CN112487505A - Data processing method and device and data processing device - Google Patents


Info

Publication number: CN112487505A
Application number: CN202011330694.7A
Authority: CN (China)
Prior art keywords: data, user, user data, key, trusted environment
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李振宇, 李延凯, 杨杏
Current assignee: Huakong Tsingjiao Information Technology Beijing Co Ltd
Original assignee: Huakong Tsingjiao Information Technology Beijing Co Ltd
Application filed by Huakong Tsingjiao Information Technology Beijing Co Ltd; priority to CN202011330694.7A; published as CN112487505A; legal status pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/78 ... to assure secure storage of data
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 ... to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Telephone Function (AREA)

Abstract

The embodiment of the invention provides a data processing method and device, and a device for data processing, applied to a mobile device. The method comprises the following steps: when permission from the user to acquire user data has been received, acquiring user data collected by a preset application in the mobile device and storing the acquired user data in a trusted environment of the mobile device; decrypting, using the private key stored in the trusted environment, the personal key that was encrypted with the public key corresponding to that private key, so as to obtain the personal key; and encrypting the user data stored in the trusted environment with the personal key and storing the resulting ciphertext in a storage space of the mobile device. The embodiment of the invention thereby guarantees secure storage and secure export of the user data, and so protects the privacy and security of the user data.

Description

Data processing method and device and data processing device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data processing method and apparatus, and an apparatus for data processing.
Background
Currently, while a user uses a mobile device (such as a mobile phone, a tablet computer or an intelligent wearable device), application software on the device may, once it has received the user's permission to obtain user data, monitor and collect that data in real time: personal health data, trajectory data, consumption records and the like.
Ownership of and the right to dispose of user data belong to the user, who may collect, aggregate, analyze, dispose of, trade and otherwise use their own data. However, application software usually writes the plaintext of the user data directly to disk, so the plaintext is exposed in an unsafe space and is at risk of being leaked. Alternatively, the application software may encrypt the user data and store the ciphertext on disk; but the key for that ciphertext is easily intercepted by a third-party application or plug-in, so the user data is still at risk of being leaked by decrypting the ciphertext or performing other malicious operations.
Disclosure of Invention
Embodiments of the present invention provide a data processing method and apparatus, and an apparatus for data processing, so that a user can collect personal information securely and faithfully through a mobile device, avoiding the risk of personal information being leaked.
In order to solve the above problem, an embodiment of the present invention discloses a data processing method applied to a mobile device, where the method includes:
when permission from the user to acquire user data has been received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device;
decrypting, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
and encrypting the user data stored in the trusted environment using the personal key, and storing the ciphertext data obtained by the encryption in a storage space of the mobile device.
Optionally, after the encrypted ciphertext data is stored in the storage space of the mobile device, the method further includes:
receiving an export instruction for the ciphertext data;
and, in response to the export instruction, transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction.
Optionally, before responding to the export instruction, the method further includes:
receiving biometric data entered by the user and storing the entered biometric data in the trusted environment;
and the transmitting of the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction, in response to the export instruction, comprises:
collecting the biometric data of the current user in real time;
comparing the biometric data of the current user collected in real time with the biometric data stored in the trusted environment to obtain a comparison result;
and, if the comparison result meets a preset condition, responding to the export instruction and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction.
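The biometric gate described in the optional steps above, as an added example written for this page (it is not code from the patent or its assignee). It assumes a simplified trusted environment that holds an enrolled feature vector and a threshold as the "preset condition", uses cosine similarity as the comparison, and treats the stored ciphertext as opaque bytes that are copied but never decrypted; the `ExportGate`, `Template` and `Storage` names and the sample vectors are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Template is a constructed stand-in for biometric data: a feature vector such
// as a face or fingerprint pipeline would produce (real extractors differ).
type Template []float64

// ExportGate is the part of the trusted environment that decides on exports:
// the enrolled template and the preset condition (a minimum similarity).
type ExportGate struct {
	enrolled  Template
	threshold float64
}

// Storage models a storage space, either the mobile device's own or that of
// the device named in an export instruction; it only ever holds ciphertext.
type Storage map[string][]byte

// NewExportGate is the enrolment step: biometric data entered by the user is
// kept inside the trusted environment together with the preset threshold.
func NewExportGate(enrolled Template, threshold float64) (*ExportGate, error) {
	if len(enrolled) == 0 || threshold <= 0 || threshold > 1 {
		return nil, errors.New("invalid enrolment template or threshold")
	}
	return &ExportGate{enrolled: enrolled, threshold: threshold}, nil
}

// Compare scores a live capture against the enrolled template with cosine
// similarity (1 = identical direction). Malformed input scores 0, never a match.
func (g *ExportGate) Compare(live Template) float64 {
	if len(live) != len(g.enrolled) {
		return 0
	}
	var dot, na, nb float64
	for i := range live {
		dot += live[i] * g.enrolled[i]
		na += live[i] * live[i]
		nb += g.enrolled[i] * g.enrolled[i]
	}
	if na == 0 || nb == 0 {
		return 0
	}
	return dot / (math.Sqrt(na) * math.Sqrt(nb))
}

// Export responds to an export instruction for the named ciphertext only if the
// live capture meets the preset condition; the ciphertext is copied as-is and is
// never decrypted, so a passing export still needs the personal key to be read.
func (g *ExportGate) Export(live Template, name string, src, dst Storage) error {
	if g.Compare(live) < g.threshold {
		return errors.New("biometric comparison below threshold: export refused")
	}
	ct, ok := src[name]
	if !ok {
		return errors.New("no such ciphertext in device storage")
	}
	dst[name] = append([]byte(nil), ct...)
	return nil
}

func main() {
	gate, _ := NewExportGate(Template{0.9, 0.1, 0.4, 0.2}, 0.95) // constructed enrolment
	src := Storage{"health.enc": []byte{0xde, 0xad, 0xbe, 0xef}} // constructed ciphertext
	dst := Storage{}
	err := gate.Export(Template{0.88, 0.12, 0.41, 0.19}, "health.enc", src, dst)
	fmt.Println("export by enrolled user:", err, "->", len(dst), "item(s) transferred")
	err = gate.Export(Template{0.1, 0.9, 0.2, 0.5}, "health.enc", src, Storage{})
	fmt.Println("export by someone else:", err)
}
```

The gate refuses before touching storage, so a failed comparison moves nothing; and because what leaves the device is ciphertext under the user's personal key, the biometric check controls when data leaves, while the personal key controls who can read it.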
Optionally, the acquiring user data collected by a preset application in the mobile device includes:
acquiring, offline, user data collected by the preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device.
Optionally, the acquiring user data collected by a preset application in the mobile device includes:
obtaining, online, the user data collected by the preset application, provided the authorization of the preset application has been obtained.
Optionally, before decrypting, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, the method further includes:
generating a public key and private key pair according to a preset key algorithm, returning the public key to the user, and storing the private key in the trusted environment;
and receiving the personal key encrypted by the user using the public key.
Optionally, the trusted environment includes an instruction set extension SGX environment, a trusted execution environment TEE, and a secure operating system Trusty environment.
In another aspect, an embodiment of the invention discloses a data processing device applied to a mobile device, the device comprising:
a data acquisition module, configured to acquire user data collected by a preset application in the mobile device and store the acquired user data in a trusted environment of the mobile device when permission from the user to acquire the user data has been received;
a key decryption module, configured to decrypt, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
and a data encryption and storage module, configured to encrypt the user data stored in the trusted environment using the personal key and store the resulting ciphertext data in a storage space of the mobile device.
Optionally, the apparatus further comprises:
an instruction receiving module, configured to receive an export instruction for the ciphertext data;
and a data export module, configured to respond to the export instruction by transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction.
Optionally, the apparatus further comprises:
a feature storage module, configured to receive biometric data entered by the user and store the entered biometric data in the trusted environment;
the data export module comprising:
a feature acquisition submodule, configured to collect the biometric data of the current user in real time;
a feature comparison submodule, configured to compare the biometric data of the current user collected in real time with the biometric data stored in the trusted environment to obtain a comparison result;
and a data export submodule, configured to respond to the export instruction by transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction if the comparison result meets a preset condition.
Optionally, the data acquisition module is specifically configured to obtain, offline, user data collected by a preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device.
Optionally, the data acquisition module is specifically configured to obtain, online, the user data collected by the preset application, provided the authorization of the preset application has been obtained.
Optionally, the apparatus further comprises:
a key generation module, configured to generate a public key and private key pair according to a preset key algorithm, return the public key to the user, and store the private key in the trusted environment;
and a key receiving module, configured to receive the personal key encrypted by the user using the public key.
Optionally, the trusted environment includes an instruction set extension SGX environment, a trusted execution environment TEE, and a secure operating system Trusty environment.
In yet another aspect, an embodiment of the present invention discloses an apparatus for data processing, applied to a mobile device, the apparatus including a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, and include instructions for:
when permission from the user to acquire user data has been received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device;
decrypting, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
and encrypting the user data stored in the trusted environment using the personal key, and storing the ciphertext data obtained by the encryption in a storage space of the mobile device.
Optionally, the one or more programs, executed by the one or more processors, further include instructions for:
receiving an export instruction for the ciphertext data;
and, in response to the export instruction, transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction.
Optionally, the one or more programs, executed by the one or more processors, further include instructions for:
receiving biometric data entered by the user and storing the entered biometric data in the trusted environment;
and the transmitting of the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction, in response to the export instruction, comprises:
collecting the biometric data of the current user in real time;
comparing the biometric data of the current user collected in real time with the biometric data stored in the trusted environment to obtain a comparison result;
and, if the comparison result meets a preset condition, responding to the export instruction and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device specified by the export instruction.
Optionally, the acquiring user data collected by a preset application in the mobile device includes:
acquiring, offline, user data collected by the preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device.
Optionally, the acquiring user data collected by a preset application in the mobile device includes:
obtaining, online, the user data collected by the preset application, provided the authorization of the preset application has been obtained.
Optionally, the one or more programs, executed by the one or more processors, further include instructions for:
generating a public key and private key pair according to a preset key algorithm, returning the public key to the user, and storing the private key in the trusted environment;
and receiving the personal key encrypted by the user using the public key.
Optionally, the trusted environment includes an instruction set extension SGX environment, a trusted execution environment TEE, and a secure operating system Trusty environment.
In yet another aspect, an embodiment of the invention discloses a machine-readable medium having stored thereon instructions, which, when executed by one or more processors, cause an apparatus to perform a data processing method as described in one or more of the preceding.
The embodiment of the invention has the following advantages:
The embodiment of the invention provides a data processing method for securely storing and securely exporting user data collected by a preset application in a mobile device. When permission from the user to obtain the user data has been received, the user data collected by the preset application in the mobile device is obtained and stored in the trusted environment of the mobile device, so that the plaintext of the collected user data is never exposed in an unsafe space, improving the privacy and security of the user data. In addition, the user's private key is stored in the trusted environment, and only the private key in the trusted environment can decrypt the encrypted personal key, so the private key cannot be intercepted by a third-party application or plug-in and used to recover the user's personal key by decryption; this removes the risk of the ciphertext data being decrypted or otherwise maliciously manipulated, and further ensures the privacy and security of the user data. Finally, storing and exporting the user data collected by the preset application does not require the mobile device to be connected to a network, so the mobile device can be kept in a secure, isolated environment, which provides a guarantee for secure storage and secure export of the user data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a flow chart of the steps of one data processing method embodiment of the present invention;
FIG. 2 is a block diagram of an embodiment of a data processing apparatus according to the present invention;
FIG. 3 is a block diagram of an apparatus 800 for data processing of the present invention;
FIG. 4 is a schematic diagram of a server in some embodiments of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Method embodiment
Referring to FIG. 1, a flowchart illustrating the steps of an embodiment of a data processing method according to the present invention is shown; the method is applied to a mobile device and specifically includes the following steps:
Step 101: when permission from the user to acquire user data has been received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device;
Step 102: decrypting, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
Step 103: encrypting the user data stored in the trusted environment using the personal key, and storing the ciphertext data obtained by the encryption in a storage space of the mobile device.
The data processing method provided in the embodiment of the present invention may be applied to a mobile device, which may be, for example, a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a vehicle-mounted electronic device, a wearable device, an Ultra-Mobile Personal Computer (UMPC), a netbook or a Personal Digital Assistant (PDA); a non-mobile electronic device may be a server, Network Attached Storage (NAS), a Personal Computer (PC), a television (TV), a teller machine or a self-service machine. The type of the mobile device is not specifically limited in the embodiment of the present invention.
The mobile device may run an operating system, which may be Android, iOS or another possible operating system; the embodiment of the present invention is not specifically limited in this respect.
The mobile device can provide a human-computer interaction interface, which may be implemented as a web page, an application page, a window or the like. Through this interface, the user's personal key can be received, and the data export instruction issued by the user can be received.
The preset application is application software which can collect user data in real time when the permission right that the user agrees to obtain the user data is received in the mobile equipment. The preset applications include, but are not limited to, applications for monitoring and collecting user personal health data, applications for tracking user trajectories or locating user locations, applications for collecting and analyzing user consumption preferences, and the like. The user data includes, but is not limited to, personal health data, trajectory data, consumption records, etc. of the user.
The data processing method provided by the embodiment of the invention is used to securely store and securely export the user data collected by the preset application in the mobile device. Secure storage means that the user data collected by the preset application is encrypted before being written to the storage space of the mobile device, so that at no point in the process is the plaintext of the user data exposed in an unsafe space. Secure export means exporting the ciphertext data stored in the storage space of the mobile device to another device; because the ciphertext can be decrypted only with the personal key held by the user, it cannot be decrypted by a third party during export, and the security of the export process is ensured.
To ensure that the user data collected by a preset application can be stored securely, the embodiment of the invention, when permission from the user to acquire the user data has been received, acquires the user data collected by the preset application in the mobile device and stores it in a trusted environment of the mobile device. Since the user data collected by the preset application is plaintext, storing it in the trusted environment avoids exposing plaintext user data in an unsafe space.
A trusted environment refers to an environment in which the behavior of a component, process, or operation is predictable under any operating condition and is well-protected against corruption by unwanted code and certain physical disturbances. In mobile devices, the trusted environment may typically be provided by a hardware platform in conjunction with a secure operating system. A secure operating system refers to an operating system that causes a mobile device to operate in a secure mode.
In an optional embodiment of the invention, the trusted environment includes, but is not limited to: a Trusted Execution Environment (TEE), an instruction set extension SGX (Software Guard Extensions) environment, and a secure operating system Trusty environment.
The trusted execution environment (TEE) is an execution environment made secure by hardware isolation of external and internal resources. Its core idea is to use trusted hardware as the carrier and provide hardware-level strong security isolation alongside a general computing environment: data is decrypted and computed only inside an isolated secure zone, the Enclave; its plaintext cannot be accessed by any other means; and the data is automatically encrypted again before leaving the Enclave.
Further, the TEE may be implemented on the basis of a hardware device, or by a program written in a predetermined programming language (i.e., in software). The TEE is an area on the mobile device's CPU (Central Processing Unit). This area provides a more secure space for executing data and code and ensures the confidentiality and integrity of its contents.
SGX is an extension of the Intel instruction set architecture that guarantees the confidentiality and integrity of key code and data by providing a secure area (an Enclave), i.e., an encrypted trusted execution area in memory, on the computing platform.
For an Enclave, only the Enclave itself can access the program and data inside it; other enclaves, the Basic Input/Output System (BIOS), the operating system (OS), Direct Memory Access (DMA), display cards and other software and hardware have no access rights. To access the program and data in the Enclave, access authentication must be performed, Enclave mode entered and a series of legality checks passed; only then can the program in the Enclave run and the data in the Enclave be accessed. When the program in the Enclave finishes running, control returns to the application program.
Trusty is a secure operating system that provides a trusted execution environment for the Android operating system. Trusty runs on the same processor as Android, but is isolated from the rest of the Android operating system by hardware and software.
The embodiment of the invention can securely store and export the user data collected by the preset application in the mobile device. Specifically, when permission from the user to obtain the user data has been received, the user data collected by the preset application in the mobile device is obtained and stored in the trusted environment of the mobile device, so that the plaintext of the collected user data is never exposed in an unsafe space, which improves the privacy and security of the user data.
Further, to avoid the risk that the private key is intercepted by a third-party application or plug-in and used to obtain the user's personal key by decryption, and then to decrypt the ciphertext data or perform other malicious operations, the user's private key is stored in the trusted environment of the mobile device. Before the user data collected by the preset application is securely stored, the embodiment of the invention receives the encrypted personal key input by the user; this encrypted personal key was produced by encryption with the public key corresponding to the private key and can be decrypted only with the private key stored in the trusted environment of the mobile device. After the encrypted personal key has been decrypted with that private key to obtain the user's personal key, the personal key is used to encrypt the user data stored in the trusted environment, and the resulting ciphertext data is stored in the storage space of the mobile device, completing the secure storage process.
In an optional embodiment of the present invention, before step 102 (decrypting, using the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key), the method further includes:
Step S11: generating a public key and private key pair according to a preset key algorithm, returning the public key to the user, and storing the private key in the trusted environment;
and Step S12: receiving the personal key encrypted by the user using the public key.
Before the user data collected by the preset application in the mobile device is securely stored, the embodiment of the invention generates a public and private key pair in advance according to a preset key algorithm, returns the public key of the pair to the user, and stores the private key of the pair in the trusted environment. The preset key algorithm may be an asymmetric encryption algorithm. An asymmetric encryption algorithm uses two keys, a public key and a private key, which form a pair: data encrypted with the public key can be decrypted only with the corresponding private key. In the embodiment of the present invention, the public key is used to encrypt the user's personal key, yielding the encrypted personal key, and the private key is used to decrypt the encrypted personal key to recover the user's personal key.
It should be understood that the embodiment of the present invention does not limit the type of asymmetric encryption algorithm used. For example, the asymmetric algorithms that may be employed include, but are not limited to, RSA, ElGamal, knapsack algorithms, Rabin, Diffie-Hellman (D-H) and ECC (Elliptic Curve Cryptography).
In one example, the trusted environment is an SGX-based secure zone (Enclave) and the preset encryption algorithm is an elliptic curve algorithm: a public and private key pair is generated inside the Enclave using the elliptic curve algorithm, the private key is kept in the Enclave and the public key is exported to the user. When the user then triggers the mobile device to securely store the user data collected by the preset application, the mobile device may, in response, prompt the user to input the personal key and receive the personal key encrypted by the user with the public key they hold. The mobile device decrypts the encrypted personal key with the private key stored in its trusted environment to obtain the user's personal key, encrypts the user data stored in the trusted environment with that personal key, and stores the resulting ciphertext in the storage space of the mobile device. The user data collected by the preset application is thus stored securely: during storage the plaintext of the user data is never exposed in an unsafe space, which improves its privacy and security. In addition, the private key is stored in the trusted environment (here the secure zone Enclave) and only that private key can decrypt the encrypted personal key, so the private key cannot be intercepted by a third-party application or plug-in and used to recover the user's personal key by decryption; this removes the risk of decrypting the ciphertext data or performing other malicious operations, and further ensures the privacy and security of the user data.
After the preset application in the mobile device collects the user data, a process of securely storing the collected user data may be automatically performed. In embodiments of the present invention, the secure storage may include a real-time storage or a periodic storage.
Real-time storage means that, while the preset application collects user data in real time, the user data collected in real time is encrypted according to the above steps and stored in the storage space of the mobile device. Periodic storage means that the user data collected by the preset application is encrypted according to a preset period and stored in the storage space of the mobile device. For example, if the preset period is 3 days, the user data collected by the preset application over the last 3 days is encrypted every 3 days and stored in the storage space of the mobile device.
It should be noted that, step S11 and step S12 may be executed before step S102, but the specific execution timing and execution times of step S11 and step S12 are not limited by the embodiment of the present invention. For example, when the mobile device initializes the secure storage function, steps S11 and S12 may be performed, and after the mobile device receives the encrypted personal key input by the user for the first time, the personal key encrypted based on the public key corresponding to the private key may be decrypted by using the private key stored in the trusted environment to obtain the personal key, and the personal key may be stored in the trusted environment of the mobile device. Therefore, the mobile device can automatically and safely store the user data collected by the preset application, and the steps S11 and S12 do not need to be executed in the subsequent automatic safe storage process.
Further, the embodiment of the present invention may also update the public key and private key pair. Specifically, a key update request input by the user may be received; when the request is received and the identity of the current user has passed authentication, step S11 may be executed again to generate a new public key and private key pair, the new public key is returned to the user, and the private key stored in the trusted environment is replaced by the new private key, which completes the update of the key pair. The subsequent secure storage process then uses the new public key and private key pair, which further improves the security of the private key.
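As an added example (written for this page, not the applicant's code) of the flow in the example above and of the key update just described, the following Go program models the trusted environment as an Enclave value: the key pair is generated inside it and only the public key leaves; the user's personal key arrives wrapped under that public key and is unwrapped with the enclave-resident private key; the user data is encrypted with the personal key and only ciphertext reaches ordinary storage, where it can be exported and opened on the designated device by the holder of the personal key. RSA-OAEP stands in for the elliptic curve algorithm of the example (RSA is among the algorithms listed above), AES-256-GCM is an assumed choice for encrypting the user data, and the 32-byte personal key, the OAEP label and the step names in the comments are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Enclave models the mobile device's trusted environment (SGX Enclave or TEE);
// its fields are assumed reachable only from inside it. Constructed model, not the applicant's code.
type Enclave struct {
	priv        *rsa.PrivateKey // generated in, never exported from, the enclave
	personalKey []byte          // present only after the wrapped key is decrypted
}

// RotateKeyPair is step S11 and also the key-update path: a fresh pair is made
// inside the enclave, the private half stays, the public half goes to the user.
// RSA-OAEP stands in for the elliptic-curve algorithm of the patent's example.
func (e *Enclave) RotateKeyPair() (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	e.priv = priv
	return &priv.PublicKey, nil
}

// WrapPersonalKey is the user's side of step S12: the personal key is encrypted
// under the enclave's public key before it is handed to the device.
func WrapPersonalKey(pub *rsa.PublicKey, personalKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, personalKey, []byte("personal-key"))
}

// ReceivePersonalKey is step S102: unwrap with the enclave-resident private key
// and keep the result inside. A key wrapped under a rotated-out public key fails here.
func (e *Enclave) ReceivePersonalKey(wrapped []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, wrapped, []byte("personal-key"))
	if err == nil {
		e.personalKey = k
	}
	return err
}

// SealForStorage is step 103: user data held in the trusted environment is encrypted
// with the personal key (AES-256-GCM, constructed choice); nonce||ciphertext||tag may sit in ordinary storage.
func (e *Enclave) SealForStorage(userData []byte) ([]byte, error) {
	aead, err := newGCM(e.personalKey) // rejects a missing or wrong-length key
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, userData, nil), nil
}

// OpenExported runs on the designated device with the personal key the user holds;
// a wrong key or a modified blob fails the GCM tag check and returns an error, not garbage.
func OpenExported(personalKey, blob []byte) ([]byte, error) {
	aead, err := newGCM(personalKey)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("bad key length or malformed blob")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip runs the whole flow once and returns what the designated device recovers.
func RoundTrip(personalKey, userData []byte) ([]byte, error) {
	enc := &Enclave{}
	pub, err := enc.RotateKeyPair()
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapPersonalKey(pub, personalKey)
	if err == nil {
		err = enc.ReceivePersonalKey(wrapped)
	}
	if err != nil {
		return nil, err
	}
	blob, err := enc.SealForStorage(userData)
	if err != nil {
		return nil, err
	}
	return OpenExported(personalKey, blob)
}
```

Two properties of the text are visible in the model: nothing outside the Enclave value ever sees the private key or the unwrapped personal key, and once RotateKeyPair has run, a personal key that was wrapped under the previous public key no longer unwraps, so a captured wrapped key is useless after the update.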
In an optional embodiment of the present invention, after the storing the encrypted ciphertext data in the storage space of the mobile device in step 103, the method further includes:
step S21, receiving an export instruction of the ciphertext data;
and step S22, in response to the export instruction, transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction.
After the user data collected by the preset application has been securely stored in ciphertext form in the storage space of the mobile device, the mobile device may receive an export instruction for the ciphertext data and, in response to it, transmit the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction.
The designated device may be any device, such as a user's personal computer, etc. After the mobile device establishes a secure connection with the specified device, the ciphertext data in the mobile device can be transmitted to the storage space of the specified device through the secure connection. The secure connection may be a connection through a USB (Universal Serial Bus) without connecting to a network. Alternatively, the secure connection may be a secure trusted network connection established between the mobile device and the designated device. Alternatively, the secure connection may be a bluetooth connection, an infrared connection, a near field connection, or the like, which is established between the mobile device and the designated device after authorization. The embodiment of the present invention is not limited thereto.
After the ciphertext data is transmitted to the storage space of the designated device, the user can decrypt the ciphertext data by using the personal key held by the user, so as to obtain plaintext user data. Since the personal key of the user is owned by the user, the ciphertext data can be decrypted only by the personal key of the user, and therefore, the decryption process of the ciphertext data can be carried out in any safe or offline environment. Therefore, the embodiment of the invention can provide the processes of collecting, safely storing and safely exporting the personal user data for the user, so that the user can analyze, process, manage and the like the personal user data.
In an optional embodiment of the present invention, before responding to the export instruction in step S12, the method further comprises: receiving biometric data entered by the user and storing the entered biometric data in the trusted environment;
The step S22 of transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction in response to the export instruction includes:
step S221, collecting the biometric data of the current user in real time;
step S222, comparing the biometric data of the current user collected in real time with the biometric data stored in the trusted environment to obtain a comparison result;
step S223, if the comparison result meets a preset condition, responding to the export instruction, and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction.
In order to further improve the privacy and security of the user data and avoid the risk of the user data being stolen by others, the embodiment of the invention verifies the identity of the current user by biometric identification technology before executing the export instruction.
Biometric characteristics are physiological characteristics or behavior patterns unique to each individual that can be measured or automatically identified and verified. They include physiological characteristics (e.g., fingerprint, face image, iris, palm print, etc.) and behavioral characteristics (e.g., gait, voice, handwriting, etc.). Biometric identification identifies and authenticates each individual on the basis of the biometric characteristics unique to that individual.
Specifically, the embodiment of the present invention stores in advance, in the trusted environment of the mobile device, biometric data entered by the user. Each time an instruction to export the ciphertext data from the mobile device is received, biometric identification is performed on the current user: the biometric data of the current user is acquired in real time and compared with the biometric data stored in the trusted environment to obtain a comparison result. If the comparison result meets a preset condition, that is, if the biometric data of the current user matches the biometric data pre-stored in the trusted environment, the identity authentication is passed, the export instruction can be responded to, and the ciphertext data is transmitted from the storage space of the mobile device to the storage space of the device designated by the export instruction.
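An added example (constructed for this page, not the applicant's code) of the biometric gate in steps S221 to S223. The enrolled template stays inside the ExportGate value, which stands in for the trusted environment and never returns it; the preset condition is assumed to be a maximum Hamming distance between fixed-length feature codes (an iris-code-style bit string is assumed as the biometric data, since the text does not fix a modality); the ciphertext is handed out only when the live sample passes. The lockout after a number of consecutive failed verifications is an added defensive choice that the text does not describe.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/bits"
)

// maxFailures is an assumed lockout threshold, not a value from the patent.
const maxFailures = 5

// ExportGate models the part of the trusted environment that keeps the enrolled
// biometric template and decides whether an export instruction may be served.
// Constructed model for this page, not the applicant's code.
type ExportGate struct {
	template    []byte // enrolled in advance, stored only in the trusted environment
	maxDistance int    // the "preset condition": largest Hamming distance accepted
	ciphertext  []byte // ciphertext data held in the device's storage space
	failures    int    // consecutive failed verifications; the gate locks at maxFailures
}

// Enroll stores the user's template; no method ever returns it.
func Enroll(template, ciphertext []byte, maxDistance int) *ExportGate {
	return &ExportGate{
		template:    append([]byte(nil), template...),
		maxDistance: maxDistance,
		ciphertext:  ciphertext,
	}
}

// HammingDistance counts the bits that differ between two equal-length codes.
func HammingDistance(a, b []byte) (int, error) {
	if len(a) != len(b) {
		return 0, errors.New("feature code length mismatch")
	}
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d, nil
}

// Verify is steps S221 to S223: compare the live sample with the stored template
// and report whether the preset condition is met. A length mismatch never matches.
func (g *ExportGate) Verify(live []byte) bool {
	d, err := HammingDistance(g.template, live)
	return err == nil && d <= g.maxDistance
}

// Export responds to the export instruction only when Verify passes; otherwise
// nothing leaves the device. Repeated failures lock the gate until re-enrolment.
func (g *ExportGate) Export(live []byte) ([]byte, error) {
	if g.failures >= maxFailures {
		return nil, errors.New("export gate locked after repeated failed verifications")
	}
	if !g.Verify(live) {
		g.failures++
		return nil, errors.New("biometric verification failed; export refused")
	}
	g.failures = 0
	return append([]byte(nil), g.ciphertext...), nil
}

func main() {
	template := bytes.Repeat([]byte{0xA5}, 16) // constructed 128-bit enrolled code
	gate := Enroll(template, []byte("ciphertext-blob"), 8)
	live := append([]byte(nil), template...)
	live[0] ^= 0x03 // two bits of sensor noise in the live capture
	out, err := gate.Export(live)
	fmt.Println(string(out), err)
}
```

The comparison result is a distance and the preset condition a threshold, so a noisy but genuine capture (a few flipped bits) passes while a different person's code, which differs in roughly half its bits, is refused; the raw template is compared in place and never copied out of the gate.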
In an optional embodiment of the present invention, the acquiring user data collected by a preset application in the mobile device in step 101 includes: acquiring, offline, the user data collected by the preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device.
In the embodiment of the present invention, for acquiring the user data collected by the preset application in the mobile device, the embodiment of the present invention may provide two manners, namely, offline acquisition and online acquisition.
The offline acquisition process is as follows: the user data collected by the preset application in the mobile device is acquired offline through a data collection interface preset at the bottom layer of the mobile device. For example, on the iOS operating system the built-in Health application may collect health data of the user, such as sleep analysis, step count, active energy and the like, once it has received permission from the user to obtain the user data, and the health data collected by the Health application may be obtained through the HealthKit interface of the iOS operating system. HealthKit can share health data with other applications while the user keeps privacy and control over the data. As another example, on the Android operating system the built-in step-counting application may collect motion data such as the user's step count once it has received permission from the user to obtain the user data, and the motion data collected by the step-counting application may be obtained through the IsportStepInterface interface of the Android operating system.
It should be noted that, in a specific implementation, the operating system of the mobile device is not limited to the iOS and Android operating systems listed in the above example, the preset application is not limited to the Health application built into the iOS operating system and the step-counting application built into the Android operating system listed in the above example, and the data collection interface preset at the bottom layer of the mobile device is not limited to the HealthKit interface of the iOS operating system and the IsportStepInterface of the Android operating system listed in the above example.
In an optional embodiment of the present invention, the acquiring user data collected by a preset application in the mobile device in step 101 includes: obtaining the user data collected by the preset application online, on condition that authorization from the preset application has been obtained.
In addition to offline acquiring user data collected by a preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device, the embodiment of the invention can also acquire the user data collected by the preset application on line under the condition of acquiring the grant permission of the preset application. For example, in the process of collecting user data by the preset application in real time, the user data collected by the preset application is acquired in real time through communication interaction with the preset application.
To sum up, the embodiment of the present invention provides a data processing method for securely storing and securely exporting the user data collected by a preset application in a mobile device. According to the embodiment of the invention, when permission from the user to obtain the user data has been received, the user data collected by the preset application in the mobile device is obtained and stored in the trusted environment of the mobile device, so that the plaintext of the collected user data is not exposed in an unsafe space and the privacy and security of the user data are improved. In addition, the embodiment of the invention generates a public key and private key pair according to a preset key algorithm, returns the public key of the pair to the user, and stores the private key of the pair in the trusted environment of the mobile device. Because the private key of the user is stored in the trusted environment and only the private key in the trusted environment can decrypt the encrypted personal key, the private key cannot be intercepted by a third-party application or plug-in, such an application cannot obtain the user's personal key by decryption, the risk that it decrypts the ciphertext data or performs other malicious operations is avoided, and the privacy security of the user data is further ensured. Moreover, in the process of storing and exporting the user data collected by the preset application, the mobile device does not need to be connected to a network, so the mobile device can be kept in a safe, isolated environment, which provides a guarantee for the secure storage and secure export of the user data.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Device embodiment
Referring to fig. 2, a block diagram of a data processing apparatus according to an embodiment of the present invention is shown, and is applied to a mobile device, where the apparatus may specifically include:
a data obtaining module 201, configured to, when permission from the user to obtain user data is received, obtain the user data collected by a preset application in the mobile device and store the obtained user data in a trusted environment of the mobile device;
the key decryption module 202 is configured to decrypt, by using a private key stored in the trusted environment, a personal key encrypted based on a public key corresponding to the private key to obtain the personal key;
and the data encryption storage module 203 is configured to encrypt the user data stored in the trusted environment by using the personal key, and store ciphertext data obtained through encryption in a storage space of the mobile device.
Optionally, the apparatus further comprises:
the instruction receiving module is used for receiving an export instruction for the ciphertext data;
and the data export module is used for responding to the export instruction and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction.
Optionally, the apparatus further comprises:
the characteristic storage module is used for receiving the biometric data entered by the user and storing the entered biometric data in the trusted environment;
the data export module comprises:
the characteristic acquisition submodule is used for acquiring the biometric data of the current user in real time;
the characteristic comparison submodule is used for comparing the biometric data of the current user acquired in real time with the biometric data stored in the trusted environment to obtain a comparison result;
and the data export submodule is used for responding to the export instruction and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction if the comparison result meets a preset condition.
Optionally, the data obtaining module is specifically configured to obtain, offline, user data collected by a preset application in the mobile device through a data collection interface preset at a bottom layer of the mobile device.
Optionally, the data obtaining module is specifically configured to obtain, on line, the user data collected by the preset application under the condition of obtaining the grant permission of the preset application.
Optionally, the apparatus further comprises:
the key generation module is used for generating a public key and private key pair according to a preset key algorithm, returning the public key to the user and storing the private key in the trusted environment;
and the key receiving module is used for receiving the personal key encrypted by the user by using the public key.
Optionally, the trusted environment includes an instruction set extension SGX environment, a trusted execution environment TEE, and a secure operating system Trusty environment.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
An embodiment of the present invention provides an apparatus for data processing, which is applied to a mobile device, the apparatus including a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs include instructions for: when permission from the user to acquire user data is received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device; decrypting the personal key encrypted based on the public key corresponding to the private key by using the private key stored in the trusted environment to obtain the personal key; and encrypting the user data stored in the trusted environment by using the personal key, and storing the ciphertext data obtained by encryption in a storage space of the mobile device.
Fig. 3 is a block diagram illustrating an apparatus 800 for data processing in accordance with an example embodiment. For example, the apparatus 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 3, the apparatus 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing elements 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operation at the device 800. Examples of such data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
Power components 806 provide power to the various components of device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the apparatus 800.
The multimedia component 808 includes a screen that provides an output interface between the device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 800 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the apparatus 800 is in an operational mode, such as a call mode, a recording mode, and a voice information processing mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the device 800. For example, the sensor assembly 814 may detect the open/closed state of the device 800, the relative positioning of the components, such as a display and keypad of the apparatus 800, the sensor assembly 814 may also detect a change in position of the apparatus 800 or a component of the apparatus 800, the presence or absence of user contact with the apparatus 800, orientation or acceleration/deceleration of the apparatus 800, and a change in temperature of the apparatus 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate communications between the apparatus 800 and other devices in a wired or wireless manner. The device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on radio frequency information processing (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 804 comprising instructions, executable by the processor 820 of the device 800 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Fig. 4 is a schematic diagram of a server in some embodiments of the invention. The server 1900 may vary widely by configuration or performance and may include one or more Central Processing Units (CPUs) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) storing applications 1942 or data 1944. Memory 1932 and storage medium 1930 can be, among other things, transient or persistent storage. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a series of instructions operating on a server. Still further, a central processor 1922 may be provided in communication with the storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input-output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
A non-transitory computer-readable storage medium in which instructions, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform the data processing method shown in fig. 1.
A non-transitory computer readable storage medium in which instructions, when executed by a processor of an apparatus (server or terminal), enable the apparatus to perform a data processing method applied to a mobile device, the method comprising: under the condition that permission that a user agrees to acquire user data is received, acquiring user data collected by preset application in the mobile equipment, and storing the acquired user data in a trusted environment of the mobile equipment; decrypting the personal key encrypted based on the public key corresponding to the private key by using the private key stored in the trusted environment to obtain the personal key; and encrypting the user data stored in the trusted environment by using the personal key, and storing encrypted data obtained by encryption in a storage space of the mobile equipment.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
The data processing method, the data processing apparatus and the apparatus for data processing provided by the present invention are described in detail above, and specific examples are applied herein to illustrate the principles and embodiments of the present invention, and the description of the above embodiments is only used to help understand the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A data processing method, applied to a mobile device, the method comprising:
when permission from the user to acquire user data is received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device;
decrypting the personal key encrypted based on the public key corresponding to the private key by using the private key stored in the trusted environment to obtain the personal key;
and encrypting the user data stored in the trusted environment by using the personal key, and storing the ciphertext data obtained by encryption in a storage space of the mobile device.
2. The method of claim 1, wherein after storing the encrypted ciphertext data in the storage space of the mobile device, the method further comprises:
receiving an export instruction for the ciphertext data;
and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction in response to the export instruction.
3. The method of claim 2, wherein prior to said responding to said export instruction, said method further comprises:
receiving biometric data entered by the user and storing the entered biometric data in the trusted environment;
the transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction in response to the export instruction comprises:
collecting the biometric data of the current user in real time;
comparing the biometric data of the current user acquired in real time with the biometric data stored in the trusted environment to obtain a comparison result;
and if the comparison result meets a preset condition, responding to the export instruction, and transmitting the ciphertext data from the storage space of the mobile device to the storage space of the device designated by the export instruction.
4. The method of claim 1, wherein the obtaining user data collected by a preset application in the mobile device comprises:
acquiring, offline, user data collected by the preset application in the mobile device through a data collection interface preset at the bottom layer of the mobile device.
5. The method of claim 1, wherein the obtaining user data collected by a preset application in the mobile device comprises:
obtaining the user data collected by the preset application online, on condition that authorization from the preset application has been obtained.
6. The method of claim 1, wherein prior to decrypting, with the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, the method further comprises:
generating a public key and private key pair according to a preset key algorithm, returning the public key to the user, and storing the private key in the trusted environment;
and receiving the personal key encrypted by the user with the public key.
7. The method according to any of claims 1 to 6, wherein the trusted environment comprises a Software Guard Extensions (SGX) instruction set extension environment, a Trusted Execution Environment (TEE), or a secure operating system (Trust) environment.
8. A data processing apparatus, applied to a mobile device, the apparatus comprising:
a data acquisition module, configured to, when permission indicating that the user agrees to the acquisition of user data is received, acquire user data collected by a preset application in the mobile device and store the acquired user data in a trusted environment of the mobile device;
a key decryption module, configured to decrypt, with the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
and a data encryption and storage module, configured to encrypt the user data stored in the trusted environment with the personal key and store the ciphertext data obtained by the encryption in a storage space of the mobile device.
9. An apparatus for data processing, for a mobile device, the apparatus comprising a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs including instructions for:
when permission indicating that the user agrees to the acquisition of user data is received, acquiring user data collected by a preset application in the mobile device, and storing the acquired user data in a trusted environment of the mobile device;
decrypting, with the private key stored in the trusted environment, the personal key encrypted with the public key corresponding to that private key, to obtain the personal key;
and encrypting the user data stored in the trusted environment with the personal key, and storing the ciphertext data obtained by the encryption in a storage space of the mobile device.
10. A machine-readable medium having stored thereon instructions, which when executed by one or more processors, cause an apparatus to perform the data processing method of any of claims 1 to 7.
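The key-wrapping, encrypted-storage and biometric-gated export flow of claims 1, 3 and 6, written out as an added example that is not the patent's or the applicant's code. It assumes the Python `cryptography` package, simulates the trusted environment as an object whose private key, plaintext data and biometric template never leave it, and uses constructed sample data and a constructed distance threshold as the "preset condition".

```python
# Added example, not the patent's code: the key-wrapping, encrypted-storage and
# biometric-gated export flow of claims 1, 3 and 6 with a simulated TEE.
# Assumes the `cryptography` package; all names and sample data are constructed.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

class TrustedEnvironment:
    """Stand-in for the SGX/TEE side: private key, plaintext user data and the
    enrolled biometric template live here and never leave this object."""
    def __init__(self):
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._user_data, self._template = {}, None
    def public_key_pem(self):  # claim 6: the public key is returned to the user
        return self._private_key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    def enroll_biometric(self, template):  # claim 3: template stored in the TEE
        self._template = template
    def stage_user_data(self, app, data):  # claim 1: collected data held in the TEE
        self._user_data[app] = data
    def encrypt_and_store(self, wrapped_personal_key, app, storage):
        # claims 1 and 6: unwrap the personal key with the TEE-resident private key,
        # then encrypt the staged data with it; only ciphertext reaches device storage
        personal_key = self._private_key.decrypt(wrapped_personal_key, OAEP)
        nonce = os.urandom(12)
        storage[app] = nonce + AESGCM(personal_key).encrypt(nonce, self._user_data[app], app.encode())
    def export(self, app, storage, live_sample, threshold=0.1):
        # claim 3: release ciphertext only if the live sample matches the template
        dist = sum((a - b) ** 2 for a, b in zip(live_sample, self._template)) ** 0.5
        return storage[app] if dist <= threshold else None

def user_wrap_personal_key(public_key_pem, personal_key):
    """User side (claim 6): encrypt the personal key under the TEE's public key."""
    return serialization.load_pem_public_key(public_key_pem).encrypt(personal_key, OAEP)

def demo():
    """Run the full flow; returns (recovered plaintext, rejected export, stored blob)."""
    tee, storage = TrustedEnvironment(), {}          # storage = ordinary device storage
    personal_key = AESGCM.generate_key(bit_length=256)  # user's key, never seen by the app
    wrapped = user_wrap_personal_key(tee.public_key_pem(), personal_key)
    tee.stage_user_data("health", b"steps=8421;hr=71")  # constructed sample record
    tee.enroll_biometric([0.12, 0.55, 0.80])             # constructed template vector
    tee.encrypt_and_store(wrapped, "health", storage)
    blob = tee.export("health", storage, [0.11, 0.56, 0.79])   # close enough: accepted
    rejected = tee.export("health", storage, [0.90, 0.10, 0.20])  # far: refused
    plain = AESGCM(personal_key).decrypt(blob[:12], blob[12:], b"health")
    return plain, rejected, storage["health"]
```

Only the holder of the personal key can read what sits in device storage, so a dump of that storage without the key, or an export attempt with a non-matching biometric sample, yields nothing usable.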
CN202011330694.7A 2020-11-23 2020-11-23 Data processing method and device and data processing device Pending CN112487505A (en)


Publications (1)

Publication Number Publication Date
CN112487505A true CN112487505A (en) 2021-03-12




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination