CN115357929A - Image processing method, device and equipment - Google Patents


Info

Publication number
CN115357929A
Authority
CN
China
Prior art keywords
image data
user image
seed key
watermark information
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210932254.1A
Other languages
Chinese (zh)
Inventor
李亚康
王文雅
王艺卓
肖轩淦
李建树
刘健
陈弢
陆海宁
谷大武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Jiaotong University
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Shanghai Jiaotong University
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Jiaotong University, Alipay Hangzhou Information Technology Co Ltd
Priority to CN202210932254.1A
Publication of CN115357929A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G06Q20/40145 Biometric identity checks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00 General purpose image data processing
    • G06T1/0021 Image watermarking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2201/00 General purpose image data processing
    • G06T2201/005 Image watermarking

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Technology Law (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Editing Of Facsimile Originals (AREA)

Abstract

The embodiments of this specification disclose an image processing method, apparatus and device. The method is applied to a terminal device in which a trusted execution environment is provided, and comprises: calling a camera component through a trusted application to acquire user image data, and placing the user image data in the trusted execution environment; in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data; sending the user image data, the watermark information and the seed key to a server, which triggers the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result; receiving the verification result sent by the server; and, if the verification result is that verification passed, executing corresponding business processing based on the user image data.

Description

Image processing method, device and equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for processing an image.
Background
The spread of biometric identification into financial services, identity authentication and similar areas has made everyday life more convenient. Biometric identification mechanisms are contactless, user-friendly, intuitive, convenient, fast and easy to extend, and they are widely used in intelligent systems, facial recognition mechanisms in particular.
Face recognition mechanisms can usually be divided into face detection and face recognition. Face detection determines whether an image contains a user's facial information and removes background unrelated to the user's face. Face detection can be implemented based on image feature values, such as the edge and shape features of a face or its texture and color features, or the corresponding features can be extracted for detection by a deep learning mechanism. However, face recognition mechanisms can be attacked, so biometric detection is typically performed before face recognition to ensure that what is in front of the camera component is the user rather than an image or a three-dimensional model. The biometric detection algorithm can in turn be bypassed by an attacker through an injection attack, enabling dangerous behavior such as logging in to another person's account. It is therefore necessary to provide a method that can accurately determine whether an image has been replaced or tampered with, so as to improve the security of image transmission and biometric identification and to defend effectively against these attacks.
Disclosure of Invention
The purpose of the embodiments of this specification is to provide a method for determining whether an image has been replaced or tampered with, thereby improving the security of image transmission and biometric identification and effectively defending against the attacks described above.
In order to implement the above technical solution, the embodiments of the present specification are implemented as follows:
An embodiment of this specification provides an image processing method applied to a terminal device in which a trusted execution environment is provided. The method includes: calling a camera component through a trusted application to acquire user image data, and placing the user image data in the trusted execution environment; in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, where they are used to trigger the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result; and receiving the verification result sent by the server and, if the verification result is that verification passed, executing corresponding business processing based on the user image data.
An embodiment of this specification provides an image processing method applied to a server. The method includes: receiving user image data, watermark information and a seed key sent by a terminal device through a trusted execution environment, where the user image data is acquired by the terminal device calling a camera component through a trusted application and is placed in the trusted execution environment, and the watermark information is generated by the terminal device for the user image data, in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data, after which the terminal device sends the user image data, the watermark information and the seed key to the server; verifying the watermark information using the user image data and the seed key to obtain a corresponding verification result; and, if the verification result is that verification passed, executing corresponding business processing based on the user image data.
An embodiment of this specification provides an image processing apparatus in which a trusted execution environment is provided. The apparatus includes: an image acquisition module, which calls a camera component through a trusted application to acquire user image data and places the user image data in the trusted execution environment; an image processing module, which, in the trusted execution environment, generates watermark information for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and sends the user image data, the watermark information and the seed key to a server, where they are used to trigger the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result; and a business processing module, which receives the verification result sent by the server and, if the verification result is that verification passed, executes corresponding business processing based on the user image data.
An embodiment of this specification provides an image processing apparatus that includes: a data receiving module, which receives user image data, watermark information and a seed key sent by a terminal device through a trusted execution environment, where the user image data is acquired by the terminal device calling a camera component through a trusted application and is placed in the trusted execution environment, and the watermark information is generated for the user image data, in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data, after which the user image data, the watermark information and the seed key are sent to the apparatus; a verification module, which verifies the watermark information using the user image data and the seed key to obtain a corresponding verification result; and a business processing module, which executes corresponding business processing based on the user image data if the verification result is that verification passed.
An embodiment of this specification provides an image processing device in which a trusted execution environment is provided. The device includes a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: call a camera component through a trusted application to acquire user image data, and place the user image data in the trusted execution environment; in the trusted execution environment, generate watermark information for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and send the user image data, the watermark information and the seed key to a server, where they are used to trigger the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result; and receive the verification result sent by the server and, if the verification result is that verification passed, execute corresponding business processing based on the user image data.
An embodiment of this specification provides an image processing device that includes a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: receive user image data, watermark information and a seed key sent by a terminal device through a trusted execution environment, where the user image data is acquired by the terminal device calling a camera component through a trusted application and is placed in the trusted execution environment, and the watermark information is generated for the user image data, in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data, after which the user image data, the watermark information and the seed key are sent to the image processing device; verify the watermark information using the user image data and the seed key to obtain a corresponding verification result; and, if the verification result is that verification passed, execute corresponding business processing based on the user image data.
This specification also provides a storage medium for storing computer-executable instructions that, when executed by a processor, implement the following procedure: calling a camera component through a trusted application to acquire user image data, and placing the user image data in the trusted execution environment; in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, where they are used to trigger the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result; and receiving the verification result sent by the server and, if the verification result is that verification passed, executing corresponding business processing based on the user image data.
This specification also provides a storage medium for storing computer-executable instructions that, when executed by a processor, implement the following procedure: receiving user image data, watermark information and a seed key sent by a terminal device through a trusted execution environment, where the user image data is acquired by the terminal device calling a camera component through a trusted application and is placed in the trusted execution environment, and the watermark information is generated for the user image data, in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data, after which the user image data, the watermark information and the seed key are sent to a server; verifying the watermark information using the user image data and the seed key to obtain a corresponding verification result; and, if the verification result is that verification passed, executing corresponding business processing based on the user image data.
Drawings
To illustrate the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments described in this specification, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1A is a diagram illustrating an embodiment of a method for processing an image;
FIG. 1B is a schematic diagram of an image processing process according to the present disclosure;
FIG. 2A is a schematic system structure diagram of a terminal device in the present specification;
FIG. 2B is a schematic diagram of an image processing system according to the present disclosure;
FIG. 3 is a schematic diagram of another image processing process according to the present disclosure;
FIG. 4A is a flowchart of another embodiment of a method for processing an image according to the present disclosure;
FIG. 4B is a schematic diagram of another image processing procedure in accordance with the present disclosure;
FIG. 5 is a schematic diagram of another image processing procedure in accordance with the present disclosure;
FIG. 6 is a diagram illustrating an embodiment of an image processing apparatus according to the present disclosure;
FIG. 7 is a diagram illustrating another embodiment of an image processing apparatus according to the present disclosure;
FIG. 8 is an embodiment of an image processing apparatus according to the present disclosure.
Detailed Description
The embodiment of the specification provides a method, a device and equipment for processing an image.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Example one
As shown in FIG. 1A and FIG. 1B, the execution subject of the method may be a terminal device, such as a mobile phone or a tablet computer, a computer device such as a notebook computer or a desktop computer, or an IoT device (for example, a smart watch or an in-vehicle device). The terminal device is provided with a trusted execution environment (TEE). The trusted execution environment may be implemented by a program written in a predetermined programming language (that is, in software), or by a hardware device together with a pre-written program (that is, hardware plus software), and is a secure operating environment for data processing. The method may specifically comprise the following steps:
In step S102, a camera component is called by a trusted application to acquire user image data, and the user image data is placed in the trusted execution environment.
The trusted application may be an application program that needs to be installed in the terminal device, a code program pre-embedded in a hardware device of the terminal device, or a program set up as a plug-in that runs in the background of the terminal device's operating system; it may be set according to actual conditions. The trusted execution environment may be implemented by a program written in a predetermined programming language (that is, in software), or by a hardware device together with a pre-written program (that is, hardware plus software). It is a data processing environment that is secure and isolated from other environments: the processing executed in the trusted execution environment, and the data generated during that processing, cannot be accessed by other execution environments or application programs outside the trusted execution environment. As shown in FIG. 2A, the trusted execution environment may be implemented by creating a small operating system that runs independently in a trusted zone (for example, TrustZone) and that may provide services directly in the form of system calls (for example, handled directly by the TrustZone kernel). The terminal device may include an REE (rich execution environment) and a TEE (trusted execution environment). The operating system installed in the terminal device, such as Android, iOS, Windows or Linux, may run under the REE. The REE is powerful, open and extensible, and can provide upper-layer applications with all functions of the terminal device, such as the camera function and the touch function.
The TEE has its own execution space, that is, there is also an operating system under the TEE. The TEE has a higher security level than the REE, and the software and hardware resources of the terminal device that the TEE can access are separated from the REE; the TEE can directly obtain information from the REE, but the REE cannot obtain information from the TEE. The TEE can perform authentication and other processing through the interfaces it provides, so that user information (such as payment information and user privacy information) cannot be tampered with, passwords cannot be hijacked, and information such as fingerprints or faces cannot be stolen. The camera component is a component for capturing images or videos, such as a camera, and may be set according to actual conditions. The user image data may be image data related to a user, for example image data containing the user's facial information or image data containing the user's fingerprint information; it may be set according to actual conditions, and the embodiments of this specification do not limit it.
In implementation, the spread of biometric identification into financial services, identity authentication and similar areas has made everyday life more convenient. Biometric identification mechanisms are contactless, user-friendly, intuitive, convenient, fast and easy to extend, and they are widely used in intelligent systems, facial recognition mechanisms in particular. Face recognition mechanisms can usually be divided into face detection and face recognition. Face detection determines whether an image contains a user's facial information and removes background unrelated to the user's face. Face detection can be implemented based on image feature values, such as the edge and shape features of the face or its texture and color features, or the corresponding features can be extracted for detection by a deep learning mechanism. However, the face recognition mechanism may be attacked; for example, an attacker may present an image or a three-dimensional face model in place of the user. Biometric detection is therefore typically performed before face recognition to ensure that what is in front of the camera component is the user rather than an image or a three-dimensional model.
However, the biometric detection algorithm can also be bypassed by an attacker through an injection attack, enabling dangerous behavior such as logging in to another person's account. Specifically, the attacker replaces the data acquired by the camera component with a preset video or image, for example by hooking key functions inside the application and replacing the data before it is sent, by tampering with the driver of the camera component, or by using a customized attack ROM, so that the execution logic at the code layer is changed to return data specified by the attacker. The image or video is a genuinely captured image or video, and actions such as nodding and shaking the head can also be simulated in the video, so the biometric detection algorithm is bypassed. It is therefore necessary to provide a method that can accurately determine whether an image has been replaced or tampered with, so as to improve the security of image transmission and biometric identification and to defend effectively against the above attacks. The embodiments of this specification provide an implementable technical solution, which specifically includes the following:
As shown in FIG. 2B, an application program for performing biometric identification or a related service (such as a payment service) may be installed in the user's terminal device, and the application program may provide a trigger mechanism (such as a button or a hyperlink) for biometric identification or the related service. When the user needs to perform biometric identification or the related service, the user may start the application program on the terminal device and activate the trigger mechanism, and the terminal device then executes the related service. When biometric identification processing is required while the service is executed, the terminal device may invoke the corresponding application program CA in the REE through JNI; the CA initiates a facial image collection instruction and then interacts with the trusted application TA in the trusted execution environment. The trusted application TA may invoke the camera component of the terminal device to acquire user image data. The user image data may be placed in the trusted execution environment, which guarantees the security of the user image data during processing.
In step S104, in the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and the user image data, the watermark information and the seed key are sent to a server, where they are used to trigger the server to verify the watermark information using the user image data and the seed key and to obtain a corresponding verification result.
A seed key may be used as the initial key that starts a key updating process or a key generation process; in this embodiment, the seed key is used as the initial key of a key generation process. The watermark information may be digital watermark information, that is, protection information that applies a specific digital signal to a specific article in order to protect the article's copyright or integrity, prevent copying, or trace its whereabouts. The watermark information may be specific information representing the identity of the copyright owner (such as a piece of text, an identifier or a serial number) that is associated with the protected article in some way. When a copyright dispute occurs, the watermark information is extracted by a corresponding algorithm to verify ownership of the copyright, which protects the lawful interests of the copyright owner and guards against piracy.
In implementation, after the user image data has been collected into the trusted execution environment in the manner described above, it may be processed in the trusted execution environment. Specifically, a seed key of a certain length may be set according to actual conditions, and watermark information may be generated for the user image data by a preset algorithm based on the seed key and the user image data. The specific processing may take various forms. For example, the user image data may be analyzed to obtain data such as the features corresponding to the user image data; a data string of a certain length may then be generated by the preset algorithm from the seed key combined with that feature data, and this data string is used as the watermark information generated for the user image data. A preset watermark embedding algorithm may be used to embed the watermark information into the user image data, which protects the user image data and thereby protects private information such as the user image data.
As shown in FIG. 2B, the user image data with the watermark information embedded and the seed key may be sent to a server, and the server receives this information. Note that the seed key may also be processed before it is sent to the server. For example, to prevent the seed key from being tampered with during transmission, a specified algorithm (such as a hash algorithm or an encryption algorithm) may be applied to the seed key to obtain a corresponding calculation result, and the calculation result and the seed key may then be sent to the server, and so on. The server may verify the watermark information using the user image data and the seed key to obtain a corresponding verification result. Specifically, the server may calculate the corresponding watermark information from the user image data and the seed key using the same calculation method as the terminal device, and compare the calculated watermark information with the received watermark information. If the two are the same, the watermark information passes verification; if they differ, the watermark information fails verification.
In step S106, the authentication result sent by the server is received, and if the authentication result is that the authentication is passed, corresponding business processing is executed based on the user image data.
In implementation, as shown in fig. 2B, the terminal device may receive the verification result sent by the server and analyze it. If the verification result is that the verification is passed, the user image data has not been tampered with; the terminal device may then obtain the received user image data and perform subsequent processing such as biometric detection and biometric identification based on it, so as to perform the corresponding business processing.
The embodiments of this specification provide an image processing method applied to a terminal device in which a trusted execution environment is provided. A camera component is called through a trusted application to acquire user image data, and the user image data is placed in the trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and the user image data, the watermark information and the seed key are sent to a server, where they are used to trigger the server to verify the watermark information through the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received, and if the verification is passed, corresponding business processing is executed based on the user image data. In this way, the user image data is acquired through a camera component connected to the trusted execution environment, which ensures that the input image data is authentic. At the same time, the algorithm runs in the trusted execution environment and the watermark generation process depends on the key, so that an attacker cannot obtain the seed key and therefore cannot forge the watermark information, which provides a certain degree of resistance to forgery attacks against biometric detection.
Example two
As shown in fig. 3, an execution subject of the method may be a terminal device, which may be a device such as a mobile phone or a tablet computer, a computer device such as a notebook computer or a desktop computer, or an IoT device (specifically, a smart watch, a vehicle-mounted device, and the like). The terminal device is provided with a trusted execution environment (TEE). The trusted execution environment may be implemented by a program written in a predetermined programming language (that is, in software form), or by a hardware device together with a pre-written program (that is, in hardware plus software form), and may be a secure operating environment for performing data processing. The method may specifically comprise the following steps:
In step S302, the camera component is called by the trusted application to acquire user image data, and the user image data is set in the trusted execution environment.
In step S304, the user image data is converted into image data in YUV mode in the trusted execution environment.
In implementation, in the trusted execution environment, the user image data in RGB mode may be converted into image data in YUV mode using the following formula:
Y = 0.2990R + 0.5870G + 0.1140B
U = -0.1684R - 0.3316G + 0.5B + 128
V = 0.5R - 0.4187G - 0.0813B + 128

Specifically, data of three elements, namely R, G, and B, included in the user image data may be acquired, and the acquired numerical values of the three elements may be substituted into the formula to obtain values of three elements, namely Y, U, and V, respectively, thereby achieving the purpose of converting the user image data into image data in a YUV mode.
In step S306, the image data in the YUV mode is divided into a plurality of different image blocks, and a corresponding key is generated for each image block based on a preset seed key.
The plurality of different image blocks may be a plurality of different image blocks with the same size, or a plurality of different image blocks with different sizes, and may be specifically set according to an actual situation.
In implementation, an image segmentation algorithm may be preset, and the image data in the YUV mode may be divided into a plurality of different image blocks using the image segmentation algorithm. For any image block, the image block may be analyzed to obtain data such as features corresponding to the image block, and then a data string having a certain length may be generated by a predetermined algorithm based on the seed key in combination with the data such as features corresponding to the image block, and the data string may be used as watermark information generated by the image block.
In practical applications, the process of generating the corresponding key for each image block based on the preset seed key in step S306 may be various, and an alternative processing manner is provided below, and specifically may include the following processes of step A2 and step A4.
In step A2, for each image block, a key stream is generated by using a preset seed key based on a preset cryptographic function.
The preset cipher function may include a variety of cipher functions, such as an AES-128 cipher function, an AES-192 cipher function, an AES-256 cipher function, etc.
In an implementation, taking the preset cipher function as the AES-128 cipher function as an example, for each image block converted into frequency-domain information, a key stream may be generated by using a preset seed key based on the AES-128 cipher function.
In step A4, data with a preset bit number is obtained from the key stream, and the obtained data with the preset bit number is used as a corresponding key generated by each image block, where the data with the preset bit number includes a watermark position, original watermark information, and reference bit information.
The data of the predetermined number of bits may be set according to actual conditions, for example, 24-bit data or 32-bit data.
In practical applications, the processing of step A4 may vary. One optional processing manner is as follows: 21 bits of data are acquired from the key stream and used as the corresponding key generated for each image block, where 16 of the 21 bits represent 4 watermark positions, 4 of the 21 bits represent the original watermark information, and 1 of the 21 bits represents the reference bit information.
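Steps A2 and A4 as an added example (not code from the patent): an AES-128 key stream is produced from the seed key and cut into consecutive 21-bit block keys. The use of CTR mode with an all-zero initial counter, the MSB-first bit order, the field order inside the 21 bits, and all identifier names are assumptions, since the page fixes only the cipher and the 16/4/1 split.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// 16 position bits + 4 watermark bits + 1 reference bit, as in step A4.
const bitsPerBlockKey = 21

// BlockKey is the per-block key cut from the key stream.
type BlockKey struct {
	Positions [4]uint8 // four 4-bit watermark positions, each 0..15
	Watermark uint8    // 4 bits of original watermark information
	Reference uint8    // 1 reference bit
}

// keystream returns n bytes of AES-128 key stream under seedKey.
// Assumption: CTR mode with an all-zero initial counter, so terminal and
// server derive the same stream from the same seed key.
func keystream(seedKey []byte, n int) ([]byte, error) {
	if len(seedKey) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte seed key")
	}
	block, err := aes.NewCipher(seedKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n)
	iv := make([]byte, aes.BlockSize)
	// Encrypting zero bytes in place yields the raw key stream.
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out, nil
}

// bitReader hands out bits MSB-first; 21-bit keys are not byte aligned,
// so consecutive block keys straddle byte boundaries.
type bitReader struct {
	buf []byte
	pos int
}

func (r *bitReader) read(n int) uint8 {
	var v uint8
	for i := 0; i < n; i++ {
		bit := (r.buf[r.pos/8] >> (7 - uint(r.pos%8))) & 1
		v = v<<1 | bit
		r.pos++
	}
	return v
}

// DeriveBlockKeys cuts one 21-bit key per image block from the key stream.
func DeriveBlockKeys(seedKey []byte, numBlocks int) ([]BlockKey, error) {
	if numBlocks <= 0 {
		return nil, errors.New("numBlocks must be positive")
	}
	ks, err := keystream(seedKey, (numBlocks*bitsPerBlockKey+7)/8)
	if err != nil {
		return nil, err
	}
	r := &bitReader{buf: ks}
	keys := make([]BlockKey, numBlocks)
	for b := range keys {
		for p := range keys[b].Positions {
			keys[b].Positions[p] = r.read(4)
		}
		keys[b].Watermark = r.read(4)
		keys[b].Reference = r.read(1)
	}
	return keys, nil
}

func main() {
	// Constructed sample seed key; a 640x480 image has 80*60 blocks of 8x8.
	seed := []byte("constructed-seed")
	keys, err := DeriveBlockKeys(seed, 80*60)
	if err != nil {
		panic(err)
	}
	for i, k := range keys[:3] {
		fmt.Printf("block %d: positions=%v watermark=%04b reference=%d\n",
			i, k.Positions, k.Watermark, k.Reference)
	}
}
```

Two of the four positions in a block can come out equal; the page does not say how such collisions are handled.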
In step S308, the time domain information of each image block is converted into frequency domain information.
In implementation, an image compression algorithm greatly reduces the storage space of an image and the transmission time of the data by retaining low-frequency information and discarding high-frequency signals, and the same watermark information as that of the original image needs to be recoverable as far as possible after the image has been compressed. The region at the upper left corner of the image is therefore selected as the low-frequency region, because the values of the low-frequency region are less affected by quantization, and the corresponding watermark information can be generated based on that region. For this purpose the time domain information of each image block can be converted into frequency domain information, which can be done in various ways, for example by Fourier transform or discrete cosine transform.
In practical applications, the process of dividing the image data in the YUV mode into a plurality of different image blocks in step S308 may vary. One optional processing manner is as follows: the image data in the YUV mode is divided into a plurality of different image blocks, where the size of each image block is 8 x 8.
In an implementation, the image data in the YUV mode may be divided into 8 × 8 image blocks, thereby obtaining a plurality of different image blocks.
In practical applications, the processing of converting the time domain information of each image block into the frequency domain information in step S306 may vary. One optional processing manner is as follows: the time domain information of each image block is converted into frequency domain information through discrete cosine transform.
In an implementation, 128 may be subtracted from each image block, followed by a discrete cosine transform, i.e.
Figure BDA0003782069780000091
Wherein F (i, j) represents time domain information of the image block, i and j represent a coordinate position of a certain element in the time domain information (specifically, a time domain matrix), F (u, v) represents frequency domain information after discrete cosine transform of the image block, N represents a length and a width of the image block, u and v represent a coordinate position of a certain element in frequency domain information (specifically, a frequency domain matrix) after discrete cosine transform, and c represents a function for mapping the coordinate position to a coefficient.
The time domain information of each image block can be converted into frequency domain information by the above formula of discrete cosine transform.
In step S310, based on the corresponding key generated by each image block, the watermark position, the original watermark information, and the reference bit information in each image block are determined, and based on the frequency domain information of each image block, the watermark position in each image block is quantized to obtain quantization information corresponding to the watermark position in each image block, and the watermark information is determined according to the original watermark information and the reference bit information in each image block, and the quantization information corresponding to the watermark position in each image block.
In an implementation, based on the above content, data with a preset number of bits may be obtained from the key stream and used as the corresponding key generated for each image block, where the data includes a watermark position, original watermark information, and reference bit information. Specifically, 21 bits of data are obtained from the key stream and used as the corresponding key generated for each image block, where 16 of the 21 bits represent 4 watermark positions, 4 of the 21 bits represent the original watermark information, and 1 of the 21 bits represents the reference bit information. Quantization may then be performed using a standard quantization table with a certain quality factor, for example a standard quantization table with a quality factor of 50, which may be set according to actual conditions. Specifically, any watermark position may be quantized as follows:
Figure BDA0003782069780000092
Wherein, R represents rounding operation, D (i) represents the coefficient of corresponding unknown discrete cosine transform, q0 represents quantization step size, i represents watermark position, and D (i) represents quantization information corresponding to watermark position i.
The original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block can be respectively input into the following formula to obtain the watermark information.
Figure BDA0003782069780000101
Wherein F denotes a rounding-down operation, E denotes watermark information, s denotes reference bit information, w denotes original watermark information, and r (i) denotes an auxiliary bit calculation parameter for a watermark position i.
In step S312, the seed key is encrypted based on the first key corresponding to the server, and the encrypted seed key is signed by using the second key of the user, so as to obtain a processed seed key.
The first key corresponding to the server may be a public key or a private key of the server, or may be a key used for encryption processing in the server. The second key of the user may be a public key or a private key of the user, or may be a key of the user for signature processing, or the like.
In implementation, in order to prevent an attacker from obtaining the key information and the operation result of the algorithm, a user key (that is, the second key of the user, specifically a public-private key pair of the user, etc.) needs to be generated from a root key, the first key corresponding to the server is preset (specifically, a public key corresponding to the private key of the server, or the private key of the server, etc.), and the second key of the user is transmitted to the server.
In practical applications, the processing of step S312 may be varied, and the following provides an achievable processing manner, which specifically includes: the seed key may be encrypted according to a first key corresponding to the server using an RSA algorithm or the like, the encrypted seed key may be used to generate a digest through a hash algorithm, and a second key of the user may be used to encrypt the digest to obtain a signature, so as to obtain the processed seed key.
In step S314, an image in a preset image format is generated from the user image data, and the generated image, the watermark information, the encrypted seed key, and the processed seed key are sent to the server, where the generated image, the watermark information, the encrypted seed key, and the processed seed key are used to trigger the server to verify the watermark information by using the generated image, the encrypted seed key, and the processed seed key, so as to obtain a corresponding verification result.
The image in the preset image format may take various forms: it may be an image in a format obtained after lossy compression, such as a JPEG image, or an image in a format obtained after lossless compression, and the like. In this embodiment, based on the related content above, the image in the preset image format may be an image in a format obtained after lossy compression (such as a JPEG image).
In implementation, embedding the watermark information into the user image data may damage the user image data to a certain extent, and the user image data would have to undergo the inverse discrete cosine transform before being provided to the application layer, which requires more calculation time. In this embodiment, therefore, the watermark information may be provided to the application layer as additional information without being embedded into the user image data, and the application layer sends the generated image, the watermark information, the encrypted seed key, and the processed seed key to the server.
In addition, a face recognition application focuses only on the face of the user, and the background part is not important. The method can therefore be extended for the face recognition scenario: the face in the user image data is detected in the trusted execution environment, and the watermark information is generated directly on the face in the manner described above, which reduces the amount of information contained in the watermark information, makes transmission easier, and saves computing resources.
In step S316, the authentication result sent by the server is received, and if the authentication result is that the authentication is passed, corresponding business processing is performed based on the user image data.
The embodiments of this specification provide an image processing method applied to a terminal device in which a trusted execution environment is provided. A camera component is called through a trusted application to acquire user image data, and the user image data is placed in the trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and the user image data, the watermark information and the seed key are sent to a server, where they are used to trigger the server to verify the watermark information through the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received, and if the verification is passed, corresponding business processing is executed based on the user image data. In this way, the user image data is acquired through a camera component connected to the trusted execution environment, which ensures that the input image data is authentic. At the same time, the algorithm runs in the trusted execution environment and the watermark generation process depends on the key, so that an attacker cannot obtain the seed key and therefore cannot forge the watermark information, which provides a certain degree of resistance to forgery attacks against biometric detection.
In addition, because the watermark is obtained by combining the TEE with the key, an attacker cannot forge the watermark, and the security of the image is ensured over the whole link from the camera component to the server, which prevents an attacker from bypassing the biometric detection algorithm by using an injection attack.
Example three
As shown in fig. 4A and 4B, an execution subject of the method may be a server, where the server may be an independent server, or may be a server cluster formed by multiple servers, and the server may be a background server of a financial service or an online shopping service, or may be a background server of an application. The method specifically comprises the following steps:
In step S402, user image data, watermark information, and a seed key sent by a terminal device through a trusted execution environment are received. The user image data is acquired by the terminal device by calling a camera component through a trusted application and is set in the trusted execution environment; the watermark information is generated for the user image data by the terminal device in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data; and the user image data, the watermark information, and the seed key are sent to the server.
In step S404, the watermark information is verified through the user image data and the seed key, and a corresponding verification result is obtained.
In implementation, as shown in fig. 2B, the corresponding watermark information may be generated based on the user image data and the seed key. The specific processing may be the same as the manner in which the terminal device generates the corresponding watermark information based on the user image data and the seed key; refer to the related content in the first or second embodiment, which is not repeated here. The generated watermark information may then be compared with the received watermark information, so as to verify the watermark information and obtain a corresponding verification result.
In step S406, if the verification result is that the verification is passed, corresponding business processes are executed based on the user image data.
The embodiments of this specification provide an image processing method. A camera component is called through a trusted application of a terminal device to acquire user image data, and the user image data is placed in a trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data, and the user image data, the watermark information and the seed key are sent to a server, where they are used to trigger the server to verify the watermark information through the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received, and if the verification is passed, corresponding business processing is executed based on the user image data. In this way, the user image data is acquired through a camera component connected to the trusted execution environment, which ensures that the input image data is trusted. At the same time, the algorithm runs in the trusted execution environment and the generation process depends on the key, so that an attacker cannot obtain or forge the seed key; the security of the seed key is thereby guaranteed, the watermark information cannot be forged, and a certain degree of protection against attacks on biometric detection is provided.
Example four
As shown in fig. 5, an execution subject of the method may be a server, where the server may be an independent server, or a server cluster formed by multiple servers, and the server may be a background server of a financial service, an online shopping service, or the like, or a background server of an application program, for example. The method specifically comprises the following steps:
In step S502, user image data, watermark information, and a seed key sent by a terminal device through a trusted execution environment are received. The user image data is acquired by the terminal device by calling a camera component through a trusted application and is set in the trusted execution environment; the watermark information is generated for the user image data by the terminal device in the trusted execution environment, based on the user image data and a preset seed key, so as to protect the privacy of the user image data; and the user image data, the watermark information, and the seed key are sent to the server.
The seed key comprises the encrypted seed key and the processed seed key obtained after encryption and signature processing. For how these are determined, refer to the related content above: the seed key is encrypted based on the first key corresponding to the server, and the encrypted seed key is signed by using the second key of the user to obtain the processed seed key. Based on this, the following processing of steps S504 to S518 can be executed.
In step S504, the encrypted seed key is signed by using the second key of the locally stored user, so as to obtain a processed target seed key.
In practical applications, the processing of step S504 may be various, and the following provides an achievable processing manner, which specifically includes: the encrypted seed key may be used to generate a digest through a hash algorithm, and a second key of the user may be used to encrypt the digest to obtain a signature, so as to obtain a processed target seed key.
In step S506, it is determined whether the processed target seed key matches the processed seed key.
In step S508, if they match, the encrypted seed key is decrypted by using the key corresponding to the server, so as to obtain the seed key.
The key corresponding to the server may be a public key or a private key of the server: if the first key corresponding to the server is a public key, the key corresponding to the server is the private key, and if the first key corresponding to the server is a private key, the key corresponding to the server is the public key. The key corresponding to the server may also be a key used for decryption processing in the server, or the like.
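The seed key handling of step S312 on the terminal and steps S504 to S508 on the server, as an added example that is not code from the patent. It assumes the first key is the server's RSA public key and the second key is the user's RSA private key, uses OAEP and PKCS#1 v1.5 with SHA-256 as concrete choices the page does not name, and swaps the page's "re-sign and compare" check for standard signature verification with the user's public key so the server never holds the user's private key; all identifier names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProtectedSeed is what the terminal sends alongside the image and watermark.
type ProtectedSeed struct {
	Encrypted []byte // seed key encrypted under the server's key (first key)
	Signature []byte // signature over SHA-256(Encrypted) with the user's key (second key)
}

// newKey generates a 2048-bit RSA key pair for the demonstration.
func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ProtectSeedKey is the terminal side (step S312): encrypt the seed key,
// hash the ciphertext into a digest, then sign the digest.
func ProtectSeedKey(seed []byte, serverPub *rsa.PublicKey, userPriv *rsa.PrivateKey) (*ProtectedSeed, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, seed, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(enc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, userPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &ProtectedSeed{Encrypted: enc, Signature: sig}, nil
}

// RecoverSeedKey is the server side (steps S504 to S508): check the
// signature over the encrypted seed key first, and only decrypt if it
// matches, so tampered ciphertext never reaches the decryption step.
func RecoverSeedKey(p *ProtectedSeed, userPub *rsa.PublicKey, serverPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(p.Encrypted)
	if err := rsa.VerifyPKCS1v15(userPub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return nil, errors.New("processed seed key does not match: rejecting")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, p.Encrypted, nil)
}

func main() {
	server, err := newKey()
	if err != nil {
		panic(err)
	}
	user, err := newKey()
	if err != nil {
		panic(err)
	}
	seed := []byte("constructed-seed") // constructed 16-byte sample seed key

	p, err := ProtectSeedKey(seed, &server.PublicKey, user)
	if err != nil {
		panic(err)
	}
	got, err := RecoverSeedKey(p, &user.PublicKey, server)
	fmt.Printf("recovered=%q err=%v\n", got, err)

	// Flip one bit of the ciphertext in transit: the server must refuse.
	p.Encrypted[0] ^= 0x01
	_, err = RecoverSeedKey(p, &user.PublicKey, server)
	fmt.Println("tampered:", err)
}
```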
In step S510, the user image data is converted into image data in YUV mode.
Further, the user image data may be user image data obtained after lossy compression of an image. In this case, the following processing may be performed: the user image data obtained after the lossy compression of the image is decoded to obtain decoded user image data.
The lossy compression of the image may be, for example, JPEG-based compression.
Accordingly, the above process of converting the user image data into image data in YUV mode can be processed in the following manner: the decoded user image data is converted into image data in a YUV mode.
In step S512, the image data in the YUV mode is divided into a plurality of different image blocks, and a corresponding key is generated for each image block based on a preset seed key.
In step S514, the time domain information of each image block is converted into frequency domain information.
In step S516, based on the corresponding key generated by each image block, the watermark position, the original watermark information, and the reference bit information in each image block are determined, and based on the frequency domain information of each image block, the watermark position in each image block is quantized to obtain quantization information corresponding to the watermark position in each image block, and the watermark information of each image block is determined according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block.
The processing of step S510 to step S516 can refer to the related contents of step S304 to step S310 in the second embodiment, and are not described herein again.
In step S518, if the determined watermark information of each image block matches the received watermark information of each image block, a verification result indicating that the verification is passed is generated.
In implementation, if the determined watermark information of each image block is the same as the received watermark information of each image block, a verification result that the verification is passed is generated, otherwise, a verification result that the verification is not passed is generated.
In practical applications, the processing of step S518 may be various, and one achievable processing manner is provided below, and specifically, the processing of step B2 and step B4 may be included below.
In step B2, the number of bits that differ between the determined watermark information of each image block and the received watermark information of each image block is obtained.
In step B4, if the acquired number of bits is less than the preset number threshold, a verification result that the verification passes is generated.
In practical application, besides the processing manner of step B4, the verification result may also be obtained as follows: the proportion of bits that differ between the determined watermark information of each image block and the received watermark information of each image block is calculated to obtain a bit error rate. If the bit error rate is higher than a preset threshold, an error is returned; otherwise the user image data has not been tampered with, and the server may accept the user image data, transmit it to the biometric detection module and the facial recognition module, and finally return a corresponding result.
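The bit error rate check described above, as an added example that is not code from the patent: the server compares its recomputed per-block watermark values with the received ones, reports which blocks disagree, and passes only if the error rate is within the threshold. The representation of one watermark value per block in the low bits of a byte, the 4-bit width, the 0.10 threshold, and all names are assumptions; the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Verdict summarises the comparison of recomputed and received watermarks.
type Verdict struct {
	DifferingBits int
	TotalBits     int
	BER           float64 // bit error rate = DifferingBits / TotalBits
	BadBlocks     []int   // indices of image blocks whose watermark differs
	Passed        bool
}

// CompareWatermarks compares per-block watermark values. Each element holds
// bitsPerBlock watermark bits in its low bits (assumed layout). The check
// fails closed: empty input or a block-count mismatch is an error, so a
// missing watermark can never be read as a 0% error rate.
func CompareWatermarks(computed, received []uint8, bitsPerBlock int, maxBER float64) (Verdict, error) {
	if bitsPerBlock < 1 || bitsPerBlock > 8 {
		return Verdict{}, errors.New("bitsPerBlock must be between 1 and 8")
	}
	if len(computed) == 0 || len(computed) != len(received) {
		return Verdict{}, errors.New("watermark block counts are empty or do not match")
	}
	mask := uint8((uint16(1) << uint(bitsPerBlock)) - 1)
	v := Verdict{TotalBits: len(computed) * bitsPerBlock}
	for i := range computed {
		// XOR leaves a 1 wherever the two watermarks disagree.
		if d := bits.OnesCount8((computed[i] ^ received[i]) & mask); d > 0 {
			v.DifferingBits += d
			v.BadBlocks = append(v.BadBlocks, i)
		}
	}
	v.BER = float64(v.DifferingBits) / float64(v.TotalBits)
	// The page returns an error when the rate is higher than the threshold.
	v.Passed = v.BER <= maxBER
	return v, nil
}

func main() {
	computed := []uint8{0x0F, 0x00, 0x0A, 0x05}    // server-side recomputation (constructed)
	compressed := []uint8{0x0F, 0x01, 0x0A, 0x05}  // one bit flipped, e.g. by lossy compression
	substituted := []uint8{0x00, 0x0F, 0x05, 0x0A} // watermark that belongs to another image

	for name, rx := range map[string][]uint8{"compressed": compressed, "substituted": substituted} {
		v, err := CompareWatermarks(computed, rx, 4, 0.10)
		fmt.Printf("%s: ber=%.4f bad=%v passed=%v err=%v\n", name, v.BER, v.BadBlocks, v.Passed, err)
	}
}
```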
In step S520, if the verification result is that the verification is passed, corresponding business processing is performed based on the user image data.
Based on the above processing, when the terminal device transmits the original user image data to the server, the watermark information can be completely recovered. After the user image data is JEPG compressed by the quality factor of 80, the bit error rate between the watermark information extracted by the server and the received watermark information is only 3%. And after the user image data is replaced, the bit error rate is more than 30%. The above processing procedure can also support scaling operation and cropping operation to a certain extent, and meanwhile, considering the bit error rate in the attack resisting scene, 1994 facial images are used in the experiment, and the detection rate of the attack resisting sample can be avoided is 22.9%, and in the deep forgery attack scene, the detection rate of the attack resisting sample is 13.4%. It can be seen that the above processing method still has a certain defense capability against attacks and deep forgery attacks.
The embodiment of this specification provides an image processing method. A trusted application of the terminal device calls a camera component to acquire user image data, and the user image data is placed in a trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data. The user image data, the watermark information and the seed key are sent to a server, where they trigger the server to verify the watermark information using the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received and, if the verification is passed, the corresponding service processing is executed based on the user image data. Because the user image data is acquired through a camera component connected to the trusted execution environment, the input image data is guaranteed to be trusted. Because the algorithm runs in the trusted execution environment and the generation process is tied to the key, an attacker cannot obtain or forge the seed key. In addition, the security of the seed key is ensured, the watermark data cannot be counterfeited, and a degree of protection against biometric attacks is provided.
In addition, the watermark is obtained by combining the TEE with the secret key, which ensures that an attacker cannot forge the watermark and secures the image along the whole link from the camera component to the server, so that an attacker can be prevented from using an injection attack to bypass the biometric detection algorithm.
EXAMPLE five
Based on the same idea as the image processing method provided above, the embodiments of this specification further provide an image processing apparatus in which a trusted execution environment is provided, as shown in fig. 6.
The image processing apparatus includes: an image acquisition module 601, an image processing module 602 and a service processing module 603, wherein:
the image acquisition module 601 calls a camera component through a trusted application to acquire user image data and places the user image data in the trusted execution environment;
an image processing module 602, configured to, in the trusted execution environment, generate watermark information for the user image data based on the user image data and a preset seed key, so as to perform privacy protection on the user image data, and send the user image data, the watermark information, and the seed key to a server, where the user image data, the watermark information, and the seed key are used to trigger the server to verify the watermark information through the user image data and the seed key, so as to obtain a corresponding verification result;
the service processing module 603 receives the verification result sent by the server, and if the verification result is that the verification is passed, executes corresponding service processing based on the user image data.
In this embodiment, the image processing module 602 includes:
the conversion unit is used for converting the user image data into image data in a YUV mode in the trusted execution environment;
the key generation unit is used for dividing the image data in the YUV mode into a plurality of different image blocks and generating a corresponding key for each image block based on a preset seed key;
the time-frequency conversion unit is used for converting the time domain information of each image block into frequency domain information;
the watermark determining unit determines the watermark position, the original watermark information and the reference bit information in each image block based on the corresponding key generated by each image block, performs quantization processing on the watermark position in each image block based on the frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determines the watermark information according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block.
In an embodiment of the present specification, the time-frequency conversion unit converts time domain information of each image block into frequency domain information through discrete cosine transform.
In an embodiment of the present specification, the key generation unit divides image data in the YUV mode into a plurality of different image blocks, and each image block has a size of 8 × 8.
In an embodiment of the present specification, the key generation unit generates, for each image block, a key stream through the preset seed key based on a preset cryptographic function; and acquiring data with preset bit number from the key stream, and taking the acquired data with the preset bit number as a corresponding key generated by each image block, wherein the data with the preset bit number comprises a watermark position, original watermark information and reference bit information.
In this embodiment, the key generation unit acquires 21 bits of data from the key stream, and uses the acquired 21 bits of data as a corresponding key generated for each image block, where 16 bits of data in the 21 bits of data represent 4 watermark positions, 4 bits of data in the 21 bits of data represent original watermark information, and 1 bit of data in the 21 bits of data represents reference bit information.
In this embodiment, the image processing module 602 includes:
the processing unit is used for encrypting the seed key based on a first key corresponding to the server and signing the encrypted seed key by using a second key of a user to obtain a processed seed key;
and the information sending unit is used for converting the user image data into an image in a preset image format and sending the generated image, the watermark information, the encrypted seed key and the processed seed key to a server.
The embodiment of this specification provides an image processing apparatus provided with a trusted execution environment. A camera component is called through a trusted application to acquire user image data, and the user image data is placed in the trusted execution environment. Watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data. The user image data, the watermark information and the seed key are sent to a server, where they trigger the server to verify the watermark information using the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received and, if the verification is passed, the corresponding service processing is executed based on the user image data. Because the user image data is acquired through a camera component connected to the trusted execution environment, the input image data is guaranteed to be trusted. Because the algorithm runs in the trusted execution environment and the watermark generation process is tied to the key, an attacker cannot obtain or forge the seed key, which also ensures the security of the watermark information and provides a degree of defense against biometric attacks.
In addition, the watermark is obtained by combining the TEE with the secret key, which ensures that an attacker cannot forge the watermark and secures the image along the whole link from the camera component to the server, so that an attacker can be prevented from using an injection attack to bypass the biometric detection algorithm.
EXAMPLE six
Based on the same idea as the image processing method provided above, the embodiments of this specification further provide an image processing apparatus in which a trusted execution environment is provided, as shown in fig. 7.
The image processing apparatus includes: a data receiving module 701, a verification module 702 and a service processing module 703, wherein:
a data receiving module 701, configured to receive user image data, watermark information, and a seed key sent by a terminal device through a trusted execution environment, where the user image data is acquired by the terminal device by calling a camera component through a trusted application and is placed in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key, so as to protect the privacy of the user image data, after which the user image data, the watermark information, and the seed key are sent to the apparatus;
the verification module 702 verifies the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and the service processing module 703, if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
In this embodiment of the present specification, the seed key includes an encrypted seed key and a processed seed key obtained after encryption and signature, and the verification module 702 includes:
the signing unit is used for signing the encrypted seed key by using the locally stored second key of the user to obtain a processed target seed key;
the judging unit is used for judging whether the processed target seed key matches the processed seed key;
the decryption unit is used for decrypting the encrypted seed key by using the key corresponding to the server to obtain the seed key if the two match;
a conversion unit which converts the user image data into image data in a YUV mode;
the key generation unit is used for dividing the image data in the YUV mode into a plurality of different image blocks and generating a corresponding key for each image block based on a preset seed key;
the time-frequency conversion unit is used for converting the time domain information of each image block into frequency domain information;
the watermark generation unit is used for determining the watermark position, the original watermark information and the reference bit information in each image block based on the corresponding key generated by each image block, carrying out quantization processing on the watermark position in each image block based on the frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information of each image block according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block;
and the verification unit is used for generating a verification result which passes the verification if the determined watermark information of each image block is matched with the received watermark information of each image block.
In an embodiment of this specification, the verifying unit obtains the number of bits that differ between the determined watermark information of each image block and the received watermark information of each image block; and if the acquired bit number is less than a preset number threshold, generates a verification result that the verification is passed.
In an embodiment of this specification, the user image data is image data obtained by lossy compression processing of an image, and the apparatus further includes:
the decoding module is used for decoding the user image data obtained after the lossy compression processing of the image to obtain the decoded user image data;
and the conversion unit is used for converting the decoded user image data into image data in a YUV mode.
The embodiment of this specification provides an image processing apparatus. A trusted application of a terminal device calls a camera component to acquire user image data, and the user image data is placed in a trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data. The user image data, the watermark information and the seed key are sent to a server, where they trigger the server to verify the watermark information using the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received and, if the verification is passed, the corresponding service processing is executed based on the user image data. Because the user image data is acquired through a camera component connected to the trusted execution environment, the input image data is guaranteed to be trusted. Because the algorithm runs in the trusted execution environment and the generation process is tied to the key, an attacker cannot obtain or forge the seed key. In addition, information such as the seed key is stored in the trusted execution environment, which ensures the security of the watermark data and provides resistance to forgery attacks and biometric attacks.
In addition, the watermark is obtained by combining the TEE with the secret key, which ensures that an attacker cannot forge the watermark and secures the image along the whole link from the camera component to the server, so that an attacker can be prevented from using an injection attack to bypass the biometric detection algorithm.
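The per-block procedure described in the two apparatus embodiments above (Y plane of the YUV image, 8 x 8 blocks, a 21-bit key per block split 16/4/1, DCT, quantization at the keyed positions, then server-side recomputation with a differing-bit threshold) is shown below as an added example; it is not code from the patent. The SHAKE-256 key stream, the 4-bit index into the low-frequency 4 x 4 coefficients, the quantization step, the XOR combination and the threshold value are assumptions, since the text here fixes none of them.

```python
import hashlib
import math

BLOCK = 8            # 8 x 8 blocks, as in the text
Q_STEP = 32.0        # quantization step (assumed; no value given here)
MAX_DIFF_BITS = 38   # "preset number threshold", ~15% of 256 bits (assumed)
# Assumed mapping: a 4-bit index selects one of the 16 low-frequency
# coefficients in the top-left 4 x 4 corner of the DCT block.
CANDIDATES = [(u, v) for u in range(4) for v in range(4)]


def luma_plane(rgb, width, height):
    """RGB bytes -> Y plane of YUV (BT.601 weights)."""
    y = [0.299 * rgb[i] + 0.587 * rgb[i + 1] + 0.114 * rgb[i + 2]
         for i in range(0, 3 * width * height, 3)]
    return [y[r * width:(r + 1) * width] for r in range(height)]


def block_key(seed, index):
    """Draw 21 key-stream bits for one block and split them 16 / 4 / 1."""
    stream = hashlib.shake_256(seed + index.to_bytes(4, "big")).digest(3)
    bits = int.from_bytes(stream, "big") >> 3            # keep the top 21 bits
    positions = [CANDIDATES[(bits >> (17 - 4 * i)) & 0xF] for i in range(4)]
    original = [(bits >> (4 - i)) & 1 for i in range(4)]
    return positions, original, bits & 1                 # last bit: reference


def dct_coeff(block, u, v):
    """One coefficient of the orthonormal 8 x 8 DCT-II."""
    au = math.sqrt((1 if u == 0 else 2) / BLOCK)
    av = math.sqrt((1 if v == 0 else 2) / BLOCK)
    return au * av * sum(
        block[x][y] * math.cos((2 * x + 1) * u * math.pi / 16)
        * math.cos((2 * y + 1) * v * math.pi / 16)
        for x in range(BLOCK) for y in range(BLOCK))


def watermark(rgb, width, height, seed):
    """Four watermark bits for every full 8 x 8 block of the Y plane."""
    plane = luma_plane(rgb, width, height)
    bits, index = [], 0
    for by in range(0, height - BLOCK + 1, BLOCK):
        for bx in range(0, width - BLOCK + 1, BLOCK):
            block = [row[bx:bx + BLOCK] for row in plane[by:by + BLOCK]]
            positions, original, reference = block_key(seed, index)
            for (u, v), m in zip(positions, original):
                parity = round(dct_coeff(block, u, v) / Q_STEP) & 1
                bits.append(m ^ reference ^ parity)      # assumed combination
            index += 1
    return bits


def verify(rgb, width, height, seed, received):
    """Server side: recompute, count differing bits, apply the threshold."""
    computed = watermark(rgb, width, height, seed)
    diff = sum(a != b for a, b in zip(computed, received))
    diff += abs(len(computed) - len(received))           # missing bits differ
    return diff < MAX_DIFF_BITS, diff


def constructed_image(label, width=64, height=64):
    """Constructed test input: pseudo-random RGB bytes, not a real photo."""
    return hashlib.shake_256(label).digest(width * height * 3)


def with_small_noise(rgb):
    """Constructed stand-in for mild lossy recompression: +/-1 per sample."""
    noise = hashlib.shake_256(b"noise").digest(len(rgb))
    return bytes(min(255, max(0, p + (n % 3) - 1)) for p, n in zip(rgb, noise))


def demo():
    """Verify an untouched, a slightly altered and a replaced frame."""
    seed = b"constructed-seed-key"
    captured = constructed_image(b"camera frame")
    sent = watermark(captured, 64, 64, seed)
    return {
        "untouched": verify(captured, 64, 64, seed, sent),
        "recompressed": verify(with_small_noise(captured), 64, 64, seed, sent),
        "replaced": verify(constructed_image(b"injected frame"), 64, 64, seed, sent),
    }


if __name__ == "__main__":
    for case, (ok, diff) in demo().items():
        print(f"{case:13s} pass={ok} differing_bits={diff}")
```

The threshold sits between the two regimes the description reports: a few differing bits after mild recompression, and a large fraction of differing bits once the frame is replaced.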
EXAMPLE seven
Based on the same idea as the image processing apparatus provided above, the embodiments of this specification further provide an image processing device, as shown in fig. 8.
The image processing device may be the terminal device or the server provided in the above embodiments, where the terminal device is provided with a trusted execution environment.
The image processing device may vary considerably depending on configuration or performance, and may include one or more processors 801 and a memory 802, where the memory 802 may store one or more applications or data. The memory 802 may be transient storage or persistent storage. An application program stored in the memory 802 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the image processing device. Further, the processor 801 may be configured to communicate with the memory 802 and execute, on the image processing device, the series of computer-executable instructions in the memory 802. The image processing device may also include one or more power supplies 803, one or more wired or wireless network interfaces 804, one or more input-output interfaces 805, and one or more keyboards 806.
In particular, in this embodiment, the image processing device comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and may comprise one or more modules, each module may comprise a series of computer-executable instructions for the image processing device, and the one or more programs are configured to be executed by the one or more processors and comprise computer-executable instructions for:
calling a camera component through a trusted application to acquire user image data, and placing the user image data in the trusted execution environment;
in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key so as to protect privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key so as to obtain a corresponding verification result;
and receiving the verification result sent by the server, and if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
In an embodiment of this specification, the generating, in the trusted execution environment, watermark information for the user image data based on the user image data and a preset seed key includes:
in the trusted execution environment, converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on the corresponding key generated for each image block, carrying out quantization processing on the watermark position in each image block based on the frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block.
In this embodiment of the present specification, the converting time domain information of each image block into frequency domain information includes:
and converting the time domain information of each image block into frequency domain information through discrete cosine transform.
In an embodiment of this specification, the dividing image data in the YUV mode into a plurality of different image blocks includes:
and dividing the image data in the YUV mode into a plurality of different image blocks, wherein the size of each image block is 8 x 8.
In an embodiment of this specification, the generating a corresponding key for each image block based on a preset seed key includes:
generating a key stream through the preset seed key based on a preset cipher function aiming at each image block;
and acquiring data with preset bit number from the key stream, and taking the acquired data with the preset bit number as a corresponding key generated by each image block, wherein the data with the preset bit number comprises a watermark position, original watermark information and reference bit information.
In this embodiment of this specification, the acquiring data with a preset bit number from the key stream, and using the acquired data with the preset bit number as a corresponding key generated by each image block includes:
and acquiring 21 bits of data from the key stream, and using the acquired 21 bits of data as a corresponding key generated by each image block, wherein 16 bits of data in the 21 bits of data represent 4 watermark positions, 4 bits of data in the 21 bits of data represent original watermark information, and 1 bit of data in the 21 bits of data represents reference bit information.
In this embodiment of this specification, the sending the user image data, the watermark information, and the seed key to a server includes:
encrypting the seed key based on a first key corresponding to the server, and signing the encrypted seed key by using a second key of the user to obtain a processed seed key;
and generating an image in a preset image format from the user image data, and sending the generated image, the watermark information, the encrypted seed key and the processed seed key to a server.
Further, in particular in this embodiment, the image processing device comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and may comprise one or more modules, each module may comprise a series of computer-executable instructions for the image processing device, and the one or more programs are configured to be executed by the one or more processors and comprise computer-executable instructions for:
receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by calling a camera shooting component through a trusted application by the terminal device, and the user image data are set in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to carry out privacy protection on the user image data and send the user image data, the watermark information and the seed key to the server;
verifying the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and if the verification result is that the verification is passed, executing corresponding business processing based on the user image data.
In an embodiment of this specification, the seed key includes a seed key after encryption processing and signature processing, and the verifying the watermark information by the user image data and the seed key to obtain a corresponding verification result includes:
signing the encrypted seed key by using the locally stored second key of the user to obtain a processed target seed key;
judging whether the processed target seed key matches the processed seed key;
if the two match, decrypting the encrypted seed key by using the key corresponding to the server to obtain the seed key;
converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on a corresponding key generated by each image block, performing quantization processing on the watermark position in each image block based on frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information of each image block according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block;
and if the determined watermark information of each image block is matched with the received watermark information of each image block, generating a verification result of passing the verification.
In this embodiment of the specification, the generating a verification result that the verification is passed if the determined watermark information of each image block matches the received watermark information of each image block includes:
acquiring the number of bits that differ between the determined watermark information of each image block and the received watermark information of each image block;
and if the acquired bit number is less than a preset number threshold, generating a verification result that the verification is passed.
In this embodiment of the present specification, the image data of the user is obtained by lossy compression processing of an image, and before the converting the image data of the user into image data in a YUV mode, the image processing method further includes:
decoding the user image data obtained after the lossy compression processing of the image to obtain decoded user image data;
the converting the user image data into image data in a YUV mode comprises:
and converting the decoded user image data into image data in a YUV mode.
The embodiment of this specification provides an image processing device provided with a trusted execution environment. A camera component is called through a trusted application to acquire user image data, and the user image data is placed in the trusted execution environment. Watermark information is generated for the user image data based on the user image data and a preset seed key, so as to protect the privacy of the user image data. The user image data, the watermark information and the seed key are sent to a server, where they trigger the server to verify the watermark information using the user image data and the seed key and obtain a corresponding verification result. The verification result sent by the server is received and, if the verification is passed, the corresponding service processing is performed based on the user image data. Because the user image data is acquired through a camera component connected to the trusted execution environment, the input image data is guaranteed to be trusted. Because the algorithm runs in the trusted execution environment and the watermark generation process is tied to the key, an attacker cannot obtain or forge the watermark information, which also ensures the security of the watermark information and provides a degree of defense against forgery attacks and biometric attacks.
In addition, the watermark is obtained by combining the TEE with the secret key, which ensures that an attacker cannot forge the watermark and secures the image along the whole link from the camera component to the server, so that an attacker can be prevented from using an injection attack to bypass the biometric detection algorithm.
EXAMPLE eight
Further, based on the methods shown in fig. 1A to fig. 5, one or more embodiments of this specification further provide a storage medium for storing computer-executable instruction information. In a specific embodiment, the storage medium may be a USB flash drive, an optical disk, a hard disk, or the like, and when the computer-executable instruction information stored on the storage medium is executed by a processor, the following processes can be implemented:
calling a camera component through a trusted application to acquire user image data, and placing the user image data in the trusted execution environment;
in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key so as to protect privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key so as to obtain a corresponding verification result;
and receiving the verification result sent by the server, and if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
In an embodiment of this specification, the generating, in the trusted execution environment, watermark information for the user image data based on the user image data and a preset seed key includes:
in the trusted execution environment, converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on the corresponding key generated for each image block, carrying out quantization processing on the watermark position in each image block based on the frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block.
In this embodiment of this specification, the converting time domain information of each image block into frequency domain information includes:
the time domain information of each image block is converted into frequency domain information by discrete cosine transform.
In an embodiment of this specification, the dividing image data in the YUV mode into a plurality of different image blocks includes:
and dividing the image data in the YUV mode into a plurality of different image blocks, wherein the size of each image block is 8 x 8.
In an embodiment of this specification, the generating a corresponding key for each image block based on a preset seed key includes:
generating a key stream through the preset seed key based on a preset cipher function aiming at each image block;
and acquiring data with preset bit number from the key stream, and taking the acquired data with the preset bit number as a corresponding key generated by each image block, wherein the data with the preset bit number comprises a watermark position, original watermark information and reference bit information.
In this embodiment of the specification, the acquiring data with a preset bit number from the key stream, and using the acquired data with the preset bit number as a corresponding key generated by each image block includes:
and acquiring 21 bits of data from the key stream, and using the acquired 21 bits of data as a corresponding key generated by each image block, wherein 16 bits of data in the 21 bits of data represent 4 watermark positions, 4 bits of data in the 21 bits of data represent original watermark information, and 1 bit of data in the 21 bits of data represents reference bit information.
In this embodiment of this specification, the sending the user image data, the watermark information, and the seed key to a server includes:
encrypting the seed key based on a first key corresponding to the server, and signing the encrypted seed key by using a second key of the user to obtain a processed seed key;
and generating an image in a preset image format from the user image data, and sending the generated image, the watermark information, the encrypted seed key and the processed seed key to a server.
In addition, in another specific embodiment, the storage medium may be a USB flash drive, an optical disk, a hard disk, or the like, and when the computer-executable instruction information stored on the storage medium is executed by a processor, the following processes can be implemented:
receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by calling a camera shooting component through a trusted application by the terminal device, and the user image data are set in the trusted execution environment, the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to carry out privacy protection on the user image data, and the user image data, the watermark information and the seed key are sent to the server;
verifying the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and if the verification result is that the verification is passed, executing corresponding business processing based on the user image data.
In an embodiment of this specification, the seed key includes a seed key after encryption processing and signature processing, and the verifying the watermark information by the user image data and the seed key to obtain a corresponding verification result includes:
signing the encrypted seed key by using the locally stored second key of the user to obtain a processed target seed key;
judging whether the processed target seed key matches the processed seed key;
if the two match, decrypting the encrypted seed key by using the key corresponding to the server to obtain the seed key;
converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on a corresponding key generated by each image block, carrying out quantization processing on the watermark position in each image block based on frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information of each image block according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block;
and if the determined watermark information of each image block matches the received watermark information of each image block, generating a verification result indicating that the verification is passed.
In this embodiment of the present specification, if the determined watermark information of each image block matches the received watermark information of each image block, generating a verification result indicating that the verification is passed includes:
acquiring the number of bits that differ between the determined watermark information of each image block and the received watermark information of each image block;
and if the acquired bit number is smaller than the preset number threshold, generating a verification result indicating that the verification is passed.
In an embodiment of this specification, the user image data is image data obtained by lossy compression processing of an image, and before the user image data is converted into image data in a YUV mode, the method further includes:
decoding the user image data obtained after the lossy compression processing of the image to obtain decoded user image data;
the converting the user image data into image data in a YUV mode includes:
and converting the decoded user image data into image data in a YUV mode.
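The server-side check described above, as an added example that is not part of the patent text: each 8 x 8 block gets a 21-bit key split 16/4/1, the watermark bits are recomputed from the image and the seed key, and the verification passes when fewer bits differ than a threshold. Assumptions made here because the page does not specify them: HMAC-SHA256 as the "preset cipher function", the mapping of a 4-bit position to a DCT coefficient, the quantization step, the threshold value, the XOR combination of original bit, reference bit and quantization parity, and the use of the Y plane only; the sample planes are constructed, and the encrypted and signed transport of the seed key is left out.

```python
import hashlib
import hmac
import math
import random

BLOCK = 8        # 8 x 8 blocks, as in the text
STEP = 24.0      # quantization step (assumed value)
THRESHOLD = 32   # differing bits tolerated before rejection (assumed value)


def derive_block_key(seed_key, block_index):
    """Split 21 keystream bits into 4 positions, 4 original bits, 1 reference bit."""
    # Assumption: HMAC-SHA256 stands in for the unnamed "preset cipher function".
    stream = hmac.new(seed_key, block_index.to_bytes(4, "big"), hashlib.sha256).digest()
    k = int.from_bytes(stream[:3], "big") >> 3                  # first 21 bits
    positions = [(k >> (17 - 4 * i)) & 0xF for i in range(4)]   # 16 bits
    original = [(k >> (4 - i)) & 1 for i in range(4)]           # 4 bits
    reference = k & 1                                           # 1 bit
    return positions, original, reference


def dct_coefficient(block, u, v):
    """One coefficient of the orthonormal 8 x 8 DCT-II of a block."""
    au = math.sqrt(0.5) if u == 0 else 1.0
    av = math.sqrt(0.5) if v == 0 else 1.0
    total = 0.0
    for x in range(BLOCK):
        cx = math.cos((2 * x + 1) * u * math.pi / 16)
        for y in range(BLOCK):
            total += block[x][y] * cx * math.cos((2 * y + 1) * v * math.pi / 16)
    return 0.25 * au * av * total


def generate_watermark(y_plane, seed_key):
    """Return 4 watermark bits per full 8 x 8 block, blocks in raster order."""
    rows, cols = len(y_plane) // BLOCK, len(y_plane[0]) // BLOCK
    bits = []
    for br in range(rows):
        for bc in range(cols):
            block = [row[bc * BLOCK:(bc + 1) * BLOCK]
                     for row in y_plane[br * BLOCK:(br + 1) * BLOCK]]
            positions, original, reference = derive_block_key(seed_key, br * cols + bc)
            for pos, orig_bit in zip(positions, original):
                # Assumption: a 4-bit position selects one of 16 low/mid
                # frequency coefficients, skipping the DC row and column.
                u, v = 1 + pos // 4, 1 + pos % 4
                q = math.floor(dct_coefficient(block, u, v) / STEP)
                # Assumption: bit = original XOR reference XOR quantizer parity.
                bits.append(orig_bit ^ reference ^ (q & 1))
    return bits


def verify_watermark(y_plane, received, seed_key, threshold=THRESHOLD):
    """Recompute the watermark and pass if fewer than `threshold` bits differ."""
    expected = generate_watermark(y_plane, seed_key)
    if len(expected) != len(received):
        return False, None              # wrong block count: reject outright
    differing = sum(a != b for a, b in zip(expected, received))
    return differing < threshold, differing


def sample_plane(rng_seed, size=64):
    """Constructed Y plane: pseudo-random luminance values, not a real capture."""
    rng = random.Random(rng_seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


def recompress(y_plane, rng_seed=99):
    """Constructed stand-in for lossy re-encoding: -1/0/+1 noise on each pixel."""
    rng = random.Random(rng_seed)
    return [[min(255, max(0, p + rng.choice((-1, 0, 1)))) for p in row]
            for row in y_plane]


def demo():
    seed_key = b"constructed-seed-key"
    captured = sample_plane(1)
    watermark = generate_watermark(captured, seed_key)    # terminal side, in the TEE
    return {
        "genuine": verify_watermark(captured, watermark, seed_key),
        "recompressed": verify_watermark(recompress(captured), watermark, seed_key),
        "injected": verify_watermark(sample_plane(2), watermark, seed_key),
        "wrong_seed": verify_watermark(captured, watermark, b"another-seed-key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```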
The embodiment of the specification provides a storage medium. A camera shooting component is called through a trusted application to obtain user image data, and the user image data is placed in a trusted execution environment. In the trusted execution environment, watermark information is generated for the user image data based on the user image data and a preset seed key so as to protect the privacy of the user image data, and the user image data, the watermark information and the seed key are sent to a server, where they are used for triggering the server to verify the watermark information through the user image data and the seed key to obtain a corresponding verification result. The verification result sent by the server is received, and if the verification result is that the verification is passed, corresponding business processing is executed based on the user image data. Because the user image data is obtained by a camera shooting component connected with the trusted execution environment, the input image data is guaranteed to be trusted. Meanwhile, the algorithm runs in the trusted execution environment and the watermark generation process is related to the key, so an attacker cannot obtain or forge the watermark information. In addition, the seed key and other information cannot be stored in the trusted execution environment, and the security of the data is guaranteed. A certain capability for biometric recognition to defend against deep forgery attacks is thereby ensured.
In addition, because the watermark is acquired by combining the TEE and the secret key, an attacker cannot forge the watermark, and the security of the image is ensured over the whole link from the camera shooting component to the server, so that an attacker can be prevented from bypassing the biological detection algorithm by using an injection attack.
The foregoing description of specific embodiments has been presented for purposes of illustration and description. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, an improvement in a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement in a circuit structure such as a diode, a transistor, or a switch) or an improvement in software (an improvement in a process flow). However, as technology has advanced, many of today's process flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs a digital system onto a single PLD to "integrate" it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, instead of manually fabricating integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development, and the source code to be compiled must be written in a specific programming language called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry for implementing the logical method flows can be readily obtained by a mere need to program the method flows with some of the hardware description languages described above and into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. Or the means for performing the functions may even be regarded as being both software modules for performing the method and structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, respectively. Of course, the functionality of the various elements may be implemented in the same one or more pieces of software and/or hardware in implementing one or more embodiments of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable fraud case serial-parallel apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable fraud case serial-parallel apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable fraud case to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable fraud case serial-parallel apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
One or more embodiments of the specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present disclosure, and is not intended to limit the present disclosure. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (17)

1. A processing method of an image is applied to a terminal device, a trusted execution environment is set in the terminal device, and the method comprises the following steps:
calling a camera shooting component through a trusted application to acquire user image data, and setting the user image data in the trusted execution environment;
in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key so as to protect privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key so as to obtain a corresponding verification result;
and receiving the verification result sent by the server, and if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
2. The method of claim 1, wherein generating, in the trusted execution environment, watermark information for the user image data based on the user image data and a preset seed key comprises:
in the trusted execution environment, converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on a corresponding key generated by each image block, carrying out quantization processing on the watermark position in each image block based on frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block.
3. The method of claim 2, wherein converting the time domain information of each image block into frequency domain information comprises:
the time domain information of each image block is converted into frequency domain information by discrete cosine transform.
4. The method of claim 2, the dividing image data in YUV mode into a plurality of different image blocks, comprising:
and dividing the image data in the YUV mode into a plurality of different image blocks, wherein the size of each image block is 8 x 8.
5. The method according to claim 2, wherein the generating a corresponding key for each image block based on the preset seed key comprises:
generating a key stream through the preset seed key based on a preset cipher function aiming at each image block;
and acquiring data with preset bit number from the key stream, and taking the acquired data with the preset bit number as a corresponding key generated by each image block, wherein the data with the preset bit number comprises a watermark position, original watermark information and reference bit information.
6. The method according to claim 5, wherein the obtaining data with a preset number of bits from the key stream, and using the obtained data with the preset number of bits as a corresponding key generated by each image block comprises:
and acquiring 21 bits of data from the key stream, and using the acquired 21 bits of data as a corresponding key generated by each image block, wherein 16 bits of data in the 21 bits of data represent 4 watermark positions, 4 bits of data in the 21 bits of data represent original watermark information, and 1 bit of data in the 21 bits of data represents reference bit information.
7. The method of claim 5, the sending the user image data, the watermark information, and the seed key to a server, comprising:
encrypting the seed key based on a first key corresponding to the server, and signing the encrypted seed key by using a second key of the user to obtain a processed seed key;
and generating an image in a preset image format from the user image data, and sending the generated image, the watermark information, the encrypted seed key and the processed seed key to a server.
8. A processing method of an image is applied to a server, and the method comprises the following steps:
receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by calling a camera shooting component through a trusted application by the terminal device, and the user image data are set in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to carry out privacy protection on the user image data and send the user image data, the watermark information and the seed key to the server;
verifying the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and if the verification result is that the verification is passed, executing corresponding business processing based on the user image data.
9. The method according to claim 8, wherein the seed key includes an encrypted seed key and a processed seed key obtained after encryption and signature, and the verifying the watermark information by the user image data and the seed key obtains a corresponding verification result, including:
performing signature processing on the encrypted seed key by using the locally stored second key of the user to obtain a processed target seed key;
judging whether the processed target seed key matches the processed seed key;
if they match, decrypting the encrypted seed key by using the key corresponding to the server to obtain the seed key;
converting the user image data into image data in a YUV mode;
dividing image data in a YUV mode into a plurality of different image blocks, and generating a corresponding key for each image block based on a preset seed key;
converting the time domain information of each image block into frequency domain information;
determining a watermark position, original watermark information and reference bit information in each image block based on a corresponding key generated by each image block, performing quantization processing on the watermark position in each image block based on frequency domain information of each image block to obtain quantization information corresponding to the watermark position in each image block, and determining the watermark information of each image block according to the original watermark information and the reference bit information in each image block and the quantization information corresponding to the watermark position in each image block;
and if the determined watermark information of each image block is matched with the received watermark information of each image block, generating a verification result of which the verification is passed.
10. The method according to claim 9, wherein if the determined watermark information of each image block matches the received watermark information of each image block, generating a verification result indicating that the verification is passed comprises:
acquiring the number of bits that differ between the determined watermark information of each image block and the received watermark information of each image block;
and if the acquired bit number is less than a preset number threshold, generating a verification result indicating that the verification is passed.
11. The method of claim 8, wherein the user image data is image data obtained by lossy compression processing of an image, and before the converting the user image data into image data in YUV mode, the method further comprises:
decoding the user image data obtained after the lossy compression processing of the image to obtain decoded user image data;
the converting the user image data into image data in a YUV mode includes:
and converting the decoded user image data into image data in a YUV mode.
12. An apparatus for processing an image, the apparatus having a trusted execution environment disposed therein, the apparatus comprising:
the image acquisition module calls a camera shooting assembly through trusted application to acquire user image data and arranges the user image data in the trusted execution environment;
the image processing module is used for generating watermark information for the user image data based on the user image data and a preset seed key in the trusted execution environment so as to protect the privacy of the user image data and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and the business processing module is used for receiving the verification result sent by the server, and executing corresponding business processing based on the user image data if the verification result is that the verification is passed.
13. An apparatus for processing an image, the apparatus comprising:
the data receiving module is used for receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by the terminal device through a trusted application calling camera shooting component, and the user image data are set in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to protect the privacy of the user image data and send the user image data, the watermark information and the seed key to the device;
the verification module verifies the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and the business processing module executes corresponding business processing based on the user image data if the verification result is that the verification is passed.
14. A device for processing an image, the device being provided with a trusted execution environment, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
calling a camera shooting component through a trusted application to acquire user image data, and setting the user image data in the trusted execution environment;
in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key so as to protect privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key so as to obtain a corresponding verification result;
and receiving the verification result sent by the server, and if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
15. An apparatus for processing an image, the apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by calling a camera shooting component through a trusted application by the terminal device, and the user image data are set in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to carry out privacy protection on the user image data and send the user image data, the watermark information and the seed key to a processing device of the image;
verifying the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and if the verification result is that the verification is passed, executing corresponding business processing based on the user image data.
16. A storage medium for storing computer-executable instructions, which when executed by a processor implement the following:
calling a camera shooting component through a trusted application to acquire user image data, and setting the user image data in a trusted execution environment;
in the trusted execution environment, generating watermark information for the user image data based on the user image data and a preset seed key so as to protect privacy of the user image data, and sending the user image data, the watermark information and the seed key to a server, wherein the user image data, the watermark information and the seed key are used for triggering the server to verify the watermark information through the user image data and the seed key so as to obtain a corresponding verification result;
and receiving the verification result sent by the server, and if the verification result is that the verification is passed, executing corresponding service processing based on the user image data.
17. A storage medium for storing computer-executable instructions, which when executed by a processor implement the following:
receiving user image data, watermark information and a seed key which are sent by a terminal device through a trusted execution environment, wherein the user image data are acquired by calling a camera shooting component through a trusted application by the terminal device, and the user image data are set in the trusted execution environment, and the watermark information is generated for the user image data by the terminal device in the trusted execution environment based on the user image data and a preset seed key so as to carry out privacy protection on the user image data and send the user image data, the watermark information and the seed key to a server;
verifying the watermark information through the user image data and the seed key to obtain a corresponding verification result;
and if the verification result is that the verification is passed, executing corresponding business processing based on the user image data.
Application CN202210932254.1A, Image processing method, device and equipment: priority date 2022-08-04, filing date 2022-08-04, published as CN115357929A (en) on 2022-11-18, status Pending.

Family ID: 84001107

Country status: CN, CN115357929A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination