CN108389049A - Identity identifying method, device and mobile terminal - Google Patents
- Publication number: CN108389049A (CN201810013600.XA)
- Authority: CN (China)
- Prior art keywords: applet, fingerprint, user, verified, finger print
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06Q20/4014—Identity check for transactions
- G06Q20/38215—Use of certificates or encrypted proofs of transaction rights
- G06Q20/3825—Use of electronic signatures
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
- G06Q20/40145—Biometric identity checks
Abstract
An embodiment of the invention discloses an identity authentication method, device and mobile terminal. The method includes: a TA sends a user fingerprint verification request to an Applet running in an SE module; the Applet drives a fingerprint module to capture the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module; the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity verification, and sends a user identity verification result message to the TA. With the method, device and mobile terminal of the invention, the fingerprint verification request can be initiated and the verification result processed in the more secure TEE environment, while acquisition, secure storage and verification of fingerprint feature data are performed in the even more secure SE environment. The fingerprint feature data stored by different Applets is completely isolated, which achieves secure storage and verification of fingerprint feature data and ensures the security of services such as transactions.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an identity authentication method, device and mobile terminal.
Background
In recent years, demand for online banking on smart mobile terminals has grown steadily, and both the number of transactions and the transaction amounts have increased rapidly, but the security situation gives no cause for optimism. Taking the Android system as an example, there is usually a single fingerprint TA on the TEE side that is responsible for the acquisition, verification and centralized storage of fingerprints; the fingerprint TA provides fingerprint acquisition and verification services to applications on the REE side. Identity authentication by fingerprint has the following two typical application scenarios: 1. Unlocking the phone's lock screen by fingerprint: the APP on the REE side initiates a fingerprint verification request, the fingerprint TA on the TEE side performs fingerprint acquisition and verification and returns the verification result to the APP on the REE side, and the APP performs the unlock action. 2. Authenticating a transaction by fingerprint: the APP on the REE side initiates the transaction, the transaction TA on the TEE side displays the transaction information, control then returns to the REE side where the APP initiates a fingerprint verification service request, the fingerprint TA on the TEE side performs fingerprint acquisition and verification, and the transaction TA on the TEE side digitally signs the transaction after obtaining the verification result from the fingerprint TA.
In scenario one, the fingerprint verification result is ultimately handled by the APP on the REE side; because that APP runs in an untrusted execution environment, the outcome of that handling is also untrusted. In scenario two, the transaction flow has to return from the TEE environment to the REE environment in order to initiate the fingerprint verification request to the fingerprint TA, which inevitably increases the risk of the whole transaction flow being attacked. Moreover, in the prior art, whatever the application scenario, the fingerprint feature data involved is shared: it is all centrally stored and verified by the same fingerprint TA, which brings a great security risk. In addition, the prior art performs the storage and verification of fingerprint feature data in the TEE, whose security level is lower than that of an SE environment.
Summary of the invention
In view of this, one technical problem to be solved by the invention is to provide an identity authentication method, device and mobile terminal.
According to one aspect of the invention, an identity authentication method is provided, including: a trusted application (TA) running in a trusted execution environment (TEE) sends a user fingerprint verification request to an Applet running in a secure element (SE) module; the Applet drives a fingerprint module to capture the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module; the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity verification, and sends a user identity verification result message to the TA.
Optionally, the TA sending the user identity verification request to the Applet includes: the TA sends the user fingerprint verification request to the Applet corresponding to this TA via a first APDU command, where the first APDU command carries fingerprint feature identification information.
Optionally, the Applet comparing the fingerprint data to be verified with the stored fingerprint feature data and performing user identity verification includes: the Applet obtains the fingerprint feature data corresponding to the fingerprint feature identification information; the Applet compares this fingerprint feature data with the fingerprint data to be verified and, if the comparison succeeds, determines that user identity verification has succeeded.
Optionally, on receiving the user identity verification success message sent by the Applet, the TA sends the transaction message corresponding to this user to the Applet via a second APDU command for signature processing.
Optionally, after determining that user identity verification has succeeded, the Applet sets the verification flag of the verified user to valid; the Applet obtains the private key corresponding to this user and signs the transaction message and, after the signature processing, sets the verification flag of this user to invalid.
Optionally, multiple Applets run in the SE module, and the fingerprint feature data stored in different Applets is isolated from one another.
Optionally, the Applet driving the fingerprint module to capture the user's fingerprint includes: the Applet, through the physical layer interface provided by the SE module, controls the fingerprint module to capture a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image.
Optionally, the fingerprint module includes a main control unit and a sensor unit; the main control unit receives the fingerprint acquisition instruction sent by the Applet and controls the sensor unit to obtain a fingerprint image; the main control unit extracts the fingerprint data to be verified from the fingerprint image and sends it to the Applet.
Optionally, the processor that runs the TA is connected to the fingerprint module and to the SE module by a data bus; the SE and the fingerprint module are connected to each other by a data bus.
Optionally, the SE module includes: an eSE module, an inSE module.
According to another aspect of the invention, an identity authentication device is provided, including: a trusted application (TA) running in a trusted execution environment (TEE), an Applet running in a secure element (SE) module, and a fingerprint module. The TA sends a user fingerprint verification request to the Applet; the Applet drives the fingerprint module to capture the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module; the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity verification, and sends a user identity verification result message to the TA.
Optionally, the TA is configured to send the user fingerprint verification request to the corresponding Applet via a first APDU command, where the first APDU command carries fingerprint feature identification information.
Optionally, the Applet is configured to obtain the fingerprint feature data corresponding to the fingerprint feature identification information, compare this fingerprint feature data with the fingerprint data to be verified and, if the comparison succeeds, determine that user identity verification has succeeded.
Optionally, the TA is configured to receive the user identity verification success message sent by the Applet and to send the transaction message corresponding to this user to the Applet via a second APDU command for signature processing.
Optionally, the Applet is configured to set the verification flag of the verified user to valid after determining that user identity verification has succeeded; to obtain the private key corresponding to this user and sign the transaction message; and, after the signature processing, to set the verification flag of this user to invalid.
Optionally, multiple Applets run in the SE module, and the fingerprint feature data stored in different Applets is isolated from one another.
Optionally, the Applet is further configured to control the fingerprint module, through the physical layer interface provided by the SE module, to capture a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image.
Optionally, the fingerprint module includes a main control unit and a sensor unit; the main control unit is configured to receive the fingerprint acquisition instruction sent by the Applet, control the sensor unit to obtain a fingerprint image, extract the fingerprint data to be verified from the fingerprint image, and send it to the Applet.
Optionally, the processor that runs the TA is connected to the fingerprint module and to the SE module by a data bus; the SE and the fingerprint module are connected to each other by a data bus.
Optionally, the SE module includes: an eSE module, an inSE module.
According to yet another aspect of the invention, a mobile terminal is provided, including the online banking transaction system described above.
According to a further aspect of the invention, an online banking transaction system is provided, including: a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the online banking transaction system described above.
In the identity authentication method, device and mobile terminal of the invention, the TA sends a user fingerprint verification request to the Applet running in the SE module; the Applet drives the fingerprint module to capture the user's fingerprint, obtains the fingerprint data to be verified, compares it with the fingerprint feature data stored inside it, performs user identity verification, and sends a user identity verification result message to the TA. The fingerprint verification request can thus be initiated and the verification result processed in the more secure TEE environment, while acquisition, secure storage and verification of fingerprint feature data are performed in the even more secure eSE environment. The fingerprint feature data stored by different Applets is completely isolated and cannot be accessed across Applets, which achieves secure storage and verification of fingerprint feature data and ensures the security of services such as transactions.
Description of the drawings
To explain the embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of one embodiment of the identity authentication method according to the invention;
Fig. 2 is a flow diagram of another embodiment of the identity authentication method according to the invention;
Fig. 3 is a connection diagram of the modules in one embodiment of the identity authentication method according to the invention;
Fig. 4 is a module diagram of one embodiment of the identity authentication device according to the invention;
Fig. 5 is a module diagram of another embodiment of the identity authentication device according to the invention.
Detailed description
Various exemplary embodiments of the invention are now described in detail with reference to the drawings. Note that, unless specifically stated otherwise, the relative arrangement of components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to actual scale.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use.
Techniques, methods and devices known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the specification.
Note that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
The embodiments of the invention can be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: smartphones, personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and so on.
The computer system/server can be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. In general, program modules may include routines, programs, object programs, components, logic, data structures and so on, which perform specific tasks or implement specific abstract data types. The computer system/server can be implemented in a distributed cloud computing environment, in which tasks are executed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules can be located on local or remote computing system storage media that include storage devices.
"First" and "second" below are used only to distinguish items in the description and have no other special meaning.
Fig. 1 is a flow diagram of one embodiment of the identity authentication method according to the invention. As shown in Fig. 1:
Step 101, a trusted application (TA) running in a trusted execution environment (TEE) sends a user fingerprint verification request to an Applet running in a secure element (SE) module. SE modules include embedded secure element (eSE) modules, inSE modules, and so on.
Step 102, the Applet drives the fingerprint module to capture the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module.
Step 103, the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity verification, and sends a user identity verification result message to the TA.
A TEE (Trusted Execution Environment) is an isolated execution environment. The TEE runs in parallel with the rich operating system (REE, Rich Execution Environment) and provides security services to the rich environment; it can isolate access to, and protect, software and hardware security resources and applications from the rich environment. A secure element (SE) can be a security module combining software, hardware and related protocols in which smart-card-grade applications can be embedded, for example a UICC, an embedded SE, a pluggable memory card, and so on. An Applet is a program that runs in the SE.
The identity authentication method in the above embodiment performs identity authentication using biometric fingerprint features. The fingerprint verification service is initiated in the TEE environment, and the Applet running in the SE is responsible for acquiring, storing and verifying fingerprint feature data, so as to achieve security goals such as secure storage and verification of fingerprint feature data and complete isolation of fingerprint feature data between different applications.
In one embodiment, the TA sends the user fingerprint verification request to the Applet corresponding to this TA via a first APDU command. The first APDU command carries fingerprint feature identification information, which includes ID information, index value information, and so on.
Multiple Applets run in the eSE, and each Applet can control the fingerprint module through the eSE physical layer interface to acquire fingerprint feature data. Each Applet can be loaded with a different fingerprint protection key at personalization; fingerprint feature data is encrypted with the fingerprint protection key and then stored inside the Applet as a binary file.
An Applet can store multiple groups of fingerprint feature data, each group containing multiple entries, and accesses the different data by FID or index value. In the fingerprint enrollment stage, the multiple fingerprints belonging to one natural person (authentication entity) can be treated as one group. A parameter carried in the first APDU sent by the TA specifies the particular group of fingerprint feature data within which the fingerprint comparison is performed. The Applet obtains the fingerprint feature data corresponding to the fingerprint feature identification information and compares it with the fingerprint data to be verified; if the comparison succeeds, it determines that user identity verification has succeeded.
When verifying a fingerprint, the Applet first acquires new fingerprint feature data from the fingerprint module and then compares it one by one against the enrolled fingerprint feature data of a particular group (specified in the APDU) stored locally; if matching fingerprint feature data is found, the fingerprint verification passes. The Applet exposes a set of APDUs for acquiring, merging, enrolling, comparing and deleting the fingerprint feature data it stores; these APDUs are assembled and issued by the TA to implement the management and verification functions for fingerprint feature data.
In one embodiment, on receiving the user identity verification success message sent by the Applet, the TA sends the transaction message corresponding to this user to the Applet via a second APDU command for signature processing. Each private key stored in the Applet is associated with its own use condition, and the private key can be used (to sign or decrypt) only once the use condition is met (for example, successful fingerprint verification). The use condition of a key is specified by a parameter in the APDU that the TA sends when the key pair is generated or imported, and is stored in the Applet. On receiving the second APDU, the Applet first checks the use condition of the private key specified in the second APDU; for example, the use condition of a private key can be "fingerprint successfully verified against the 1st group of fingerprint feature templates".
After determining that user identity verification has succeeded, the Applet sets the verification flag of the verified user to valid. The Applet obtains the private key corresponding to this user and signs the transaction message and, after the signature processing, sets the verification flag of this user to invalid.
After a successful fingerprint verification, the Applet caches this condition flag internally and uses it, the next time it executes an APDU that involves a private key, to judge whether the private key's use condition is met. The flag is valid only once: when the flag is valid and one second APDU involving the private key has been executed, the flag becomes invalid immediately. While the flag is invalid, the Applet refuses to execute any second APDU command that involves using a private key.
Fig. 2 is a flow diagram of another embodiment of the identity authentication method according to the invention. As shown in Fig. 2:
Step 201, the online banking APP obtains an online banking transaction message and sends it to the TA.
The online banking APP can obtain the online banking transaction message in several ways. For example, the online banking APP receives the online banking transaction message sent by the online banking server, or generates the online banking transaction message from online banking transaction data obtained by scanning a QR code, and so on.
Step 202, the TA parses the online banking transaction message according to a preset format and extracts the online banking transaction display information to be shown to the user for confirmation.
An online banking transaction requires a digital signature over the transaction information made with the user's signing certificate, and the transaction signature is ultimately verified by the server. The format and content of the transaction information are agreed in advance between the online banking back end and the TA, and generally include a part that must be shown to the user for confirmation and a part that need not be shown.
Step 203, the TA displays the online banking transaction display information through the TUI and provides on the TUI operation buttons for entering transaction confirmation information; the operation buttons include a confirm button, a cancel button, and so on. If the user performs no operation for a long time, the TUI times out and exits automatically, and the transaction is cancelled.
The TUI runs in the trusted execution environment, which ensures that the transaction information the user sees is exactly the transaction information that will be signed ("what you see is what you sign"). After the user confirms the transaction information and before the transaction signature is executed, the user's fingerprint must also be verified first, to ensure that the operator using the private key to sign is the user. The TUI can also provide several virtual keyboard layouts, such as a numeric keyboard, an alphabetic keyboard and a symbol keyboard, giving an input experience fully consistent with that in the Rich OS.
On a mobile terminal, the Rich OS and the TEE share the same display device for human-computer interaction with the user, so the user needs to distinguish whether the content currently displayed is shown by software under the Rich OS or by the TUI in the TEE. The TA obtains the reserved information corresponding to the online banking APP and, when displaying the online banking transaction display information, displays the reserved information on the TUI interface, so that the user can judge, by comparing the content of the reserved information, whether the online banking transaction display information is being shown by the TUI.
A piece of reserved information is shown at a fixed position on the TUI interface, and the user can identify whether the currently displayed content is output by the TUI by comparing the content of the reserved information. The reserved information has a default initial value, and the user must first change the default reserved information before using online banking transactions for the first time. Changing the reserved information is done in the TUI, where the user enters the new reserved information. When the user sees the reserved information that they set displayed in the TUI, they can confirm that the current screen is in the TUI trusted execution environment.
Step 204, the TA judges, based on the transaction confirmation information the user entered through the TUI, whether the user has confirmed the online banking transaction; if so, go to step 206, otherwise go to step 205.
Step 205, the TA sends an online banking transaction failure notification message and failure cause information to the online banking APP; the failure cause information includes: the user cancelled the transaction.
Step 206, the TA sends a user fingerprint verification request to the Applet.
The Applet drives the fingerprint module to capture the user's fingerprint, obtains the fingerprint data to be verified sent by the fingerprint module, compares it with the fingerprint feature data stored inside it, and performs user identity verification.
Step 207, judge whether the Applet successfully verified the user's fingerprint data; if so, go to step 209, otherwise go to step 208.
Step 208, the TA sends an online banking transaction failure notification message and failure cause information to the online banking APP; the failure cause information includes: fingerprint verification failed, and so on.
Step 209, after the user's fingerprint has been verified successfully, the TA sends the online banking transaction message to the Applet for signature processing.
After the fingerprint has been verified correctly, the Applet gains the right to use the private key, obtains the private key corresponding to this user, and signs the transaction message.
Step 210, the TA receives the Applet's signature processing result for the online banking transaction message and sends the signature processing result to the online banking APP.
Step 211, the online banking APP sends the signature processing result to the online banking server for verification; if verification succeeds, the online banking APP carries out the online banking transaction operation.
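The Applet behaviour described earlier (fingerprint groups selected by the first APDU, a per-key use condition, and a verification flag that is valid for a single signing APDU) together with the TA-side flow of steps 204 to 210, as an added Python model that is not code from the patent. The class and function names, the status-word choices, the exact-match comparison and the HMAC-SHA256 stand-in for the private-key signature are assumptions made for illustration.

```python
import hashlib
import hmac

# 0x9000, 0x6982 and 0x6A88 are standard ISO 7816-4 status words; 0x6300 is
# the value this model uses for "comparison failed".
SW_OK = 0x9000
SW_VERIFY_FAILED = 0x6300
SW_SECURITY_NOT_SATISFIED = 0x6982
SW_NOT_FOUND = 0x6A88


class FingerprintModule:
    """Constructed stand-in for the sensor: returns the features presented to it."""

    def __init__(self, presented_features: bytes):
        self.presented_features = presented_features

    def capture(self) -> bytes:
        return self.presented_features


class SigningApplet:
    """Model of one Applet in the SE; each instance owns a private store."""

    def __init__(self):
        self._groups = {}            # group id -> list of enrolled templates
        self._keys = {}              # key id -> (key bytes, required group id)
        self._verified_group = None  # one-shot verification flag

    def enroll(self, group_id: int, template: bytes) -> None:
        self._groups.setdefault(group_id, []).append(template)

    def import_key(self, key_id: int, key: bytes, required_group: int) -> None:
        # The use condition is fixed when the key is generated or imported.
        self._keys[key_id] = (key, required_group)

    def verify_fingerprint(self, group_id: int, module: FingerprintModule) -> int:
        """First APDU: capture a fresh sample and compare within one group only."""
        self._verified_group = None  # a new attempt never inherits an old result
        templates = self._groups.get(group_id)
        if templates is None:
            return SW_NOT_FOUND
        sample = module.capture()
        # Assumption: exact match stands in for a real fuzzy fingerprint matcher.
        if any(hmac.compare_digest(sample, t) for t in templates):
            self._verified_group = group_id
            return SW_OK
        return SW_VERIFY_FAILED

    def sign(self, key_id: int, message: bytes):
        """Second APDU: sign only if the key's use condition is met."""
        # Consume the flag first, so it is single-use even if this request
        # ends up being refused (slightly stricter than the text requires).
        verified, self._verified_group = self._verified_group, None
        entry = self._keys.get(key_id)
        if entry is None:
            return SW_NOT_FOUND, b""
        key, required_group = entry
        if verified is None or verified != required_group:
            return SW_SECURITY_NOT_SATISFIED, b""
        # Assumption: HMAC-SHA256 stands in for the private-key signature.
        return SW_OK, hmac.new(key, message, hashlib.sha256).digest()


def ta_sign_transaction(applet, module, group_id, key_id, message, user_confirmed):
    """TA side of steps 204-210: confirm, verify fingerprint, request signing."""
    if not user_confirmed:
        return "failed", "user cancelled the transaction", b""
    if applet.verify_fingerprint(group_id, module) != SW_OK:
        return "failed", "fingerprint verification failed", b""
    sw, signature = applet.sign(key_id, message)
    if sw != SW_OK:
        return "failed", "signing refused", b""
    return "ok", "", signature


def build_demo_applet() -> SigningApplet:
    """Constructed sample data: group 1 holds two fingers of one user."""
    applet = SigningApplet()
    applet.enroll(1, b"alice-right-index")
    applet.enroll(1, b"alice-left-thumb")
    applet.enroll(2, b"bob-right-index")
    applet.import_key(0x10, b"constructed-demo-key", required_group=1)
    return applet


if __name__ == "__main__":
    applet = build_demo_applet()
    alice = FingerprintModule(b"alice-left-thumb")
    print(ta_sign_transaction(applet, alice, 1, 0x10, b"constructed tx", True)[0])
    print(hex(applet.sign(0x10, b"second tx")[0]))  # flag already consumed
```

A second signing request without a fresh fingerprint verification is refused, and a verification against group 2 does not satisfy a key whose use condition names group 1.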
In one embodiment, in the ARM TrustZone-based technical architecture, the most widely used trusted execution environment OSes at present are the GP TEE from GP and QSEE from Qualcomm. As shown in Fig. 3, the TA is connected to the fingerprint module and the eSE through an SPI bus, with the CPU as the master device and the fingerprint module and eSE as slave devices. The eSE and the fingerprint module are also connected through another SPI bus, with the eSE as the master device and the fingerprint module as the slave device.
Through the physical layer interface provided by the SE module, the Applet controls the fingerprint module to capture a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image. The fingerprint module includes a main control unit and a sensor unit. The main control unit receives the fingerprint acquisition instruction sent by the Applet, controls the sensor unit to obtain a fingerprint image, extracts the fingerprint data to be verified from the fingerprint image, and sends it to the Applet.
In one embodiment, as shown in Fig. 4, the present invention provides an identity authentication device 40, comprising: a trusted application TA 41 running in a trusted execution environment TEE, an Applet 42 running in a secure element SE module, and a fingerprint module 43.
The TA 41 sends a user fingerprint verification request to the Applet 42. The Applet 42 drives the fingerprint module 43 to collect the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module 43. The Applet 42 compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity authentication, and sends a user identity authentication result message to the TA 41. Multiple Applets 42 run in the SE module; the fingerprint feature data stored in different Applets is isolated from one another and cannot be accessed by one another.
The TA 41 sends the user fingerprint verification request to its corresponding Applet 42 via a first APDU command, and the first APDU command carries fingerprint feature identification information. The Applet 42 obtains the fingerprint feature data corresponding to the fingerprint feature identification information and compares this fingerprint feature data with the fingerprint data to be verified; if the comparison is determined to be successful, user identity authentication is determined to be successful.
On receiving the user identity authentication success message sent by the Applet 42, the TA 41 sends the transaction message corresponding to this user to the Applet 42 via a second APDU command for signature processing. After determining that user identity authentication has succeeded, the Applet 42 sets the verification flag of the user who passed verification to valid. The Applet 42 obtains the private key corresponding to this user and performs signature processing on the transaction message, and after the signature processing sets this user's verification flag to invalid.
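The two-APDU exchange and the one-shot verification flag described above can be modeled as follows. This is an added example, not code from the patent: the instruction bytes, the choice of status words, the class and function names, the exact-match comparison and the use of HMAC-SHA256 in place of the private-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical instruction bytes; the patent names only a "first" and a "second" APDU.
INS_VERIFY, INS_SIGN = 0x20, 0x2A
# ISO 7816-4 status words chosen for this model (assumption).
SW_OK, SW_VERIFY_FAILED, SW_NOT_ALLOWED, SW_NOT_FOUND, SW_BAD_INS = (
    0x9000, 0x6300, 0x6982, 0x6A88, 0x6D00)


class FingerprintModule:
    """Stand-in for the sensor that the Applet drives over its own bus."""

    def __init__(self, next_capture: bytes):
        self.next_capture = next_capture

    def capture(self) -> bytes:
        return self.next_capture


class SigningApplet:
    """Model of one Applet: private templates, private key, one-shot flag."""

    def __init__(self, key: bytes, templates: dict, sensor: FingerprintModule):
        self._key = key                  # never returned to the caller
        self._templates = templates      # feature id -> enrolled template
        self._sensor = sensor
        self._verified = False           # the "verification flag"

    def process(self, ins: int, data: bytes):
        """Handle one APDU; returns (status_word, response_bytes)."""
        if ins == INS_VERIFY:
            self._verified = False       # each new attempt starts from invalid
            template = self._templates.get(data)
            if template is None:
                return SW_NOT_FOUND, b""
            candidate = self._sensor.capture()
            # Real matchers score similarity; exact comparison is a stand-in.
            if not hmac.compare_digest(candidate, template):
                return SW_VERIFY_FAILED, b""
            self._verified = True
            return SW_OK, b""
        if ins == INS_SIGN:
            if not self._verified:
                return SW_NOT_ALLOWED, b""
            self._verified = False       # consume the flag: one signature per match
            # HMAC-SHA256 stands in for the private-key signature.
            return SW_OK, hmac.new(self._key, data, hashlib.sha256).digest()
        return SW_BAD_INS, b""


def run_transaction(applet: SigningApplet, feature_id: bytes, message: bytes):
    """TA side: the first APDU verifies, the second signs only after success."""
    sw, _ = applet.process(INS_VERIFY, feature_id)
    if sw != SW_OK:
        return sw, b""
    return applet.process(INS_SIGN, message)


def demo():
    """Constructed data: one enrolled finger, then a second sign request and a wrong finger."""
    sensor = FingerprintModule(b"ridge-pattern-A")
    applet = SigningApplet(b"k" * 32, {b"\x01": b"ridge-pattern-A"}, sensor)
    ok = run_transaction(applet, b"\x01", b"pay 100 to acct 42")
    second = applet.process(INS_SIGN, b"pay 100 to acct 42")  # flag already consumed
    sensor.next_capture = b"ridge-pattern-B"
    wrong_finger = run_transaction(applet, b"\x01", b"pay 100 to acct 42")
    return ok[0], second[0], wrong_finger[0]
```

Because the flag is cleared before the signature is returned, a second signing request without a fresh fingerprint match is refused, which is the property the valid/invalid flag handling above is meant to provide.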
Through the physical layer interface provided by the SE module, the Applet 42 controls the fingerprint module 43 to collect a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image. The fingerprint module 43 comprises a main control unit and a sensor unit. The main control unit receives the fingerprint collection instruction sent by the Applet, controls the sensor unit to obtain a fingerprint image, extracts the fingerprint data to be verified from the fingerprint image, and sends it to the Applet 42. The TA 41 is connected to the fingerprint module 43 and to the SE module, respectively, by an SPI bus. The SE module and the fingerprint module are connected by an SPI bus.
In one embodiment, the present invention provides a mobile terminal comprising the identity authentication device of any of the above embodiments. The mobile terminal may be a smartphone, a tablet computer, etc.
Fig. 5 is a block diagram of another embodiment of the identity authentication device of the present invention. As shown in Fig. 5, the device may include a memory 51, a processor 52, and a bus 53. The memory 51 is used to store instructions, the processor 52 is coupled to the memory 51, and the processor 52 is configured to carry out the above identity authentication method by executing the instructions stored in the memory 51. The memory 51 may be a high-speed RAM memory, a non-volatile memory, etc., and the memory 51 may also be a memory array. The processor 52 may be a central processing unit (CPU), etc.
With the identity authentication method, device, and mobile terminal of the above embodiments, the TA sends a user fingerprint verification request to the Applet running in the SE module; the Applet drives the fingerprint module to collect the user's fingerprint, obtains the fingerprint data to be verified, compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity authentication, and sends a user identity authentication result message to the TA. The fingerprint verification request can be initiated and the verification result processed in the more secure TEE environment, while the collection, secure storage, and verification of fingerprint feature data are performed in the more secure eSE environment. The fingerprint feature data stored by different Applets is completely isolated and cannot be accessed by one another, which achieves secure storage and verification of fingerprint feature data and ensures the security of services such as transactions.
The method and system of the present invention may be implemented in many ways. For example, they may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above order of the method steps is for illustration only, and the steps of the method of the present invention are not limited to the order specifically described above unless otherwise specifically stated. In addition, in some embodiments the present invention may also be embodied as programs recorded on a recording medium, these programs comprising machine-readable instructions for implementing the method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention is given for the sake of example and description, and is not intended to be exhaustive or to limit the invention to the form disclosed. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were chosen and described in order to better explain the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention so as to design various embodiments with various modifications suited to particular uses.
Claims (22)
1. An identity authentication method, characterized by comprising:
a trusted application TA running in a trusted execution environment TEE sends a user fingerprint verification request to an Applet running in a secure element SE module;
the Applet drives a fingerprint module to collect the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module;
the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity authentication, and sends a user identity authentication result message to the TA.
2. The method of claim 1, characterized in that the TA sending the user identity authentication request to the Applet comprises:
the TA sends the user fingerprint verification request, via a first APDU command, to the Applet corresponding to the TA, wherein the first APDU command carries fingerprint feature identification information.
3. The method of claim 2, characterized in that the Applet comparing the fingerprint data to be verified with the stored fingerprint feature data and performing user identity authentication comprises:
the Applet obtains the fingerprint feature data corresponding to the fingerprint feature identification information;
the Applet compares this fingerprint feature data with the fingerprint data to be verified, and if the comparison is determined to be successful, determines that user identity authentication is successful.
4. The method of claim 3, characterized by further comprising:
on receiving the user identity authentication success message sent by the Applet, the TA sends the transaction message corresponding to this user to the Applet via a second APDU command for signature processing.
5. The method of claim 4, characterized by further comprising:
after determining that user identity authentication has succeeded, the Applet sets the verification flag of the user who passed verification to valid;
the Applet obtains the private key corresponding to this user and performs signature processing on the transaction message, and after the signature processing sets this user's verification flag to invalid.
6. The method of claim 1, characterized in that
multiple Applets run in the SE module, and the fingerprint feature data stored in different Applets is isolated from one another.
7. The method of claim 1, characterized in that the Applet driving the fingerprint module to collect the user's fingerprint comprises:
the Applet controls the fingerprint module, through the physical layer interface provided by the SE module, to collect a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image.
8. The method of claim 7, characterized in that the fingerprint module comprises: a main control unit and a sensor unit;
the main control unit receives the fingerprint collection instruction sent by the Applet and controls the sensor unit to obtain a fingerprint image;
the main control unit extracts the fingerprint data to be verified from the fingerprint image and sends it to the Applet.
9. The method of claim 1, characterized in that the processor running the TA is connected to the fingerprint module and to the SE module, respectively, by a data bus; the SE and the fingerprint module are connected by a data bus.
10. The method of claim 1, characterized in that
the SE module includes: an eSE module, an inSE module.
11. An identity authentication device, characterized by comprising:
a trusted application TA running in a trusted execution environment TEE, an Applet running in a secure element SE module, and a fingerprint module;
the TA sends a user fingerprint verification request to the Applet; the Applet drives the fingerprint module to collect the user's fingerprint and obtains the fingerprint data to be verified sent by the fingerprint module; the Applet compares the fingerprint data to be verified with the fingerprint feature data stored inside it, performs user identity authentication, and sends a user identity authentication result message to the TA.
12. The device of claim 11, characterized in that
the TA is configured to send the user fingerprint verification request to its corresponding Applet via a first APDU command, wherein the first APDU command carries fingerprint feature identification information.
13. The device of claim 12, characterized in that
the Applet is configured to obtain the fingerprint feature data corresponding to the fingerprint feature identification information, compare this fingerprint feature data with the fingerprint data to be verified, and, if the comparison is determined to be successful, determine that user identity authentication is successful.
14. The device of claim 13, characterized in that
the TA is configured to receive the user identity authentication success message sent by the Applet and to send the transaction message corresponding to this user to the Applet via a second APDU command for signature processing.
15. The device of claim 14, characterized in that
the Applet is configured to, after determining that user identity authentication has succeeded, set the verification flag of the user who passed verification to valid; obtain the private key corresponding to this user and perform signature processing on the transaction message; and, after the signature processing, set this user's verification flag to invalid.
16. The device of claim 11, characterized in that
multiple Applets run in the SE module, and the fingerprint feature data stored in different Applets is isolated from one another.
17. The device of claim 11, characterized in that
the Applet is further configured to control the fingerprint module, through the physical layer interface provided by the SE module, to collect a user fingerprint image and extract the fingerprint data to be verified from the user fingerprint image.
18. The device of claim 17, characterized in that the fingerprint module comprises: a main control unit and a sensor unit;
the main control unit is configured to receive the fingerprint collection instruction sent by the Applet, control the sensor unit to obtain a fingerprint image, extract the fingerprint data to be verified from the fingerprint image, and send it to the Applet.
19. The device of claim 11, characterized in that
the processor running the TA is connected to the fingerprint module and to the SE module, respectively, by a data bus; the SE and the fingerprint module are connected by a data bus.
20. The device of claim 11, characterized in that
the SE module includes: an eSE module, an inSE module.
21. A mobile terminal, characterized by:
comprising the identity authentication device of any one of claims 11 to 20.
22. An identity authentication device, characterized by comprising:
a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the identity authentication method of any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810013600.XA CN108389049A (en) | 2018-01-08 | 2018-01-08 | Identity identifying method, device and mobile terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108389049A (en) | 2018-08-10 |
Family ID=63077041
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810013600.XA Pending CN108389049A (en) | 2018-01-08 | 2018-01-08 | Identity identifying method, device and mobile terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108389049A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20180810 |