CN114078009A - Payment processing method and device, electronic equipment and computer readable storage medium - Google Patents


Publication number: CN114078009A
Authority: CN (China)
Prior art keywords: payment, equipment, application, private key, key
Legal status (an assumption, not a legal conclusion): Pending
Application number: CN202010843991.5A
Other languages: Chinese (zh)
Inventors: 崔齐, 王少鸣, 郭润增
Current Assignee (the listed assignees may be inaccurate): Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/382: Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829: Payment protocols; Details thereof insuring higher security of transaction involving key management

Abstract

The embodiments of the application relate to the technical field of security and disclose a payment processing method, a payment processing device, electronic equipment and a computer-readable storage medium. The payment processing method comprises the following steps: when a payment instruction is obtained, obtaining a device private key of the payment device and generating a device credential of the payment device according to the device private key, wherein the payment device is the device on which the payment application is located, and the device private key is prestored in a payment area added to the payment device in advance; then sending a payment request to a background server of the payment application, wherein the payment request comprises the device credential, so that the background server verifies the payment device based on the device credential. The method realizes a key at the device dimension, and a unique device credential can be generated for the payment device according to the device private key, so that the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.

Description

Payment processing method and device, electronic equipment and computer readable storage medium
Technical Field
The embodiment of the application relates to the technical field of security, in particular to a payment processing method and device, electronic equipment and a computer-readable storage medium.
Background
With the progress of science and technology, payment methods are becoming more diverse by the day and bring great convenience to people's lives. Among them, mobile payment has become one of the most popular payment methods. Mobile payment means that a user pays for consumed goods or services through a mobile terminal, using technologies such as the internet and wireless communication.
Conventional mobile payment may protect key material from unauthorized use through a keystore (e.g., secure keystore) system. However, in the course of implementation, the inventors of the embodiments of the present application found the following: when a key is generated or imported, the payment application specifies the authorized ways in which the key may be used; once the key has been generated or imported, this authorization cannot be changed, and the keystore enforces it every time the key is used. This is a key mechanism at the payment-application dimension. As a result, when the payment application is uninstalled and reinstalled on the payment device, or is installed again after the payment device has been restored to factory settings, the authorization of the payment application is reset and the right to obtain the key is lost, which creates a serious security risk for mobile payment and causes loss to the user.
Disclosure of Invention
The purpose of the embodiments of the present application is to solve at least one of the above technical drawbacks, and to provide the following technical solutions:
In one aspect, a payment processing method applied to a payment application is provided, including:
when a payment instruction is obtained, obtaining a device private key of the payment device, and generating a device credential of the payment device according to the device private key, wherein the payment device is the device on which the payment application is located, and the device private key is prestored in a payment area added to the payment device in advance;
and sending a payment request to a background server of the payment application, wherein the payment request comprises the device credential, so that the background server verifies the payment device based on the device credential.
In one aspect, a payment processing method is provided, which is applied to a background server of a payment application, and includes:
receiving a payment request initiated by a payment application, wherein the payment request comprises a device credential of the payment device on which the payment application is located, the device credential is generated according to a device private key of the payment device, and the device private key is prestored in a payment area, corresponding to the payment application, that is added to the payment device in advance;
and verifying the payment device based on the device credential, and performing payment processing on the payment request when the payment device passes verification.
In one aspect, a payment processing apparatus is provided, comprising:
a first processing module, configured to obtain a device private key of the payment device when a payment instruction is obtained, and to generate a device credential of the payment device according to the device private key, wherein the payment device is the device on which the payment application is located, and the device private key is prestored in a payment area added to the payment device in advance;
a sending module, configured to send a payment request to a background server of the payment application, wherein the payment request comprises the device credential, so that the background server verifies the payment device based on the device credential.
In a possible implementation manner, the apparatus further includes a second processing module, where the second processing module is configured to:
add a payment area corresponding to the payment application to a storage area of the payment device;
store the device private key in a white-box encrypted file by obfuscating the key storage logic in the white box, and store the white-box encrypted file in the payment area.
In a possible implementation manner, the apparatus further includes a third processing module, where the third processing module is configured to:
storing the device public key of the payment device in a cloud server of the payment application;
and establishing a corresponding relation between the device private key and the device public key so that the background server obtains the device public key based on the corresponding relation, and verifying the payment device according to the device public key and the device certificate, wherein the device private key and the device public key are symmetric keys.
In one aspect, a payment processing apparatus is provided, comprising:
a receiving module, configured to receive a payment request initiated by a payment application, wherein the payment request comprises a device credential of the payment device on which the payment application is located, the device credential is generated according to a device private key of the payment device, and the device private key is prestored in a payment area, corresponding to the payment application, that is added to the payment device in advance;
and a processing module, configured to verify the payment device based on the device credential and to perform payment processing on the payment request when the payment device passes verification.
In one possible implementation, the processing module, when authenticating the payment device based on the device credential, is to:
acquiring a device public key of the payment device based on a pre-established corresponding relation between the device private key and the device public key of the payment device, wherein the device public key is pre-stored in a cloud server of the payment application, and the device private key and the device public key are symmetric keys;
and verifying the payment equipment according to the equipment public key and the equipment certificate.
In one possible implementation manner, when verifying the payment device according to the device public key and the device credential, the processing module is configured to:
decrypting the device certificate through the device public key;
when the device public key successfully decrypts the device certificate, determining that the payment device passes verification;
when the device public key fails to decrypt the device credential, it is determined that the payment device is not authenticated.
In one possible implementation manner, the device private key is stored in a white-box encrypted file by obfuscating the key storage logic in the white box, and the white-box encrypted file is prestored in a payment area, corresponding to the payment application, that is added to the payment device in advance.
In one aspect, an electronic device is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the program, the payment processing method is implemented.
In one aspect, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the payment processing method described above.
The payment processing method provided by the embodiments of the present application adds a payment area to the payment device, so that only the payment application party corresponding to the payment area can write to and read from it, which ensures access security. The device private key of the payment device is prestored in this payment area, which realizes a key at the device dimension: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, cannot be exported or tampered with, and is decoupled from the life cycle of the payment application. In addition, a unique device credential can be generated for the payment device according to the device private key; the device credential cannot be tampered with and meets the uniqueness requirement for the payment device, so that the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
Additional aspects and advantages of embodiments of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of embodiments of the present application will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic flow chart diagram of a payment processing method according to an embodiment of the present application;
FIG. 2 is a schematic illustration of adding a payment area according to one embodiment of the present application;
FIG. 3 is a schematic diagram of storing a white-box encrypted file according to one embodiment of the present application;
FIG. 4 is a schematic diagram illustrating establishment of a correspondence relationship between a device private key and a device public key according to an embodiment of the present application;
FIG. 5 is a schematic flow chart diagram illustrating a payment processing method according to yet another embodiment of the present application;
FIG. 6 is a schematic diagram of a basic structure of a payment processing apparatus according to another embodiment of the present application;
FIG. 7 is a detailed structural diagram of a payment processing apparatus according to another embodiment of the present application;
FIG. 8 is a schematic structural diagram of an electronic device according to another embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software and networks in a wide area network or a local area network to realize the calculation, storage, processing and sharing of data.
Cloud technology is also a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied in the cloud computing business model; these can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other web portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each article may have its own identification mark that needs to be transmitted to a background system for logic processing; data at different levels are processed separately, and all kinds of industry data need strong background system support, which can only be realized through cloud computing.
Cloud Security (Cloud Security) refers to a generic term for Security software, hardware, users, organizations, secure Cloud platforms for Cloud-based business model applications. The cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, abnormal monitoring of software behaviors in the network is achieved through a large number of meshed clients, the latest information of trojans and malicious programs in the internet is obtained and sent to the server for automatic analysis and processing, and then the virus and trojan solution is distributed to each client.
The main research directions of cloud security include: 1. the cloud computing security mainly researches how to guarantee the security of the cloud and various applications on the cloud, including the security of a cloud computer system, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance audit and the like; 2. the cloud of the security infrastructure mainly researches how to adopt cloud computing to newly build and integrate security infrastructure resources and optimize a security protection mechanism, and comprises the steps of constructing a super-large-scale security event and an information acquisition and processing platform through a cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the handling control capability and the risk control capability of the security event of the whole network; 3. the cloud security service mainly researches various security services, such as anti-virus services and the like, provided for users based on a cloud computing platform.
A distributed cloud storage system (hereinafter, referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of different types in a network through application software or application interfaces to cooperatively work by using functions such as cluster application, grid technology, and a distributed storage file system, and provides a data storage function and a service access function to the outside.
At present, a storage method of a storage system is as follows: logical volumes are created, and when created, each logical volume is allocated physical storage space, which may be the disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as data Identification (ID), the file system writes each object into a physical storage space of the logical volume, and the file system records storage location information of each object, so that when the client requests to access the data, the file system can allow the client to access the data according to the storage location information of each object.
The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided in advance into stripes according to a group of capacity measures of objects stored in a logical volume (the measures often have a large margin with respect to the capacity of the actual objects to be stored) and Redundant Array of Independent Disks (RAID), and one logical volume can be understood as one stripe, thereby allocating physical storage space to the logical volume.
For better understanding and description of the embodiments of the present application, some technical terms used in the embodiments of the present application will be briefly described below.
White box: the attacker has complete control over, and full visibility of, the entire operation. The attacker can freely observe the dynamic execution of the cryptographic operation, and the details of the internal algorithm are fully visible and can be changed at will. For example, as long as the software runs locally, an attacker can run the program under a debugger and observe its execution; all code relating to decryption is exposed as well. The definition is as follows: a. the attacker has complete control over the host and the software; b. the dynamic execution of the software is visible; c. the internal details of the encryption algorithm are fully visible and modifiable.
Black box: in contrast to the white box, the attacker has no substantial access to the key (i.e., to the algorithm that performs the encryption or decryption) or to any internal operation, and can only observe external information or operations, including the plaintext (input) or ciphertext (output) of the system; code execution and dynamic encryption are considered unobservable.
Gray box: the gray-box model assumes that the attacker can gain substantial access to part of the key or to leaked information (so-called side-channel information). Side Channel Analysis (SCA) exploits information revealed during the operation of a cryptographic system. The leaked information is obtained by passively observing timing, power consumption, electromagnetic radiation, and the like.
Obfuscation: making information impossible to understand. The information is scrambled so that it exists in a completely unintelligible form, and an observer cannot understand the intermediate process (only the input and output are visible, not how the result is obtained), while the information itself still performs its function.
White-box encryption: a form of symmetric encryption; it refers to a special encryption method that can resist attacks in a white-box environment.
Android Keystore system: protects key material from unauthorized use. First, the Android Keystore prevents key material from being extracted from the application process and from the Android device as a whole, which prevents it from being used outside the Android device in an unauthorized manner. Second, the Android Keystore lets applications specify the authorized uses of their keys and enforces these restrictions outside the application process, which prevents unauthorized use of key material on the Android device.
TEE (Trusted Execution Environment): a runtime environment that coexists with the Rich OS (operating system) on the device and provides security services to the Rich OS; it has its own execution space and a higher security level than the Rich OS.
SE (Secure Element): independent security hardware; because it is a completely separate security chip, its security strength is higher than that of the TEE.
To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.
The following describes in detail the technical solutions of the embodiments of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
An embodiment of the present application provides a payment processing method that is executed by a payment application installed on or present in a payment device. The payment device may be an intelligent terminal, such as a smart phone, a tablet computer, a smart watch, or a payment terminal (e.g., a face-recognition payment terminal), and the payment device and the background server of the payment application may be connected directly or indirectly through wired or wireless communication, which is not limited in the embodiments of the present application. As shown in FIG. 1, the method includes:
Step S110: when a payment instruction is obtained, obtaining a device private key of the payment device, and generating a device credential of the payment device according to the device private key, wherein the payment device is the device on which the payment application is located, and the device private key is prestored in a payment area added to the payment device in advance.
Step S120: sending a payment request to a background server of the payment application, wherein the payment request includes the device credential, so that the background server verifies the payment device based on the device credential.
The payment application can be any application program that can be used for payment. It is usually installed on an intelligent terminal, and a user can pay a certain amount to a merchant through the payment application on the terminal. In the course of doing so, the user initiates a payment instruction to the payment application, and the payment application obtains (for example, receives or detects) the user's payment instruction. When the payment application obtains the payment instruction, it generates a corresponding payment request in order to ask the background server of the payment application to perform payment processing on that request.
In the process of generating the payment request, the payment application first obtains the prestored device private key from the payment area added in advance to the payment device on which the payment application is located, and generates a device credential of the payment device according to the device private key. Once the device credential has been generated, it is carried in the payment request; that is, the payment request sent by the payment application to its background server includes the device credential. After receiving the payment request, the background server first verifies the payment device based on the device credential in the request in order to determine the legitimacy of the payment device, for example whether the payment device is one supported by the payment application, or whether it is the device on which the payment application is located.
In one example, the payment application P1 is installed on the payment device U1, and the device private key of the payment device U1 (e.g., M1) is prestored in the payment area added in advance to the payment device U1. When a payment instruction is obtained, the payment application P1 first obtains the device private key M1 of the payment device U1 by accessing the payment area of the payment device U1, then generates the device credential (for example, ID_1) of the payment device U1 according to the obtained device private key M1, carries the device credential ID_1 in the payment request, and sends the request to the background server of the payment application P1. The background server of the payment application P1 then verifies the payment device U1 according to the device credential ID_1, for example by determining that the payment device U1 is indeed the device on which the payment application P1 is located, or that the payment device U1 is a device supporting the payment application P1.
The device private key is a device key of the payment device, and since the device key of the payment device belongs to a private key of the symmetric keys, it is referred to as the device private key. Wherein the device private key of each payment device is unique, and thus the device credential generated from the device private key is also unique, e.g., the device private key of payment device U1 is M1, the device private key of payment device U2 is M2, etc.
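The device-side steps S110 and S120 and the server-side check, as an added Go example (not code from the patent). The page names no algorithm or message format, so this assumes an Ed25519 key pair with the device credential being a signature over the request fields; `PaymentRequest`, `Device`, `Server`, `Enroll` and the per-request nonce are hypothetical names and additions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PaymentRequest is a hypothetical wire format; the page does not define one.
type PaymentRequest struct {
	DeviceID    string // tells the server which device public key to look up
	OrderID     string
	AmountCents uint64
	Nonce       []byte // assumption: fresh per request so a captured request cannot be reused
	Credential  []byte // device credential, here a signature made with the device private key
}

// signedBytes encodes every field the server acts on, length-prefixed so that
// shifting bytes between fields cannot produce the same signed message.
func signedBytes(r *PaymentRequest) []byte {
	return []byte(fmt.Sprintf("%d:%s,%d:%s,%x,%d",
		len(r.DeviceID), r.DeviceID, len(r.OrderID), r.OrderID, r.Nonce, r.AmountCents))
}

// Device stands in for the payment device; priv plays the role of the device
// private key that the page keeps in the payment area.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewRequest is the payment-application side (steps S110 and S120).
func (d *Device) NewRequest(orderID string, amountCents uint64) (*PaymentRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &PaymentRequest{DeviceID: d.ID, OrderID: orderID, AmountCents: amountCents, Nonce: nonce}
	r.Credential = ed25519.Sign(d.priv, signedBytes(r))
	return r, nil
}

var ErrUnknownDevice = errors.New("no public key registered for device")
var ErrBadCredential = errors.New("device credential does not verify")
var ErrReplay = errors.New("nonce already used")

// Server is the background server; pubKeys is the device-to-public-key correspondence.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	seen    map[string]bool // nonces already accepted
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Enroll models factory provisioning with a constructed key pair: the public
// key stays with the server, the private key goes to the device.
func (s *Server) Enroll(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[id] = pub
	return &Device{ID: id, priv: priv}, nil
}

// Verify checks the device credential before any payment processing happens.
func (s *Server) Verify(r *PaymentRequest) error {
	pub, ok := s.pubKeys[r.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !ed25519.Verify(pub, signedBytes(r), r.Credential) {
		return ErrBadCredential
	}
	key := fmt.Sprintf("%s:%x", r.DeviceID, r.Nonce)
	if s.seen[key] {
		return ErrReplay
	}
	s.seen[key] = true
	return nil
}

func main() {
	srv := NewServer()
	u1, err := srv.Enroll("U1")
	if err != nil {
		panic(err)
	}
	req, err := u1.NewRequest("order-1001", 2500)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request:", srv.Verify(req))
	fmt.Println("same request again:", srv.Verify(req))
	req.AmountCents = 1
	fmt.Println("amount altered:", srv.Verify(req))
}
```

Because the credential covers the order, amount and nonce rather than the device identity alone, a request captured in transit cannot be replayed or edited and still verify.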
In addition, the payment area of the payment device is added to the payment device in advance before the payment device is shipped from a factory, for example, the payment area is added to a storage area of the payment device during the process of producing the payment device by a manufacturer of the payment device, which is equivalent to adding a new area to an existing storage area of the payment device as the payment area. The payment area corresponds to the payment application, and only the payment application can perform writing operation and reading operation on the newly added payment area in the using process of the payment equipment, so that the safety of reading and writing access is ensured.
In addition, because the device private key of the payment device is stored in the payment area, a key at the device dimension is realized: the device key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, cannot be exported or tampered with, and is freed from the limits of the payment application's life cycle.
The payment processing method provided by the embodiments of the present application adds a payment area to the payment device, so that only the payment application party corresponding to the payment area can write to and read from it, which ensures the security of read and write access. The device private key of the payment device is prestored in this payment area, which realizes a key at the device dimension: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, cannot be exported or tampered with, and is freed from the limits of the payment application's life cycle. In addition, a unique device credential can be generated for the payment device according to the device private key; the device credential cannot be tampered with and meets the uniqueness requirement for the payment device, so that the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
Embodiments of the present application are described below by way of specific examples:
In one possible implementation, before the device private key of the payment device is obtained, the following processing may also be performed: adding a payment area corresponding to the payment application to a storage area of the payment device; storing the device private key in a white-box encrypted file by obfuscating the key storage logic in the white box, and storing the white-box encrypted file in the payment area.
In practical application, while producing the payment device, a manufacturer can add a payment area corresponding to a particular payment application to a storage area of the payment device as required, where only that payment application can read from and write to the newly added payment area. For example, a payment area A1 corresponding to the payment application P1 is added to the Linux partition of the payment device on the chip platform, and only the payment application P1 can read from and write to the payment area A1; as another example, a payment area A2 corresponding to the payment application P2 is added to the Linux partition of the payment device on the chip platform, and only the payment application P2 can read from and write to the payment area A2.
Equivalently, a new area is added on the basis of each partition of the existing storage area of the payment device to serve as a payment area. The payment area corresponds to the payment application, and only the payment application can perform writing operation and reading operation on the newly added payment area in the using process of the payment equipment, so that the safety of reading and writing access is ensured.
Fig. 2 is a schematic diagram of adding a payment area corresponding to a payment application in a storage area of a payment device, and a payment partition in fig. 2 is the added payment area corresponding to the payment application. The area a, the area B, the area C, the area D, and the like in fig. 2 are the existing partitions of the storage area of the payment device, and are used for storing the related device information, and are not described herein again.
In practice, key storage based on white-box encryption obfuscates the key storage logic inside the white box, which produces a key protection file that an attacker cannot understand. In other words, the device private key is stored in a white-box encrypted file by obfuscating the key storage logic in the white box. The white-box encrypted file is then burned (that is, stored) into the newly added payment area of the payment device, so that the device private key is stored in that area in the form of a white-box encrypted file. Fig. 3 is a schematic diagram of storing a white-box encrypted file in the newly added payment area of a payment device, where the white box in fig. 3 is the white-box encrypted file described above.
After the device private key is stored in the white-box encrypted file by obfuscating the key storage logic in the white box, the white-box encrypted file may be stored in the payment area corresponding to the payment application in the payment device. That is, the device private key of the payment device is stored in the newly added payment area corresponding to the payment application, so that the payment application can obtain the device private key by reading the payment area. The device private key in the newly added payment area cannot be exported or tampered with, and it is not lost when the payment application is uninstalled or the payment device is restored to factory settings, so a device-level key is realized that is free of the life-cycle limitation of the payment application.
It should be noted that storing the white-box encrypted file in the newly added payment area of the payment device may also be completed before the payment device leaves the factory. For example, while producing the payment device, the manufacturer may, in addition to adding a payment area corresponding to a particular payment application to the storage area of the payment device as required, also store the device private key in the newly added payment area in the form of a white-box encrypted file.
In one possible implementation, before the device private key of the payment device is obtained, the following processing may also be performed: the device public key of the payment device is stored in a cloud server of the payment application, and a correspondence between the device private key and the device public key is then established, so that the background server can obtain the device public key based on the correspondence and verify the payment device according to the device public key and the device certificate, wherein the device private key and the device public key are symmetric keys.
White-box encryption is a form of symmetric encryption. Its core idea is to obfuscate a symmetric key within the white-box logic, which effectively prevents an attacker from cracking it. Besides the device private key, the payment device also has a device public key that is a symmetric key with the device private key, and the device public key can be used to decrypt or parse the device private key. To ensure the security of the device public key, it may be stored in a cloud server of the payment application. The cloud server may be a server dedicated to storing the device public keys of payment devices, or a server that also has other functions; the embodiments of the present application do not limit this.
After the device private key of the payment device is stored in the newly added payment area, the payment device can leave the factory and be sold. After a user purchases the payment device and before it is formally put into use, a correspondence is established between the device private key of the payment device and the device public key stored in the cloud server of the payment application, for example through mutual authentication and matching between the device private key and the device public key, so that the payment device can subsequently be verified based on the device public key.
Fig. 4 is a schematic diagram of the correspondence between a device private key and a device public key. In fig. 4, the device private key in the payment area of the payment device establishes a correspondence with the device public key in the cloud server of the payment application through a secure network link, and the device public key of the payment device is prestored in a cloud key management center of the cloud server.
When a user pays through a payment application on a payment device, the payment application generates a corresponding payment request on obtaining the user's payment instruction and sends the payment request to the background server of the payment application, requesting the background server to perform payment processing. The payment request includes a device certificate of the payment device where the payment application is located; the device certificate is generated according to the device private key of the payment device, and the device private key is prestored in a pre-added payment area of the payment device corresponding to the payment application. Correspondingly, the background server of the payment application receives the payment request initiated by the payment application.
After receiving the payment request, the background server of the payment application does not perform payment processing immediately. Instead, it verifies the payment device based on the device certificate included in the payment request. It performs payment processing on the payment request after the payment device passes verification, and does not continue payment processing on the payment request if the payment device does not pass verification.
When verifying the payment device, the background server of the payment application may obtain the device public key of the payment device, based on the correspondence between the device private key and the device public key of the payment device, from the cloud server of the payment application in which the device public key is prestored. After the device public key is obtained, the payment device can be verified based on the obtained device public key and the device certificate carried in the payment request.
When verifying the payment device based on the obtained device public key and the device certificate carried in the payment request, the verification can be done by decrypting the device certificate with the device public key. When the device public key decrypts the device certificate successfully, this indicates that the device public key can successfully decrypt the payment private key, and the payment device can be determined to have passed verification, for example by determining that the payment device is the device where the payment application is located, so that the background server of the payment application can continue with subsequent payment processing of the payment request. When the device public key fails to decrypt the device certificate, this indicates that the device public key cannot decrypt the payment private key, and the payment device can be determined not to have passed verification, for example by determining that the payment device is not the device where the payment application is located, so that the background server of the payment application does not continue with subsequent payment processing of the payment request.
Before payment processing is carried out on the payment request, the payment device is verified based on the unique certificate of the payment device, so that the legality and the uniqueness of the payment device can be ensured, and the payment safety is effectively guaranteed.
Yet another embodiment of the present application provides a payment processing method, where the method is executed by a background server of a payment application, where the background server may be an independent physical server, a server cluster or a distributed system formed by multiple physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, and a big data and artificial intelligence platform, and the method is not limited in this embodiment of the present application. As shown in fig. 5, the method includes:
Step S510: receiving a payment request initiated by a payment application, where the payment request includes a device credential of the payment device where the payment application is located, the device credential is generated according to a device private key of the payment device, and the device private key is prestored in a pre-added payment area of the payment device corresponding to the payment application.
Step S520: verifying the payment device based on the device credential, and performing payment processing on the payment request when the payment device passes the verification.
It should be noted that the payment processing method of this embodiment corresponds to the payment processing method of the payment application side provided in the previous embodiment, and therefore, it can be understood that the processing steps of the payment processing method of the payment application side correspond to the processing steps of the payment processing method of the background server side of the payment application, and the processing steps of the payment processing method of the background server side of the payment application are not described again here. Wherein, the detailed description of the corresponding steps of the payment processing method on the payment application side can refer to the corresponding description in the foregoing.
In the payment processing method provided by the embodiments of the present application, a payment area is added to the payment device, and the payment application corresponding to the payment area can perform write and read operations on that area, which ensures access security. The device private key of the payment device is prestored in the payment area, which realizes a device-level key: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, it cannot be exported or tampered with, and it is freed from the life-cycle limitation of the payment application. In addition, a unique device certificate can be generated for the payment device from the device private key. The device certificate cannot be tampered with and meets the uniqueness requirement for the payment device, so the background server of the payment application can accurately and effectively verify the validity of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
In one possible implementation, verifying the payment device based on the device credential includes:
acquiring a device public key of the payment device based on a pre-established corresponding relation between the device private key and the device public key of the payment device, wherein the device public key is pre-stored in a cloud server of the payment application, and the device private key and the device public key are symmetric keys;
and verifying the payment equipment according to the equipment public key and the equipment certificate.
In one possible implementation, verifying the payment device according to the device public key and the device credential includes:
decrypting the device certificate through the device public key;
when the device public key successfully decrypts the device certificate, determining that the payment device passes verification;
when the device public key fails to decrypt the device credential, it is determined that the payment device is not authenticated.
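The server-side flow of steps S510 and S520 and the verification steps above can be sketched as follows. This is an added example, not code from the patent: the request field names, the in-memory key store and the nonce-based replay check are assumptions, and an HMAC-SHA256 comparison stands in for the "decrypt the device credential" operation, which the text does not specify.

```python
import hashlib
import hmac
import json
import secrets


def compute_credential(device_key: bytes, device_id: str, nonce: str, body: str) -> str:
    """Device credential as HMAC-SHA256 over the request fields (assumed format)."""
    # A JSON array keeps the field boundaries unambiguous.
    msg = json.dumps([device_id, nonce, body], separators=(",", ":")).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def provision_device(key_store: dict, device_id: str) -> bytes:
    """Factory step: create the device key and register the server-side copy.

    The text calls the two keys "symmetric keys", so one shared secret serves
    as both here (assumption). key_store plays the cloud key management center.
    """
    key = secrets.token_bytes(32)
    key_store[device_id] = key  # the device -> key "correspondence"
    return key                  # on a real device: stored in the payment area


def make_payment_request(device_id: str, device_key: bytes, order: dict) -> dict:
    """Payment-application side: build the request and attach the credential."""
    body = json.dumps(order, sort_keys=True, separators=(",", ":"))
    nonce = secrets.token_hex(16)
    return {
        "device_id": device_id,
        "nonce": nonce,
        "body": body,
        "device_credential": compute_credential(device_key, device_id, nonce, body),
    }


class BackendServer:
    """Background server: verify the device first, then process the payment."""

    def __init__(self, key_store: dict):
        self.key_store = key_store
        self.seen = set()      # (device_id, nonce) pairs already accepted
        self.processed = []    # orders that reached payment processing

    def verify_device(self, request: dict) -> bool:
        fields = [request.get(k) for k in
                  ("device_id", "nonce", "body", "device_credential")]
        if not all(isinstance(f, str) for f in fields):
            return False
        device_id, nonce, body, presented = fields
        key = self.key_store.get(device_id)  # lookup via the correspondence
        if key is None:
            return False                     # unknown device
        expected = compute_credential(key, device_id, nonce, body)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(),
                                   presented.encode("utf-8", "replace"))

    def handle_payment(self, request: dict) -> str:
        # Step S510: request received. Step S520: verify before processing.
        if not self.verify_device(request):
            return "rejected: device not verified"
        replay_key = (request["device_id"], request["nonce"])
        if replay_key in self.seen:          # added check, not in the patent text
            return "rejected: replayed request"
        self.seen.add(replay_key)
        self.processed.append(json.loads(request["body"]))
        return "processed"


if __name__ == "__main__":
    store = {}
    key = provision_device(store, "dev-001")      # constructed sample device
    server = BackendServer(store)
    request = make_payment_request("dev-001", key, {"amount": 100, "currency": "CNY"})
    print(server.handle_payment(request))
    print(server.handle_payment(request))
```

Because the credential covers the request body, a captured credential cannot be attached to a different order, and the nonce check rejects the same request sent twice.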
In one possible implementation manner, the device private key is stored in a white-box encrypted file through obfuscating a key storage logic in a white box, and the white-box encrypted file is pre-stored in a payment area corresponding to a pre-added payment application of the payment device.
Fig. 6 is a schematic structural diagram of a payment processing apparatus according to another embodiment of the present application, and as shown in fig. 6, the apparatus 600 may include a first processing module 601 and a sending module 602, where:
the first processing module 601 is configured to, when a payment instruction is obtained, obtain a device private key of a payment device and generate a device credential of the payment device according to the device private key, where the payment device is the device where the payment application is located, and the device private key is prestored in a pre-added payment area of the payment device;
a sending module 602, configured to send a payment request to a background server of the payment application, where the payment request includes a device credential, so that the background server verifies the payment device based on the device credential.
In a possible implementation manner, the apparatus further includes a second processing module, where the second processing module is configured to:
adding a payment area corresponding to the payment application in a storage area of the payment equipment;
the device private key is stored in the white-box encrypted file by obfuscating the key storage logic in the white-box, and the white-box encrypted file is stored in the payment area.
In a possible implementation manner, the apparatus further includes a third processing module, where the third processing module is configured to:
storing the device public key of the payment device in a cloud server of the payment application;
and establishing a corresponding relation between the device private key and the device public key so that the background server obtains the device public key based on the corresponding relation, and verifying the payment device according to the device public key and the device certificate, wherein the device private key and the device public key are symmetric keys.
In the apparatus provided by the embodiments of the present application, a payment area is added to the payment device, and the payment application corresponding to the payment area can perform write and read operations on that area, which ensures access security. The device private key of the payment device is prestored in the payment area, which realizes a device-level key: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, it cannot be exported or tampered with, and it is freed from the life-cycle limitation of the payment application. In addition, a unique device certificate can be generated for the payment device from the device private key. The device certificate cannot be tampered with and meets the uniqueness requirement for the payment device, so the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
It should be noted that the present embodiment is an apparatus embodiment corresponding to the above method embodiment of the payment application side, and the present embodiment can be implemented in cooperation with the above method embodiment of the payment application side. The related technical details mentioned in the above embodiment of the method item on the payment application side are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related technical details mentioned in the present embodiment can also be applied in the above-mentioned method item embodiment on the payment application side.
Fig. 7 is a schematic structural diagram of a payment processing apparatus according to another embodiment of the present application, and as shown in fig. 7, the apparatus 700 may include a receiving module 701 and a processing module 702, where:
a receiving module 701, configured to receive a payment request initiated by a payment application, where the payment request includes a device credential of a payment device where the payment application is located, where the device credential is generated according to a device private key of the payment device, and the device private key is prestored in a payment area corresponding to a payment application that is added in advance of the payment device;
a processing module 702, configured to authenticate the payment device based on the device credential, and perform payment processing on the payment request when the payment device is authenticated.
In one possible implementation, the processing module, when authenticating the payment device based on the device credential, is to:
acquiring a device public key of the payment device based on a pre-established corresponding relation between the device private key and the device public key of the payment device, wherein the device public key is pre-stored in a cloud server of the payment application, and the device private key and the device public key are symmetric keys;
and verifying the payment equipment according to the equipment public key and the equipment certificate.
In one possible implementation manner, when verifying the payment device according to the device public key and the device credential, the processing module is configured to:
decrypting the device certificate through the device public key;
when the device public key successfully decrypts the device certificate, determining that the payment device passes verification;
when the device public key fails to decrypt the device credential, it is determined that the payment device is not authenticated.
In one possible implementation manner, the device private key is stored in a white-box encrypted file by obfuscating the key storage logic in the white box, and the white-box encrypted file is prestored in a pre-added payment area of the payment device corresponding to the payment application.
In the apparatus provided by the embodiments of the present application, a payment area is added to the payment device, and the payment application corresponding to the payment area can perform write and read operations on that area, which ensures access security. The device private key of the payment device is prestored in the payment area, which realizes a device-level key: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, it cannot be exported or tampered with, and it is freed from the life-cycle limitation of the payment application. In addition, a unique device certificate can be generated for the payment device from the device private key. The device certificate cannot be tampered with and meets the uniqueness requirement for the payment device, so the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
It should be noted that this embodiment is an apparatus item embodiment corresponding to the above method item embodiment on the background server side of the payment application, and this embodiment may be implemented in cooperation with the above method item embodiment on the background server side of the payment application. The related technical details mentioned in the above method item embodiment of the background server side of the payment application are still valid in this embodiment, and are not described here again in order to reduce repetition. Accordingly, the related technical details mentioned in the present embodiment can also be applied in the above-mentioned method item embodiment on the background server side of the payment application.
Another embodiment of the present application provides an electronic device. As shown in fig. 8, the electronic device 800 includes a processor 801 and a memory 803. The processor 801 is coupled to the memory 803, for example via a bus 802. Further, the electronic device 800 may also include a transceiver 804. It should be noted that in practical applications the transceiver 804 is not limited to one, and the structure of the electronic device 800 does not constitute a limitation on the embodiments of the present application.
The processor 801 is applied to the embodiment of the present application, and is configured to implement the functions of the first processing module and the sending module shown in fig. 6, or implement the functions of the receiving module and the processing module shown in fig. 7. The transceiver 804 includes a receiver and a transmitter.
The processor 801 may be a CPU, general purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 801 may also be a combination that implements computing functions, e.g., a combination of one or more microprocessors, a combination of a DSP and a microprocessor, or the like.
Bus 802 may include a path that transfers information between the above components. The bus 802 may be a PCI bus or an EISA bus, etc. The bus 802 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
The memory 803 may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The memory 803 is used for storing application program code for performing the present solution and is controlled in execution by the processor 801. The processor 801 is configured to execute application program code stored in the memory 803 to implement the actions of the payment processing apparatus provided by the embodiment shown in fig. 6 or fig. 7.
The electronic device provided by the embodiments of the present application includes a memory, a processor and a computer program that is stored in the memory and can run on the processor. When the processor executes the program, the following two aspects can be realized:
On the one hand, when a payment instruction is obtained, a device private key of the payment device is obtained and a device certificate of the payment device is generated according to the device private key, wherein the payment device is the device where the payment application is located, and the device private key is prestored in a pre-added payment area of the payment device; a payment request is then sent to a background server of the payment application, wherein the payment request includes the device certificate, so that the background server verifies the payment device based on the device certificate.
On the other hand, a payment request initiated by the payment application is received, wherein the payment request includes a device certificate of the payment device where the payment application is located, the device certificate is generated according to a device private key of the payment device, and the device private key is prestored in a pre-added payment area of the payment device corresponding to the payment application; the payment device is then verified based on the device certificate, and payment processing is performed on the payment request when the payment device passes verification.
Another embodiment of the present application provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the methods provided in the various possible implementations of the above-described payment application aspect, or to perform the methods provided in the various possible implementations of the background server aspect of the above-described payment application.
The computer-readable storage medium provided by the embodiments of the present application is suitable for any embodiment of the method. Moreover, a payment area is added to the payment device, and the payment application corresponding to the payment area can perform write and read operations on that area, which ensures access security. The device private key of the payment device is prestored in the payment area, which realizes a device-level key: the key is not lost when the payment application is uninstalled or the payment device is restored to factory settings, it cannot be exported or tampered with, and it is freed from the life-cycle limitation of the payment application. Furthermore, a unique device certificate can be generated for the payment device from the device private key. The device certificate cannot be tampered with and meets the uniqueness requirement for the payment device, so the background server of the payment application can accurately and effectively verify the legitimacy of the payment device before performing payment processing, which ensures payment security and avoids loss to the user.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time and may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present application. It should be noted that those skilled in the art can make several modifications and refinements without departing from the principle of the present application, and these modifications and refinements should also be regarded as falling within the protection scope of the present application.

Claims (11)

1. A payment processing method, applied to a payment application, comprising:
when a payment instruction is obtained, obtaining a device private key of a payment device, and generating a device certificate of the payment device according to the device private key, wherein the payment device is the device where the payment application is located, and the device private key is prestored in a pre-added payment area of the payment device;
sending a payment request to a background server of the payment application, wherein the payment request comprises the device credential, so that the background server verifies the payment device based on the device credential.
2. The method of claim 1, wherein prior to obtaining the device private key of the payment device, further comprising:
adding a payment area corresponding to the payment application in a storage area of the payment equipment;
and storing the device private key in a white-box encrypted file by obfuscating the key storage logic in the white box, and storing the white-box encrypted file in the payment area.
3. The method of claim 1 or 2, wherein prior to the obtaining the device private key of the payment device, further comprising:
storing the device public key of the payment device in a cloud server of the payment application;
establishing a corresponding relation between the device private key and the device public key so that the background server obtains the device public key based on the corresponding relation, and verifying the payment device according to the device public key and the device certificate, wherein the device private key and the device public key are symmetric keys.
4. A payment processing method is applied to a background server of a payment application, and comprises the following steps:
receiving a payment request initiated by a payment application, wherein the payment request comprises a device certificate of payment equipment where the payment application is located, the device certificate is generated according to a device private key of the payment equipment, and the device private key is prestored in a payment area corresponding to the payment application, which is added in advance, of the payment equipment;
and verifying the payment device based on the device certificate, and performing payment processing on the payment request when the payment device passes the verification.
5. The method of claim 4, wherein the verifying the payment device based on the device credential comprises:
acquiring a device public key of the payment device based on a pre-established corresponding relationship between the device private key and the device public key of the payment device, wherein the device public key is pre-stored in a cloud server of the payment application, and the device private key and the device public key are symmetric keys;
and verifying the payment equipment according to the equipment public key and the equipment certificate.
6. The method of claim 5, wherein the verifying the payment device based on the device public key and the device credential comprises:
decrypting the device credential with the device public key;
when the device public key successfully decrypts the device certificate, determining that the payment device passes verification;
determining that the payment device is not authenticated when the device public key fails to decrypt the device credential.
7. The method of any one of claims 4-6, wherein the device private key is stored in a white-box encrypted file pre-stored in a pre-populated payment area of the payment device corresponding to the payment application by obfuscating key storage logic in a white-box.
8. A payment processing apparatus, applied to a payment application, comprising:
the payment device comprises a first processing module, a second processing module and a payment processing module, wherein the first processing module is used for acquiring an equipment private key of a payment device when a payment instruction is acquired, and generating an equipment certificate of the payment device according to the equipment private key, the payment device is a device where the payment application is located, and the equipment private key is prestored in a payment area which is added in advance of the payment device;
a sending module, configured to send a payment request to a background server of the payment application, where the payment request includes the device credential, so that the background server verifies the payment device based on the device credential.
9. A payment processing apparatus, applied to a background server of a payment application, comprising:
the payment processing device comprises a receiving module, a processing module and a processing module, wherein the receiving module is used for receiving a payment request initiated by a payment application, the payment request comprises a device certificate of a payment device where the payment application is located, the device certificate is generated according to a device private key of the payment device, and the device private key is prestored in a payment area corresponding to the payment application, which is added in advance, of the payment device;
and the processing module is used for verifying the payment equipment based on the equipment certificate and carrying out payment processing on the payment request when the payment equipment passes the verification.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-7 when executing the program.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
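The device-side credential generation of claim 1 and the server-side check of claims 4-6 can be sketched as follows; this is an added example, not code from the patent. Because the claims call the key pair symmetric, it substitutes an HMAC-SHA256 tag for the "decryption succeeds" test of claim 6, and the request field names, freshness window and nonce cache are assumptions added to show how a credential is tied to one request.

```python
import hashlib
import hmac
import json
import time

# Constructed sample: the server-side correspondence from device to key (claim 5).
DEVICE_KEYS = {"pos-0001": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}
MAX_SKEW_SECONDS = 60   # assumed freshness window, not taken from the claims
_seen_nonces = set()    # assumed replay cache; a real server would expire entries


def make_credential(key, device_id, order_id, amount, nonce, ts):
    """Device side (claim 1): credential derived from the device key."""
    fields = [device_id, order_id, amount, nonce, ts]
    msg = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_payment_request(req, now=None):
    """Server side (claims 4-6): return (passed, reason)."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get(req.get("device_id"))
    if key is None:
        return False, "unknown device"
    try:
        expected = make_credential(key, req["device_id"], req["order_id"],
                                   req["amount"], req["nonce"], req["ts"])
        presented = str(req["credential"])
    except KeyError:
        return False, "malformed request"
    # Constant-time comparison; authenticate before touching the replay cache.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad credential"
    if abs(now - req["ts"]) > MAX_SKEW_SECONDS:
        return False, "stale request"
    if req["nonce"] in _seen_nonces:
        return False, "replayed request"
    _seen_nonces.add(req["nonce"])
    return True, "verified"
```

Payment processing would proceed only on `(True, "verified")`; every other result corresponds to the payment device not passing verification.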
CN202010843991.5A 2020-08-20 2020-08-20 Payment processing method and device, electronic equipment and computer readable storage medium Pending CN114078009A (en)

Publications (1)

Publication Number Publication Date
CN114078009A true CN114078009A (en) 2022-02-22

Family

ID=80281957

Country Status (1)

Country Link
CN (1) CN114078009A (en)

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40065463

Country of ref document: HK

SE01 Entry into force of request for substantive examination