the fingerprint module and the SE modules by data/address bus respectively;It is described It is connected by data/address bus between SE and the fingerprint module.
20. device as claimed in claim 11, which is characterized in that
The SE modules include:ESE modules, inSE modules.
21. a kind of mobile terminal, it is characterised in that:
Including such as claim 11 to 20 any one of them identification authentication system.
22. a kind of identification authentication system, which is characterized in that including:
Memory;And it is coupled to the processor of the memory, the processor is configured as being based on being stored in the storage Instruction in device executes the identity identifying method as described in any one of claims 1 to 10.
CN201810013600.XA 2018-01-08 2018-01-08 Identity identifying method, device and mobile terminal Pending CN108389049A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810013600.XA CN108389049A (en) 2018-01-08 2018-01-08 Identity identifying method, device and mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810013600.XA CN108389049A (en) 2018-01-08 2018-01-08 Identity identifying method, device and mobile terminal

Publications (1)

Publication Number Publication Date
CN108389049A true CN108389049A (en) 2018-08-10

Family

ID=63077041

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810013600.XA Pending CN108389049A (en) 2018-01-08 2018-01-08 Identity identifying method, device and mobile terminal

Country Status (1)

Country Link
CN (1) CN108389049A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109324843A (en) * 2018-09-11 2019-02-12 深圳市文鼎创数据科技有限公司 A kind of finger prints processing system, method and fingerprint equipment
CN110876144A (en) * 2018-08-30 2020-03-10 华为技术有限公司 Mobile application method, device and system of identity certificate
CN111177687A (en) * 2019-12-25 2020-05-19 北京迈格威科技有限公司 Image unlocking method, device, equipment and storage medium
WO2020133500A1 (en) * 2018-12-29 2020-07-02 华为技术有限公司 Method and device for unlocking terminal device, and storage medium
WO2020191547A1 (en) * 2019-03-22 2020-10-01 华为技术有限公司 Biometric recognition method and apparatus
CN112214652A (en) * 2020-10-19 2021-01-12 支付宝(杭州)信息技术有限公司 Message generation method, device and equipment
EP3822836A1 (en) * 2019-11-12 2021-05-19 Koninklijke Philips N.V. Device and method for secure communication
CN115942323A (en) * 2023-01-09 2023-04-07 中国电子科技集团公司第三十研究所 USIM (Universal subscriber identity Module) device and USIM security enhancement method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104899506A (en) * 2015-05-08 2015-09-09 深圳市雪球科技有限公司 Security system implementation method based on virtual security element in trusted execution environment
CN105069442A (en) * 2015-08-25 2015-11-18 杭州晟元数据安全技术股份有限公司 Finger SE module group and payment verification method
CN105160254A (en) * 2014-06-06 2015-12-16 欧贝特科技公司 Electronic apparatus including a secure electronic entity and method implemented in such an electronic apparatus
US20160234176A1 (en) * 2015-02-06 2016-08-11 Samsung Electronics Co., Ltd. Electronic device and data transmission method thereof
US20160239686A1 (en) * 2015-02-17 2016-08-18 Samsung Electronics Co., Ltd. Storing and using data with secure circuitry
CN106899552A (en) * 2015-12-21 2017-06-27 中国电信股份有限公司 Authentication method, certification terminal and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105160254A (en) * 2014-06-06 2015-12-16 欧贝特科技公司 Electronic apparatus including a secure electronic entity and method implemented in such an electronic apparatus
US20160234176A1 (en) * 2015-02-06 2016-08-11 Samsung Electronics Co., Ltd. Electronic device and data transmission method thereof
US20160239686A1 (en) * 2015-02-17 2016-08-18 Samsung Electronics Co., Ltd. Storing and using data with secure circuitry
CN104899506A (en) * 2015-05-08 2015-09-09 深圳市雪球科技有限公司 Security system implementation method based on virtual security element in trusted execution environment
CN105069442A (en) * 2015-08-25 2015-11-18 杭州晟元数据安全技术股份有限公司 Finger SE module group and payment verification method
CN106899552A (en) * 2015-12-21 2017-06-27 中国电信股份有限公司 Authentication method, certification terminal and system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110876144A (en) * 2018-08-30 2020-03-10 华为技术有限公司 Mobile application method, device and system of identity certificate
CN110876144B (en) * 2018-08-30 2023-07-11 华为技术有限公司 Mobile application method, device and system for identity certificate
CN109324843A (en) * 2018-09-11 2019-02-12 深圳市文鼎创数据科技有限公司 A kind of finger prints processing system, method and fingerprint equipment
WO2020052383A1 (en) * 2018-09-11 2020-03-19 深圳市文鼎创数据科技有限公司 Fingerprint processing system and method, and fingerprint device
CN109324843B (en) * 2018-09-11 2020-12-11 深圳市文鼎创数据科技有限公司 Fingerprint processing system and method and fingerprint equipment
WO2020133500A1 (en) * 2018-12-29 2020-07-02 华为技术有限公司 Method and device for unlocking terminal device, and storage medium
CN112334896A (en) * 2018-12-29 2021-02-05 华为技术有限公司 Unlocking method and device of terminal device and storage medium
CN112334896B (en) * 2018-12-29 2023-09-01 华为技术有限公司 Unlocking method and equipment of terminal equipment and storage medium
CN111989693A (en) * 2019-03-22 2020-11-24 华为技术有限公司 Biometric identification method and device
WO2020191547A1 (en) * 2019-03-22 2020-10-01 华为技术有限公司 Biometric recognition method and apparatus
EP3822836A1 (en) * 2019-11-12 2021-05-19 Koninklijke Philips N.V. Device and method for secure communication
WO2021094125A1 (en) * 2019-11-12 2021-05-20 Koninklijke Philips N.V. Device and method for secure communication
US11972031B2 (en) 2019-11-12 2024-04-30 Koninklijke Philips N.V. Device and method for secure communication
CN111177687A (en) * 2019-12-25 2020-05-19 北京迈格威科技有限公司 Image unlocking method, device, equipment and storage medium
CN112214652A (en) * 2020-10-19 2021-01-12 支付宝(杭州)信息技术有限公司 Message generation method, device and equipment
CN112214652B (en) * 2020-10-19 2023-09-29 支付宝(杭州)信息技术有限公司 Message generation method, device and equipment
CN115942323A (en) * 2023-01-09 2023-04-07 中国电子科技集团公司第三十研究所 USIM (Universal subscriber identity Module) device and USIM security enhancement method

Similar Documents

Publication Publication Date Title
CN108389049A (en) Identity identifying method, device and mobile terminal
CN108229956A (en) Network bank business method, apparatus, system and mobile terminal
CN105306490B (en) Payment verifying system, method and device
US6651168B1 (en) Authentication framework for multiple authentication processes and mechanisms
KR102214247B1 (en) Method and apparatus for service implementation
WO2015157295A1 (en) Systems and methods for transacting at an atm using a mobile device
US20160189135A1 (en) Virtual chip card payment
US20150120573A1 (en) Information processing method, device and system
CN110458559B (en) Transaction data processing method, device, server and storage medium
CN210691384U (en) Face recognition payment terminal platform based on security unit and trusted execution environment
CN107196901A (en) A kind of identity registration and the method and device of certification
US11451540B2 (en) Method of authentication
CN106651372A (en) Data processing method and system
CN105229709A (en) Security ststem
CN108337251A (en) Bank card phone number changes implementation method, equipment, system and storage medium
CA2395381A1 (en) Computerised device for accrediting data application to a software or a service
CN108270789A (en) Internetbank activating method, equipment, system and computer readable storage medium
CN107944241A (en) Barcode scanning method and device, computer installation and computer-readable recording medium
CN112687042B (en) Authentication method, authentication device and electronic equipment
CN109887195A (en) A kind of operating method and system of self-help teller machine
CN117275138A (en) Identity authentication method, device, equipment and storage medium based on automatic teller machine
JP2007052489A (en) User authentication method and user authentication program
CN105580046B (en) System and method for providing banking interaction with a remote banking device
TWI802669B (en) A password acquisition method, transaction equipment and terminal
JP4802670B2 (en) Cardless authentication system, cardless authentication method used in the system, and cardless authentication program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180810

RJ01 Rejection of invention patent application after publication