WO2022170759A1

WO2022170759A1 - Information processing method and apparatus, and electronic device, server and medium

Info

Publication number: WO2022170759A1
Application number: PCT/CN2021/117232
Authority: WO
Inventors: 李定洲; 郭伟; 祖立军; 钱进
Original assignee: 中国银联股份有限公司
Priority date: 2021-02-09
Filing date: 2021-09-08
Publication date: 2022-08-18
Also published as: TW202232407A; CN112819475A

Abstract

Disclosed are an information processing method and apparatus, and an electronic device, a server and a medium. The information processing method comprises: firstly, receiving a first input for user identity authentication; next, in response to the first input, acquiring identity information to be authenticated of a user by means of near field communication in a trusted execution environment; then, determining, according to the identity information to be authenticated of the user, target information for representing the identity of the user, wherein the target information comprises first biological characteristic information of the user, and acquiring a user image within a pre-set time period, wherein the user image comprises second biological characteristic information of the user; and then, on the basis of a comparison result between the first biological characteristic information and the second biological characteristic information, determining a user identity authentication result of the identity information to be authenticated. By means of the method, the accuracy of an identity authentication result can be effectively improved, user identity information is prevented from being leaked and tampered with, and network information security is improved.

Description

Information processing method, apparatus, electronic device, server and medium

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority of Chinese Patent Application No. 202110179442.7, which was filed on February 9, 2021, and is entitled "Information Processing Method, Device, Electronic Device, Server, and Medium", the entire content of which is incorporated herein by reference.

technical field

The present disclosure belongs to the field of Internet technologies, and in particular, relates to an information processing method, an apparatus, an electronic device, a server and a medium.

Background technique

With the development of computers and the Internet, there are more and more scenarios that require user identity authentication, such as identity authentication in account login or online payment scenarios.

At present, identity authentication can be performed by comparing the image of the user's identity document with the image of the user, or by reading the identity information of the chip in the user's identity document. However, the former identity authentication method is difficult to identify the authenticity of the user's identity document. In addition, the wear of the surface information of the user's identity document or the poor image capture effect will also reduce the accuracy of the identity authentication result. The latter method of identity authentication will also cause the user's identity information to be maliciously tampered with and leaked due to the low security of the platform that reads the user's identity document.

SUMMARY OF THE INVENTION

The embodiments of the present disclosure provide an information processing method, apparatus, electronic device, server and medium, which can effectively improve the accuracy of identity authentication results, prevent user identity information from being leaked and tampered with, and improve network information security.

In a first aspect, an embodiment of the present disclosure provides an information processing method, which is applied to an electronic device, including:

receiving a first input for user identity authentication;

In response to the first input, in a trusted execution environment, obtain the user's identity information to be authenticated through near field communication;

According to the user's identity information to be authenticated, determine target information for characterizing the user's identity, the target information includes the user's first biometric information, and a user image acquired within a preset time period, the user image includes the user's second biometrics information;

Based on the comparison result between the first biometric information and the second biometric information, the user identity authentication result of the identity information to be authenticated is determined.

In a second aspect, an embodiment of the present disclosure provides an information processing method, applied to an electronic device, including:

receiving a first input for user identity authentication;

Send the user's identity information to be authenticated to the server, and the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated;

Acquire a user image within a preset time period, and send the user image to the server, where the user image is used to compare with the user's identity to be authenticated to determine the user identity authentication result;

Receive the user identity authentication result of the identity information to be authenticated sent by the server.

In a third aspect, an embodiment of the present disclosure provides an information processing method, applied to a server, including:

Receive the identity information to be authenticated of the user sent by the electronic device;

When it is detected that the device type of the electronic device is the preset target device type, acquire target information corresponding to the user's identity information to be authenticated and used to characterize the user's identity, the target information including the user's first biometric feature information ;

Receive user images sent by electronic devices;

Determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information in the user image;

Send the user authentication result to the electronic device.

In a fourth aspect, an embodiment of the present disclosure provides an information processing apparatus, which is applied to an electronic device, including:

a receiving module for receiving the first input for user identity authentication;

an acquisition module, configured to acquire the user's identity information to be authenticated through near field communication in a trusted execution environment in response to the first input;

The processing module is configured to determine target information used to characterize the user's identity according to the user's identity information to be authenticated, the target information includes the user's first biometric information, and the user image obtained within a preset time period, and the user image includes the user's first biometric information. the second biometric information;

The determining module is configured to determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information.

In a fifth aspect, an embodiment of the present disclosure provides an information processing apparatus, which is applied to an electronic device, and may specifically include:

a sending module, configured to send the user's identity information to be authenticated to the server, and the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated;

The sending module is further configured to acquire a user image within a preset time period, and send the user image to the server, where the user image is used to compare with the user's identity to be authenticated to determine the user identity authentication result;

The receiving module is further configured to receive the user identity authentication result of the identity information to be authenticated sent by the server.

In a sixth aspect, an embodiment of the present disclosure provides an information processing apparatus, which is applied to a server, and may specifically include:

a receiving module, configured to receive the identity information to be authenticated of the user sent by the electronic device;

The acquisition module is configured to acquire target information corresponding to the user's identity information to be authenticated and used to characterize the user's identity when it is detected that the device type of the electronic device is a preset target device type, and the target information includes the user's first biometric information;

The receiving module is also used for receiving the user image sent by the electronic device;

A determination module, for determining the user identity authentication result of the identity information to be authenticated based on the comparison result of the first biometric information and the second biometric information in the user image;

The sending module is used for sending the user identity authentication result to the electronic device.

In a seventh aspect, an embodiment of the present disclosure provides an electronic device, the electronic device comprising: a processor and a memory storing computer program instructions;

The information processing method shown in the first aspect or the second aspect is implemented when the processor executes the computer program instructions.

In an eighth aspect, an embodiment of the present disclosure provides a server, the server comprising: a processor and a memory storing computer program instructions;

The information processing method shown in the third aspect is implemented when the processor executes the computer program instructions.

In a ninth aspect, an embodiment of the present disclosure provides a computer-readable storage medium, where computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are executed by a processor, the information processing method shown in the first aspect is implemented .

The information processing method, device, device, and medium of the embodiments of the present disclosure obtain the trusted target information for characterizing the user's identity by obtaining the user's identity information to be authenticated in the trusted execution environment TEE and the near field communication NFC. For example, the identity document information can avoid the problem of forging identity documents, and also avoid the problem of inaccurate target information obtained due to poor photographing effect or insufficient photographing hardware, resulting in incorrect user identity authentication results.

In addition, by acquiring target information in the trusted execution environment TEE, comparing the first biometric information in the target information with the second biometric information in the captured user image, it can effectively prevent malware from intercepting the identity document information that has been replaced and tampered with. At the same time, secure access to the camera of the electronic device through the Trusted Execution Environment (TEE) ensures the accuracy of the user image used for comparison authentication and prevents the injection of fake facial photos or videos.

Description of drawings

In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the accompanying drawings required in the embodiments of the present disclosure will be briefly introduced below. For those of ordinary skill in the art, under the premise of no creative work, the Additional drawings can be obtained from these drawings.

1 is a schematic diagram of an information processing architecture of an embodiment of an information processing method according to the first aspect of the present disclosure;

2 is a schematic structural diagram of an electronic device and a server according to an embodiment of the information processing method of the first aspect of the present disclosure;

3 is a schematic architectural diagram of an application scenario of an embodiment of the information processing method according to the first aspect of the present disclosure;

4 is a schematic diagram of an APDU instruction execution position corresponding to a category to which an electronic device belongs according to an embodiment of the information processing method of the first aspect of the present disclosure;

5 is a schematic flowchart of an information processing method according to an embodiment of the information processing method of the first aspect of the present disclosure;

6 is a schematic diagram of an information processing interface according to an embodiment of the information processing method of the first aspect of the present disclosure;

7 is a schematic diagram of an original image histogram of an embodiment of the information processing method according to the first aspect of the present disclosure;

8 is a schematic diagram of a trusted identity authentication initialization process according to an embodiment of the information processing method of the first aspect of the present disclosure;

9 is a schematic flowchart of a trusted identity authentication comparison according to an embodiment of the information processing method of the first aspect of the present disclosure;

10 is a schematic structural diagram of an embodiment of an information processing apparatus based on an electronic device of the information processing apparatus according to the fourth aspect of the present disclosure;

11 is a schematic structural diagram of an embodiment of an electronic device-based information processing apparatus of the information processing apparatus according to the fifth aspect of the present disclosure;

12 is a schematic structural diagram of an embodiment of a server-based information processing apparatus of the information processing apparatus according to the sixth aspect of the present disclosure;

13 is a schematic diagram of a hardware structure of an embodiment of an information processing apparatus according to a seventh aspect of the present disclosure.

Detailed ways

The features and exemplary embodiments of various aspects of the present disclosure will be described in detail below. In order to make the purpose, technical solutions and advantages of the present disclosure more clear, the present disclosure will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are only configured to explain the present disclosure, and not to limit the present disclosure. It will be apparent to those skilled in the art that the present disclosure may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present disclosure by illustrating examples of the present disclosure.

It should be noted that, in this document, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any relationship between these entities or operations. any such actual relationship or sequence exists. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device that includes a list of elements includes not only those elements, but also includes not explicitly listed or other elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising" does not preclude the presence of additional identical elements in the process, method, article or device that includes the element.

At present, the operating system of the identity authentication scheme is mostly Android system, so the security of identity authentication is highly dependent on the security of the Android system itself. There are also loopholes in the scheme. If the identity authentication process is initiated by an application and executed in the Android environment, and the security of the Android system environment itself is low, once an attacker is attacked, such as an attacker obtaining root privileges, by implanting a Trojan horse and other means, stealing and Tampering with the information in the user's identity authentication process, falsifying the identity authentication results that are inconsistent with the actual situation, and even using the forged identity information to carry out illegal activities, resulting in the disclosure of the user's identity information.

In the existing identity authentication scheme, identity authentication can be performed by comparing the user image in the user's identity document and obtaining the user's image in real time, or by reading the identity information of the chip in the user's identity document. However, the former identity authentication method is difficult to identify the authenticity of the user's identity document, and the result of identity authentication is inaccurate due to the wear and tear of the surface information of the user's identity document or the poor image capture effect of the electronic device. The latter identity authentication scheme is usually authorized to the operating organization of the application for reading and identity authentication. If the personnel of the operating organization intentionally disclose the authorization credentials to the unauthorized organization, or the unauthorized organization uses reverse engineering, malicious debugging and other means If the authorization certificate is stolen, the unauthorized organization may use the certificate to obtain improper benefits. In addition, the identity authentication process of performing face comparison in the method of obtaining the identity information of the chip in the user's identity document is performed in an Android control in the Android system, or as a part of the Android application. Low security, resulting in malicious tampering and disclosure of user identity information.

Thus, the embodiments of the present disclosure provide an information processing method, apparatus, device, and storage medium, which can obtain a user's waiting list by using a trusted execution environment (TEE) and near field communication (NFC). The method of authenticating identity information to obtain trustworthy target information used to characterize the user's identity, such as identity document information, to avoid the problem of forging identity documents, and also to avoid the target obtained due to poor photographing effect or insufficient photographing hardware. Inaccurate information, resulting in incorrect user authentication results.

For a better understanding of the present disclosure, the information processing method, apparatus, electronic device, server, and storage medium according to the embodiments of the present disclosure will be described in detail below with reference to FIG. 1 to FIG. 11 . It should be noted that these embodiments are not used for limit the scope of this disclosure.

FIG. 1 is a schematic diagram of an information processing architecture of an embodiment of an information processing method according to the first aspect of the present disclosure.

As shown in FIG. 1 , the information processing system includes an electronic device 10 , a server 20 and a near field communication chip 30 , such as a chip in an ID document, a chip in a bank card document, a chip in a recharge card, and other chips that support near field communication. When the electronic device 10 establishes a communication link with the server 20, a first input for user identity authentication is received. In response to the first input, the electronic device 10 acquires the identity information to be authenticated of the user in the near field communication chip 30 through near field communication in a trusted execution environment. The electronic device 10 determines target information for characterizing the user's identity according to the user's identity information to be authenticated, the target information includes the user's first biometric information, and the user image acquired within a preset time period, and the user image includes the user's first biometric information. two biometric information, and based on the comparison result of the first biometric information and the second biometric information, determine the user identity authentication result of the identity information to be authenticated.

Here, after the electronic device 10 obtains the user's identity information to be authenticated, it may also send the user's identity information to be authenticated to the server 20, so that the server 20 determines a target for characterizing the user's identity according to the user's identity information to be authenticated information, and determine the user identity authentication result of the identity information to be authenticated through the user image captured by the electronic device 10, and then feed back the user identity authentication result of the identity information to be authenticated to the electronic device 10, so that the electronic device 10 displays the user identity to the user. Authentication result.

Based on the above architecture, the electronic device 10 and the server 20 will be described in detail below, respectively. As shown in FIG. 2 , the electronic device 10 in the embodiment of the present disclosure may include an electronic device application 101 , a trusted identity authentication service control 102 and a trusted identity authentication service TA103 . Examples of the electronic device application 101 include the trusted identity authentication service SDK1011, which is a software development kit (SDK), and the trusted identity authentication service TA103, which is a trusted application (trusted application, TA).

Further, the electronic device 10 has a trusted execution environment TEE, and the electronic device 10 passes a third-party application (Application, APP) related to the trusted identity authentication service, which is provided by a platform that needs to carry out user authentication service, such as a shopping application or an industry party. , which obtains the trusted identity authentication service capability by integrating the trusted identity authentication service SDK1011, the trusted identity authentication service control 102 runs on the electronic device as an independent application, and the trusted identity authentication service TA103 runs in the trusted execution environment TEE.

The server 20 in the embodiment of the present disclosure may run a platform supporting management classes, such as a trusted identity service platform. The operating trusted identity service platform may include an authoritative identity authentication module 201 , a trusted identity authentication background module 202 and a face authentication comparison module 203 . The authoritative identity authentication module 201 is used to interact with the identity authentication server of the identity authentication platform, and parse the identity information plaintext data of the identity information to be authenticated of the user. Here, the trusted identity service platform in the embodiment of the present disclosure is used to manage third-party applications that access and use the trusted identity service platform. The authentication service control 102 provides the business function processing flow.

Based on the structures shown in the above-mentioned electronic device 10 and server 20, the information processing method provided by the embodiment of the present disclosure will be described in detail, and the details are as follows.

Based on the above, it can be seen that the existing identity document information, such as the user's identity document image and the identity document number, has problems such as abuse, theft, and malicious disclosure. Therefore, in order to ensure the safe and compliant use of identity document information, first of all, it is necessary to ensure that the identity document used by the user is real and close to him. In this way, the safe reading and parsing of identity document information through NFC is implemented in this disclosure. The technical basis of the example. There are two prerequisites to realize the safe reading and parsing of the ID card through NFC. One is to realize the safe transmission of ID information from the electronic device 10 through the server to the identity authentication server, and the other is to realize the safe reading of the ID information through NFC.

In view of this, the embodiments of the present disclosure propose a security information interaction method from the electronic device to the server based on the TEE security guarantee mechanism. First, the embodiment of the present disclosure grants the authoritative identity authentication module 201 the function of docking with an identity authentication server, and pre-installs the server certificate granted by the identity authentication server in the server, and the server certificate is used to indicate that the server has the authority to authenticate the user's identity to be authenticated. information for identification. Secondly, through the trusted application management platform (Trusted Application Management, TAM) corresponding to the electronic device, the target information data decryption authorization certificate provided by the identity authentication server is securely downloaded to the trusted identity authentication service, so as to realize the transition from electronic device to reliable authentication service. A closed loop of secure communication from the identity service platform to the identity authentication platform.

Based on this, when the electronic device receives the user's first input for user identity authentication, the electronic device can use the trusted identity authentication service SDK 1011 and the trusted identity authentication service control 102 in the Android system and/or the ios system in the electronic device to realize the authentication of the user's identity. Invoke the trusted identity authentication service TA103, and initiate the collection and processing of the identity information to be authenticated, and then it is credibly connected to the trusted identity service platform to communicate with the trusted identity authentication background module 202. Finally, the verification and parsing processing of the identity information to be authenticated is completed by the authoritative identity authentication module 201 .

In this way, on the one hand, the problem of limited capability due to the small TEE space in the electronic device is effectively avoided, and the requirements on the hardware resources of the electronic device for reading the identity information to be authenticated are reduced. On the other hand, the trusted identity authentication service TA generates a pair of public and private keys based on the digital certificate of the electronic device such as the root trust certificate. Among them, the device public key and user address (UserId) and the unique identifier of the electronic device in the public-private key pair will be recorded on the trusted identity service platform. When a risk is found in an electronic device, it will quickly locate an electronic device and Terminate its continued access to the trusted identity service platform, which provides effective support for the trusted identity service platform to carry out risk prevention and control of electronic equipment. In addition, after ensuring the security of the identity authentication information transmission from the electronic device to the identity authentication platform, it has the ability to securely accept the verification and analysis of the identity information to be authenticated. The information and the process of securely docking with the trusted identity service platform can be described in detail with reference to FIG. 3 .

FIG. 3 is an architectural schematic diagram of an application scenario of an embodiment of an information processing system provided according to the present disclosure. As shown in FIG. 3 , the near field communication chip is a chip that includes the user's identity information to be authenticated, and the chip supports NFC communication, such as a second-generation identity document. The electronic device 10 includes an NFC module and a trusted identity authentication service TA103. The NFC module is used to read and transmit the identity information to be authenticated of the user in the second-generation identity document. The trusted identity authentication service TA103 runs in the TEE trusted execution environment. When the second-generation ID card communicates with the NFC using Application Protocol Data Unit (APDU) commands, it judges and compares the current Internet of Things electronic devices, and determines the communication process between the NFC access and the second-generation ID card. For example, in some IoT electronic devices with severely limited resources, such as wearable devices, smart door locks and other devices that cannot carry a large amount of computing, it is necessary to further customize the process in the NFC communication process, and access the NFC The APDU command interaction with the second-generation ID document is executed in the device TEE, and the generation, assembly and APDU response processing of the second-generation ID document access APDU command are carried out on the background of the trusted identity authentication service. The specific content can be Specifically refer to the content shown in FIG. 4 .

The server 20 runs a trusted identity service platform, which is used as a support management platform for the information processing method based on the trusted identity authentication service. In addition, the operating trusted identity service platform may include an APDU instruction operation module and an authoritative identity authentication module 201, wherein the APDU instruction operation module is used to process the generation, assembly and response of the second-generation identity document access APDU instruction, which is mainly related to the authoritative identity authentication. Module 201 interacts. The authoritative identity authentication module 201 is used for securely interacting with the identity authentication platform to determine the identity information plaintext data of the identity information to be authenticated of the user.

Based on the system architecture shown in FIG. 3 , the embodiment of the present disclosure implements secure reading of NFC information through TEE, and then enables the trusted identity authentication service TA103 to comprehensively monitor NFC reading operations outside the device. When the trusted identity authentication service TA103 receives the ID card operation request, it will safely call the NFC module of the electronic device, execute the APDU command set according to the second-generation ID card specification, and execute the command response to the identity information to be authenticated. return. Next, the trusted identity authentication service TA103 sends the received ciphertext information of the identity information to be authenticated to the authoritative identity authentication module 201 through the secure link between the electronic device and the server. The authoritative identity authentication module 201 establishes a secure communication with the identity authentication server after receiving the ciphertext information of the identity information to be authenticated, and parses it through the identity authentication server and splices and assembles it into a target for characterizing the user identity through the identity authentication server attribute format. When the original text string of the information is returned, the trusted identity service service platform responds the original text string of the target information to the trusted identity authentication service TA103. At this point, the trusted identity authentication service TA103 can decrypt the original character string of the authorization certificate and the target information according to the target information data of the pre-saved authoritative identity authentication agency, and the identity information to be authenticated, such as the identity document number, the identity document image and the identity document image Decrypt the user's face image, etc., to obtain target information such as the user's face image in the ID document image. In the above process, the trusted identity authentication service TA103 reads the identity information to be authenticated of the second-generation identity document through the NFC near field, and then hands it over to the authoritative identity authentication module 201 to process and parse the identity information of the identity information to be authenticated. data.

In addition, it should be noted that the information processing method in the embodiment of the present disclosure may be executed on the side of the electronic device, and may also be executed on the electronic device and the server. Therefore, in some possible embodiments, for example, in some IoT electronic devices with severely limited resources, such as wearable devices, smart door locks, etc. that cannot carry a large amount of computing, it is also necessary to check the NFC communication process. Its process is further customized. These Internet of Things electronic devices can be specifically described with reference to FIG. 4 . As shown in FIG. 4 , for some IoT electronic devices (such as wearable devices, smart door locks, etc.) with severely limited resources provided by the embodiments of the present disclosure, the process needs to be further customized in the NFC communication process. The access to NFC and the APDU command interaction with the ID document are executed in the device TEE, and the generation, assembly and APDU response processing of the ID document access APDU command are carried out on the trusted identity service platform. That is, the embodiment of the present disclosure realizes the secure reading of NFC information through TEE, and then enables the trusted identity authentication service TA103 to comprehensively monitor the reading operation of NFC outside the device. When the trusted identity authentication service TA103 receives the ID card swiping operation request, it will safely call the NFC module of the electronic device, and execute the near field communication command in the APDU command set according to the second-generation ID card specification, and will execute the command response to the waiting list. The authenticated identity information is returned. Here, the instructions in the APDU instruction set are determined by the server. Next, the trusted identity authentication service TA103 sends the received ciphertext information of the identity information to be authenticated to the authoritative identity authentication module 201 through the secure link between the electronic device and the server. The authoritative identity authentication module 201 establishes a secure communication with the identity authentication server after receiving the ciphertext information of the identity information to be authenticated, and is parsed by the identity authentication server and assembled into a target for characterizing the user identity by splicing and splicing according to the identity document attribute format. The original text string of the information is returned to the authoritative identity authentication module 201 . At this time, the authoritative identity authentication module 201 can decrypt the original character string of the authorization certificate and the target information according to the target information data of the authoritative identity authentication agency saved in advance, such as the identity information to be authenticated, such as the identity document number, the identity document image and the identity document image. Decryption of the user's face image, etc., to obtain target information such as the user's face image in the identity document image. In the above process, the trusted identity authentication service TA103 reads the identity information to be authenticated of the second-generation identity document through the NFC near field, and then hands it over to the authoritative identity authentication module 201 to process and parse the identity information of the identity information to be authenticated. data.

When customizing the communication process between NFC access and ID documents according to the Internet of Things electronic device, select the appropriate processing process according to the performance, use and type of the Internet of Things electronic device, such as smart phones, portable/tablet computers, smart POS equipment, smart cars, Self-service vending machines and self-service gates use the scheme of calling NFC in the TEE to perform APDU command interaction between NFC and second-generation ID documents; smart watches/bands, smart door locks/access control use the device to execute APDU commands, and the trusted identity The service platform generates, assembles and processes APDU instructions.

Based on this, when the electronic device receives the user's first input for user identity authentication, in response to the first input, in a trusted execution environment, the user's identity information to be authenticated is obtained through near field communication, and the user's identity information to be authenticated is sent to the server. Authentication identity information, the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated. In this way, the server receives the identity information to be authenticated of the user sent by the electronic device, and when it detects that the device type of the electronic device is the preset target device type, that is, the device type of the electronic device conforms to the wearable device, smart door lock, etc., it cannot bear the computational burden. In the case of a large device, target information corresponding to the user's identity information to be authenticated and used to characterize the user's identity is acquired, and the target information includes the user's first biometric feature information. Furthermore, the electronic device acquires the user image within a preset time period, and sends the user image to the server, where the user image is used to compare with the user's identity to be authenticated to determine the user identity authentication result. Then, the server receives the user image sent by the electronic device, determines the second biometric information of the user in the user image, and determines the user identity authentication of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information As a result, the user identity authentication result of the identity information to be authenticated is sent to the electronic device. The electronic device receives the user identity authentication result of the identity information to be authenticated sent by the server, so as to prompt the user with the user identity authentication result of the identity information to be authenticated. Here, when determining the first biometric information of the user, the server may send an instruction to acquire the user image to the electronic device, where the user image instruction is used to instruct the electronic device to acquire the user image within a preset time period. The electronic device acquires the user image when receiving the instruction for acquiring the user image sent by the server. Alternatively, when the electronic device receives an instruction from the user for acquiring the user image, the electronic device may also acquire the user image.

Further, the electronic device may obtain the user's identity information to be authenticated by executing the near field communication instruction in the protocol data instruction set provided by the server in a trusted execution environment.

When the server is in the target information, it can specifically go through the following steps, that is, according to the ciphertext information of the identity information to be authenticated, determine the original character string assembled and assembled according to the attribute format of the identity document and used to represent the target information of the user's identity, according to the pre-stored target information The information data decrypts the original character string of the authorization certificate and the target information, decrypts the identity information to be authenticated, and obtains the target information.

Further, in the process of determining the original character string, the server sends a protocol data instruction to the identity authentication server, and the protocol data instruction is used to instruct the identity authentication server to splicing and assemble the original text of the target information used to represent the user identity according to the identity document attribute format. String, receiving the original text string of the target information sent by the authentication server.

Therefore, an embodiment of the present disclosure proposes an information processing method for trusted identity authentication based on TEE and NFC, which can securely access NFC through the TEE to read the identity information to be authenticated of the identity document to obtain reliable and trusted identity information. Target information representing the user's identity, and in some embodiments, can interact with the trusted identity service platform running in the server in the trusted execution environment TEE, so as to avoid the problem of forgery of ID cards, and also avoid the problem of ineffective photographing. This will result in inaccurate target information obtained and improve the accuracy of identity authentication. By migrating the target information data decryption authorization certificate corresponding to the identity information to be authenticated into the TEE, the problem that the identity information to be authenticated may be stolen by the Trojan virus during the interaction between the electronic device and the server is eliminated. In addition, by securely accessing the camera from within the TEE, the source of the user image used for comparison and authentication, that is, the real-time user image, can be trusted, preventing the injection of fake face photos or videos.

In addition, in view of the problem that the hardware resources of some IoT electronic devices supporting TEE and NFC are severely limited, the embodiments of the present disclosure utilize the 4th generation mobile communication technology (4G), the fifth generation mobile communication technology ( 5th generation mobile networks, 5G) has the characteristics of higher transmission rate and lower delay, and splits the commands for interaction between NFC and second-generation ID cards. Among them, the part that obtains the user's identity information to be authenticated through near field communication is electronic The device is implemented, mainly dealing with the identity document APDU request response and interaction protocol, and the back-end part is moved to the server to run, and is mainly responsible for the generation and assembly of the identity document access APDU command and the processing of the APDU response. Through the above-mentioned front-end and back-end separation processing method, the space ratio of the NFC interaction protocol of electronic devices is reduced, and it has stronger applicability to IoT terminal devices with limited resources such as wearable devices. Through the category of electronic equipment, the method of determining the comparison result between the electronic equipment and the server is determined, which ensures the availability and adaptability of ID card reading and face comparison functions in the case of limited TEE space resources of electronic equipment.

In the above, using TEE to securely access NFC to read the user's identity information to be authenticated ensures that the data source of the acquired identity card information is true and accurate, and has the effect of anti-counterfeiting identity cards. At the same time, the trusted execution environment TEE prevents malware from intercepting identity card information data. replaced and tampered with. In addition, the embodiments of the present disclosure are implemented based on the security closed loop between the electronic device TEE and the server, which can ensure that the information is sent to the trusted identity authentication background decrypted in ciphertext and then transmitted back through the secure TEE secure channel for use, which is applicable to more authentication scenarios.

Based on the above-mentioned information processing architecture and application scenario, the information processing method provided by the embodiment of the present disclosure will be described in detail below with reference to FIG. 5 .

5 is a schematic flowchart of an information processing method according to an embodiment of the information processing method of the first aspect of the present disclosure.

As shown in FIG. 5 , the information processing method may be applied to the electronic device shown in FIG. 1 , and the information processing method may specifically include the following steps.

First, in step 510, a first input for user identity authentication is received. Next, in step 520, in response to the first input, in a trusted execution environment, acquire the user's identity information to be authenticated through near field communication. Furthermore, in step 530, according to the user's identity information to be authenticated, determine the target information used to represent the user's identity, the target information includes the user's first biometric information, and the user image obtained within a preset time period, the user image Include second biometric information of the user. Then, in step 540, based on the comparison result of the first biometric information and the second biometric information, determine the user identity authentication result of the identity information to be authenticated.

Therefore, by obtaining the user's identity information to be authenticated in the trusted execution environment TEE and near field communication NFC, the trusted target information for characterizing the user's identity, such as identity document information, can be obtained to avoid the problem of forging identity documents. At the same time, it also avoids the problem that the obtained target information is inaccurate due to poor photographing effect or insufficient photographing hardware, resulting in incorrect user identity authentication results.

In addition, by acquiring target information and comparing the first biometric information in the target information with the second biometric information in the captured user image in the trusted execution environment TEE, malware can effectively prevent malicious software from intercepting and tampering with identity document information. At the same time, secure access to the cameras of electronic devices through the Trusted Execution Environment (TEE) ensures the accuracy of user images used for comparison authentication and prevents the injection of fake facial images or videos.

Based on this, the above steps are described in detail below, as follows:

First, involving step 320, the embodiment of the present disclosure provides the following at least two ways to obtain the to-be-authenticated identity information of the user of the identity certificate, as shown in detail below.

In some possible embodiments, step 320 may specifically include:

In response to the first input,

When the data interaction environment satisfies the preset interaction environment and in the trusted execution environment, read the near field communication chip through near field communication, and obtain the label content and user identity of the near field communication chip;

Based on the content of the label and the user identity, the identity information to be authenticated of the user is generated.

Further, before the step of reading the near field communication chip through near field communication to obtain the label content and user identity of the near field communication chip, the information processing method further includes:

Detecting the data interaction environment with the near field communication chip, the data interaction environment includes the distance value between the electronic device and the near field communication chip and the contact time between the electronic device and the near field communication chip within the preset distance;

When the distance value satisfies the preset distance value and/or the contact with the market satisfies the preset contact duration, it is determined that the data interaction environment satisfies the preset interaction environment.

In some other possible embodiments, in response to the first input, in a trusted execution environment, a target near field communication chip is determined, and the data interaction environment between the near field communication chip and the electronic device satisfies a preset near field communication environment;

Obtain the target application protocol data corresponding to the target near field communication chip through the preset correspondence between the near field communication chip and the application protocol data;

Obtain the user's identity information to be authenticated according to the target application protocol data.

Here, in order to ensure the user's information security, the embodiment of the present disclosure provides that the target application protocol data corresponding to the target near field communication chip is acquired according to the preset correspondence between the near field communication chip and the application protocol data. For example, if the near field communication chip is an identity document, and the preset correspondence indicates that the electronic device can access the user's face image in the identity document image, the electronic device can obtain the user's face image in the identity document image. Similarly, if the preset correspondence indicates that the electronic device can access the ID number, ID image, and ID user identity information, the electronic device can obtain the ID number, ID image, and ID user ID information. , you can obtain its information according to the user's previous settings.

In addition, the preset corresponding relationship between the near field communication chip and the application protocol data in the embodiment of the present disclosure can be determined by the following steps, that is, obtaining the near field corresponding to the target through the preset corresponding relationship between the near field communication chip and the application protocol data Before the step of the target application protocol data corresponding to the communication chip, the information processing method provided by the embodiment of the present disclosure further includes:

Send a permission request to the server, the permission request includes the identity information of the electronic device, and the permission request is used to obtain the permission of the near field communication chip;

Receive permission feedback information sent by the server, where the permission feedback information includes the permission for the electronic device to communicate with the near field communication chip;

According to the permission feedback information and the user's preset, the preset correspondence between the near field communication chip and the application protocol data is obtained.

Next, step 330 is involved, and this step can be divided into two parts, that is, one part is determining target information used to characterize the user's identity, and the other part is acquiring a photographed image of the user. Based on this, two parts will be explained separately.

First, the process of determining the target information in the embodiment of the present disclosure is as follows, that is, according to the user's identity information to be authenticated, the target information used to characterize the user's identity is determined, including:

Step 3301: Determine the identity information plaintext data of the identity information to be authenticated according to the identity information to be authenticated.

Further, this step 3301 may specifically include:

Step 33011: Send an identity authentication request to the server, the identity authentication request includes the identity information to be authenticated, and the identity authentication request is used to request the server to parse the identity information to be authenticated to obtain the identity information plaintext data of the identity information to be authenticated;

Step 33012: Receive the identity authentication feedback information sent by the server, where the identity authentication feedback information includes the identity information plaintext data of the identity information to be authenticated.

Step 3302: Decrypt the authorization certificate according to the plaintext data of the identity information and the target information data to determine the first biometric information.

Here, the target information data decryption authorization credential can be determined according to the following steps, which may specifically include steps 33021-33023.

Step 33021: Generate a device public-private key pair according to the digital certificate in the electronic device.

Step 33022, send a user identity authentication initialization request to the server through the trusted identity authentication initialization interface, the user identity authentication initialization request includes the device public and private key pair, and the user identity authentication initialization request is used to establish a secure communication link with the server, and through the secure communication link Perform key exchange.

The trusted identity authentication initialization interface corresponding to the server may be obtained based on the pre-stored server public key.

Step 33023: Receive the user identity authentication initialization feedback information from the server, where the user identity authentication initialization feedback information includes the target information data decryption authorization certificate.

It should be noted that the user identity authentication initialization request also includes application program information, and the application program information includes at least one of the following: application program identification, signature certificate information, and certificate fingerprint information, and the application program information is used to determine the identity information to be authenticated. The execution environment of the user authentication result.

Therefore, based on the possibility involved in the above, step 3302 in this embodiment of the present disclosure may specifically include: sending a biometric information request to the server, where the biometric information request includes the identity information plaintext data and the target information data decryption authorization credential, and the biometric information request It is used to request the server to decrypt the authorization certificate based on the plaintext data of the identity information and the target information data, and determine the first biometric information;

The biometric feedback information sent by the server is received, where the biometric feedback information includes the first biometric information encrypted by the public key of the device.

It should be noted that, in the embodiments of the present disclosure, it is considered that some IoT electronic devices with severely limited resources cannot determine target information and compare results. In this way, before executing the step of sending the identity authentication request to the server, the method further includes:

Send the identity of the electronic device to the server, and the electronic identity of the electronic device is used to determine whether the electronic device meets the conditions for identity authentication;

Receive the identity feedback information sent by the server;

The identity authentication request is sent to the server under the condition that the identity identification feedback information indicates that the electronic device does not meet the identity authentication condition.

In addition, in addition to the above-mentioned reading and parsing of the user-based identity information to be authenticated, the embodiment of the present disclosure also has a key point in that the parsed first biometric information, such as the user's face image in the identity document image and the identity card holder The second biometric information in the user image of the person is compared to the user image. In this process, there is a key problem that needs to be solved urgently, that is, there is a difference between the user's current facial information and the original photo when the ID document was collected. There may be time factors and the original face collection equipment is not high accuracy or even the user's face. Injuries, etc. Therefore, it is necessary to optimize the facial information of the user's face image in the parsed ID document image and the user's user image of the holder.

In response to this, in addition to the image deblurring and contrast method, the embodiment of the present disclosure also proposes a feature model that is insensitive to the clarity of the image, that is, the target ID document portrait feature model, which is used to optimize the false rejection rate of face comparison ( false reject rate, FRR).

Based on this, another part of the step 330, that is, the process of acquiring the user image specifically includes steps 3311-3303.

Step 3311: Display the fixed portrait position area, and the fixed portrait position area is used to obtain the human body part image corresponding to the user and the fixed portrait position area.

For example, as shown in FIG. 6 , the image of the human body part is acquired by fixing the position area of the portrait. Here, in the traditional face recognition processing, more face feature points are selected for detection, which also consumes more performance resources. Due to limited TEE resources, the embodiments of the present disclosure propose to use a fixed portrait position on the portrait capture interface of the electronic device, delineate the fixed portrait position area on the portrait capture interface to match the best position of the face, and at the same time discard some special processing of face rotation and alignment, so as to Quickly locate the position of the face in the image and improve the positioning accuracy of the facial feature points. After intercepting the face area, select the feature points with obvious face features for detection, such as the eyes, nose, cheekbones, mouth, chin, and forehead feature points for detection, in order to reduce the FRR of face contrast, so that the TEE environment can meet the needs of people. The performance consumption of face rotation and alignment processing.

Step 3312: When receiving the second input of the image captured by the user, acquire the image of the human body part to be processed.

Further, the target feature points are screened from a plurality of feature points in the human body part through the fixed position area, and the human body part image corresponding to the target feature point is acquired according to the target feature points.

In this way, when a fixed portrait position area is drawn on the portrait acquisition interface to match the best position of the face, some feature points of face rotation can be discarded, so as to quickly locate the position of the face in the image and improve the positioning accuracy of the face feature points.

Step 3313: Perform grayscale normalization on the image of the human body part to be processed to obtain a user image.

Further, acquiring a first grayscale value of the human body part image to be processed, the first grayscale value corresponds to the first grayscale level, and adjusting the human body part image to be processed by grayscale stretching according to the first grayscale level, A user image with the first gray level is obtained.

Here, grayscale normalization processing may be performed on the photograph of the face in the captured user image. The grayscale normalization process is to perform illumination compensation processing on the user image to overcome the influence of illumination changes. In the embodiment of the present disclosure, the grayscale stretching method can be used to expand the grayscale distribution in the original image to have the entire grayscale level. Image. For example, the collected image is an 8-bit grayscale image, and there should be 256 grayscale levels. However, due to the influence of factors such as illumination during acquisition, the grayscale levels of the image are concentrated in one or several grayscale segments. At this time, the grayscale stretching method can be used to expand the image to 256 grayscales. As a result, after the photographed face photo is processed for illumination compensation and mapped according to the color scale, the photo becomes clearer and more vivid, which is more conducive to image contrast.

Further, during the grayscale normalization operation, grayscale normalization processing is performed according to the RGB color mode of the user image, according to the following two formulas:

(1) Brightness is determined by formula (1):

D=R*0.3086+G*0.6094+B*0.0820 (1)

Among them, D is the brightness, R is the red color channel, G is the green color channel, and B is the blue color channel.

(2) The color scale mapping is determined by formula (2):

D'＝0+(D-255*LOW)/(255*HIGH-255*LOW)*255 (2)

Among them, D' is the color level, and 255*LOW and 255*HIGH are the lowest point of D and the highest point of D in the original image histogram of the user image, respectively.

As shown in Figure 7, based on the initial screening of the original image histogram, the distribution of pixels is obviously abnormal, such as images mainly distributed on the left side of the x-axis, mainly distributed on the right side of the x-axis, and mainly distributed in a very narrow interval, directly Treated as a low-quality photo without post-processing. Image histograms are all grayscale images, the x-axis is the grayscale value (usually 0 to 255), and the y-axis is the number of pixels corresponding to each grayscale in the y-axis image.

Then, involving step 340, based on the user image obtained in step 330, in some embodiments, before step 340, in the case where the first biometric information includes an image of an identification document, the image of the identification document and the image of the identification document are compared by geometric normalization A user image to obtain a comparison result between the first biometric information and the second biometric information.

In this way, in view of the problem that the first biometric information on the ID document, such as the small pixels of the portrait picture, is not highly recognizable, this proposal uses geometric normalization and grayscale normalization to transform the collected living photos. The processing improves the recognition rate of the comparison between the face photo and the image photo on the ID card, and improves the false rejection rate (False Reject Rate, FRR) of the face comparison.

Further, this step may specifically include steps 3401-3403.

Step 3401: Identify the user's face area in the identity document image, and obtain a user's face image corresponding to the user's face area.

Step 3402: Perform proportional enlargement or reduction of the user face image or the face area in the user image, and calculate the feature values of the user image and the user face image.

Step 3403: Obtain a comparison result between the first biometric information and the second biometric information according to the at least one feature value.

For example, a geometric normalization algorithm is used to compare the first biometric information with the second biometric information. The face authentication and comparison module in the trusted identity service platform finds the user's face area in the ID document image by locating the face feature model for the ID document image, determines the face position in the user image according to the geometric normalization algorithm, and compares the feature values of the two , in the process of determining the face position in the user image, the geometric figures of the face in the live face photo are compared using proportional enlargement and reduction. Further, the geometric normalization algorithm refers to changing the face position in the user image in the user face region in the ID document image to the same position and size according to the comparison target positioning result. The comparison steps provided by the embodiments of the present disclosure include:

Step 1, find out the area where the eyes and nose of the person in the ID document image are located through face model matching;

Step 2, set the distance between the two eyes as D, and its center point as O;

Step 3: Determine the rectangular feature area according to the facial features and geometric model of the face, take O as the center origin, the two eye lines are the x-axis, and the cutting distance d on both sides, where d=D/2, and the y-axis is cut in the nose direction by 1.5d , crop 0.5d in the other direction, and finally crop out a square area;

Step 4: Find out the areas where the eyes and nose are located in the user image through the same face model matching;

Step 5, the distance between the two eyes in the user image is set to be D', and its center point is O';

Step 6: Determine the rectangular feature area according to the facial features of the face and the geometric model, take O' as the center origin, the two eye lines are the x-axis, and the clipping distance d' on both sides, where d'=D'/2, y-axis nose Cut 1.5d' in one direction, 0.5d' in the other direction, and finally cut out a square area;

Step 7, by means of proportional stretching or scaling such as stretching ratio V=D'/D, scaling ratio V'=D/D', make the size of the cropped ID document image and the cropped user image consistent;

Step 8: Extract the feature values of the two cropped area pictures for comparison, and convert them into similarity as a comparison result between the first biometric information and the second biometric information according to the equal index of the two feature values.

It should be noted that the process of comparing images involved in the embodiments of the present disclosure may be as shown in the above steps 1 to 8. Here, the comparison result between the two may be determined through the target identity document portrait feature model, that is, further, at least A feature value is input into the portrait feature model of the target ID document, and a comparison result between the first biometric information and the second biometric information is obtained. In addition, in some possible embodiments, the above-mentioned target ID document portrait feature model can be determined, and the specific process is as follows. Since the ID document image photo is small and the image resolution is low, in order to improve the target ID document portrait feature The comparison accuracy of the model focuses on selecting points with obvious facial features, and discarding the feature points that are easy to be misdetected at low resolution. At the same time, it is supplemented by a large number of ID card image samples for training, and the comparison results are obtained in each face comparison. After that, select the ID card portrait feature value with a similarity exceeding N% (N is a positive number, which can be customized according to the application scenario) to participate in the iterative training of the model, and then determine the new target ID card portrait feature model.

Based on this, an embodiment of the present disclosure also provides a method for determining a portrait feature model of a target identity document, which is specifically as follows:

According to the training feature value of the user's face image in the target ID document, the preset ID document portrait feature model is simplified to obtain the target ID document portrait feature model.

Based on the user image obtained in step 340 , an embodiment of the present disclosure provides a process for determining a comparison result between the first biometric information and the second biometric information, which is specifically as follows, that is, before step 340 , the information processing method Also includes:

Encrypting the first biometric information and the second biometric information by using a symmetric key to obtain encrypted biometric information;

Send an identity authentication result request to the server, where the identity authentication result request includes encrypted biometric information, and the identity authentication result request is used to request the server to calculate the first biometric information and the second biometric information according to the first biometric information and the second biometric information The similarity of the biometric comparison results of the information;

Receive the identity authentication result feedback information sent by the server, and the identity authentication result feedback information includes the similarity of the biometric comparison result encrypted by the public key of the device;

The similarity of the biometric comparison result is decrypted by encrypting the private key of the device to obtain the similarity of the biometric comparison result, and the similarity of the biometric comparison result is used to represent the comparison result between the first biometric information and the second biometric information.

Based on this, step 340 may specifically include: in the case that the similarity of the biometric comparison result meets the preset similarity, determining that the user identity authentication of the identity information to be authenticated is successful.

It should be noted that the target information in the embodiments of the present disclosure also includes at least one of the following: ID number, ID image, ID user identity information, such as the user's name, gender, ethnicity, and date of birth in the ID. ,address. The first biometric information includes at least one of the following: an image of the user's face in the identity document image, and an iris image of the user corresponding to the identity document.

In addition, in view of the problem that the hardware resources of some IoT electronic devices supporting TEE and NFC are severely limited, the embodiments of the present disclosure utilize the 4th generation mobile communication technology (4G), the fifth generation mobile communication technology ( 5th generation mobile networks, 5G) has the characteristics of higher transmission rate and lower delay, splitting the commands for interaction between NFC and the second-generation ID card, and obtaining the user's identity information to be authenticated through near field communication. , mainly deals with ID document APDU request response and interactive protocol, the back-end part is moved to the server to run, mainly responsible for the generation and assembly of ID document access APDU instructions and the processing of APDU response. Through the above-mentioned front-end and back-end separation processing method, the space ratio of the NFC interaction protocol of electronic devices is reduced, and it has stronger applicability to IoT terminal devices with limited resources such as wearable devices. Through the category of electronic equipment, the method of determining the comparison result between the electronic equipment and the server is determined, which ensures the availability and adaptability of ID card reading and face comparison functions in the case of limited TEE space resources of electronic equipment.

In order to better describe the above information processing method, the embodiments of the present disclosure describe the information processing method in detail with reference to the architectures shown in FIGS. 1 and 2 . The following examples can illustrate the information processing method through the two processes of FIG. 8 and FIG. 9 , wherein FIG. 8 is a process of initializing trusted identity authentication provided by an embodiment of the present disclosure, and FIG. 9 is a trusted identity authentication initialization process provided by an embodiment of the present disclosure. The process of identity authentication comparison is as follows.

When a third-party application is a consumer application, the third-party application needs to integrate the trusted authentication service SDK in advance, and install the trusted authentication service control on the electronic device running the third-party application, and use the electronic device to install the trusted authentication service control. The corresponding trusted application management (TAM) installs the trusted identity authentication service TA into the device TEE trusted execution environment. Subsequently, the application identification (AppId), signature certificate information and certificate fingerprint information of the third-party application need to be entered in the trusted identity service platform.

As shown in FIG. 8 , the process of initializing trusted identity authentication in the resource processing method may include steps 801 to 813, as shown in detail below.

Step 801 , the electronic device receives an operation of initializing trusted identity authentication initiated by a user for application A.

Step 802: Application A initiates a trusted identity authentication initialization request to the integrated trusted identity authentication service SDK, and transmits the transaction element Context. Here, the transaction elements are detailed in Table 4.

Step 803, the trusted identity authentication service SDK obtains the AppId, signature certificate information and certificate fingerprint information of application A through the Context context, calls the trusted identity authentication initialization interface of the trusted identity authentication service control, and passes in the transaction element application program A's AppId, signature certificate information, and certificate fingerprint information.

Step 804, the trusted identity authentication service control invokes the trusted identity authentication service TA initialization interface, and inputs the transaction element AppId, signature certificate information and certificate fingerprint information.

Step 805, the trusted identity authentication service TA generates a pair of device public and private key pairs according to the device root trust certificate.

Step 806 , the trusted identity authentication service TA requests the trusted identity service platform, and inputs the AppId of the application A, the signature certificate information and the certificate fingerprint information.

Step 807, the server public key of the trusted identity service platform is preset in the trusted identity authentication service TA. The trusted identity authentication service TA establishes a secure link with the trusted identity service platform through the server public key, uses the device public key and the server public key of the trusted identity service platform for session key negotiation, and subsequently uses the negotiated session key for interaction.

The trusted identity authentication service TA encrypts the AppId, signature certificate information and certificate fingerprint information of application A with the session key, and transmits it to the trusted identity service platform.

Step 808, the trusted identity service platform decrypts using the session key, and verifies whether the AppId, signature certificate information and certificate fingerprint information of application A are consistent with those previously entered in the trusted identity service platform. The trusted identity authentication service TA returns the ciphertext of the authorization certificate for decryption of the target information data of the identity authentication platform encrypted by the public key of the device, such as the identity authentication service of the subordinate institutions of the Ministry of Public Security.

Step 809 , after receiving the response, the trusted identity authentication service TA verifies the validity of the message containing the ciphertext of the received target information data decryption authorization certificate. In the case of valid verification, decrypt the ciphertext of the authorization certificate for the target information data decryption of the identity authentication platform through the private key of the device, and save the target information data decryption authorization certificate of the identity authentication platform to the trusted identity authentication service TA.

Step 810, the trusted identity authentication service TA returns an operation result corresponding to the operation of the trusted identity authentication initialization to the trusted identity authentication service control.

Step 811, the trusted identity authentication service control returns an operation result corresponding to the trusted identity authentication initialization operation to the trusted identity authentication service SDK.

Step 812, the trusted identity authentication service SDK returns the trusted identity authentication initialization result to application A.

Step 813, the application A displays the trusted identity authentication initialization result to the user through the electronic device.

Based on the above-mentioned completion of the trusted identity authentication initialization or registration, with reference to FIG. 9 , the process of the trusted identity authentication comparison in the resource processing method provided by the embodiment of the present disclosure will be described in detail.

As shown in FIG. 9 , the trusted identity authentication and comparison process in the resource processing method includes steps 901 to 916 , as shown in detail below.

Step 901 , the electronic device receives a comparison operation of the trusted identity authentication initiated by the user with respect to the application A.

Step 902, the application A initiates a trusted identity authentication comparison request to the integrated trusted identity authentication service SDK, and passes in the transaction element to be authenticated identity information UserId, such as the transaction element, as shown in FIG. 4 .

Step 903, the trusted identity authentication service SDK invokes the authentication comparison interface of the trusted identity authentication service control, and inputs the identity information UserId of the transaction element to be authenticated.

Step 904, the trusted identity authentication service control invokes the trusted identity authentication service TA authentication comparison interface.

Step 905 , the trusted identity authentication service TA accesses the NFC module of the device, so that the electronic device displays the ID card swiping interface.

Step 906, the electronic device obtains the identity information to be authenticated in the near field communication chip, the NFC module responds the identity information to be authenticated to the trusted identity authentication service TA, and the trusted identity authentication service TA sends the identity information to be authenticated to the authoritative identity authentication module Such as the identity authentication service platform of the subordinate institutions of the Ministry of Public Security.

Step 907: The authoritative identity authentication module processes the received identity information to be authenticated, and returns the processed identity information to be authenticated in plaintext to the trusted identity authentication service TA.

Step 908, the trusted identity authentication service TA sends the target information data decryption authorization certificate of the authoritative identity authentication module and the information plaintext of the identity information to be authenticated to the trusted identity service platform.

Step 909, the trusted identity service platform obtains target information through the authoritative identity authentication module, the target information includes the user's face image in the identity document image, encrypted with the device public key, and returned to the trusted identity authentication service TA.

Step 910, the trusted identity authentication service TA securely accesses the camera of the electronic device to obtain the user image.

Step 911, the trusted identity authentication service TA submits the user's face image in the identity document image and the user image decrypted using the device private key to the trusted identity service platform using symmetric key encryption.

Step 912, the trusted identity service platform uses the symmetric key to decrypt to obtain the face image in the user image, compares the two images according to the preprocessing process of the face image in the user image and the user face image in the identity document image, and returns to use the device public image. Key-encrypted biometric comparison results similarity.

Step 913, the trusted identity authentication service TA decrypts the biometric comparison result similarity using the device private key, and returns it to the trusted identity authentication service control.

Step 914, the trusted identity authentication service control returns the similarity of the biometric comparison result to the trusted identity authentication service SDK.

Step 915, the trusted identity authentication service SDK returns the similarity of the biometric comparison result to the application A.

Step 916, the application A displays the user identity authentication result of the identity information to be authenticated corresponding to the similarity of the biometric comparison result to the user.

It should be noted that the life cycle based on the trusted identity authentication service operation may include the trusted identity authentication service initialization function, the trusted identity authentication service registration function, the trusted identity authentication function, the trusted identity witness comparison function, and the trusted identity authentication function. The authentication service logout function, in which the trusted identity authentication service can be initialized first, and if the initialization verification is passed, the trusted identity authentication registration, trusted identity witness comparison and trusted identity authentication logout operations can be performed.

In addition, in view of the problem that the hardware resources of some IoT electronic devices supporting TEE and NFC are severely limited, the embodiments of the present disclosure utilize the 4th generation mobile communication technology (4G), the fifth generation mobile communication technology ( 5th generation mobile networks, 5G) has the characteristics of higher transmission rate and lower delay, and splits the commands for interaction between NFC and second-generation ID cards. Among them, the part that obtains the user's identity information to be authenticated through near field communication is electronic The device is implemented, mainly dealing with the identity document APDU request response and interaction protocol, and the back-end part is moved to the server to run, mainly responsible for the generation and assembly of the identity document access APDU command and the processing of the APDU response. Through the above-mentioned front-end and back-end separation processing method, the space ratio of the NFC interaction protocol of electronic devices is reduced, and it has stronger applicability to IoT terminal devices with limited resources such as wearable devices. By determining the type of electronic device, the method of determining the comparison result between the electronic device and the server ensures the availability and adaptability of ID card reading and face comparison functions in the case of limited TEE space resources of electronic devices.

Based on the same inventive concept, the present disclosure also provides an information processing apparatus. Specifically, detailed description is given with reference to FIG. 10 .

FIG. 10 is a schematic structural diagram of an embodiment of an electronic device-based information processing apparatus provided according to the present disclosure.

In some embodiments of the present disclosure, the apparatus shown in FIG. 10 may be provided in the electronic device shown in FIG. 1 .

Wherein, as shown in FIG. 10 , the information processing apparatus 100 may specifically include:

a receiving module 1001, configured to receive a first input for user identity authentication;

an obtaining module 1002, configured to obtain the user's identity information to be authenticated through near field communication in a trusted execution environment in response to the first input;

The processing module 1003 is configured to determine target information used to characterize the user's identity according to the user's identity information to be authenticated, the target information includes the user's first biometric information, and the user image obtained within a preset time period, the user image include the user's second biometric information;

The determining module 1004 is configured to determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information.

In addition, by acquiring target information and comparing the first biometric information in the target information with the second biometric information in the captured user image in the trusted execution environment TEE, malware can effectively prevent malicious software from intercepting and tampering with identity document information. At the same time, secure access to the camera of the electronic device through the Trusted Execution Environment (TEE) ensures the accuracy of the user image used for comparison authentication and prevents the injection of fake facial photos or videos.

The information processing apparatus 100 in the embodiments of the present disclosure will be described in detail below.

In some embodiments of the present disclosure, the acquiring module 1002 may be specifically configured to, in response to the first input, read the near field communication chip through near field communication when the data interaction environment satisfies the preset interaction environment and under the trusted execution environment , to obtain the label content and user ID of the near field communication chip,

Further, the information processing apparatus 100 may further include a detection module for detecting a data interaction environment with the near field communication chip, where the data interaction environment includes a distance value between the electronic device and the near field communication chip and/or the electronic device within a preset distance For the contact duration with the near field communication chip, when the distance value meets the preset distance value and/or the contact market meets the preset contact duration, it is determined that the data interaction environment meets the preset interaction environment.

In addition, the acquiring module 1002 can be specifically configured to, in response to the first input, determine the target near field communication chip under the trusted execution environment, and the data interaction environment between the near field communication chip and the electronic device satisfies the preset near field communication environment, and through According to the preset correspondence between the near field communication chip and the application protocol data, the target application protocol data corresponding to the target near field communication chip is obtained, and the user's identity information to be authenticated is obtained according to the target application protocol data.

In some embodiments of the present disclosure, the processing module 1003 in the embodiment of the present disclosure may be specifically configured to, according to the identity information to be authenticated, determine the identity information plaintext data of the identity information to be authenticated, and determine the identity information plaintext data of the identity information to be authenticated according to the identity information plaintext data and the target information data. Decrypt the authorization credential to determine the first biometric information.

Further, the information processing apparatus 100 in the embodiment of the present disclosure may further include a sending module. Based on this, a sending module is used to send an identity authentication request to the server, where the identity authentication request includes the identity information to be authenticated, and the identity authentication request is used to request the server to parse the identity information to be authenticated to obtain the identity information of the identity information to be authenticated plaintext data.

The receiving module 1001 in the embodiment of the present disclosure receives the identity authentication feedback information sent by the server, and the identity authentication feedback information includes the identity information plaintext data of the identity information to be authenticated.

In some possible embodiments, the sending module in the embodiments of the present disclosure may also be configured to send the identity identification of the electronic device to the server, where the electronic identification of the electronic device is used to determine whether the electronic device satisfies the conditions for identity authentication.

The receiving module 1001 in the embodiment of the present disclosure is further configured to receive the identity feedback information sent by the server.

The sending module in the embodiment of the present disclosure may also be configured to send an identity authentication request to the server under the condition that the identity identification feedback information indicates that the electronic device does not meet the identity authentication condition.

In some possible embodiments, the information processing apparatus 100 in this embodiment of the present disclosure may further include a generating module, configured to generate a device public-private key pair according to the digital certificate in the electronic device. Based on this, the sending module in the embodiment of the present disclosure can also be used to send a user identity authentication initialization request to the server through a trusted identity authentication initialization interface, where the user identity authentication initialization request includes the device public and private key pair, and the user identity authentication initialization request uses It establishes a secure communication link with the server and performs key exchange through the secure communication link. The receiving module 1001 in the embodiment of the present disclosure is further configured to receive the user identity authentication initialization feedback information of the server, where the user identity authentication initialization feedback information includes the target information data decryption authorization certificate.

In some possible embodiments, the obtaining module in the embodiments of the present disclosure may also be used to obtain a trusted identity authentication initialization interface corresponding to the server based on the server public key.

The user identity authentication initialization request in the embodiment of the present disclosure further includes application program information, and the application program information includes at least one of the following: an application program identifier, signature certificate information, and certificate fingerprint information, wherein the application program information is used to determine the pending The execution environment of the user authentication result that authenticates the identity information.

In some possible embodiments, the processing module 1003 in this embodiment of the present disclosure may be specifically configured to send a biometric information request to the server, where the biometric information request includes the identity information plaintext data and the target information data decryption authorization credential, and the biometric information request It is used to request the server to decrypt the authorization certificate based on the plaintext data of the identity information and the target information data, determine the first biometric information, and receive the biometric feedback information sent by the server, where the biometric feedback information includes the first biometric information encrypted by the device public key.

In some possible embodiments, the information processing apparatus 100 in this embodiment of the present disclosure may further include a display module, configured to display a fixed portrait position area, and the fixed portrait position area is used to obtain a human body part image corresponding to the user and the fixed portrait position area. The acquiring module 1002 in the embodiment of the present disclosure may be specifically configured to acquire the image of the human body part to be processed through the fixed location area when receiving the second input of the captured image by the user. The processing module 1003 in the embodiment of the present disclosure may be specifically configured to perform grayscale normalization processing on the image of the human body part to be processed to obtain a user image.

Wherein, the acquisition module 1002 in the embodiment of the present disclosure can be specifically used to select target feature points from a plurality of feature points in a human body part through a fixed location area, and obtain a human body part image corresponding to the target feature point according to the target feature points .

The processing module 1003 in this embodiment of the present disclosure can be specifically configured to obtain a first grayscale value of a human body part image to be processed, where the first grayscale value corresponds to the first grayscale level, and according to the first grayscale level Stretch and adjust the image of the human body part to be processed to obtain a user image with a first gray level.

In some possible embodiments, the determining module 1004 in this embodiment of the present disclosure may be specifically configured to, in the case that the first biometric information includes an image of an ID document, compare the image of the ID document and the user image through geometric normalization, and obtain The comparison result of the first biometric information and the second biometric information.

The determining module 1004 in the embodiment of the present disclosure can be specifically used to identify the user's face area in the ID document image, obtain the user's face image corresponding to the user's face area, perform the user's face image or the face area in the user image, etc. The ratio is enlarged or reduced, and the feature values of the user image and the user face image are calculated, and a comparison result between the first biometric information and the second biometric information is obtained according to at least one feature value.

Further, the determining module 1004 in this embodiment of the present disclosure may be specifically configured to input at least one feature value into the target ID document portrait feature model to obtain a comparison result between the first biometric information and the second biometric information.

In some possible embodiments, the information processing apparatus 100 in this embodiment of the present disclosure may further include a simplification module, configured to simplify the preset identity document portrait feature model according to the training feature values of the user's face image in the target identity document, to obtain The target identity document portrait feature model. In the embodiment of the present disclosure, the information processing apparatus 100 may further include an encryption module configured to encrypt the first biometric information and the second biometric information by using a symmetric key to obtain encrypted biometric information.

The sending module in the embodiment of the present disclosure is further configured to send an identity authentication result request to the server, where the identity authentication result request includes encrypted biometric information, and the identity authentication result request is used to request the server according to the first biometric information and the second biometric information , and calculate the similarity of the biometric comparison results between the first biometric information and the second biometric information.

The receiving module 1001 in the embodiment of the present disclosure is further configured to receive the identity authentication result feedback information sent by the server, where the identity authentication result feedback information includes the similarity of the biometric comparison result encrypted by the public key of the device.

The processing module 1003 in this embodiment of the present disclosure is further configured to decrypt the similarity of the biometric comparison result by encrypting the device private key to obtain the similarity of the biometric comparison result, and the similarity of the biometric comparison result is used to represent the first biometric information Comparison result with the second biometric information.

In some possible embodiments, the determining module 1004 in this embodiment of the present disclosure may be specifically configured to determine that the user identity authentication of the identity information to be authenticated is successful if the similarity of the biometric comparison result meets the preset similarity.

It should be noted that the target information involved in the above also includes at least one of the following: ID number and ID image. The first biometric information includes at least one of the following: an image of the user's face in the identity document image, and an iris image of the user corresponding to the identity document.

It should be noted that, the information processing apparatus 100 shown in FIG. 10 can execute various steps in the information processing method embodiments shown in FIGS. 1-9 , and implement each step in the method embodiments shown in FIGS. 1-9 . The process and effect will not be repeated here.

Based on the same inventive concept, the present disclosure also provides an information processing device based on electronic devices such as wearable devices, smart door locks, etc. that cannot carry a large amount of computation. Specifically, detailed description is given with reference to FIG. 11 .

FIG. 11 is a schematic structural diagram of another embodiment of an electronic device-based information processing apparatus provided according to the present disclosure.

In some embodiments of the present disclosure, the apparatus shown in FIG. 11 may be set in a wearable device, a smart door lock, or other information processing equipment that cannot carry a large amount of computation.

Wherein, as shown in FIG. 11 , the information processing apparatus 1100 may specifically include:

a receiving module 1110, configured to receive a first input for user identity authentication;

an obtaining module 1120, configured to, in response to the first input, obtain the user's identity information to be authenticated through near field communication in a trusted execution environment;

The sending module 1130 is configured to send the user's identity information to be authenticated to the server, and the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated;

The sending module 1130 is further configured to obtain a user image within a preset time period, and send the user image to the server, where the user image is used to compare with the user's identity to be authenticated to determine the user identity authentication result;

The receiving module 1110 is further configured to receive the user identity authentication result of the identity information to be authenticated sent by the server.

In addition, the obtaining module 1120 provided by the embodiment of the present disclosure is specifically configured to obtain the user's identity information to be authenticated by executing the near field communication instruction in the protocol data instruction set in a trusted execution environment; wherein the near field communication instruction is set by Server OK.

Based on the same inventive concept, the present disclosure also provides a server. Specifically, detailed description is given with reference to FIG. 12 .

FIG. 12 is a schematic structural diagram of an embodiment of a server-based information processing apparatus provided according to the present disclosure.

In some embodiments of the present disclosure, as shown in FIG. 12 , the information processing apparatus 1200 may specifically include:

A receiving module 1210, configured to receive the identity information to be authenticated of the user sent by the electronic device;

The obtaining module 1220 is configured to obtain target information corresponding to the user's to-be-authenticated identity information and used to characterize the user's identity when it is detected that the user's to-be-authenticated identity information is used to determine the user's identity authentication result of the to-be-authenticated identity information, the target information including the user's first biometric information;

The receiving module 1210 is further configured to receive the user image sent by the electronic device;

A determination module 1230, configured to determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information in the user image;

The sending module 1240 is further configured to send the user identity authentication result to the electronic device.

Among them, the obtaining module 1220 in the embodiment of the present disclosure is specifically used to determine a protocol data instruction according to the ciphertext information of the identity information to be authenticated, and the protocol data instruction is used to indicate that the user identity is represented by splicing and assembling according to the attribute format of the identity document. The original character string of the target information is decrypted according to the pre-stored target information data and the original character string of the authorization certificate and the target information, and the identity information to be authenticated is decrypted to obtain the target information.

Further, the sending module 1230 can also be used to send a protocol data instruction to the identity authentication server, where the protocol data instruction is used to instruct the identity authentication server to spliced and assembled according to the identity document attribute format and is used to characterize the original character string of the target information of the user identity. . Based on this, the receiving module 1210 may also be configured to receive the original character string of the target information sent by the identity authentication server.

Based on the same inventive concept, the present disclosure also provides an information processing device. Specifically, detailed description is given with reference to FIG. 13 .

FIG. 13 shows a schematic diagram of a hardware structure of an information processing device provided by an embodiment of the present disclosure.

As shown in FIG. 13 , the information processing 1300 may include an electronic device or a server involved in the embodiments of the present disclosure. Information processing 1300 may include a processor 1301 and a memory 1302 storing computer program instructions.

Specifically, the above-mentioned processor 1301 may include a central processing unit (CPU), or a specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured to implement one or more integrated circuits of the embodiments of the present disclosure.

Memory 1302 may include mass storage for data or instructions. By way of example and not limitation, memory 1302 may include a Hard Disk Drive (HDD), a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, or a Universal Serial Bus (USB) drive or two or more A combination of more than one of the above. Memory 1302 may include removable or non-removable (or fixed) media, where appropriate. Storage 1302 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In certain embodiments, memory 1302 is non-volatile solid state memory. In certain embodiments, memory 1302 includes read only memory (ROM). Where appropriate, the ROM may be a mask programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically rewritable ROM (EAROM) or flash memory or A combination of two or more of the above.

The processor 1301 reads and executes the computer program instructions stored in the memory 1302 to implement any one of the information processing methods in the foregoing embodiments.

In one example, the data processing device may also include a communication interface 1303 and a bus 1310 . Among them, as shown in FIG. 13 , the processor 1301 , the memory 1302 , and the communication interface 1303 are connected through the bus 1310 and complete the mutual communication.

The communication interface 1303 is mainly used to implement communication between modules, apparatuses, units and/or devices in the embodiments of the present disclosure.

The bus 1310 includes hardware, software, or both, coupling the components of the flow control device to each other. By way of example and not limitation, the bus may include Accelerated Graphics Port (AGP) or other graphics bus, Enhanced Industry Standard Architecture (EISA) bus, Front Side Bus (FSB), HyperTransport (HT) Interconnect, Industry Standard Architecture (ISA) Bus, Infiniband Interconnect, Low Pin Count (LPC) Bus, Memory Bus, Microchannel Architecture (MCA) Bus, Peripheral Component Interconnect (PCI) Bus, PCI-Express (PCI-X) Bus, Serial Advanced Technology Attachment (SATA) bus, Video Electronics Standards Association Local (VLB) bus or other suitable bus or a combination of two or more of the above. Bus 1310 may include one or more buses, where appropriate. Although embodiments of the present disclosure describe and illustrate a particular bus, this disclosure contemplates any suitable bus or interconnect.

The data processing device can execute the information processing method in the embodiment of the present disclosure, thereby realizing the information processing method and apparatus described in conjunction with FIG. 1 to FIG. 10 .

In addition, in combination with the information processing methods in the foregoing embodiments, the embodiments of the present disclosure may be implemented by providing a computer-readable storage medium. Computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are executed by the processor, any one of the information processing methods in the foregoing embodiments is implemented. Examples of computer-readable storage media include non-transitory computer-readable storage media, such as read-only memory (Read-Only Memory, ROM for short), random access memory (Random Access Memory, RAM for short), magnetic disk, or optical disk, and the like.

It is to be understood that the present disclosure is not limited to the specific configurations and processes described above and illustrated in the figures. For the sake of brevity, detailed descriptions of known methods are omitted here. In the above-described embodiments, several specific steps are described and shown as examples. However, the method process of the present disclosure is not limited to the specific steps described and shown, and those skilled in the art can make various changes, modifications and additions, or change the order of steps after comprehending the spirit of the present disclosure.

The functional blocks shown in the above structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, elements of the present disclosure are programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like. The code segments may be downloaded via a computer network such as the Internet, an intranet, or the like.

It should also be noted that the exemplary embodiments mentioned in the present disclosure describe some methods or systems based on a series of steps or devices. However, the present disclosure is not limited to the order of the above steps, that is, the steps may be performed in the order mentioned in the embodiment, or may be different from the order in the embodiment, or several steps may be performed simultaneously.

The above are only specific implementations of the present disclosure, and those skilled in the art can clearly understand that, for the convenience and brevity of the description, the specific working process of the above-described systems, modules and units can be referred to in the foregoing method embodiments. The corresponding process is not repeated here. It should be understood that the protection scope of the present disclosure is not limited to this, and any person skilled in the art can easily think of various equivalent modifications or replacements within the technical scope disclosed in the present disclosure, and these modifications or replacements should all cover within the scope of protection of the present disclosure.

Claims

An information processing method applied to electronic equipment, comprising:

receiving a first input for user identity authentication;

In response to the first input, in a trusted execution environment, obtain the user's identity information to be authenticated through near field communication;

According to the user's identity information to be authenticated, target information for characterizing the user's identity is determined, the target information includes the user's first biometric feature information, and a user image acquired within a preset time period, the user image includes second biometric information of the user;

Based on the comparison result of the first biometric information and the second biometric information, a user identity authentication result of the identity information to be authenticated is determined.
The method according to claim 1, wherein, in response to the first input, in a trusted execution environment, acquiring the user's identity information to be authenticated through near field communication, comprising:

In response to the first input,

When the data interaction environment satisfies the preset interaction environment and under the trusted execution environment, read the near field communication chip through near field communication, and obtain the label content and user identity of the near field communication chip;

Based on the content of the label and the user identity, the identity information to be authenticated of the user is generated.
The method according to claim 2, wherein before reading the near field communication chip through near field communication and acquiring the label content and user identity of the near field communication chip, the method further comprises:

Detecting a data interaction environment with the near field communication chip, where the data interaction environment includes a distance value between the electronic device and the near field communication chip and/or the electronic device and the near field within a preset distance The contact time of the communication chip;

When the distance value satisfies the preset distance value and/or the contact market satisfies the preset contact duration, it is determined that the data interaction environment satisfies the preset interaction environment.
The method according to claim 1, wherein, in response to the first input, in a trusted execution environment, acquiring the user's identity information to be authenticated through near field communication, comprising:

In response to the first input, in a trusted execution environment, a target near field communication chip is determined, and a data interaction environment between the near field communication chip and the electronic device satisfies a preset near field communication environment;

Obtain the target application protocol data corresponding to the target near field communication chip through the preset correspondence between the near field communication chip and the application protocol data;

Obtain the identity information of the user to be authenticated according to the target application protocol data.
The method according to claim 1, wherein the determining the target information for characterizing the user's identity according to the identity information of the user to be authenticated comprises:

Determine the identity information plaintext data of the identity information to be authenticated according to the identity information to be authenticated;

The first biometric feature information is determined by decrypting the authorization certificate according to the plaintext data of the identity information and the target information data.
The method according to claim 5, wherein determining the identity information plaintext data of the identity information to be authenticated according to the identity information to be authenticated comprises:

Send an identity authentication request to the server, where the identity authentication request includes the identity information to be authenticated, and the identity authentication request is used to request the server to parse the identity information to be authenticated to obtain the identity information to be authenticated. identity information plaintext data;

Receive identity authentication feedback information sent by the server, where the identity authentication feedback information includes identity information plaintext data of the identity information to be authenticated.
The method according to claim 6, wherein before the sending the identity authentication request to the server, the method further comprises:

Sending the identity identification of the electronic device to the server, where the electronic identification of the electronic device is used to determine whether the electronic device satisfies the conditions for identity authentication;

receiving the identity feedback information sent by the server;

The identity authentication request is sent to the server under the condition that the identity identification feedback information indicates that the electronic device does not meet the identity authentication condition.
The method of claim 5, wherein before the determining the first biometric information, the method further comprises:

Generate a device public-private key pair according to the digital certificate in the electronic device;

Send a user identity authentication initialization request to the server through the trusted identity authentication initialization interface, the user identity authentication initialization request includes the device public and private key pair, and the user identity authentication initialization request is used to establish a secure communication link with the server, and perform key exchange through said secure communication link;

Receive user identity authentication initialization feedback information from the server, where the user identity authentication initialization feedback information includes the target information data decryption authorization credential.
The method according to claim 8, wherein before the user identity authentication initialization request is sent to the server through the trusted identity authentication initialization interface, the method further comprises:

Based on the server public key, a trusted identity authentication initialization interface corresponding to the server is obtained.
The method according to claim 9, wherein the user identity authentication initialization request further includes application program information, and the application program information includes at least one of the following: application program identification, signature certificate information and certificate fingerprint information, The application program information is used to determine the execution environment of the user identity authentication result of the identity information to be authenticated.
The method according to claim 5 or 6, wherein the decrypting the authorization certificate according to the plaintext data of the identity information and the target information data to determine the first biometric information comprises:

Send a biometric information request to the server, the biometric information request includes the identity information plaintext data and the target information data decryption authorization credential, the biometric information request is used to request the server based on the identity information plaintext data Decrypt the authorization certificate with the target information data to determine the first biometric information;

The biometric feedback information sent by the server is received, where the biometric feedback information includes the first biometric information encrypted by the public key of the device.
The method according to claim 1, wherein the acquiring the captured user image within a preset time period comprises:

Displaying a fixed portrait position area, the fixed portrait position area is used to obtain a human body part image corresponding to the user and the fixed portrait position area;

When receiving the second input of the image captured by the user, obtain the image of the human body part to be processed through the fixed position area;

Grayscale normalization is performed on the image of the human body part to be processed to obtain the user image.
The method according to claim 12, wherein the acquiring the image of the human body part to be processed through the fixed position area comprises:

Screening target feature points from a plurality of feature points in the body part through the fixed location area;

According to the target feature points, a human body part image corresponding to the target feature points is acquired.
The method according to claim 13, wherein, performing grayscale normalization processing on the image of the human body part to be processed to obtain the user image, comprising:

acquiring a first grayscale value of the to-be-processed human body part image, where the first grayscale value corresponds to a first grayscale level;

The image of the human body part to be processed is adjusted by gray scale stretching according to the first gray level, so as to obtain a user image with the first gray level.
The method according to claim 12, wherein the first biometric information comprises an image of an identity document; before the determination of the user identity authentication result of the identity information to be authenticated, the method further comprises:

Comparing the identity document image and the user image through geometric normalization, a comparison result of the first biometric information and the second biometric information is obtained.
The method according to claim 15, wherein the comparison result of the first biometric information and the second biometric information is obtained by comparing the identity document image and the user image through geometric normalization, include:

Identify the user's face area in the identity document image, and obtain the user's face image corresponding to the user's face area;

Perform proportional enlargement or reduction of the user face image or the face area in the user image, and calculate the feature values of the user image and the user face image;

According to the at least one feature value, a comparison result of the first biometric information and the second biometric information is obtained.
The method according to claim 16, wherein, according to the at least one feature value, obtaining a comparison result of the first biometric information and the second biometric information, comprising:

The at least one feature value is input into the target identity document portrait feature model to obtain a comparison result between the first biometric information and the second biometric information.
The method according to claim 17, wherein before obtaining the comparison result between the first biometric information and the second biometric information, the method further comprises:

According to the training feature value of the user's face image in the target ID document, the preset ID document portrait feature model is simplified to obtain the target ID document portrait feature model.
The method according to claim 1, wherein, before determining the user identity authentication result of the identity information to be authenticated, the method further comprises:

Encrypting the first biometric information and the second biometric information by using a symmetric key to obtain encrypted biometric information;

Send an identity authentication result request to the server, where the identity authentication result request includes the encrypted biometric information, and the identity authentication result request is used to request the server to calculate, according to the first biometric information and the second biometric information, similarity of the biometric comparison results of the first biometric information and the second biometric information;

Receive the identity authentication result feedback information sent by the server, where the identity authentication result feedback information includes the similarity of the biometric comparison result encrypted by the device public key;

The similarity of the biometric comparison result is decrypted by the device private key encryption to obtain the similarity of the biometric comparison result, and the similarity of the biometric comparison result is used to characterize the first biometric information and the second biometric Information comparison results.
The method according to claim 19, wherein determining the user identity authentication result of the identity information to be authenticated based on the comparison result of the first biometric information and the second biometric information comprises:

If the similarity of the biometric comparison result satisfies the preset similarity, it is determined that the user identity authentication of the identity information to be authenticated is successful.
The method according to claim 1, wherein the target information further comprises at least one of the following: ID number, ID image, ID user identity information; the first biometric information includes the following: At least one of: a user's face image in the identity document image, and an iris image of the user corresponding to the identity document.
An information processing method applied to electronic equipment, comprising:

receiving a first input for user identity authentication;

In response to the first input, in a trusted execution environment, obtain the user's identity information to be authenticated through near field communication;

sending the identity information to be authenticated of the user to the server, where the identity information to be authenticated of the user is used to determine the user identity authentication result of the identity information to be authenticated;

Acquire a user image within a preset time period, and send the user image to the server, where the user image is used to compare with the user's identity to be authenticated to determine the user identity authentication result;

The user identity authentication result of the identity information to be authenticated sent by the server is received.
The method according to claim 22, wherein, in the trusted execution environment, acquiring the user's identity information to be authenticated through near field communication comprises:

Under the trusted execution environment, the near field communication instruction in the protocol data instruction set is executed to obtain the user's identity information to be authenticated; wherein the near field communication instruction is determined by the server.
An information processing method, applied to a server, includes:

Receive the identity information to be authenticated of the user sent by the electronic device;

When it is detected that the device type of the electronic device is the preset target device type, acquire target information corresponding to the user's identity information to be authenticated and used to characterize the user's identity, the target information including the user's first - biometric information;

receiving a user image sent by the electronic device;

Determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information in the user image;

Send the user identity authentication result to the electronic device.
The method according to claim 24, wherein the acquiring target information corresponding to the user's identity information to be authenticated and used to characterize the user's identity comprises:

According to the ciphertext information of the identity information to be authenticated, a protocol data instruction is determined, and the protocol data instruction is used to indicate the original character string for representing the target information of the user identity assembled and assembled according to the attribute format of the identity document;

According to the pre-stored target information data decryption authorization certificate and the original character string of the target information, decrypt the identity information to be authenticated to obtain the target information.
The method according to claim 25, wherein the determining the protocol data instruction according to the ciphertext information of the identity information to be authenticated comprises:

Send the protocol data instruction to the identity authentication server, where the protocol data instruction is used to instruct the identity authentication server to splicing and assemble the original character string used to represent the target information of the user identity according to the identity document attribute format;

The original character string of the target information sent by the identity authentication server is received.
An information processing device, applied to electronic equipment, includes:

a receiving module for receiving the first input for user identity authentication;

an acquisition module, configured to, in response to the first input, acquire the user's identity information to be authenticated through near field communication in a trusted execution environment;

a processing module, configured to determine target information for characterizing the user's identity according to the user's identity information to be authenticated, the target information including the user's first biometric information and a user image obtained within a preset time period, the user image includes second biometric information of the user;

A determination module, configured to determine a user identity authentication result of the identity information to be authenticated based on a comparison result between the first biometric information and the second biometric information.
An information processing device, applied to electronic equipment, includes:

a receiving module for receiving the first input for user identity authentication;

an acquisition module, configured to, in response to the first input, acquire the user's identity information to be authenticated through near field communication in a trusted execution environment;

a sending module, configured to send the identity information to be authenticated of the user to the server, where the identity information to be authenticated of the user is used to determine the user identity authentication result of the identity information to be authenticated;

The sending module is further configured to acquire a user image within a preset time period, and send the user image to the server, where the user image is used to compare with the identity to be authenticated of the user to determine the user identity authentication result;

The receiving module is further configured to receive the user identity authentication result of the identity information to be authenticated sent by the server.
An information processing device, applied to a server, includes:

a receiving module, configured to receive the identity information to be authenticated of the user sent by the electronic device;

The acquiring module is configured to acquire the user's identity information corresponding to the user's identity information to be authenticated and used to characterize the user's identity when it is detected that the identity information to be authenticated of the user is used to determine the user identity authentication result of the identity information to be authenticated. target information, the target information includes the user's first biometric information;

The receiving module is further configured to receive the user image sent by the electronic device;

a determination module, configured to determine the user identity authentication result of the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information in the user image;

A sending module, configured to send the user identity authentication result to the electronic device.
An electronic device comprising: a processor and a memory storing computer program instructions;

When the processor executes the computer program instructions, the information processing method according to any one of claims 1-21 or the information processing method according to any one of claims 22-23 is implemented.
A server comprising: a processor and a memory storing computer program instructions;

When the processor executes the computer program instructions, the information processing method according to any one of claims 24-26 is implemented.
A computer-readable storage medium on which computer program instructions are stored, and when the computer program instructions are executed by a processor, implement the information processing method according to any one of claims 1-21, or The information processing method according to any one of claims 22-23 is realized, or the information processing method according to any one of claims 24-26 is realized.